CN109756460B - Replay attack prevention method and device - Google Patents


Info

Publication number: CN109756460B
Authority: CN (China)
Prior art keywords: serial number, client, authentication, window, service request
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201711079676.4A
Other languages: Chinese (zh)
Other versions: CN109756460A
Inventor: 陈荣沥
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd


Abstract

The invention relates to the field of mobile internet, in particular to a method and a device for preventing replay attacks. A service request sent by a client is received; the service request comprises at least an authentication credential and a serial number of the client, the serial number being derived by the client from the serial number carried in the previously sent service request and a preset increment step. The server judges, according to a preset validity period, whether the authentication credential is valid, judges whether the serial number lies within the serial number window stored for that authentication credential, and thereby judges whether the serial number is legal and whether the service request is a replay request. The client therefore carries the authentication credential and a progressively increasing serial number when sending a service request, which prevents replay attacks while reducing the number of interactions and improving efficiency and system performance. Because the authentication credential is stored in association with the serial number and has a validity period, the amount of stored information can be effectively controlled; the serial number window avoids misjudgment, and strict time synchronization is not needed.

Description

Replay attack prevention method and device
Technical Field
The invention relates to the field of mobile internet, in particular to a replay attack prevention method and a replay attack prevention device.
Background
Replay attacks, also called playback attacks or freshness attacks, are attacks in which an attacker intercepts a packet that the target host has already received and retransmits it in order to deceive the host. Such attacks can maliciously or fraudulently repeat a valid data transmission indefinitely. The attacker steals the authentication credential by network sniffing or other means and then retransmits it to the server. Replay attacks can occur in any network communication, and the servers of current network services are frequently subjected to them.
In the prior art, methods for protecting against replay attacks, such as the challenge-response method, are known: when the client wants to request the server, the server first generates a random number and returns it to the client; the client then accesses the server carrying that random number, and the server compares the parameter sent by the client with the one it generated; if they match, the request is not a replay attack and access is allowed.
However, in the prior-art challenge-response method, every time the client requests a service it must first ask the server to generate a challenge code and then access the service carrying the response code; that is, the client and the server need two interactions per request, which reduces system performance and is a serious burden for high-latency systems such as servers in a network.
Disclosure of Invention
The embodiment of the invention provides a replay attack prevention method and a replay attack prevention device, which are used for solving the problems that in the prior art, the replay attack prevention method is low in efficiency and the system performance is reduced.
The embodiment of the invention provides the following specific technical scheme:
A method of preventing replay attacks, comprising:
receiving a service request sent by a client, wherein the service request comprises at least an authentication credential and a serial number of the client, the serial number being derived by the client from the serial number carried in the previously sent service request and a preset increment step;
judging, according to a preset validity period, whether the authentication credential is within the validity period, and if so, determining that the authentication credential is valid;
judging, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and judging, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, determining that the serial number is legal and that the service request is not a replay request.
Preferably, the method further comprises:
receiving a login request sent by the client; and
after the identity verification of the client passes, returning an authentication credential and an initial serial number value to the client, generating a serial number window of the preset window size centred on the initial serial number value, treating the serial numbers in that window as the serial numbers corresponding to the authentication credential, and storing the authentication credential together with its serial number window.
Preferably, the method further comprises:
if the serial number is determined to be within the serial number window, updating the stored serial number window corresponding to the authentication credential by re-centring it on that serial number with the preset window size, recording the serial number, and updating the recorded accessed serial numbers corresponding to the authentication credential.
Preferably, the method further comprises:
if the authentication credential is determined not to be within the preset validity period, clearing the stored authentication credential, the serial number window corresponding to it, and the recorded accessed serial numbers corresponding to it.
Preferably, the method further comprises:
determining that the service request passes verification according to a preset tamper-proof verification method.
An apparatus for preventing replay attacks, comprising:
a first receiving unit, configured to receive a service request sent by a client, wherein the service request comprises at least an authentication credential and a serial number of the client, the serial number being derived by the client from the serial number carried in the previously sent service request and a preset increment step;
a first judging unit, configured to judge, according to a preset validity period, whether the authentication credential is within the validity period, and if so, to determine that the authentication credential is valid; and
a second judging unit, configured to judge, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and to judge, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, to determine that the serial number is legal and that the service request is not a replay request.
Preferably, the apparatus further comprises:
a second receiving unit, configured to receive a login request sent by the client;
a sending unit, configured to return an authentication credential and an initial serial number value to the client after the identity verification of the client is determined to pass; and
a saving and updating unit, configured to generate a serial number window of the preset window size centred on the initial serial number value, treat the serial numbers in that window as the serial numbers corresponding to the authentication credential, and save the authentication credential together with its serial number window.
Preferably, the saving and updating unit is further configured to:
if the serial number is determined to be within the serial number window, update the stored serial number window corresponding to the authentication credential by re-centring it on that serial number with the preset window size, record the serial number, and update the recorded accessed serial numbers corresponding to the authentication credential.
Preferably, the apparatus further comprises:
a clearing unit, configured to clear the stored authentication credential, the serial number window corresponding to it, and the recorded accessed serial numbers corresponding to it if the authentication credential is determined not to be within the preset validity period.
Preferably, the apparatus further comprises:
a third judging unit, configured to determine that the service request passes verification according to a preset tamper-proof verification method.
A computer device, comprising:
at least one memory for storing a computer program;
at least one processor configured to implement the steps of the replay attack prevention method in an embodiment of the present invention when executing the computer program stored in the memory.
A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of a method of preventing replay attacks in an embodiment of the present invention.
In the embodiment of the invention, a service request sent by a client is received, wherein the service request comprises at least an authentication credential and a serial number of the client, the serial number being derived by the client from the serial number carried in the previously sent service request and a preset increment step. It is judged, according to a preset validity period, whether the authentication credential is within the validity period, and if so the authentication credential is determined to be valid. It is judged, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the window, and, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, the serial number is legal and the service request is not a replay request. The client therefore carries the authentication credential and the progressively increasing serial number when sending a service request and does not need to interact with the server to obtain a random number each time, which reduces the number of interactions with the server and improves efficiency and system performance. The serial number is stored in association with the authentication credential and given an expiry time, so the amount of stored information is effectively controlled; more than one serial number is stored, so misjudgment under concurrent requests is avoided by the serial number window; and only the server needs to set the expiry time of the authentication credential, with no need to guarantee time synchronization between server and client, which reduces complexity.
Drawings
FIG. 1 is a flowchart illustrating an exemplary embodiment of a method for preventing replay attacks;
FIG. 2 is a detailed flowchart of a replay attack prevention method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a replay attack prevention apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a server structure according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, the method for preventing replay attack provided by the embodiment of the present invention specifically includes the following steps:
Step 100: receive a service request sent by a client, wherein the service request comprises at least an authentication credential and a serial number of the client, the serial number being derived by the client from the serial number carried in the previously sent service request and a preset increment step.
In practice, for example with login authentication based on OAuth 2.0, when the client communicates with the server it first requests the server to log it in; after the client's identity has been verified, the client can send service requests to the server to execute the corresponding services.
In the embodiment of the present invention, when step 100 is executed the client sends a service request to the server carrying the authentication credential obtained during login authentication and an incremented serial number, and the server determines whether the service request is a replay attack.
The initial serial number value and the authentication credential are returned to the client when the server receives the client's login request, so that the client sends service requests based on that authentication credential and initial serial number value.
Before step 100 is executed, the method further includes:
first, a login request sent by a client is received.
Then, after the client's identity verification is confirmed to have passed, an authentication credential and an initial serial number value are returned to the client, a serial number window of the preset window size centred on the initial serial number value is generated, the serial numbers in that window are treated as the serial numbers corresponding to the authentication credential, and the authentication credential is stored together with its serial number window.
For example, after a login request sent by a client is received and the client's identity is verified, the returned authentication credential is a and the initial serial number value is 100; with a preset window size of 11, the serial number window centred on 100 is [95, 105]. The server stores the authentication credential in association with the serial number window, so the serial number window corresponding to authentication credential a is [95, 105].
Here, identity verification refers to the check the server performs on the client's identity when it handles the login request.
In the embodiment of the invention a serial number window is stored, rather than a single serial number, to judge whether the serial number sent by the client is legal. This solves the problem that, under concurrent requests, a service request carrying a larger serial number may reach the server first, causing a later service request carrying a smaller serial number to be discarded as a replay request; setting a window of a certain size also bounds the amount of stored information while preventing such misjudgment.
For example, the serial number window corresponding to authentication credential a is [95, 105] and the serial number carried in the client's service request is 103: access is allowed, 103 is recorded as an accessed serial number, the serial number window is adjusted to [98, 108], and only the accessed serial numbers within the adjusted window are retained. If the client then sends a service request carrying serial number 101, then although 101 is smaller than 103 it is still within [98, 108], so the server likewise allows access and records the serial number.
Further, in the embodiment of the present invention a validity period must be set for the authentication credential, for example 2 hours. If, according to this validity period, the authentication credential is determined not to be within the preset validity period, the stored authentication credential, the serial number window corresponding to it, and the recorded accessed serial numbers corresponding to it are cleared.
Thus the authentication credential is stored in association with its serial number window and given a validity period; once the validity period is exceeded the stored information can be cleared, so the amount of stored information is effectively controlled.
In addition, in the embodiment of the invention the client sends a login request to the server; after determining that the client's identity verification passes, the server generates an authentication credential and an initial serial number value and sends them to the client. In later service requests the client carries the authentication credential and the progressively increased serial number so that the server can judge whether the service request is a replay attack. The authentication credential and initial serial number value are obtained only during the login request and used directly in later service requests, without first having to be requested from the server, so the client does not need two or more interactions with the server for every service request; the number of interactions between the client and the server is reduced, and the efficiency and.
Step 110: judge, according to the preset validity period, whether the authentication credential is within the preset validity period, and if so, determine that the authentication credential is valid.
For example, the preset validity period is 1 h; when the server receives the client's login request, the authentication credential is returned at 10:00:00; the client then sends a service request carrying the authentication credential, which the server receives at 10:30:00; it can therefore be determined that the authentication credential is within the validity period and is valid.
Further, if the authentication credential is determined to have expired, the client needs to log in again; when the server receives the client's login request again it regenerates the authentication credential and initial serial number value, sends the newly generated ones to the client, and so refreshes the client's authentication credential and initial serial number value.
Before step 110 is executed, the method further includes:
determining that the service request passes verification according to a preset tamper-proof verification method.
In the embodiment of the invention the server and the client agree on a tamper-proof verification method in advance, for example a parameter dictionary-sorting method, a public-key encryption method, or the like, without limitation. The purpose is to protect the parameters in the service request so that they cannot be tampered with, ensuring security and preventing the authentication credential and serial number from being recovered from an intercepted service request and used to replay the request to deceive the server.
Therefore, after receiving the service request the server first judges, according to the preset tamper-proof verification method, whether the service request has been tampered with; only after the verification passes does it obtain the authentication credential and serial number from the service request and then judge, according to them, whether the service request is a replay request.
Step 120: judge, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and judge, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, determine that the serial number is legal and that the service request is not a replay request.
Further, if the serial number is determined to be within the serial number window, the stored serial number window corresponding to the authentication credential is updated by re-centring it on this serial number with the preset window size, the serial number is recorded, and the recorded accessed serial numbers corresponding to the authentication credential are updated.
Thus, in the embodiment of the present invention, once the service request is determined not to be a replay request the corresponding business logic can be processed; if it is determined to be a replay request, the service request can be discarded.
That is, in the embodiment of the present invention, whether the serial number is legal is determined according to two conditions: the stored serial number window and the recorded serial numbers. The stored serial number window is continuously updated from the initial serial number value, the window size, and the last serial number judged legal; the recorded serial numbers are those judged legal, that is, the accessed serial numbers.
For example, if the server stores a serial number window of [95, 105] and no accessed serial number has been recorded, access is allowed only for a serial number that is within the window and not recorded, in which case the service request is determined not to be a replay request. If the serial number carried in the client's service request is 104, then since 104 is within [95, 105] access is allowed, 104 is recorded as an accessed serial number, the serial number window is adjusted to [99, 109], and only the accessed serial numbers within the adjusted window are retained. If the client then sends a service request carrying serial number 101, the server likewise allows access and records the serial number. But if the client sends a service request carrying 101 or 104 again, the server can treat the service request as a replay request, because 101 and 104 are already recorded as accessed serial numbers within the serial number window.
In the embodiment of the invention, a service request sent by a client carries an authentication credential and an increasing serial number; the server judges whether the authentication credential is valid according to a preset validity period, judges whether the serial number is legal according to the serial number window stored for that authentication credential, and so judges whether the service request is a replay request. The client therefore only needs to obtain the initial serial number value at login; for the many service requests that follow, it only needs to carry a serial number increased by the preset increment step to comply with the server's anti-replay method. The client does not need to interact with the server to obtain a random number for each service request, that is, it avoids the two or more interactions of a prior-art challenge-response method, and system performance is improved.
In addition, in the embodiment of the invention the authentication credential is stored in association with the serial number and given a validity period, so the amount of stored information is effectively controlled. Instead of a single serial number, a serial number window of the preset window size is stored, and serial numbers within the window can be considered legal, which prevents misjudgment under concurrent requests.
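The server-side state described in steps 100 to 120 (validity period, serial number window re-centred on each accepted serial, record of accessed serials) and the client-side counter of step 100, as an added Python example that is not part of the patent. All class and function names are this example's own; the walkthrough uses the page's figures (credential a, initial serial 100, window size 11, validity period 1 h, login at 10:00:00).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CredentialState:
    """What the server keeps per authentication credential (names are this example's own)."""
    issued_at: float                                   # server time when the credential was returned at login
    window_lo: int                                     # inclusive lower bound of the serial number window
    window_hi: int                                     # inclusive upper bound of the serial number window
    accessed: Set[int] = field(default_factory=set)   # serial numbers already accepted inside the window


class ReplayGuard:
    """Server side: validity period check, serial number window check, accessed-serial record."""

    def __init__(self, window_size: int = 11, validity_seconds: float = 3600.0):
        self.window_size = window_size
        self.validity = validity_seconds
        self.state: Dict[str, CredentialState] = {}

    def _window(self, center: int) -> Tuple[int, int]:
        # Window of window_size serials centred on center: size 11 around 100 gives [95, 105].
        lo = center - (self.window_size - 1) // 2
        return lo, lo + self.window_size - 1

    def login(self, credential: str, initial_serial: int, now: float) -> Tuple[str, int]:
        """Client identity verified: issue credential and initial serial, store the centred window."""
        lo, hi = self._window(initial_serial)
        self.state[credential] = CredentialState(now, lo, hi)
        return credential, initial_serial

    def window(self, credential: str) -> Tuple[int, int]:
        st = self.state[credential]
        return st.window_lo, st.window_hi

    def check(self, credential: str, serial: int, now: float) -> Tuple[bool, str]:
        """Steps 110 and 120; returns (accepted, reason). Accepting records the serial and re-centres."""
        st = self.state.get(credential)
        if st is None:
            return False, "unknown credential"
        # Step 110: outside the validity period the credential, its window and its record are cleared.
        if now - st.issued_at > self.validity:
            del self.state[credential]
            return False, "credential expired"
        # Step 120: the serial must lie inside the stored window ...
        if not (st.window_lo <= serial <= st.window_hi):
            return False, "serial outside window"
        # ... and must not already have been accepted, otherwise the request is a replay.
        if serial in st.accessed:
            return False, "serial already accessed"
        # Legal serial: record it, re-centre the window on it, keep only records inside the new window.
        st.accessed.add(serial)
        st.window_lo, st.window_hi = self._window(serial)
        st.accessed = {s for s in st.accessed if st.window_lo <= s <= st.window_hi}
        return True, "ok"


class ClientSession:
    """Client side of step 100: reuse the credential, send last serial + preset step each time."""

    def __init__(self, credential: str, initial_serial: int, step: int = 1):
        self.credential, self.serial, self.step = credential, initial_serial, step

    def next_request(self) -> Tuple[str, int]:
        serial = self.serial
        self.serial += self.step
        return self.credential, serial


def walkthrough() -> List[object]:
    """The page's numbers: credential a, initial serial 100, window size 11, validity period 1 h."""
    guard = ReplayGuard(window_size=11, validity_seconds=3600)
    login_time = 10 * 3600.0                               # 10:00:00 as seconds since midnight
    cred, _ = guard.login("a", 100, now=login_time)
    t = login_time + 1800                                  # 10:30:00, inside the validity period
    out: List[object] = [guard.window(cred)]               # (95, 105)
    out.append(guard.check(cred, 104, now=t)[0])           # True, window becomes (99, 109)
    out.append(guard.window(cred))
    out.append(guard.check(cred, 101, now=t)[0])           # True: smaller than 104 but inside the window
    out.append(guard.check(cred, 101, now=t)[0])           # False: already recorded, a replay
    out.append(guard.check(cred, 104, now=t)[0])           # False: already recorded, a replay
    out.append(guard.check(cred, 104, now=login_time + 3601)[0])   # False: validity period exceeded
    out.append(cred in guard.state)                        # False: credential and record cleared
    return out


def client_flow() -> List[bool]:
    """Constructed run with the client counter: serials 100, 101, 102 pass; a captured copy of the first fails."""
    guard = ReplayGuard()
    cred, first = guard.login("b", 100, now=0.0)
    client = ClientSession(cred, first, step=1)
    captured = client.next_request()                       # (b, 100), the packet an eavesdropper would see
    results = [guard.check(*captured, now=1.0)[0]]
    results += [guard.check(*client.next_request(), now=2.0)[0] for _ in range(2)]
    results.append(guard.check(*captured, now=3.0)[0])     # retransmitted copy is rejected
    return results
```

Because the window is re-centred on whichever serial was just accepted, including one smaller than the last, records outside the new window are dropped exactly as the text describes; a deployment that wants an accepted serial to stay rejected for the credential's whole lifetime would instead only ever move the window forward.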
The above embodiments are further described in detail below using a specific application scenario. Specifically, referring to fig. 2, in the embodiment of the present invention, the execution process of the replay attack prevention method is specifically as follows:
Step 200: receive a service request sent by a client.
The client obtains the authentication credential and the initial serial number value returned by the server when it sends the login request. It then carries the authentication credential and the serial number in every service request, increasing the serial number by the preset increment step each time, so that no interaction with the server to obtain a random number is needed for any request; the number of interactions is reduced and system performance is improved.
For example, if the serial number carried in the previous service request was 100 and the preset increment step is 1, the serial number carried in this service request is 101.
Step 201: and judging whether the anti-tampering check is passed, if so, executing the step 203, otherwise, executing the step 202.
Specifically, whether the service request passes the verification is judged according to a preset tamper-proof verification method, so as to prevent parameters in the service request from being tampered, and further prevent replay attack. And after the verification is passed, the server acquires the authentication certificate and the serial number in the service request.
Step 202: the verification fails.
Step 203: judge whether the authentication credential in the service request is valid; if so, execute step 205, otherwise execute step 204.
Specifically: judge, according to the preset validity period, whether the authentication credential is within the preset validity period.
Step 204: the authentication credential is invalid.
Further, if the authentication credential is determined to be invalid, the authentication credential, its associated serial number window, and the accessed serial numbers corresponding to it may be cleared, reducing the amount of stored information.
Step 205: judge whether the serial number in the service request is legal; if so, execute step 207, otherwise execute step 206.
Specifically: judge, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the window, and judge, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, the serial number is legal, otherwise it is illegal.
Step 206: it is determined that the service request is a replay request.
Step 207: determining that the service request is not a replay request, recording a sequence number in the service request, and updating a stored sequence number window corresponding to the authentication certificate.
Step 208: the business logic is processed.
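A concrete instance of the tamper-proof check of step 201, which gates the credential and serial before the replay check of steps 203 to 207, as an added Python example that is not part of the patent. The page leaves the method open ("parameter dictionary sorting", public-key encryption, or the like), so the choice of HMAC-SHA256 over the dictionary-sorted parameters under a shared secret agreed at login is an assumption of this example, as are all names and the constructed request.

```python
import hashlib
import hmac
from typing import Dict


def canonical_string(params: Dict[str, str]) -> str:
    """Dictionary-sort the parameter names and join name=value pairs, so that client and server
    sign exactly the same byte string regardless of the order the parameters travel in."""
    return "&".join(f"{name}={params[name]}" for name in sorted(params))


def sign_params(params: Dict[str, str], secret: bytes) -> str:
    """HMAC-SHA256 over the canonical string (the keyed-hash choice is this example's assumption)."""
    return hmac.new(secret, canonical_string(params).encode("utf-8"), hashlib.sha256).hexdigest()


def client_build_request(credential: str, serial: int, body: Dict[str, str], secret: bytes) -> Dict[str, str]:
    """Client side: credential and the incremented serial are signed together with the body, so
    neither can be changed in an intercepted copy without invalidating the signature."""
    params = {"credential": credential, "serial": str(serial), **body}
    params["sig"] = sign_params(params, secret)
    return params


def server_tamper_check(request: Dict[str, str], secret: bytes) -> bool:
    """Step 201: recompute the signature over every parameter except the signature itself and
    compare in constant time. Only after this passes does the server read credential and serial."""
    received = request.get("sig")
    if received is None:
        return False
    unsigned = {name: value for name, value in request.items() if name != "sig"}
    return hmac.compare_digest(sign_params(unsigned, secret), received)


def demo() -> Dict[str, bool]:
    """Constructed sample: a genuine request, the same request with its serial altered, and one
    with the signature missing. Only the genuine request reaches step 203."""
    secret = b"constructed-shared-secret"      # assumption: agreed between client and server at login
    genuine = client_build_request("a", 101, {"action": "query", "item": "balance"}, secret)
    altered = dict(genuine, serial="102")      # intercepted copy whose serial was changed
    unsigned = {k: v for k, v in genuine.items() if k != "sig"}
    return {
        "genuine": server_tamper_check(genuine, secret),    # True: proceed to the credential check
        "altered": server_tamper_check(altered, secret),    # False: step 202, verification fails
        "unsigned": server_tamper_check(unsigned, secret),  # False: step 202, verification fails
    }
```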
Based on the above embodiments, referring to fig. 3, in an embodiment of the present invention, a replay attack prevention apparatus specifically includes:
a first receiving unit 30, configured to receive a service request sent by a client, where the service request at least includes an authentication credential and a sequence number of the client, and the sequence number is obtained by the client according to a sequence number carried in last sending of the service request and a preset incremental step length;
a first judging unit 31, configured to judge, according to a preset validity period, whether the authentication credential is within the preset validity period, and if so, determine that the authentication credential is valid;
a second determining unit 32, configured to determine whether the serial number is in the serial number window according to the stored serial number window corresponding to the authentication credential, and determine whether the serial number is not recorded according to the recorded accessed serial number corresponding to the authentication credential, if both are yes, it is determined that the serial number is legal, and it is determined that the service request is not a replay request.
Preferably, further comprising:
a second receiving unit 33, configured to receive a login request sent by a client;
a sending unit 34, configured to return an authentication credential and a sequence number initial value to the client after determining that the identity verification of the client passes;
and the saving and updating unit 35 is configured to generate a serial number window according to a preset window size and the serial number initial value, centering on the serial number initial value, according to the preset window size, use the serial number in the serial number window as the serial number corresponding to the authentication credential, and save the authentication credential and the serial number window corresponding to the authentication credential.
Preferably, the saving and updating unit 35 is further configured to:
if the serial number is determined to be within the serial number window, update the stored serial number window corresponding to the authentication credential by re-centring it on that serial number according to the preset window size, record the serial number, and update the recorded accessed serial numbers corresponding to the authentication credential.
Preferably, further comprising:
a clearing unit 36, configured to clear the stored authentication credential, the serial number window corresponding to the authentication credential, and the recorded accessed serial number corresponding to the authentication credential if it is determined that the authentication credential is not within the preset validity period.
Preferably, further comprising:
and a third determining unit 37, configured to determine that the service request passes verification according to a preset tamper-proof verification method.
Referring to fig. 4, a schematic diagram of a server structure according to an embodiment of the present invention is shown.
Embodiments of the present invention provide a server, which may include a processor 410 (CPU), a memory 420, an input device 430, an output device 440, and the like, wherein the input device 430 may include a keyboard, a mouse, a touch screen, and the like, and the output device 440 may include a display device, such as a liquid crystal display (LCD), a cathode ray tube (CRT), and the like.
Memory 420 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides processor 410 with program instructions and data stored in memory 420. In an embodiment of the present invention, the memory 420 may be used to store the program of the above-described replay attack prevention method.
By calling the program instructions stored in the memory 420, the processor 410 is configured to perform the following steps according to the obtained program instructions:
receiving a service request sent by a client, wherein the service request at least comprises an authentication credential and a serial number of the client, and the serial number is obtained by the client from the serial number carried in its previous service request and a preset increment step;
judging, according to a preset validity period, whether the authentication credential is within the preset validity period, and if so, determining that the authentication credential is valid;
judging, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and judging, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, determining that the serial number is legal and that the service request is not a replay request.
Preferably, the processor 410 is further configured to:
receiving a login request sent by a client;
and after the identity verification of the client passes, returning an authentication credential and a serial number initial value to the client, generating a serial number window of the preset window size centred on the serial number initial value, taking the serial numbers in the serial number window as the serial numbers corresponding to the authentication credential, and storing the authentication credential and its corresponding serial number window.
Preferably, the processor 410 is further configured to:
if the serial number is determined to be within the serial number window, updating the stored serial number window corresponding to the authentication credential by re-centring it on that serial number according to the preset window size, recording the serial number, and updating the recorded accessed serial numbers corresponding to the authentication credential.
Preferably, the processor 410 is further configured to:
if the authentication credential is determined not to be within the preset validity period, clearing the stored authentication credential, the serial number window corresponding to the authentication credential and the recorded accessed serial numbers corresponding to the authentication credential.
Preferably, the processor 410 is further configured to:
and determining that the service request passes the verification according to a preset tamper-proof verification method.
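The serial-number window check that the apparatus units 30 to 37 and the processor steps above both describe, written out as an added worked example in Python. This is not code from the patent or from any China Mobile implementation. The window size, increment step, validity period, the random credential and per-credential key returned at login, the constructed user table, and the use of HMAC-SHA256 as the "preset tamper-proof verification method" are all assumptions; the page names these as preset values without specifying them.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters: the page calls them "preset" but gives no values.
WINDOW_SIZE = 8          # serials accepted on either side of the window centre
STEP = 1                 # client adds this to its previous serial for each request
VALIDITY_SECONDS = 300   # validity period of an authentication credential


def _mac(key, credential, serial, body):
    """Assumed tamper-proof check: HMAC-SHA256 over credential, serial and body."""
    msg = b"|".join([credential.encode(), str(serial).encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuardServer:
    """Server side: issues credentials and applies the window + seen-serial check."""

    def __init__(self, users, clock=time.time):
        self.users = users      # constructed user table {user: password}, for the login step
        self.clock = clock      # injectable clock so expiry can be exercised in tests
        self.state = {}         # credential -> {"key", "expires", "center", "seen"}

    def login(self, user, password):
        """Verify identity, then return (credential, per-credential key, serial initial value)."""
        if user not in self.users or not hmac.compare_digest(self.users[user], password):
            return None
        credential = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        initial = secrets.randbelow(1 << 31)
        self.state[credential] = {
            "key": key,
            "expires": self.clock() + VALIDITY_SECONDS,
            "center": initial,   # window is centred on the last accepted serial
            "seen": set(),       # accepted serials that are still inside the window
        }
        return credential, key, initial

    def _in_window(self, rec, serial):
        return rec["center"] - WINDOW_SIZE <= serial <= rec["center"] + WINDOW_SIZE

    def check(self, credential, serial, body, mac):
        """Return (accepted, reason). Only an accepted request re-centres the window."""
        rec = self.state.get(credential)
        if rec is None:
            return False, "unknown credential"
        if self.clock() > rec["expires"]:
            del self.state[credential]    # expiry clears credential, window and seen serials
            return False, "credential expired"
        if not hmac.compare_digest(mac, _mac(rec["key"], credential, serial, body)):
            return False, "tamper check failed"
        if not self._in_window(rec, serial):
            return False, "serial outside window"
        if serial in rec["seen"]:
            return False, "serial already used (replay)"
        rec["center"] = serial
        rec["seen"].add(serial)
        # Serials that fell out of the re-centred window can never be accepted again,
        # so dropping them bounds per-credential state to at most 2*WINDOW_SIZE+1 entries.
        rec["seen"] = {s for s in rec["seen"] if self._in_window(rec, s)}
        return True, "ok"


class ReplayGuardClient:
    """Client side: keeps the last serial and increments it by STEP per request."""

    def __init__(self, credential, key, initial):
        self.credential, self.key, self.serial = credential, key, initial

    def request(self, body):
        self.serial += STEP
        return self.credential, self.serial, body, _mac(self.key, self.credential, self.serial, body)


if __name__ == "__main__":
    server = ReplayGuardServer({"alice": "correct horse"})
    client = ReplayGuardClient(*server.login("alice", "correct horse"))
    first = client.request(b"POST /transfer?amount=10")
    print(server.check(*first))    # accepted
    print(server.check(*first))    # same serial again: rejected as replay
```

Two points the code makes explicit that the prose leaves implicit: the window alone does not stop replay, because an older serial still inside the re-centred window would pass the range check, so the recorded accessed serials are what actually reject it; and the MAC is checked before the window, since otherwise an attacker who can forge the serial could also move the window. No clock synchronisation between client and server is needed; the validity period is measured on the server only.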
Based on the above embodiments, in an embodiment of the present invention, there is provided a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the replay attack prevention method in any of the above method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (10)

1. A method of preventing replay attacks, comprising:
receiving a service request sent by a client, wherein the service request at least comprises an authentication credential and a serial number of the client, and the serial number is obtained by the client from the serial number carried in its previous service request and a preset increment step;
judging, according to a preset validity period, whether the authentication credential is within the preset validity period, and if so, determining that the authentication credential is valid;
judging, according to the stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and judging, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, determining that the serial number is legal and that the service request is not a replay request; and if the serial number is determined to be within the serial number window, updating the stored serial number window corresponding to the authentication credential by centring it on the serial number according to a preset window size, recording the serial number, and updating the recorded accessed serial numbers corresponding to the authentication credential.
2. The method of claim 1, further comprising:
receiving a login request sent by a client;
and after the identity verification of the client passes, returning an authentication credential and a serial number initial value to the client, generating a serial number window of the preset window size centred on the serial number initial value, taking the serial numbers in the serial number window as the serial numbers corresponding to the authentication credential, and storing the authentication credential and its corresponding serial number window.
3. The method of claim 1, further comprising:
if the authentication credential is determined not to be within the preset validity period, clearing the stored authentication credential, the serial number window corresponding to the authentication credential and the recorded accessed serial numbers corresponding to the authentication credential.
4. The method of any one of claims 1-3, further comprising:
and determining that the service request passes the verification according to a preset tamper-proof verification method.
5. An apparatus for preventing replay attack, comprising:
a first receiving unit, configured to receive a service request sent by a client, wherein the service request at least comprises an authentication credential and a serial number of the client, and the serial number is obtained by the client from the serial number carried in its previous service request and a preset increment step;
a first judging unit, configured to judge, according to a preset validity period, whether the authentication credential is within the preset validity period, and if so, determine that the authentication credential is valid;
a second judging unit, configured to judge, according to a stored serial number window corresponding to the authentication credential, whether the serial number is within the serial number window, and to judge, according to the recorded accessed serial numbers corresponding to the authentication credential, whether the serial number has not been recorded; if both hold, determine that the serial number is legal and that the service request is not a replay request;
and a saving and updating unit, configured to: if the serial number is determined to be within the serial number window, update the stored serial number window corresponding to the authentication credential by centring it on the serial number according to a preset window size, record the serial number, and update the recorded accessed serial numbers corresponding to the authentication credential.
6. The apparatus of claim 5, further comprising:
the second receiving unit is used for receiving the login request sent by the client;
a sending unit, configured to return an authentication credential and a serial number initial value to the client after determining that the identity verification of the client passes;
and the saving and updating unit is further configured to generate a serial number window of the preset window size centred on the serial number initial value, take the serial numbers in the serial number window as the serial numbers corresponding to the authentication credential, and store the authentication credential and its corresponding serial number window.
7. The apparatus of claim 5, further comprising:
a clearing unit, configured to clear the stored authentication credential, the serial number window corresponding to the authentication credential and the recorded accessed serial numbers corresponding to the authentication credential if the authentication credential is determined not to be within the preset validity period.
8. The apparatus of any of claims 5-7, further comprising:
and the third judging unit is used for determining that the service request passes the verification according to a preset tamper-proof verification method.
9. A computer device, comprising:
at least one memory for storing a computer program;
at least one processor adapted to implement the steps of the method according to any of claims 1-4 when executing a computer program stored in a memory.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program realizing the steps of the method according to any one of claims 1-4 when executed by a processor.
CN201711079676.4A 2017-11-06 2017-11-06 Replay attack prevention method and device Active CN109756460B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711079676.4A CN109756460B (en) 2017-11-06 2017-11-06 Replay attack prevention method and device

Publications (2)

Publication Number Publication Date
CN109756460A CN109756460A (en) 2019-05-14
CN109756460B true CN109756460B (en) 2021-07-09

Family

ID=66400334

Country Status (1)

Country Link
CN (1) CN109756460B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200599A (en) * 2019-12-28 2020-05-26 浪潮电子信息产业股份有限公司 Access authentication method, device, equipment and readable storage medium
CN113132338A (en) * 2020-01-15 2021-07-16 中国移动通信有限公司研究院 Authentication processing method, device and equipment
CN116569516A (en) * 2020-09-30 2023-08-08 中兴通讯股份有限公司 Method for preventing leakage of authentication serial number of mobile terminal
CN112291270B (en) * 2020-12-08 2021-03-12 北京和利时系统工程有限公司 Data transmission method and device
CN113433841B (en) * 2021-05-16 2022-05-31 武汉领普科技有限公司 Self-generating wireless switch, controlled equipment and control system
CN113726796B (en) * 2021-08-31 2023-10-27 深圳平安智慧医健科技有限公司 Data interaction method, device, equipment and medium based on medical internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739659A (en) * 2012-06-16 2012-10-17 华南师范大学 Authentication method for preventing replay attack
CN104092697A (en) * 2014-07-18 2014-10-08 杭州华三通信技术有限公司 Anti-replaying method and device based on time
CN105681470A (en) * 2012-03-29 2016-06-15 北京奇虎科技有限公司 Communication method, server and terminal based on hypertext transfer protocol
CN106713305A (en) * 2016-12-20 2017-05-24 济南浪潮高新科技投资发展有限公司 Replay attack prevention method based on function level timeout configuration

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9419949B2 (en) * 2014-03-31 2016-08-16 EXILANT Technologies Private Limited Increased communication security
CN104038505B (en) * 2014-06-24 2017-09-15 新华三技术有限公司 A kind of method and apparatus of IPSec anti-replays

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
周俊. "Research on the TETRA Network Security Architecture and an End-to-End Encryption Implementation". China Master's Theses Full-text Database, Information Science and Technology series, 2008. *
肖斌斌 et al. "An anti-replay attack scheme based on double verification". Computer Engineering, 2017. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant