CN111294326B - Method, apparatus, device and medium for confirming system data security

Info

Publication number: CN111294326B
Authority: CN (China)
Prior art keywords: information, client, data, http request, picture
Legal status: Active
Application number: CN201811506591.4A
Other languages: Chinese (zh)
Other versions: CN111294326A (en)
Inventors: 薛磊, 陈庆霞, 龚永鑫, 杜立, 刘二喜, 王昊, 蒋东, 李亚波, 张学奎
Current assignee: China Mobile Group Xinjiang Co Ltd; China Mobile Communications Group Co Ltd
Original assignee: China Mobile Group Xinjiang Co Ltd; China Mobile Communications Group Co Ltd

Application filed by China Mobile Group Xinjiang Co Ltd and China Mobile Communications Group Co Ltd
Priority to CN201811506591.4A
Publication of CN111294326A
Application granted
Publication of CN111294326B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

A method, apparatus, device and medium for confirming system data security. The method comprises the following steps: when a client sends Hypertext Transfer Protocol (HTTP) request information to a server, the client draws a picture with a preset pixel value through a picture drawing component and configures data information of the picture, wherein the data information comprises attribute information of the picture and characteristic data of the client, and the HTTP request information comprises HTTP request header information; performing data processing on the byte data of the picture carrying the data information to obtain fingerprint information of the client; encrypting the fingerprint information with a dynamic key to obtain a system ciphertext, and writing the system ciphertext into the HTTP request header information; and the server confirms the security of the system data according to the HTTP request header information into which the system ciphertext has been written, wherein the system data comprises the data of the client and the data of the server. With the method, apparatus, device and medium provided by the embodiments of the invention, system data security can be confirmed accurately.

Description

Method, apparatus, device and medium for confirming system data security
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a medium for confirming system data security.
Background
A server typically establishes access relationships with thousands of different clients. The server therefore needs to record the identity information of each client in order to generate its access records.
At present, when a client accesses a server, the server records the access only by identifying the identity information of the client; it does not verify the security of the request information the client generated when accessing the server. As a result, malicious software can easily imitate the processing flow of the client, so that client identity information that appears legitimate is generated on the server side and the system data is exposed to a potential security hazard.
The technical problem therefore exists that system data is exposed to potential security hazards when a client accesses a server.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a medium for confirming system data security, which can accurately confirm the system data security.
In one aspect of the embodiments of the present invention, a method for confirming system data security is provided, where the method includes:
when a client sends Hypertext Transfer Protocol (HTTP) request information to a server, the client draws a picture with a preset pixel value through a picture drawing component and configures data information of the picture, wherein the data information comprises attribute information of the picture and characteristic data of the client, and the HTTP request information comprises HTTP request header information;
performing data processing on the byte data of the picture carrying the data information to obtain fingerprint information of the client;
encrypting the fingerprint information with a dynamic key to obtain a system ciphertext, and writing the system ciphertext into the HTTP request header information;
and the server confirming the security of the system data according to the HTTP request header information into which the system ciphertext has been written, wherein the system data comprises the data of the client and the data of the server.
In another aspect of the embodiments of the present invention, an apparatus for confirming system data security is provided, where the apparatus includes:
a picture drawing module, used by the client to draw a picture with a preset pixel value through the picture drawing component and configure data information of the picture when the client sends HTTP request information to the server, wherein the data information comprises attribute information of the picture and characteristic data of the client, and the HTTP request information comprises HTTP request header information;
a fingerprint information module, used to perform data processing on the byte data of the picture carrying the data information to obtain fingerprint information of the client;
a system ciphertext module, used to encrypt the fingerprint information with a dynamic key to obtain a system ciphertext and to write the system ciphertext into the HTTP request header information;
and a system data module, used by the server to confirm the security of the system data according to the HTTP request header information into which the system ciphertext has been written, wherein the system data comprises the data of the client and the data of the server.
According to another aspect of the embodiments of the present invention, there is provided an apparatus for confirming system data security, the apparatus including:
a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the method of validating system data security as provided in any aspect of embodiments of the invention described above.
According to another aspect of embodiments of the present invention, there is provided a computer storage medium having computer program instructions stored thereon, the computer program instructions when executed by a processor implementing the method for confirming system data security as provided in any one of the aspects of embodiments of the present invention described above.
The embodiments of the invention provide a method, apparatus, device and medium for confirming system data security. A picture is drawn with the picture drawing component and configured with corresponding data information, and the fingerprint information of the client is finally obtained through data processing and encryption. The fingerprint information of the client is written into the HTTP request header information, and the server confirms system data security by identifying the fingerprint information of the client in the HTTP request header information. This effectively prevents the situation in which malicious software imitates the processing flow of the client, so that the server generates client identity information that appears legitimate and the system data is exposed to a potential security hazard.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings may be obtained according to the drawings without creative efforts.
FIG. 1 illustrates a flow diagram of a method of validating system data security in accordance with an embodiment of the present invention;
FIG. 2 illustrates a flow diagram of a particular method of validating system data security in accordance with an embodiment of the invention;
FIG. 3 is a flow chart illustrating a method of obtaining client fingerprint information according to an embodiment of the invention;
FIG. 4 is a process flow diagram of a server according to an embodiment of the invention;
FIG. 5 is a schematic structural diagram of an apparatus for confirming system data security according to an embodiment of the present invention;
FIG. 6 sets forth a block diagram of an exemplary hardware architecture of computing devices capable of implementing the method and apparatus for validating system data security according to embodiments of the present invention.
Detailed Description
Features of various aspects and exemplary embodiments of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and the embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
A method, an apparatus, a device, and a medium for confirming system data security according to embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that these examples are not intended to limit the scope of the present disclosure.
The method for confirming system data security according to the embodiment of the present invention is described in detail below with reference to fig. 1 and 4.
In one embodiment of the invention, as shown in fig. 1, fig. 1 is a flowchart of a method for confirming system data security according to an embodiment of the invention. First, when a visitor operates the client, the client generates unique fingerprint information and adds honeypots to the Hypertext Transfer Protocol (HTTP) request header information. It should be understood that honeypots are a technique for deceiving attackers; through technical and administrative means they enhance the security protection capability of the real system.
In the embodiment of the invention, the honeypots may be interference data, that is, data without any practical meaning that hinders a malicious program attempting to guess the HTTP request header information of the client. At the same time, the interference data has no effect on the HTTP request header information.
Secondly, when the client calls the server, the server performs signature verification. The signature verification may consist of checking a request parameter in the HTTP request information sent by the client to the server; for example, it is determined whether the User Agent (UA) in the HTTP request information sent by the client to the server is a legitimate parameter, and when it is, the server stores the first fingerprint information.
Next, when the client requests access to the server other than for the first time, the client again generates its fingerprint information for the current request and adds honeypots to the HTTP request header information of the current request. When the client calls the server again, the server performs signature verification again. It should be noted that the signature verification at this point may consist of verifying whether the information digest of the client at the current request is consistent with the first information digest. When the check result is consistent, the server obtains the fingerprint information of the client for the current request and verifies it against the first fingerprint information. If the verification result is inconsistent, the request is returned to the client; when the verification result is consistent, the server performs the subsequent service processing and returns the processing result to the client.
For better understanding of the present invention, the method for confirming system data security according to an embodiment of the present invention is described in detail below with reference to fig. 2, and fig. 2 is a flowchart illustrating a specific method for confirming system data security according to an embodiment of the present invention.
As shown in fig. 2, a method 200 for confirming system data security in the embodiment of the present invention includes the following steps:
S210, when the client sends HTTP request information to the server, the client draws a picture with a preset pixel value through the picture drawing component and configures data information of the picture, wherein the data information comprises attribute information of the picture and characteristic data of the client, and the HTTP request information comprises HTTP request header information.
Specifically, the picture drawing component may be the Hypertext Markup Language 5 (HTML5) Canvas component. The Canvas component can generate images on a web page in real time and manipulate the image content. The HTTP request header information indicates the request type of the client when it sends a request to the server. The attribute information of the picture may be at least one of a background color, a font size and a font type. The characteristic data of the client may be a user unique identifier and/or fixed characters. The user unique identifier may be a session identifier (Session Id), and the fixed characters may be the characters of the website domain name.
In an embodiment of the invention, when the client sends the HTTP request information to the server, the client draws a picture according to a preset pixel value through the HTML5 Canvas component, configures at least one of background color, font size and font type as attribute information of the picture, and configures the Session Id and/or the website domain name characters of the client for the picture.
In the embodiment of the invention, because a World Wide Web (Web) application or an application (APP) in Browser/Server (B/S) mode does not require any third-party plug-in, no unique client code can be obtained to serve as the identity information of the client. However, each browser uses a different image processing engine, a different picture export type, a different compression level and a different degree of Central Processing Unit (CPU) involvement, and each operating system uses a different anti-aliasing algorithm when processing pictures.
Therefore, the pictures finally exported by each browser differ, so the fingerprint information of the client obtained through the picture drawing component can serve as the unique identity credential of the client, and the security of the system data can be confirmed by verifying the fingerprint information of the client.
S220, performing data processing on the byte data of the picture carrying the data information to obtain fingerprint information of the client.
In an embodiment of the invention, the client first encodes the byte data of the picture configured with the data information in base64 to obtain the corresponding character string. Base64 encoding is used so that longer byte data can be transferred in an HTTP environment.
Next, a 32-bit Cyclic Redundancy Check (CRC32) is computed over the character string obtained above to obtain a CRC32 characteristic value.
Finally, the obtained CRC32 characteristic value is taken as the fingerprint information of the client. CRC32 is an error detection mechanism used in data storage and data communication to ensure the correctness of data.
In the embodiment of the invention, base64 encoding allows longer byte data to be encoded into a character string, which facilitates the transmission of longer identification information in an HTTP environment. Using the obtained CRC32 characteristic value as the fingerprint information of the client ensures that the fingerprint information of the client is correct, so that the fingerprint information does not become abnormal as a result of the data processing.
In an embodiment of the invention, as shown in fig. 3, fig. 3 is a flowchart of a method for acquiring the fingerprint information of the client in an embodiment of the invention. The method 300 for acquiring the fingerprint information of the client in the embodiment of the invention comprises the following steps:
S310, dynamically creating a Canvas component in memory.
S320, obtaining the context of the Canvas component.
S330, creating a random picture of m × n pixels.
S340, setting the picture attribute values.
S350, writing special (self-defined) characters.
S360, acquiring the picture value (base64) and processing it.
S370, extracting the CRC32 characteristic value.
Specifically, first, the client randomly generates an HTML5 Canvas component. Second, the Canvas 2d image rendering context is obtained. Next, a random picture of m × n pixels is drawn in memory through the context of the Canvas component; it should be understood that m and n are both positive integers. Then some attribute values of the picture are set, such as background color, font size and font type. Then special characters are written on the picture, where the special characters may be self-defined character information, for example a user unique identifier (e.g. the sessionId) or fixed characters (e.g. the website domain name characters). Finally, the byte data of the picture is obtained and base64-encoded, the CRC32 characteristic value is extracted from the character string obtained after base64 encoding, and the extracted CRC32 characteristic value is taken as the fingerprint information of the client.
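As an added example that is not part of the patent or of any implementation by its assignees, the following Node.js code derives the client fingerprint value in the order of S360 and S370: picture byte data, base64 character string, CRC32 of that string rendered as eight hex digits. The picture bytes are a constructed stand-in for what an HTML5 Canvas would export; in a browser the base64 string is what canvas.toDataURL() returns after the "data:image/png;base64," prefix, so fingerprintFromDataUrl() covers that path as well. The function names and the sample bytes are assumptions.

```javascript
// Added example, not the patent's own code. Runs under Node.js with no dependencies.

// Table-driven CRC-32 (IEEE polynomial, reflected form 0xEDB88320), the same
// CRC32 that zlib and most language runtimes compute.
const CRC32_TABLE = (() => {
  const table = new Uint32Array(256);
  for (let i = 0; i < 256; i++) {
    let c = i;
    for (let k = 0; k < 8; k++) {
      c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
    }
    table[i] = c >>> 0;
  }
  return table;
})();

// CRC32 over a byte sequence; returns an unsigned 32-bit integer.
function crc32(bytes) {
  let crc = 0xFFFFFFFF;
  for (const b of bytes) {
    crc = CRC32_TABLE[(crc ^ b) & 0xFF] ^ (crc >>> 8);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// S360/S370: the CRC32 characteristic value is computed over the base64
// character string, not over the raw picture bytes, and rendered as 8 hex digits.
function fingerprintFromBase64(base64String) {
  return crc32(Buffer.from(base64String, 'ascii')).toString(16).padStart(8, '0');
}

// Path 1: raw picture byte data (e.g. a PNG) -> base64 -> CRC32.
function fingerprintFromPictureBytes(pictureBytes) {
  return fingerprintFromBase64(Buffer.from(pictureBytes).toString('base64'));
}

// Path 2: a data URL as returned by HTMLCanvasElement.toDataURL() in a browser;
// the part after the comma is already the base64 string of the picture bytes.
function fingerprintFromDataUrl(dataUrl) {
  const comma = dataUrl.indexOf(',');
  if (!dataUrl.startsWith('data:') || comma < 0) throw new Error('not a data URL');
  return fingerprintFromBase64(dataUrl.slice(comma + 1));
}

// Constructed stand-in for exported picture bytes: a PNG signature followed by
// filler text. A real canvas export differs per browser/OS, which is what makes
// the value usable as a fingerprint.
const SAMPLE_PICTURE_BYTES = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.from('constructed canvas payload: sessionId=abc123 example.test', 'utf8'),
]);

console.log('fingerprint:', fingerprintFromPictureBytes(SAMPLE_PICTURE_BYTES));
```

In a page, the same value is obtained with fingerprintFromDataUrl(canvas.toDataURL()) after the picture of S330 to S350 has been drawn. CRC32 only detects accidental corruption and is not a collision-resistant hash, so the protection in this scheme rests on the encryption of S230 and the server-side comparison of S240, not on the fingerprint value itself being unforgeable.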
S230, encrypting the fingerprint information with the dynamic key to obtain a system ciphertext, and writing the system ciphertext into the HTTP request header information.
Specifically, a key is a parameter input to an algorithm that converts plaintext into ciphertext or ciphertext into plaintext. The dynamic key is a key that is generated afresh each time the client requests access to the server. Plaintext is text or a character string that has not been encrypted; in a communication system it may be text, a bitmap, digitized voice, digitized video images and so on. Ciphertext is the character or character string produced by applying an encryption algorithm.
In one embodiment of the invention, the fingerprint information of the client is used as the plaintext and is encrypted with the dynamic key to obtain the system ciphertext, and the obtained system ciphertext is finally written into the HTTP request header information. It should be noted that the dynamic key may also encrypt the service data of the client together with the fingerprint information of the client; the encrypted service data and the encrypted fingerprint information of the client are then used together as the system ciphertext and written into the HTTP request header information.
In the embodiment of the invention, because the dynamic key is obtained by encrypting an 8-digit random number with a public key, the probability of randomly generating two identical dynamic keys is 1/100000000, so the client generates a different dynamic key each time it requests access to the server. Therefore, the system ciphertext obtained by encryption with the dynamic key cannot be cracked by malicious software to obtain the fingerprint information of the client, which facilitates confirming system data security. It should be understood that the number of digits of the random number given above is only exemplary and is not particularly limited.
S240, the server confirms the security of the system data according to the HTTP request header information into which the system ciphertext has been written, wherein the system data comprises the data of the client and the data of the server.
In an embodiment of the invention, after receiving the HTTP request information sent by the client for the first time, the server decrypts the HTTP request header information into which the system ciphertext has been written to obtain the fingerprint information of the client, and stores this fingerprint information on the server as the first fingerprint information.
After the server receives HTTP request information that the client has not sent for the first time, the server decrypts the HTTP request header information into which the system ciphertext has been written to obtain the fingerprint information of the client for the current request, and compares it with the first fingerprint information stored on the server. If the fingerprint information of the client for the current request is consistent with the stored first fingerprint information, the security of the system data is confirmed.
If the fingerprint information of the client for the current request is inconsistent with the first fingerprint information stored on the server, the server considers that the Session of the client has been hijacked by malicious software and immediately performs security processing.
In the embodiment of the invention, when the client sends HTTP request information to the server other than for the first time, system data security is confirmed only when the fingerprint information of the client is consistent with the first fingerprint information. This effectively avoids the potential security hazard to system data that arises when malicious software imitates the processing flow of the client so that the server generates client identity information that appears legitimate.
In another embodiment of the invention, differing from the embodiment above, when the server receives HTTP request information that the client has not sent for the first time and decrypts the HTTP request header information into which the system ciphertext has been written to obtain the fingerprint information of the client for the current request, it may further process the system ciphertext corresponding to the HTTP request information sent by the client for the first time with the Message-Digest Algorithm 5 (MD5) and use the resulting information digest as the first information digest. Similarly, MD5 is used to process the system ciphertext corresponding to the current request to obtain the information digest of the client at the current request.
Next, if the information digest of the client at the current request is consistent with the first information digest, the fingerprint information of the client for the current request is obtained. If the information digest of the client at the current request is inconsistent with the first information digest, the server can immediately perform security processing.
In the embodiment of the invention, because MD5 can process any file, a unique information digest of the corresponding file is obtained, and the obtained information digest changes after any change is made to the file. Therefore, processing the system ciphertext with MD5 can effectively prevent the system ciphertext from being tampered with.
In another embodiment of the invention, before decrypting the HTTP request header information into which the system ciphertext has been written to obtain the first fingerprint information of the client, it may further be determined that the request parameter in the HTTP request information sent by the client to the server is a legitimate parameter, that is, it is confirmed that the HTTP request information sent by the client to the server was sent by a legitimate browser. The request parameter may be the UA in the HTTP request information.
In an embodiment of the invention, each time the client sends HTTP request information to the server, one or more sets of interference data may be written into the HTTP request header information of that request. It should be understood that interference data is any data without practical meaning; it hinders a malicious program attempting to guess the HTTP request header information of the client, and has no effect on the HTTP request header information itself.
Writing interference data into the HTTP request header information of the client effectively prevents malicious programs from guessing the HTTP request header information of the client and improves the security of the fingerprint information of the client while it is transmitted from the client to the server.
In an embodiment of the invention, as shown in fig. 4, fig. 4 is a schematic diagram of the processing method of the server in an embodiment of the invention. The server-side processing method 400 in the embodiment of the invention comprises the following steps:
S410, acquiring the HTTP request information of the client.
S420, performing signature verification on the fingerprint and other data.
S430, performing fingerprint matching.
S440, performing subsequent processing.
S450, confirming that the Session has been hijacked.
S460, performing security processing.
Specifically, after acquiring the HTTP request information of the client, the server first performs signature verification on the fingerprint and other data. If the signature verification fails, the server performs security processing. If the signature verification passes, the server performs fingerprint matching: if the fingerprint information in the current request matches the first fingerprint information, the server performs the subsequent service processing; if the fingerprint information in the current request does not match the first fingerprint information, the server considers that the Session of the client has been hijacked and therefore performs security processing.
With the method for confirming system data security of this embodiment, because the pictures finally exported by different browsers differ in B/S mode, a picture is drawn with the picture drawing component and configured with the corresponding data information, and the fingerprint information of the client is finally obtained through data processing and encryption. The fingerprint information of the client is written into the HTTP request header information, and the server confirms system data security by identifying the fingerprint information of the client in the HTTP request header information. This effectively avoids the potential security hazard to system data that arises when malicious software imitates the processing flow of the client so that the server generates client identity information that appears legitimate.
The apparatus for confirming system data security according to an embodiment of the present invention, which corresponds to the method for confirming system data security, is described in detail with reference to fig. 5.
Fig. 5 is a schematic structural diagram of an apparatus for confirming system data security according to an embodiment of the present invention.
As shown in fig. 5, the apparatus 500 for confirming system data security includes:
the picture drawing module 510 is configured to, when the client sends hypertext transfer protocol (HTTP) request information to the server, draw, by the client, a picture with a preset pixel value through a picture drawing component and configure data information of the picture, where the data information includes attribute information of the picture and characteristic data of the client, and the HTTP request information includes HTTP request header information.
The fingerprint information module 520 is configured to perform data processing on byte data of the picture with the data information to obtain fingerprint information of the client.
The system ciphertext module 530 is configured to encrypt the fingerprint information with a dynamic key to obtain a system ciphertext, and to write the system ciphertext into the HTTP request header information.
The system data module 540 is used by the server side to confirm the security of the system data according to the HTTP request header information into which the system ciphertext is written, where the system data includes data of the client side and data of the server side.
In an embodiment of the present invention, the picture drawing module 510 is specifically configured to, when the client sends the HTTP request information to the server, draw, by the client, a picture with a preset pixel value through the picture drawing component, and configure data information of the picture. The data information includes attribute information of the picture and characteristic data of the client, and the HTTP request information includes HTTP request header information. The attribute information includes one or more of the following parameters: background color, font size, and font type. The characteristic data includes: a user unique identifier and/or a fixed character. The picture drawing component comprises: HTML5 Canvas. The user unique identifier comprises: the time-domain identity identifier Session Id. The fixed character includes: website domain name characters.
Through the picture drawing module 510, the fingerprint information of the client is obtained, and then the system data security can be accurately confirmed by verifying the fingerprint information of the client.
In an embodiment of the present invention, the fingerprint information module 520 is specifically configured to base64-encode the byte data of the picture with the data information to obtain a character string, perform a CRC32 check on the character string to obtain a CRC32 characteristic value, and use the CRC32 characteristic value as the fingerprint information of the client.
Longer byte data is encoded into a string by the fingerprint information module 520, which facilitates the transfer of longer identification information in the HTTP environment. Using the obtained CRC32 characteristic value as the fingerprint information of the client ensures that the fingerprint information is correct, so that the fingerprint information of the client does not become abnormal as a result of data processing.
In an embodiment of the present invention, the system ciphertext module 530 is further configured to write the interference data in the HTTP request header information of the client.
Interference data is written in the HTTP request header information of the client through the system ciphertext module 530, so that malicious programs can be effectively prevented from guessing the HTTP request header information of the client, and the security of the fingerprint information of the client in the process of being transmitted from the client to the server is improved.
In an embodiment of the present invention, the system data module 540 is specifically configured to, after the server side receives the HTTP request information sent by the client for the first time, decrypt the HTTP request header information into which the system ciphertext is written to obtain the first fingerprint information of the client. After the server receives HTTP request information that is not the first sent by the client, it decrypts the HTTP request header information into which the system ciphertext is written to obtain the fingerprint information of the client at the current request. If the fingerprint information of the client at the current request is consistent with the first fingerprint information of the client, the security of the system data is confirmed.
Through the system data module 540, when the client is not sending HTTP request information to the server for the first time, the security of the system data is confirmed only when the fingerprint information of the client is consistent with the first fingerprint information. This effectively avoids the situation in which malicious software simulates the processing flow of the client so that legitimate client identity information is generated at the server, leaving a potential security hazard in the system data.
In an embodiment of the present invention, the system data module 540 is further configured to, before decrypting the HTTP request header information into which the system ciphertext is written to obtain the fingerprint information of the client at the current request, process the system ciphertext with MD5 so as to obtain a first information digest for the HTTP request information sent by the client for the first time and an information digest for the current request. It then determines whether the information digest of the client at the current request is consistent with the first information digest.
Through the system data module 540, the system ciphertext is processed by the MD5, so that the system ciphertext can be effectively prevented from being tampered.
In an embodiment of the present invention, the system data module 540 is further configured to, before decrypting the HTTP request header information into which the system ciphertext is written to obtain the first fingerprint information of the client, determine that the request parameters in the HTTP request information sent by the client to the server are legal parameters, where the request parameters include: the User Agent.
By the system data module 540, interference data is written in the HTTP request header information of the client, so that a malicious program can be effectively prevented from guessing the HTTP request header information of the client, and the security of the fingerprint information of the client in the process of being transmitted from the client to the server is improved.
Through the device for confirming user information security in this embodiment, the server side confirms system data security by identifying the fingerprint information of the client written in the HTTP request header information. This effectively avoids the situation in which malicious software simulates the processing flow of the client so that legitimate client identity information is generated at the server, leaving a hidden security risk in the system data.
FIG. 6 sets forth a block diagram of an exemplary hardware architecture of computing devices capable of implementing the method and apparatus for validating system data security according to embodiments of the present invention.
As shown in fig. 6, computing device 600 includes an input device 601, an input interface 602, a central processor 603, a memory 604, an output interface 605, and an output device 606. The input interface 602, the central processing unit 603, the memory 604, and the output interface 605 are connected to each other via a bus 610, and the input device 601 and the output device 606 are connected to the bus 610 via the input interface 602 and the output interface 605, respectively, and further connected to other components of the computing device 600.
Specifically, the input device 601 receives input information from the outside, and transmits the input information to the central processor 603 through the input interface 602; the central processor 603 processes input information based on computer-executable instructions stored in the memory 604 to generate output information, stores the output information temporarily or permanently in the memory 604, and then transmits the output information to the output device 606 through the output interface 605; output device 606 outputs output information to the exterior of computing device 600 for use by a user.
That is, the computing device shown in fig. 6 may also be implemented with a device for validating system data security, which may include: a memory storing computer-executable instructions; and a processor which, when executing computer executable instructions, may implement the method and apparatus for validating system data security described in connection with fig. 1-5.
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores computer program instructions; the computer program instructions, when executed by a processor, implement the method for validating system data security provided by embodiments of the present invention.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention. The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. For example, the algorithms described in the specific embodiments may be modified without departing from the basic spirit of the invention. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (10)

1. A method for validating system data security, comprising:
when a client sends hypertext transfer protocol (HTTP) request information to a server, the client draws a picture with a preset pixel value through a picture drawing component and configures data information of the picture, wherein the data information comprises: attribute information of the picture and feature data of the client, wherein the HTTP request information comprises HTTP request header information;
carrying out data processing on byte data of the picture with the data information to obtain fingerprint information of the client;
encrypting the fingerprint information through a dynamic key to obtain a system ciphertext, and writing the system ciphertext into the HTTP request header information;
the server side confirms the safety of system data according to HTTP request header information written into the system ciphertext, wherein the system data comprise the data of the client side and the data of the server side;
the server side confirms the system data security according to the HTTP request header information written in the system ciphertext, and the method comprises the following steps:
after the server receives HTTP request information that is not the first sent by the client, determining whether the information digest of the client at the current request is consistent with the first information digest of the HTTP request information sent by the client for the first time; the information digest of the client at the current request and the first information digest are obtained by processing the system ciphertext with the message digest algorithm MD5;
decrypting the HTTP request header information written into the system ciphertext under the condition that the information digest of the client at the current request is determined to be consistent with the first information digest, to obtain the fingerprint information of the client at the current request;
if the fingerprint information of the client side is consistent with the first fingerprint information of the client side in the current request, confirming the system data security; the first fingerprint information is obtained by decrypting HTTP request header information written in the system ciphertext after the server receives HTTP request information sent by the client for the first time;
the method further comprises the following steps:
under the condition that the information digest of the client at the current request is determined to be inconsistent with the first information digest, the server side carries out security processing.
2. The method for validating system data security as claimed in claim 1,
the attribute information includes one or more of the following parameters: background color, font size and font type;
the characteristic data includes: a user unique identification and/or a fixed character.
3. The method for confirming system data security according to claim 1, wherein the performing data processing on byte data of the picture with the data information to obtain fingerprint information of the client includes:
carrying out base64 encoding on byte data of the picture with the data information to obtain a character string;
performing a 32-bit cyclic redundancy check (CRC32) on the character string to obtain a CRC32 characteristic value;
and taking the CRC32 characteristic value as fingerprint information of the client.
4. The method for validating system data security as claimed in claim 2,
the user unique identifier comprises: the time-domain identity identifier Session Id;
the fixed character includes: website domain name characters.
5. The method for validating system data security as claimed in claim 1, further comprising:
and writing interference data in HTTP request header information of the client.
6. The method for confirming system data security according to claim 1, wherein before decrypting the request header information of the HTTP written into the system ciphertext to obtain the first fingerprint information of the client, the method further comprises:
determining that request parameters in HTTP request information sent by the client to the server are legal parameters, wherein the request parameters include: the User Agent.
7. The method for confirming system data security of claim 1, wherein the picture drawing component comprises: the hypertext markup language 5 (HTML5) Canvas.
8. An apparatus for validating system data security, comprising:
the image drawing module is used for drawing an image with a preset pixel value and configuring data information of the image by an image drawing component when a client sends hypertext transfer protocol (HTTP) request information to a server, wherein the data information comprises: attribute information of the picture and characteristic data of the client, wherein the HTTP request information comprises HTTP request header information;
the fingerprint information module is used for carrying out data processing on byte data of the picture with the data information to obtain fingerprint information of the client;
the system ciphertext module is used for encrypting the fingerprint information through a dynamic key to obtain a system ciphertext and writing the system ciphertext into the HTTP request header information;
the system data module is used for confirming system data safety by the server side according to HTTP request header information written in the system ciphertext, and the system data comprises data of the client side and data of the server side;
the system data module is specifically configured to:
after the server receives HTTP request information that is not the first sent by the client, determining whether the information digest of the client at the current request is consistent with the first information digest of the HTTP request information sent by the client for the first time; the information digest of the client at the current request and the first information digest are obtained by processing the system ciphertext with the message digest algorithm MD5;
decrypting the HTTP request header information written into the system ciphertext under the condition that the information digest of the client at the current request is determined to be consistent with the first information digest, to obtain the fingerprint information of the client at the current request;
if the fingerprint information of the client side is consistent with the first fingerprint information of the client side in the current request, confirming the system data security; the first fingerprint information is obtained by decrypting HTTP request header information written in the system ciphertext after the server receives HTTP request information sent by the client for the first time;
the system data module is further to:
under the condition that the information digest of the client at the current request is determined to be inconsistent with the first information digest, the server side carries out security processing.
9. An apparatus for validating system data security, the apparatus comprising:
a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the method of validating system data security as defined in any one of claims 1 to 7.
10. A computer storage medium having computer program instructions stored thereon which, when executed by a processor, implement a method of validating system data security as claimed in any one of claims 1 to 7.
CN201811506591.4A 2018-12-10 2018-12-10 Method, apparatus, device and medium for confirming system data security Active CN111294326B (en)

Publications (2)

Publication Number Publication Date
CN111294326A CN111294326A (en) 2020-06-16
CN111294326B true CN111294326B (en) 2022-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant