CN111294388A - Configuration file generation method, device, equipment and storage medium - Google Patents

Info

Publication number: CN111294388A
Authority: CN (China)
Prior art keywords: key, preset, configuration, client, detected
Prior art date:
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202010045341.6A
Other languages: Chinese (zh)
Other versions: CN111294388B (en)
Inventors: 翟岳辉, 刘亚猛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Ping An Life Insurance Company of China Ltd
Original Assignee: Ping An Life Insurance Company of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.):
Filing date:
Publication date:
Application filed by Ping An Life Insurance Company of China Ltd
Priority to CN202010045341.6A
Publication of CN111294388A
Application granted
Publication of CN111294388B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/2866: Architectures; Arrangements
    • H04L67/30: Profiles
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of information security, and discloses a method, a device, equipment and a storage medium for generating a configuration file, which are used for preventing information leakage of the configuration file in the process of extracting the configuration file, improving the protection of a system on the configuration file and reducing the potential safety hazard of the system. The method comprises the following steps: acquiring a configuration request of a client, analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key; judging whether the key to be detected is the same as the authentication key, wherein the authentication key is obtained by analyzing configuration information through preset algorithm presetting; if the authentication key is the same as the key to be authenticated, a session key is generated; and feeding back the configuration file to the client through the session key, wherein the configuration file comprises preset configuration information.

Description

Configuration file generation method, device, equipment and storage medium
Technical Field
The present invention relates to the field of information security, and in particular, to a method, an apparatus, a device, and a storage medium for generating a configuration file.
Background
In computer science, a configuration file is a computer file. When a user logs on to a computer running Windows New Technology (Windows NT) for the first time, the system on that computer creates a special configuration file by default to store the client name, client password, network connections, printer connections, mouse settings, window size and position, and the like. In general, configuration files hold the configuration parameters and initial settings of a computer program, and their existence makes it convenient for clients to modify or set up the computer, so the security of configuration files is particularly important.
In a microservice architecture, the configuration file is usually protected by setting a uniform password, and in the process of obtaining the configuration file a client can obtain it only by unlocking that password with the corresponding key. However, when the configuration file is protected by a uniform password, once an illegal client uses that uniform password to break the computer's secret key, the configuration file is leaked on a large scale and the security of the system is threatened.
Disclosure of Invention
The invention provides a method, a device, equipment and a storage medium for generating a configuration file, which are used for preventing the problem of information leakage of the configuration file and improving the protection capability of a system on the configuration file.
A first aspect of an embodiment of the present invention provides a method for generating a configuration file, including: acquiring a configuration request of a client, analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key; judging whether the key to be detected is the same as an authentication key, wherein the authentication key is obtained by analyzing configuration information through preset algorithm presetting; if the authentication key is the same as the key to be authenticated, a session key is generated; and feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.
Optionally, in a first implementation manner of the first aspect of the embodiment of the present invention, a configuration request of a client is obtained in a configuration center, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key; obtaining a challenge code generated according to the configuration request in the configuration center; and analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated.
Optionally, in a second implementation manner of the first aspect of the embodiment of the present invention, the byte length of the key to be detected is adjusted, where the byte length of the key to be detected is the same as a preset byte length; performing exclusive-or operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; performing exclusive-or operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length; and combining the second related key with the first candidate key to obtain a key to be authenticated.
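The five steps of this second implementation (adjust the key length, XOR with a first string, combine with the challenge, XOR with a second string, combine again) are the structure of HMAC, which the description later names as the preset algorithm. The following Python example is added here for illustration and is not code from the patent or from its assignee. It assumes SHA-256 as the hash, a preset byte length of 64 (the SHA-256 block size), the HMAC ipad and opad bytes 0x36 and 0x5C as the first and second character strings, and that "combining" means concatenate-then-hash; it then checks that the step-by-step result equals the standard-library HMAC, so a reader can see that the patent's procedure and a stock HMAC are interchangeable.

```python
import hashlib
import hmac

# Assumptions for this example: SHA-256, and the standard HMAC inner/outer pads
# as the patent's "preset first/second character string".
PRESET_BYTE_LENGTH = 64                               # SHA-256 block size
FIRST_STRING = bytes([0x36]) * PRESET_BYTE_LENGTH     # HMAC ipad
SECOND_STRING = bytes([0x5C]) * PRESET_BYTE_LENGTH    # HMAC opad


def adjust_key_length(key_to_be_detected: bytes) -> bytes:
    """Step 1: bring the key to the preset byte length.

    HMAC rule (assumed here): keys longer than one block are hashed first,
    shorter keys are zero-padded on the right.
    """
    if len(key_to_be_detected) > PRESET_BYTE_LENGTH:
        key_to_be_detected = hashlib.sha256(key_to_be_detected).digest()
    return key_to_be_detected.ljust(PRESET_BYTE_LENGTH, b"\x00")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive-or of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def key_to_be_authenticated(key_to_be_detected: bytes, challenge_code: bytes) -> bytes:
    """Client-side computation of the key to be authenticated, step by step."""
    adjusted_key = adjust_key_length(key_to_be_detected)
    # Step 2: key XOR first string -> first related key
    first_related_key = xor_bytes(adjusted_key, FIRST_STRING)
    # Step 3: combine first related key with the challenge -> first candidate key
    first_candidate_key = hashlib.sha256(first_related_key + challenge_code).digest()
    # Step 4: key XOR second string -> second related key
    second_related_key = xor_bytes(adjusted_key, SECOND_STRING)
    # Step 5: combine second related key with first candidate key -> key to be authenticated
    return hashlib.sha256(second_related_key + first_candidate_key).digest()


def matches_standard_hmac(key_to_be_detected: bytes, challenge_code: bytes) -> bool:
    """True when the step-by-step value equals hmac.new(key, challenge, sha256)."""
    reference = hmac.new(key_to_be_detected, challenge_code, hashlib.sha256).digest()
    return hmac.compare_digest(key_to_be_authenticated(key_to_be_detected, challenge_code), reference)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the patent.
    print(matches_standard_hmac(b"derived-client-key", b"challenge-code-0001"))
```

Because the result is a standard HMAC, a configuration center built this way can verify clients with any conforming HMAC library; what keeps the scheme sound is that the challenge code is fresh for every request and that the key to be detected itself never leaves the client.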
Optionally, in a third implementation manner of the first aspect of the embodiment of the present invention, a second preset key in the configuration center is obtained; carrying out key derivation on the client name and a second preset key through a triple data encryption algorithm to obtain a symmetric key in a configuration center, wherein the preset configuration information comprises the client name; obtaining an authentication key according to the symmetric key and the preset algorithm; and judging whether the key to be detected is the same as the authentication key.
Optionally, in a fourth implementation manner of the first aspect of the embodiment of the present invention, in a configuration center, byte data of a client name is obtained, where the preset configuration information includes the client name; performing triple data encryption algorithm on the byte data of the client name and a second preset key to obtain a first symmetric key; negating the byte data of the client name to obtain the reversed byte data of the client name; performing a triple data encryption algorithm on the inverted byte data of the client name and the second preset key to obtain a second symmetric key; and combining the first symmetric key and the second symmetric key to obtain a symmetric key.
Optionally, in a fifth implementation manner of the first aspect of the embodiment of the present invention, a byte length of the symmetric key is adjusted, where the byte length of the symmetric key is the same as the preset byte length; carrying out XOR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length; combining the third related key with the challenge code to obtain a second candidate key; performing exclusive-or operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length; and combining the third related secret key with the second candidate secret key to obtain an authentication secret key.
Optionally, in a sixth implementation manner of the first aspect of the embodiment of the present invention, preset configuration information is obtained in a configuration center; and arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.
A second aspect of the embodiments of the present invention provides a device for generating a configuration file, including: the system comprises an analysis unit, a verification unit and a verification unit, wherein the analysis unit is used for acquiring a configuration request of a client and analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key; the judging unit is used for judging whether the key to be detected is the same as an authentication key or not, and the authentication key is obtained by analyzing configuration information through preset algorithm presetting; the confirming unit is used for generating a session key if the authentication key is the same as the key to be authenticated; and the feedback unit is used for feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.
Optionally, in a first implementation manner of the second aspect of the embodiment of the present invention, the parsing unit specifically includes: the system comprises a first acquisition module, a first configuration module and a second acquisition module, wherein the first acquisition module is used for acquiring a configuration request of a client in a configuration center, the configuration request comprises a key to be detected, and the key to be detected is obtained by key derivation between a client name and a first preset key; a generating module, configured to obtain, in the configuration center, a challenge code generated according to the configuration request; and the analysis module is used for analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated.
Optionally, in a second implementation manner of the second aspect of the embodiment of the present invention, the parsing module is specifically configured to: adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length; performing exclusive-or operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; performing exclusive-or operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length; and combining the second related key with the first candidate key to obtain a key to be authenticated.
Optionally, in a third implementation manner of the second aspect of the embodiment of the present invention, the derivation unit includes: the second acquisition module is used for acquiring a second preset key in the configuration center; the derivation module is used for carrying out key derivation on the client name and a second preset key through a triple data encryption algorithm to obtain a symmetric key in a configuration center, wherein the preset configuration information comprises the client name; the third obtaining module is used for obtaining an authentication key according to the symmetric key and the preset algorithm; and the judging module is used for judging whether the key to be detected is the same as the authentication key.
Optionally, in a fourth implementation manner of the second aspect of the embodiment of the present invention, the derivation module is specifically configured to: in a configuration center, acquiring byte data of a client name, wherein the preset configuration information comprises the client name; performing triple data encryption algorithm on the byte data of the client name and a second preset key to obtain a first symmetric key; negating the byte data of the client name to obtain the reversed byte data of the client name; performing a triple data encryption algorithm on the inverted byte data of the client name and the second preset key to obtain a second symmetric key; and combining the first symmetric key and the second symmetric key to obtain a symmetric key.
Optionally, in a fifth implementation manner of the second aspect of the embodiment of the present invention, the third obtaining module is specifically configured to: adjusting the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length; carrying out XOR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length; combining the third related key with the challenge code to obtain a second candidate key; performing exclusive-or operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length; and combining the third related secret key with the second candidate secret key to obtain an authentication secret key.
Optionally, in a sixth implementation manner of the second aspect of the embodiment of the present invention, the device for generating a configuration file further includes: a second acquisition unit, configured to acquire preset configuration information in the configuration center; and a summarizing unit, configured to arrange and summarize the preset configuration information according to a preset rule to obtain a configuration file.
A third aspect of an embodiment of the present invention provides a device for generating a configuration file, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method for generating a configuration file according to any one of the foregoing embodiments when executing the computer program.
A fourth aspect of embodiments of the present invention provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the first aspect described above.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiment of the invention, during extraction of the configuration file, the client's key to be authenticated is transmitted to the configuration center to verify the identity of the client, and the configuration file is transmitted only after verification succeeds, so that information leakage of the configuration file is prevented, the protection of the configuration file by the system is improved, and the potential safety hazard of the system is reduced.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for generating a configuration file according to the present invention;
FIG. 2 is a schematic diagram of another embodiment of a method for generating a configuration file according to the present invention;
FIG. 3 is a schematic diagram of an embodiment of a device for generating a configuration file according to the present invention;
FIG. 4 is a schematic diagram of another embodiment of a device for generating a configuration file according to the present invention;
FIG. 5 is a schematic diagram of an embodiment of a device for generating a configuration file according to the present invention.
Detailed Description
The invention provides a method, a device, equipment and a storage medium for generating a configuration file, which are used for preventing the problem of information leakage of the configuration file and improving the protection capability of a system on the configuration file.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, an embodiment of a method for generating a configuration file according to an embodiment of the present invention includes:
101. the method comprises the steps of obtaining a configuration request of a client, analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key.
The server obtains a configuration request of the client, analyzes the configuration request by using a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on the name of the client and a first preset key.
The configuration request is a request by which a client asks to extract a configuration file from the server. The configuration file is a special file created by the system to store the client name, client password and the like when the client logs in to the server; because of its importance, a client that extracts the configuration file must first pass identity authentication and can obtain the file only after authentication succeeds. The client's configuration request is built from the client name and a first preset key. Since the first preset key would be leaked if it were transmitted directly to the server during identity verification, a key derivation algorithm is applied to the client name and the first preset key, and the result is the key to be detected.
It should be noted that a key derivation algorithm is used here. It is also called a key distribution (diversification) algorithm and is a deterministic algorithm for deriving a symmetric key from some secret values. For example, a double-length master key (one key length is 8 bytes) is arranged in the server, and the master key is used to diversify the data to be encrypted and derive a double-length symmetric encryption key. The server uses the same key for both encryption and decryption, so the two keys can simply be derived from each other.
It can be understood that the preset algorithm used here is a hash-based message authentication code (HMAC), which parses the configuration request and the key to be detected to obtain the key to be authenticated.
102. And judging whether the key to be detected is the same as the authentication key, wherein the authentication key is obtained by analyzing the configuration information through preset algorithm presetting.
The server judges whether the key to be detected is the same as the authentication key, and the authentication key is obtained by analyzing the configuration information through preset algorithm presetting.
It should be noted that the configuration center here uses the distributed version control system git, which handles version management of projects from very small to very large quickly and effectively. Because the server uses a distributed version control system, changes to the content of one or several files can be recorded quickly and reliably, and the revision history of a specific version can be consulted; a file or project can be restored to its state at some past point in time, and the part of the client's change being accessed, and the change itself, can be identified; a file can be deleted and restored, which makes the server's handling of files more flexible and meets the differing needs of clients.
Using git localizes the server's repository and supports offline commits; repositories are relatively independent and do not interfere with collaborative development, and a client can freely commit code, create branches and perform similar actions on the repository. It reduces repository pollution on the server, since git creates only one directory per project and keeps all of the project's version-control information inside it. The server can store content as metadata and clone a repository completely, and the clone has everything the central repository has, such as tags, branches and version records. The server supports fast branch switching, and merging is convenient and performs well: different branches can be switched under the same directory, and merging is straightforward.
Note that, in this embodiment, the files may instead be arranged with the open-source version control system Subversion (SVN) rather than git.
It can be appreciated that, because clients typically use weak passwords, password-based key derivation functions are made slow and memory-hungry, which makes brute-force and similar attacks difficult to mount. A password-based key derivation function, however, leaves the system with the difficulty of remembering and safely storing the key, so the configuration file remains at risk of theft; a master key, on the other hand, is hard to crack by brute force, so the server can generate a symmetric key with a key derivation function that is not password-based. Symmetric encryption is much faster than public-key encryption, and there are many symmetric algorithms, for example: the Data Encryption Standard (DES), whose key length is 56, and which applies the principles of confusion and diffusion in a block-cipher design over the data to be encrypted; the triple data encryption algorithm (3DES), which is equivalent to the server applying DES three times to each block of data to be encrypted, because the DES key is too short and is easily brute-forced, and 3DES avoids such attacks by increasing the key length; and the Advanced Encryption Standard (AES), whose key may be 128, 192 or 256 bits. Here, the server performs key derivation on a second preset key and configuration information, both set in the server in advance, using the triple data encryption algorithm, and thereby obtains the symmetric key.
It should be noted that the preset algorithm here is HMAC, and the symmetric key and the challenge code are analyzed to obtain the authentication key. The process of acquiring the authentication key is similar to that of acquiring the key to be authenticated, and therefore, the details are not described herein.
Therefore, the server does not transmit the obtained symmetric key in the transmission channel, and compares the authentication key calculated in the configuration center with the key to be verified calculated in the client, so that the symmetric key is ensured not to be leaked, other clients cannot know the key for accessing the configuration center, and the security of file transmission is ensured.
103. If the authentication key is the same as the key to be authenticated, a session key is generated.
If the authentication key is the same as the key to be authenticated, the server generates a session key.
It should be noted that, after the server has obtained the authentication key and the key to be authenticated, each of which incorporates the challenge code, it compares the two; if their contents at every position are the same, the authentication key and the key to be authenticated are judged to be the same.
For example, assume the authentication key computed by the server from the challenge code is 'CDEF4321' and the key to be authenticated computed by the client from the challenge code is 'CDEF4321'. The key to be authenticated is transmitted to the server, the server compares it with the authentication key, and since the contents of the two keys agree at every position, the server concludes that they are the same and generates a session key.
104. The configuration file, which comprises the preset configuration information, is fed back to the client through the session key.
The session key used by the server is agreed between the two parties in advance and cannot be obtained by a third party, so the only information transmitted between the client and the server is the challenge code and the key to be authenticated: the challenge code is a random number with which the server challenges the client, and the key to be authenticated is the client's HMAC response to the server. The server compares the key to be authenticated with the authentication key; if they are the same, the target key inside the key to be authenticated and the symmetric key inside the authentication key are the same, the client is a legitimate client, and the server can feed back the configuration file of the configuration center to the client. During identity authentication the symmetric key cannot be calculated from the challenge code and the key to be authenticated, so a client that does not hold the matching symmetric key cannot forge a consistent response; the server judges such a client to be a dangerous client and does not feed back the configuration file of the configuration center to it, which further ensures the security of the configuration file.
Because the HMAC algorithm is "transient", that is, the key to be authenticated is valid only at that moment, after the configuration file has been fed back over the session-key-protected communication, the server must perform identity authentication again if the client wants to obtain the configuration file again.
It should be noted that, when the server feeds back the configuration file from the configuration center, it also feeds back the latest modification time of the configuration file.
In the embodiment of the invention, during extraction of the configuration file, the client's key to be authenticated is transmitted to the configuration center for identity verification of the client, and the configuration file is transmitted only after verification succeeds, so that leakage of configuration file information is prevented, the system's protection of the configuration file is improved, and the system's potential security risks are reduced.
Referring to fig. 2, another embodiment of the method for generating a configuration file according to the embodiment of the present invention includes:
201. A configuration request of a client is obtained and parsed with a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key.
The server obtains the configuration request of the client and parses it with the preset algorithm to obtain the key to be authenticated; the configuration request comprises the key to be detected, which is obtained by key derivation on the client name and the first preset key. Specifically: the configuration request of the client is obtained in the configuration center, where the configuration request comprises the key to be detected and the key to be detected is obtained by key derivation on the client name and the first preset key; a challenge code generated according to the configuration request is obtained in the configuration center; and the challenge code and the key to be detected are processed with the preset algorithm to obtain the key to be authenticated.
Processing the challenge code and the key to be detected with the preset algorithm to obtain the key to be authenticated comprises: adjusting the byte length of the key to be detected so that it equals the preset byte length; XORing the key to be detected with a preset first character string to obtain a first related key, where the byte length of the preset first character string equals the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; XORing the key to be detected with a preset second character string to obtain a second related key, where the byte length of the preset second character string equals the preset byte length; and combining the second related key with the first candidate key to obtain the key to be authenticated.
A configuration request is a request by a client to extract a configuration file from the server. The configuration file is a special file created by the system to store the client name, client password and similar data used when the client logs in to the server; because of its importance, a client that extracts the configuration file must first pass identity authentication and can obtain the file only after authentication succeeds. The configuration request of the client involves the client name and the first preset key; since transmitting the first preset key directly to the server would leak it, a key derivation algorithm is applied to the client name and the first preset key to obtain the key to be detected, and this derived value is what is used during client identity verification.
It can be understood that the preset algorithm used here is the hash-based message authentication code (HMAC), which processes the challenge code and the key to be detected to obtain the key to be authenticated. The server first determines the byte length of the key to be detected. If it is shorter than the preset byte length (that is, shorter than the block length of the one-way hash function), the server appends zero bytes to the key to be detected until its length reaches the block length; if it is longer than the preset byte length (longer than the block length), the server computes the one-way hash of the key to be detected and uses that hash value as the key to be detected; if the length already equals the preset byte length, no processing is needed. The server then XORs the key to be detected with a preset first character string to obtain the first related key, where the preset first character string is formed by repeating the bit sequence 00110110 until its byte length equals the preset byte length. The server combines the first related key with the challenge code to obtain the first candidate key: the challenge code is a character string randomly generated by the server, the server prepends the first related key to the challenge code and feeds the concatenation into the one-way hash function, and the output is the first candidate key. Next, the server XORs the key to be detected with a preset second character string to obtain the second related key, where the preset second character string is formed by repeating the bit sequence 01011100 until its byte length equals the preset byte length. Finally, the server combines the second related key with the first candidate key to obtain the key to be authenticated: it concatenates the second related key and the first candidate key and feeds the result into the one-way hash function, whose output is the key to be authenticated.
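The step-by-step construction above (length adjustment, XOR with the repeated 00110110 and 01011100 strings, inner and outer hash) written out in Go, as an added example that is not part of the patent; it assumes SHA-256 as the one-way hash function, so the preset byte length is 64, and checks the result against Go's standard crypto/hmac.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// presetByteLength is the block length of the one-way hash function. SHA-256 is an
// assumption (the text does not name the hash); its block length is 64 bytes.
const presetByteLength = sha256.BlockSize

// adjustKeyLength implements the length adjustment of the text: a key longer than
// the block length is replaced by its hash, a shorter key is padded with zero bytes.
func adjustKeyLength(key []byte) []byte {
	if len(key) > presetByteLength {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	adjusted := make([]byte, presetByteLength)
	copy(adjusted, key) // remaining bytes stay 0x00
	return adjusted
}

// presetString builds the preset first/second character string: one bit pattern
// repeated until the byte length equals the preset byte length.
func presetString(pattern byte) []byte {
	s := make([]byte, presetByteLength)
	for i := range s {
		s[i] = pattern
	}
	return s
}

// xorBytes XORs two equal-length byte strings (the "related key" step).
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func concat(a, b []byte) []byte {
	out := make([]byte, 0, len(a)+len(b))
	out = append(out, a...)
	return append(out, b...)
}

// keyToBeAuthenticated follows the five steps of the text: adjust the key length,
// XOR with 00110110..., hash(firstRelated || challenge), XOR with 01011100...,
// hash(secondRelated || firstCandidate).
func keyToBeAuthenticated(keyToBeDetected, challenge []byte) []byte {
	k := adjustKeyLength(keyToBeDetected)
	firstRelated := xorBytes(k, presetString(0x36)) // 0x36 = 00110110
	firstCandidate := sha256.Sum256(concat(firstRelated, challenge))
	secondRelated := xorBytes(k, presetString(0x5c)) // 0x5c = 01011100
	result := sha256.Sum256(concat(secondRelated, firstCandidate[:]))
	return result[:]
}

// matchesStandardHMAC checks the stepwise construction against crypto/hmac,
// which implements RFC 2104 HMAC-SHA256, using a constant-time comparison.
func matchesStandardHMAC(keyToBeDetected, challenge []byte) bool {
	mac := hmac.New(sha256.New, keyToBeDetected)
	mac.Write(challenge)
	return hmac.Equal(mac.Sum(nil), keyToBeAuthenticated(keyToBeDetected, challenge))
}

func main() {
	// Constructed sample key; "ABCD1234" is the challenge code shown in the text.
	key := []byte("constructed-key-to-be-detected")
	challenge := []byte("ABCD1234")
	fmt.Println("key to be authenticated:", hex.EncodeToString(keyToBeAuthenticated(key, challenge)))
	fmt.Println("matches crypto/hmac:", matchesStandardHMAC(key, challenge))
}
```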
202. Preset configuration information is obtained in a configuration center.
The server obtains preset configuration information in the configuration center.
It should be noted that the configuration center here uses the distributed version control system git, which handles the version management of projects from very small to very large quickly and effectively. By adopting a distributed version control system, the server can efficiently record changes to one or more files and look up the revision history of a specific version; a file or project can be rolled back to its state at a past point in time, and which client made a change, and what was changed, can be identified; files can be deleted and restored, so the server's operations on files are more flexible and meet the varied requirements of clients.
Using git localizes the server's repository and supports offline commits; repositories are relatively independent and do not interfere with collaborative development, so a client can freely commit code, create branches and so on in its repository. It reduces repository pollution on the server, since git creates only one directory per project and keeps all of that project's version-control information inside it. The server can store content as metadata and clone a repository completely, and the clone has everything the central repository has, such as tags, branches and version history. The server supports fast branch switching, and merging is convenient and performs well: different branches can be switched within the same directory, and merges are straightforward.
Note that, in this embodiment, the files may also be managed with the open-source version control system Subversion (SVN) instead of git.
203. And arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.
The server arranges and summarizes the preset configuration information according to preset rules to obtain a configuration file.
It is understood that a configuration file is the set of settings and files that the system loads to give the client the desired environment when the client logs in to the computer or uses software. It contains the specific configuration settings of every client, such as program items, screen colours, network connections, printer connections, mouse settings, and window size and position, and it is obtained by arranging and summarizing the configured information according to preset rules. In the case of Java microservices, the microservice exists in the form of a Software Development Kit (SDK), i.e. a jar package, and is referenced directly when used. A microservice here means an independently operating system, for example a client system or an order system, which needs configuration information such as the database connection address, the client name and the client password. This configuration information is generally not stored on the machine where the microservice runs but is configured in a centrally managed configuration center. When the microservice starts, it first accesses the configuration center and reads the required configuration information into local memory for later use, for example to connect to the database. The microservice follows a fixed start-up sequence: it first loads the SDK's logic program, which accesses the configuration center and reads the configuration file; after a successful read, the preset values defined by the microservice during development are bound to the corresponding program variables, for example:
@Value("${redis.timeout}")
private int redisTimeout;
The microservice binds the value of redis.timeout to the corresponding redisTimeout variable, but the server must perform authentication while the configuration file is being read, to ensure data security.
204. Whether the key to be detected is the same as the authentication key is judged, wherein the authentication key is obtained by processing the preset configuration information with the preset algorithm.
The server judges whether the key to be detected is the same as the authentication key, the authentication key being obtained by processing the preset configuration information with the preset algorithm. Specifically: the server obtains a second preset key in the configuration center; the server performs key derivation on the client name and the second preset key with the Triple Data Encryption Algorithm to obtain a symmetric key in the configuration center, where the preset configuration information comprises the client name; the server obtains the authentication key from the symmetric key and the preset algorithm; and the server judges whether the key to be detected is the same as the authentication key.
Performing key derivation on the client name and the second preset key with the Triple Data Encryption Algorithm to obtain the symmetric key in the configuration center, where the preset configuration information comprises the client name, specifically comprises: in the configuration center, the server obtains the byte data of the client name, the preset configuration information comprising the client name; the server applies the Triple Data Encryption Algorithm to the byte data of the client name under the second preset key to obtain a first symmetric key; the server inverts (bitwise negates) the byte data of the client name to obtain the inverted byte data of the client name; the server applies the Triple Data Encryption Algorithm to the inverted byte data under the second preset key to obtain a second symmetric key; and the server concatenates the first symmetric key and the second symmetric key to obtain the symmetric key.
For example, the server encrypts the client name with the second preset key in the configuration center using the key derivation algorithm as follows. The server first obtains the second preset key in the configuration center and the byte data of the client name in the configuration information, working on 8-byte blocks; it selects the rightmost 8 bytes of the client name's byte data as the input block and applies the Triple Data Encryption Algorithm to that block under the second preset key to obtain the first symmetric key. It then inverts those rightmost 8 bytes to obtain the inverted byte data of the client name and applies the Triple Data Encryption Algorithm to the inverted data under the second preset key to obtain the second symmetric key. Concatenating the first and second symmetric keys yields a double-length symmetric key.
Obtaining the authentication key from the symmetric key and the preset algorithm specifically comprises: the server adjusts the byte length of the symmetric key so that it equals the preset byte length; the server XORs the symmetric key with a preset third character string to obtain a third related key, where the byte length of the preset third character string equals the preset byte length; the server combines the third related key with the challenge code to obtain a second candidate key; the server XORs the symmetric key with a preset fourth character string to obtain a fourth related key, where the byte length of the preset fourth character string equals the preset byte length; and the server combines the third related key with the second candidate key to obtain the authentication key.
It should be noted that the preset algorithm here is HMAC: the symmetric key and the challenge code are processed by it to obtain the authentication key. The process of obtaining the authentication key is similar to that of obtaining the key to be authenticated and is therefore not described again here.
Therefore, the server never transmits the derived symmetric key over the channel; instead it compares the authentication key calculated in the configuration center with the key to be authenticated calculated by the client. The symmetric key is thus never exposed, other clients cannot learn the key used to access the configuration center, and the security of file transmission is ensured.
For example, during identity verification, suppose the microservice name is ai-ark-admin and the authentication key is AABBCCDDAABBCCDDAABBCCDDAABBCCDD; the constructed request message is an HTTP POST in JSON format, and the server obtains the following result:
{
"application": "ai-ark-admin",
"challenge": "ABCD1234",
"mac": "CDEF4321"
}
In this result, application is the name of the microservice, ai-ark-admin; challenge is the challenge code returned by the configuration center, a character string randomly generated by the configuration center, shown here as ABCD1234; and mac is the authentication key that the configuration center computes with the HMAC algorithm from the challenge code and the symmetric key, a character string produced by concatenating the fields of the message covered by the mac and running the computation, shown here as CDEF4321.
205. If the authentication key is the same as the key to be authenticated, a session key is generated.
If the authentication key is the same as the key to be authenticated, the server generates a session key.
It should be noted that, after the server has obtained the authentication key and the key to be authenticated, each of which incorporates the challenge code, it compares the two; if their contents at every position are the same, the authentication key and the key to be authenticated are judged to be the same.
For example, assume the authentication key computed by the server from the challenge code is 'CDEF4321' and the key to be authenticated computed by the client from the challenge code is 'CDEF4321'. The key to be authenticated is transmitted to the server, the server compares it with the authentication key, and since the contents of the two keys agree at every position, the server concludes that they are the same and generates a session key.
It should be noted that the server's identity authentication process is as follows: first, the server receives the configuration request sent by the client and generates a challenge code according to it; the client uses the challenge code and the key to be detected to calculate the key to be authenticated, while the server uses the challenge code and the symmetric key to calculate the authentication key in the configuration center; if the authentication key is the same as the key to be authenticated, the client is a legitimate client and the server may transmit the configuration file to it. The encryption and authentication steps thus together guarantee the security of file transmission.
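The whole exchange of steps 204 and 205, as an added Go example that is not part of the patent: the 3DES derivation of the double-length symmetric key from the rightmost 8 bytes of the client name and their bitwise inverse, the HMAC over the challenge code, and the server-side comparison that decides whether a session key is issued. It assumes SHA-256 as the HMAC hash, that the first and second preset keys are one shared 16-byte secret (so that the client's key to be detected equals the server's symmetric key), and that two-key 3DES is expanded as K1||K2||K1; the JSON field names and the 16-byte key value are taken from the text.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type ConfigRequest struct { // the three JSON fields of the request message in the text
	Application string `json:"application"`
	Challenge   string `json:"challenge"`
	MAC         string `json:"mac"`
}

// tripleDESBlock encrypts one 8-byte block with two-key 3DES; K1||K2||K1 is the
// usual expansion of the text's 16-byte preset key for Go's 24-byte TripleDES cipher.
func tripleDESBlock(presetKey, block []byte) ([]byte, error) {
	if len(presetKey) != 16 || len(block) != 8 {
		return nil, fmt.Errorf("need a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, presetKey...), presetKey[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// rightmost8 returns the rightmost 8 bytes of the client name; shorter names are
// left-padded with zero bytes (an assumption, the text only covers longer names).
func rightmost8(name []byte) []byte {
	block := make([]byte, 8)
	if len(name) >= 8 {
		copy(block, name[len(name)-8:])
	} else {
		copy(block[8-len(name):], name)
	}
	return block
}

// deriveSymmetricKey follows the text: 3DES(name block) || 3DES(inverted name block)
// under the preset key gives the 16-byte double-length symmetric key.
func deriveSymmetricKey(presetKey []byte, clientName string) ([]byte, error) {
	in := rightmost8([]byte(clientName))
	first, err := tripleDESBlock(presetKey, in)
	if err != nil {
		return nil, err
	}
	inverted := make([]byte, 8)
	for i, b := range in {
		inverted[i] = ^b // bitwise negation of each byte
	}
	second, err := tripleDESBlock(presetKey, inverted)
	return append(first, second...), err
}

// hmacHex is the "preset algorithm" step: HMAC over the challenge code, as hex.
// SHA-256 is assumed; the text does not name the one-way hash function.
func hmacHex(key []byte, challenge string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(challenge))
	return hex.EncodeToString(m.Sum(nil))
}

// clientRespond builds the request: the client derives its key to be detected the
// same way (assumption: the first and second preset keys are one shared secret).
func clientRespond(presetKey []byte, app, challenge string) (ConfigRequest, error) {
	k, err := deriveSymmetricKey(presetKey, app)
	return ConfigRequest{Application: app, Challenge: challenge, MAC: hmacHex(k, challenge)}, err
}

// serverVerify recomputes the authentication key in the configuration center and
// compares it in constant time with the key to be authenticated. The echoed challenge
// must be the one the server issued (a response is valid only for that challenge);
// on success a fresh random session key is generated.
func serverVerify(presetKey []byte, issued string, req ConfigRequest) ([]byte, bool) {
	symmetricKey, err := deriveSymmetricKey(presetKey, req.Application)
	if err != nil || req.Challenge != issued {
		return nil, false
	}
	if !hmac.Equal([]byte(hmacHex(symmetricKey, req.Challenge)), []byte(req.MAC)) {
		return nil, false
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, false
	}
	return sessionKey, true
}

func main() { // constructed demo; the preset key is the 16-byte value shown in the text
	presetKey, _ := hex.DecodeString("AABBCCDDAABBCCDDAABBCCDDAABBCCDD")
	req, _ := clientRespond(presetKey, "ai-ark-admin", "ABCD1234")
	_, ok := serverVerify(presetKey, "ABCD1234", req)
	fmt.Printf("mac=%s accepted=%v\n", req.MAC, ok)
}
```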
206. The configuration file, which comprises the preset configuration information, is fed back to the client through the session key.
The server feeds back the configuration file to the client through the session key, where the configuration file comprises the preset configuration information.
The session key used by the server is agreed between the two parties in advance and cannot be obtained by a third party, so the only information transmitted between the client and the server is the challenge code and the key to be authenticated: the challenge code is a random number with which the server challenges the client, and the key to be authenticated is the client's HMAC response to the server. The server compares the key to be authenticated with the authentication key; if they are the same, the target key inside the key to be authenticated and the symmetric key inside the authentication key are the same, the client is a legitimate client, and the server can feed back the configuration file of the configuration center to the client. During identity authentication the symmetric key cannot be calculated from the challenge code and the key to be authenticated, so a client that does not hold the matching symmetric key cannot forge a consistent response; the server judges such a client to be a dangerous client and does not feed back the configuration file of the configuration center to it, which further ensures the security of the configuration file.
Because the HMAC algorithm is "transient", that is, the key to be authenticated is valid only at that moment, after the configuration file has been fed back over the session-key-protected communication, the server must perform identity authentication again if the client wants to obtain the configuration file again.
It should be noted that, when the server feeds back the configuration file from the configuration center, it also feeds back the latest modification time of the configuration file.
In the embodiment of the invention, during extraction of the configuration file, the client's key to be authenticated is transmitted to the configuration center for identity verification of the client, and the configuration file is transmitted only after verification succeeds, so that leakage of configuration file information is prevented, the system's protection of the configuration file is improved, and the system's potential security risks are reduced.
Having described the method for generating a configuration file in the embodiment of the present invention, a device for generating a configuration file in the embodiment of the present invention is described below with reference to fig. 3. An embodiment of the device for generating a configuration file comprises:
the parsing unit 301, configured to obtain a configuration request of the client, parse the configuration request with a preset algorithm and obtain a key to be authenticated, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on the name of the client and a first preset key;
a judging unit 302, configured to judge whether the key to be detected is the same as the authentication key, where the authentication key is obtained by processing the preset configuration information with the preset algorithm;
a confirming unit 303, configured to generate a session key if the authentication key is the same as the key to be authenticated;
a feedback unit 304, configured to feed back a configuration file to the client through the session key, where the configuration file includes preset configuration information.
In the embodiment of the present invention, the parsing unit 301 is configured to obtain a configuration request of a client and parse the configuration request with a preset algorithm to obtain a key to be authenticated, where the configuration request includes a key to be detected and the key to be detected is obtained by performing key derivation on the name of the client and a first preset key; the judging unit 302 is configured to judge whether the key to be detected is the same as the authentication key, where the authentication key is obtained by processing the preset configuration information with the preset algorithm; the confirming unit 303 is configured to generate a session key if the authentication key is the same as the key to be authenticated; and the feedback unit 304 is configured to feed back a configuration file to the client through the session key, where the configuration file includes the preset configuration information.
In the embodiment of the invention, during extraction of the configuration file, the client's key to be authenticated is transmitted to the configuration center for identity verification of the client, and the configuration file is transmitted only after verification succeeds, so that leakage of configuration file information is prevented, the system's protection of the configuration file is improved, and the system's potential security risks are reduced.
Referring to fig. 4, another embodiment of the apparatus for generating a configuration file according to the embodiment of the present invention includes:
the parsing unit 301, configured to obtain a configuration request of the client, parse the configuration request with a preset algorithm and obtain a key to be authenticated, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on the name of the client and a first preset key;
a judging unit 302, configured to judge whether the key to be detected is the same as the authentication key, where the authentication key is obtained by processing the preset configuration information with the preset algorithm;
a confirming unit 303, configured to generate a session key if the authentication key is the same as the key to be authenticated;
a feedback unit 304, configured to feed back a configuration file to the client through the session key, where the configuration file includes preset configuration information.
Optionally, the parsing unit 301 includes:
a first obtaining module 3011, configured to obtain, in a configuration center, a configuration request of a client, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key;
a generating module 3012, configured to obtain, in the configuration center, a challenge code generated according to the configuration request;
and the parsing module 3013, configured to process the challenge code and the key to be detected with a preset algorithm to obtain a key to be authenticated.
Optionally, the parsing module 3013 is specifically configured to:
adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length;
carrying out XOR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length;
combining the first related key with the challenge code to obtain a first candidate key;
performing XOR operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length;
and combining the second related key with the first candidate key to obtain the key to be authenticated.
Optionally, the determining unit 302 includes:
a second obtaining module 3021, configured to obtain a second preset key in the configuration center;
a derivation module 3022, configured to perform key derivation on the client name and the second preset key through a triple data encryption algorithm, and obtain a symmetric key in the configuration center, where the preset configuration information includes the client name;
a third obtaining module 3023, configured to obtain an authentication key according to the symmetric key and a preset algorithm;
the judging module 3024 is configured to judge whether the key to be detected is the same as the authentication key.
Optionally, the derivation module 3022 is specifically configured to:
in a configuration center, acquiring byte data of a client name, wherein preset configuration information comprises the client name;
performing triple data encryption algorithm on byte data of the client name and a second preset key to obtain a first symmetric key;
inverting (bitwise negating) the byte data of the client name to obtain the inverted byte data of the client name;
performing triple data encryption algorithm on the inverted byte data of the client name and a second preset key to obtain a second symmetric key;
and combining the first symmetric key and the second symmetric key to obtain a symmetric key.
Optionally, the third obtaining module 3023 is specifically configured to:
adjusting the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length;
carrying out XOR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length;
combining the third related key with the challenge code to obtain a second candidate key;
carrying out XOR operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length;
and combining the third related key with the second candidate key to obtain the authentication key.
Optionally, the apparatus for generating a configuration file further includes:
a second obtaining unit 305, configured to obtain preset configuration information in the configuration center;
a summarizing unit 306, configured to arrange and summarize the preset configuration information according to preset rules to obtain a configuration file.
In the embodiment of the present invention, the parsing unit 301 is configured to obtain a configuration request of a client and parse the configuration request with a preset algorithm to obtain a key to be authenticated, where the configuration request includes a key to be detected and the key to be detected is obtained by performing key derivation on the name of the client and a first preset key; the second obtaining unit 305 is configured to obtain preset configuration information in the configuration center; the summarizing unit 306 is configured to arrange and summarize the preset configuration information according to preset rules to obtain a configuration file; the judging unit 302 is configured to judge whether the key to be detected is the same as the authentication key, where the authentication key is obtained by processing the preset configuration information with the preset algorithm; the confirming unit 303 is configured to generate a session key if the authentication key is the same as the key to be authenticated; and the feedback unit 304 is configured to feed back the configuration file to the client through the session key, where the configuration file includes the preset configuration information.
In the embodiment of the invention, during extraction of the configuration file, the client's key to be authenticated is transmitted to the configuration center for identity verification of the client, and the configuration file is transmitted only after verification succeeds, so that leakage of configuration file information is prevented, the system's protection of the configuration file is improved, and the system's potential security risks are reduced.
Fig. 3 to fig. 4 describe the apparatus for generating a configuration file in the embodiment of the present invention in detail from the perspective of a modular functional entity, and the apparatus for generating a configuration file in the embodiment of the present invention is described in detail from the perspective of hardware processing.
The following specifically describes each component of the configuration file generation device with reference to fig. 5:
fig. 5 is a schematic structural diagram of a configuration file generating device according to an embodiment of the present invention. The configuration file generating device 500 may vary considerably in configuration or performance, and may include one or more processors (CPUs) 501 (e.g., one or more processors) and a memory 509, and one or more storage media 508 (e.g., one or more mass storage devices) for storing applications 507 or data 506. The memory 509 and the storage medium 508 may be transient storage or persistent storage. The program stored on the storage medium 508 may include one or more modules (not shown), each of which may include a series of instruction operations for the configuration file generating device. Still further, the processor 501 may be configured to communicate with the storage medium 508 to execute the series of instruction operations in the storage medium 508 on the configuration file generating device 500.
The configuration file generating device 500 may also include one or more power supplies 502, one or more wired or wireless network interfaces 503, one or more input-output interfaces 504, and/or one or more operating systems 505, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc. Those skilled in the art will appreciate that the structure of the configuration file generating device shown in fig. 5 does not constitute a limitation of the device, which may include more or fewer components than those shown, may combine some components, or may arrange the components differently.
the processor 501 is the control center of the configuration file generating device and performs processing according to the configuration file generation method. The processor 501 connects the various parts of the whole device by using various interfaces and lines, and improves the system's protection of the configuration file by running or executing the software programs and/or modules stored in the memory 509, calling the data stored in the memory 509, and authenticating the client that requests the configuration file. The storage medium 508 and the memory 509 are carriers for storing data; in the embodiment of the present invention, the storage medium 508 may be an internal memory with a small capacity but high speed, and the memory 509 may be an external memory with a large capacity but lower speed.
The memory 509 may be used to store software programs and modules, and the processor 501 executes the various functional applications and data processing of the configuration file generating device 500 by running the software programs and modules stored in the memory 509. The memory 509 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created during use of the configuration file generating device, and the like. Further, the memory 509 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. The configuration file generation program and the received data stream provided in the embodiment of the present invention are stored in the memory 509 and are fetched from it by the processor 501 when needed.
The procedures or functions according to the embodiments of the invention are produced in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, twisted pair) or wirelessly (e.g., infrared, radio, microwave, etc.). A computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., compact disk), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for generating a configuration file, comprising:
acquiring a configuration request of a client, analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key;
judging whether the key to be detected is the same as an authentication key, wherein the authentication key is obtained by processing the preset configuration information with the preset algorithm;
if the authentication key is the same as the key to be authenticated, a session key is generated;
and feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.
2. The method according to claim 1, wherein the obtaining of the configuration request of the client and the parsing of the configuration request with a preset algorithm to obtain a key to be authenticated, the configuration request including a key to be detected that is obtained by key derivation from the client name and a first preset key, comprises:
the method comprises the steps that a configuration request of a client is obtained in a configuration center, the configuration request comprises a key to be detected, and the key to be detected is obtained by key derivation of a client name and a first preset key;
obtaining a challenge code generated according to the configuration request in the configuration center;
and analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated.
3. The method according to claim 2, wherein the analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated comprises:
adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length;
performing exclusive-or operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length;
combining the first related key with the challenge code to obtain a first candidate key;
performing exclusive-or operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length;
and combining the second related key with the first candidate key to obtain a key to be authenticated.
4. The method according to claim 1, wherein the judging whether the key to be detected is the same as an authentication key, the authentication key being obtained by processing the preset configuration information with the preset algorithm, comprises:
acquiring a second preset key in the configuration center;
carrying out key derivation on the client name and a second preset key through a triple data encryption algorithm to obtain a symmetric key in a configuration center, wherein the preset configuration information comprises the client name;
obtaining an authentication key according to the symmetric key and the preset algorithm;
and judging whether the key to be detected is the same as the authentication key.
5. The method of claim 4, wherein the performing key derivation on the client name and the second preset key by a triple data encryption algorithm to obtain a symmetric key in the configuration center, the preset configuration information including the client name, comprises:
in a configuration center, acquiring byte data of a client name, wherein the preset configuration information comprises the client name;
performing triple data encryption algorithm on the byte data of the client name and a second preset key to obtain a first symmetric key;
negating the byte data of the client name to obtain the reversed byte data of the client name;
performing a triple data encryption algorithm on the inverted byte data of the client name and the second preset key to obtain a second symmetric key;
and combining the first symmetric key and the second symmetric key to obtain a symmetric key.
6. The method of claim 3, wherein obtaining an authentication key based on the symmetric key and the preset algorithm comprises:
adjusting the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length;
performing an exclusive-or operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length;
combining the third related key with the challenge code to obtain a second candidate key;
performing an exclusive-or operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length;
and combining the third related key with the second candidate key to obtain an authentication key.
7. The method according to claims 1 to 6, wherein, before the obtaining of the configuration request of the client and the parsing of the configuration request with a preset algorithm to obtain the key to be authenticated (the configuration request including the key to be detected, which is obtained by key derivation from a client name and a first preset key), and before the key derivation on the preset configuration information and a second preset key by a triple data encryption algorithm in the configuration center to obtain a symmetric key, the method further comprises:
acquiring preset configuration information in a configuration center;
and arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.
8. An apparatus for generating a configuration file, comprising:
an analysis unit, configured to obtain a configuration request of a client and analyze the configuration request with a preset algorithm to obtain a key to be authenticated, wherein the configuration request includes a key to be detected, and the key to be detected is obtained by key derivation from a client name and a first preset key;
a judging unit, configured to judge whether the key to be detected is the same as an authentication key, wherein the authentication key is obtained by processing the preset configuration information with the preset algorithm;
the confirming unit is used for generating a session key if the authentication key is the same as the key to be authenticated;
and the feedback unit is used for feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.
9. A device for generating a configuration file, comprising:
a memory having instructions stored therein and at least one processor, the memory and the at least one processor interconnected by a line;
the at least one processor invokes the instructions in the memory to cause the configuration file generating device to perform the configuration file generation method of any one of claims 1 to 7.
10. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the steps of the configuration file generation method as claimed in any one of claims 1 to 7.
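The key derivation and challenge-response steps of claims 3 to 6 (and the matching unit description above), carried through end to end as an added worked example in Go. This is not code from the patent or its applicant. It fills in what the claims leave open, and every such choice is an assumption: a 16-byte "preset byte length", constructed sample values for the preset first/second (third/fourth) character strings, zero-padded CBC 3DES with an all-zero IV for the "triple data encryption algorithm", concatenate-then-SHA-256 for "combining", and a single preset key held by both the client and the configuration center (the claims name a first and a second preset key; the comparison can only succeed if the two derive the same key).

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// presetLen is the "preset byte length" of claims 3 and 6 (assumed value).
const presetLen = 16

// The "preset first/second character strings" (third/fourth on the
// configuration-center side): constructed sample values of presetLen bytes.
var (
	presetFirst  = bytes.Repeat([]byte{0x36}, presetLen)
	presetSecond = bytes.Repeat([]byte{0x5c}, presetLen)
)

// tripleDES encrypts data under a 24-byte key. Zero-padding to the 8-byte block and
// CBC with an all-zero IV are assumptions; the result is deterministic, as a
// derivation step needs.
func tripleDES(key, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(data)+7)/8*8)
	copy(padded, data)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, block.BlockSize())).CryptBlocks(out, padded)
	return out, nil
}

// deriveSymmetricKey follows claim 5: 3DES over the client-name bytes, 3DES over
// the bitwise-inverted bytes, and the two results concatenated.
func deriveSymmetricKey(clientName string, presetKey []byte) ([]byte, error) {
	name := []byte(clientName)
	inverted := make([]byte, len(name))
	for i, b := range name {
		inverted[i] = ^b
	}
	first, err := tripleDES(presetKey, name)
	if err != nil {
		return nil, err
	}
	second, err := tripleDES(presetKey, inverted)
	if err != nil {
		return nil, err
	}
	return append(first, second...), nil
}

// xorBytes adjusts key to presetLen (zero-pad or truncate, an assumption for the
// "adjusting the byte length" step) and XORs it with a preset string.
func xorBytes(key, preset []byte) []byte {
	out := make([]byte, presetLen)
	copy(out, key)
	for i := range out {
		out[i] ^= preset[i]
	}
	return out
}

// responseKey is the "preset algorithm" of claims 3 and 6: XOR with the first
// preset string and combine with the challenge (first candidate), then XOR with
// the second preset string and combine with that candidate. "Combine" is taken to
// be concatenate-then-SHA-256 (assumption); so read, this is HMAC's inner/outer pattern.
func responseKey(key, challenge []byte) []byte {
	inner := sha256.Sum256(append(xorBytes(key, presetFirst), challenge...))
	outer := sha256.Sum256(append(xorBytes(key, presetSecond), inner[:]...))
	return outer[:]
}

// authenticate is the configuration-center check of claims 1 and 4: recompute the
// expected value from the client name and the preset key, compare in constant
// time, and only on a match issue a fresh random session key.
func authenticate(clientName string, presetKey, challenge, keyToBeAuthenticated []byte) ([]byte, error) {
	sym, err := deriveSymmetricKey(clientName, presetKey)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(responseKey(sym, challenge), keyToBeAuthenticated) != 1 {
		return nil, fmt.Errorf("client %q failed authentication", clientName)
	}
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return nil, err
	}
	return session, nil
}

func main() {
	presetKey := []byte("constructed-24-byte-key!") // constructed; held by both sides
	challenge := make([]byte, 16)                  // per-request challenge code (claim 2)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	clientKey, _ := deriveSymmetricKey("order-service", presetKey) // client side
	_, err := authenticate("order-service", presetKey, challenge, responseKey(clientKey, challenge))
	fmt.Println("configuration center accepted client:", err == nil)
}
```

Two points a practitioner would check here: the comparison of the recomputed key with the received one uses a constant-time compare rather than `==`, and the session key is generated only after the comparison succeeds, so a configuration file is never returned to an unauthenticated client. Because the challenge is generated per request, the same response is rejected for a different challenge or a different client name.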
CN202010045341.6A 2020-01-16 2020-01-16 Configuration file generation method, device, equipment and storage medium Active CN111294388B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010045341.6A CN111294388B (en) 2020-01-16 2020-01-16 Configuration file generation method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111294388A true CN111294388A (en) 2020-06-16
CN111294388B CN111294388B (en) 2023-09-29

Family

ID=71026282

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010045341.6A Active CN111294388B (en) 2020-01-16 2020-01-16 Configuration file generation method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111294388B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112306582A (en) * 2020-12-08 2021-02-02 树根互联技术有限公司 Configuration variable encryption and decryption method and device, computer equipment and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104579694A (en) * 2015-02-09 2015-04-29 浙江大学 Identity authentication method and system
US20160330179A1 (en) * 2015-05-06 2016-11-10 Samsung Sds Co., Ltd. System and method for key exchange based on authentication information
CN109309910A (en) * 2018-10-30 2019-02-05 深圳市元征科技股份有限公司 Communication data transmission method, system, equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谷双双;夏鲁宁;贾世杰;: "一种加密硬盘的身份鉴别和密钥保护方案", 密码学报, no. 02 *

Also Published As

Publication number Publication date
CN111294388B (en) 2023-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant