CN111294388B

CN111294388B - Configuration file generation method, device, equipment and storage medium

Info

Publication number: CN111294388B
Application number: CN202010045341.6A
Authority: CN
Inventors: 翟岳辉; 刘亚猛
Original assignee: Ping An Life Insurance Company of China Ltd
Current assignee: Ping An Life Insurance Company of China Ltd
Priority date: 2020-01-16
Filing date: 2020-01-16
Publication date: 2023-09-29
Anticipated expiration: 2040-01-16
Also published as: CN111294388A

Abstract

The invention relates to the field of information security, and discloses a method, a device, equipment and a storage medium for generating a configuration file, which are used for preventing information leakage of the configuration file in the process of extracting the configuration file, improving the protection of a system on the configuration file and reducing the potential safety hazard of the system. The method comprises the following steps: the method comprises the steps that a configuration request of a client is obtained, the configuration request is analyzed by a preset algorithm to obtain a key to be authenticated, the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key; judging whether the key to be detected is the same as the authentication key, wherein the authentication key is obtained by analyzing the configuration information through presetting of a presetting algorithm; if the authentication key is the same as the key to be authenticated, generating a session key; and feeding back a configuration file to the client through the session key, wherein the configuration file comprises preset configuration information.

Description

Configuration file generation method, device, equipment and storage medium

Technical Field

The present invention relates to the field of information security, and in particular, to a method, an apparatus, a device, and a storage medium for generating a configuration file.

Background

In the field of computer science, a configuration file is a computer file, and when a user logs on to a computer based on a new technology (Windows new technology, windows NT) of a Windows operating system for the first time, a system on the computer will default to create a special configuration file for saving a client name, a client password, a network connection, a printer connection, a mouse setting, a window size and a window position, and the like. In general, the configuration files store the configuration parameters and initial settings of the computer program, and the presence of the configuration files facilitates the modification or setting of the computer by the client, so that the security of the configuration files is particularly important.

In the micro-service architecture, the protection of the configuration file is generally realized by setting a uniform password, and in the process of acquiring the configuration file by the client, the configuration file can be obtained only by cracking the password through a corresponding key. However, in the mode of setting the configuration file to be a unified password, when an illegal client uses the unified password to crack the key of the computer, the configuration file can be leaked in a large range, and the security of the system is threatened.

Disclosure of Invention

The invention provides a method, a device, equipment and a storage medium for generating a configuration file, which are used for preventing the problem of configuration file information leakage and improving the protection capability of a system on the configuration file.

The first aspect of the embodiment of the invention provides a method for generating a configuration file, which comprises the following steps: acquiring a configuration request of a client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key; judging whether the key to be authenticated is the same as an authentication key or not, wherein the authentication key is obtained by analyzing configuration information through presetting of the presetting algorithm; if the authentication key is the same as the key to be authenticated, generating a session key; and feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.

Optionally, in a first implementation manner of the first aspect of the embodiment of the present invention, a configuration request of the client is obtained in a configuration center, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key; obtaining a challenge code generated according to the configuration request in the configuration center; and analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated.

Optionally, in a second implementation manner of the first aspect of the embodiment of the present invention, a byte length of the key to be detected is adjusted, where the byte length of the key to be detected is the same as a preset byte length; performing exclusive OR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second correlation key, wherein the byte length of the preset second character string is the same as the preset byte length; and combining the second related key with the first candidate key to obtain a key to be authenticated.

Optionally, in a third implementation manner of the first aspect of the embodiment of the present invention, a second preset key in the configuration center is obtained; carrying out key derivation on the client name and a second preset key through a triple data encryption algorithm, and obtaining a symmetric key in a configuration center, wherein preset configuration information comprises the client name; acquiring an authentication key according to the symmetric key and the preset algorithm; and judging whether the key to be authenticated is the same as the authentication key.

Optionally, in a fourth implementation manner of the first aspect of the embodiment of the present invention, in a configuration center, byte data of a client name is obtained, and the preset configuration information includes the client name; performing a triple data encryption algorithm on the byte data of the client name and the second preset key to obtain a first symmetric key; inverting the byte data of the client name to obtain the inverted byte data of the client name; performing a triple data encryption algorithm on the anti-byte data of the client name and the second preset key to obtain a second symmetric key; and combining the first symmetric key with the second symmetric key to obtain a symmetric key.

Optionally, in a fifth implementation manner of the first aspect of the embodiment of the present invention, a byte length of the symmetric key is adjusted, where the byte length of the symmetric key is the same as the preset byte length; performing exclusive OR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length; combining the third related key with the challenge code to obtain a second candidate key; performing exclusive OR operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length; and combining the third related key with the second candidate key to obtain an authentication key.

Optionally, in a sixth implementation manner of the first aspect of the embodiment of the present invention, preset configuration information is obtained in a configuration center; and arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.

A second aspect of an embodiment of the present invention provides a device for generating a configuration file, including: the system comprises an analysis unit, a verification unit and a verification unit, wherein the analysis unit is used for acquiring a configuration request of a client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key; the judging unit is used for judging whether the key to be authenticated is the same as the authentication key, and the authentication key is obtained by analyzing the configuration information through preset algorithm; a confirmation unit, configured to generate a session key if the authentication key is the same as the key to be authenticated; and the feedback unit is used for feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.

Optionally, in a first implementation manner of the second aspect of the embodiment of the present invention, the parsing unit specifically includes: the first acquisition module is used for acquiring a configuration request of the client in the configuration center, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key; the generating module is used for acquiring the challenge code generated according to the configuration request in the configuration center; and the analysis module is used for analyzing the challenge code and the key to be detected by utilizing the preset algorithm to obtain the key to be authenticated.

Optionally, in a second implementation manner of the second aspect of the embodiment of the present invention, the parsing module is specifically configured to: adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length; performing exclusive OR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second correlation key, wherein the byte length of the preset second character string is the same as the preset byte length; and combining the second related key with the first candidate key to obtain a key to be authenticated.

Optionally, in a third implementation manner of the second aspect of the embodiment of the present invention, the deriving unit includes: a second acquisition module for acquiring a second preset key in the configuration center; the deriving module is used for carrying out key derivation on the client name and the second preset key through a triple data encryption algorithm, and obtaining a symmetric key in the configuration center, wherein the preset configuration information comprises the client name; the third acquisition module is used for acquiring an authentication key according to the symmetric key and the preset algorithm; and the judging module is used for judging whether the key to be authenticated is the same as the authentication key.

Optionally, in a fourth implementation manner of the second aspect of the embodiment of the present invention, the deriving module is specifically configured to: in a configuration center, byte data of a client name is acquired, and preset configuration information comprises the client name; performing a triple data encryption algorithm on the byte data of the client name and the second preset key to obtain a first symmetric key; inverting the byte data of the client name to obtain the inverted byte data of the client name; performing a triple data encryption algorithm on the anti-byte data of the client name and the second preset key to obtain a second symmetric key; and combining the first symmetric key with the second symmetric key to obtain a symmetric key.

Optionally, in a fifth implementation manner of the second aspect of the embodiment of the present invention, the third obtaining module is specifically configured to: adjusting the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length; performing exclusive OR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length; combining the third related key with the challenge code to obtain a second candidate key; performing exclusive OR operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length; and combining the third related key with the second candidate key to obtain an authentication key.

Optionally, in a sixth implementation manner of the second aspect of the embodiment of the present invention, the method for generating a configuration file further includes: a second acquisition unit for acquiring preset configuration information in the configuration center; and the summarizing unit is used for arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.

A third aspect of the embodiment of the present invention provides a device for generating a configuration file, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the configuration file-based generating method according to any one of the foregoing embodiments when executing the computer program.

A fourth aspect of an embodiment of the invention provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of the first aspect described above.

From the above technical solutions, the embodiment of the present invention has the following advantages:

in the embodiment of the invention, in the process of extracting the configuration file, the identification verification of the client is carried out by transmitting the key to be authenticated of the client to the configuration center, and the transmission of the configuration price is carried out after the verification is successful, so that the information leakage of the configuration file is prevented, the protection of the system to the configuration file is improved, and the potential safety hazard of the system is reduced.

Drawings

FIG. 1 is a schematic diagram of an embodiment of a method for generating a configuration file according to the present invention;

FIG. 2 is a schematic diagram of another embodiment of a method for generating a configuration file according to the present invention;

FIG. 3 is a schematic diagram of an embodiment of a configuration file generating apparatus according to the present invention;

FIG. 4 is a schematic diagram of another embodiment of a configuration file generating apparatus according to the present invention;

FIG. 5 is a schematic diagram of an embodiment of a configuration file generating apparatus according to the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.

The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.

Referring to fig. 1, an embodiment of a method for generating a configuration file in an embodiment of the present invention includes:

101. and acquiring a configuration request of the client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on the name of the client and a first preset key.

The method comprises the steps that a server obtains a configuration request of a client, analyzes the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key.

The configuration request refers to a request that the client needs to extract the configuration file in the server, wherein the configuration file is a special file for storing the name of the client, the password of the client and the like when the client logs in the server, and the client extracting the configuration file needs to perform identity verification due to the importance of the configuration file, and can acquire the configuration file after the identity verification is successful. The configuration request of the client comprises a client name and a first preset key, and in the process of identity verification of the client, in view of the condition that the first preset key is revealed caused by directly transmitting the first preset key to a server, the key derivation algorithm is utilized to derive the client name and the first preset key, so that the key to be detected is obtained.

It should be noted that, here, a key derivation algorithm, which is also called a key distribution algorithm, is utilized, and is a deterministic algorithm for deriving a symmetric key from some secret values, for example: a double-length (a length key is 8 bytes) master key is arranged in the server, and data needing to be encrypted is subjected to decentralized processing by using the master key to derive a double-length symmetric encryption key. The server uses the same key in the encryption and decryption process so that both keys can be simply derived from each other.

It will be appreciated that the preset algorithm as utilized herein is a hash-message authentication code (HMAC).

102. Judging whether the key to be authenticated is the same as the authentication key, wherein the authentication key is obtained by analyzing the configuration information through presetting an algorithm.

The server judges whether the key to be authenticated is the same as the authentication key, and the authentication key is obtained by analyzing the configuration information through presetting an algorithm.

It should be noted that, the configuration center uses the distributed version control system git, so that project version management from small to very large can be effectively and rapidly processed. The server adopts a distributed version control system to effectively and rapidly record one or a plurality of file content changes so as to review the revision condition of a specific version; a file or item may be backed up to a state at a point in time in the past and the part of the access client changes and when changes were made may be found; the file can be deleted and restored, so that the server can operate the file more flexibly and variably to meet different requirements of clients.

The use of git can localize the version library of the server and support the offline submission of files, the version library is relatively independent and does not affect collaborative development, and a client can arbitrarily execute the actions of submitting codes, creating branches and the like on the version library; reducing the 'warehouse pollution' of the server, wherein the git only generates a corresponding catalogue for each item, and all version control information of the item is in the catalogue; the server can store the content in a metadata mode, and the version library of the clone version has everything on the central version library, such as labels, branches, version records and the like; the server supports fast switching branches to be convenient to merge, and the merging performance is good. Different branches can be switched under the same directory, and the combination is convenient.

It should be noted that, in addition, in this embodiment, a version control System (SVN) of an open source code may be used instead of git to configure a file.

It will be appreciated that since clients typically use weaker passwords, password-based key derivation functions are slow and take up a lot of memory, making it difficult to launch brute force and other attacks. The password-based key derivation function makes it difficult for the system to remember the key and there is a risk of storing the key, there is a risk of the profile being stolen, and the master key is difficult to crack using a brute force attack, so the server can generate a symmetric key using the key derivation function that is not password-based. Symmetric encryption is much faster than public key encryption, and there are many encryption algorithms, such as: a data encryption standard (data encryption standard, DES), wherein the key bytes in the DES are 56 bits in total, and the block cipher design is carried out on the needed encrypted data by adopting the principle of confusion and diffusion; triple data encryption algorithm (triple data encryption algorithm,3 DES), 3DES corresponds to the server applying three DES times to each standby secret data block, since the key byte length of DES cipher is too short and easily hacked by violence, 3DES avoids similar attacks by increasing the key byte length of DES; advanced encryption standard (advanced encryption standard, AES), the key bytes in AES may be 128 bits, 192 bits or 256 bits. Here, the server performs key derivation on the second preset key and the configuration information, which are set in advance in the server, by using a triple data encryption algorithm, thereby obtaining a symmetric key.

It should be noted that, the preset algorithm is HMAC, and the symmetric key and the challenge code are resolved to obtain the authentication key. The process of obtaining the authentication key is similar to the process of obtaining the key to be authenticated, and thus will not be described in detail herein.

Therefore, the server does not transmit the obtained symmetric key in the transmission channel, and compares the authentication key calculated in the configuration center with the key to be verified calculated in the client, so that the symmetric key is ensured not to be revealed, other clients cannot know the key for accessing the configuration center, and the security of file transmission is ensured.

103. If the authentication key is the same as the key to be authenticated, a session key is generated.

And if the authentication key is the same as the key to be authenticated, the server generates a session key.

After the server obtains the authentication key and the key to be authenticated which are respectively combined with the challenge code, the authentication key and the key to be authenticated are compared, and if the content of the authentication key and the key to be authenticated at the same position is the same, the authentication key and the key to be authenticated are the same.

Illustrating: assuming that the authentication key combined by the challenge code of the server is 'CDEF 4321', the key to be verified combined by the client through the challenge code is 'CDEF 4321', the key to be verified is transmitted to the server, the server compares the key to be verified with the authentication key, and the content of the key to be verified in the same position are consistent, so that a conclusion that the key to be verified and the authentication key are the same is obtained, and meanwhile, the server generates a session key.

104. And feeding back a configuration file to the client through the session key, wherein the configuration file comprises preset configuration information.

The session key used by the server is agreed in advance by both parties, and a third party cannot acquire the session key, so that the information transmitted between the client and the server only has a challenge code and a key to be authenticated, the challenge code is a random number used as a client of the server 'challenge', the key to be authenticated is a result of the server 'response' of the client passing through the HMAC, the server compares the key to be authenticated with the authentication key, if the key to be authenticated is the same, the target key in the key to be authenticated and the symmetric key in the authentication key are the same, the client is a legal client, and the server can feed back the configuration file of the configuration center to the client. In the process of identity authentication, the server cannot calculate the symmetric key according to the challenge code and the key to be authenticated, and the client cannot imitate a consistent server response because the symmetric key cannot be matched, so that the server judges that the client is a dangerous client, the server cannot feed back the configuration file of the configuration center to the client, and the safety of the configuration file is further ensured.

Because the HMAC algorithm has "transient", i.e. the key to be authenticated is only valid at that time, after the session key is used to perform communication feedback to the configuration file, if the client wants to acquire the configuration file again, the server needs to perform identity authentication again.

It should be noted that, when the server feeds back the configuration file in the configuration center, the latest modification time of the configuration file is fed back at the same time.

Referring to fig. 2, another embodiment of a method for generating a configuration file according to an embodiment of the present invention includes:

201. and acquiring a configuration request of the client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on the name of the client and a first preset key.

The method comprises the steps that a server obtains a configuration request of a client, analyzes the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key. Specifically, a configuration request of a client is obtained in a configuration center, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key; obtaining a challenge code generated according to a configuration request in a configuration center; and analyzing the challenge code and the key to be detected by using a preset algorithm to obtain the key to be authenticated.

Analyzing the challenge code and the key to be detected by using a preset algorithm, wherein obtaining the key to be authenticated comprises adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length; performing exclusive OR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length; combining the first related key with the challenge code to obtain a first candidate key; performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length; and combining the second related key with the first candidate key to obtain a key to be authenticated.

It can be understood that the preset algorithm used here is a hash message authentication code (hash-based message authentication code, HMAC), it parses the configuration request and the key to be detected to obtain the key to be authenticated, firstly the server judges the byte length of the key to be detected, if the byte length of the key to be detected is shorter than the preset byte length (if the key is shorter than the one-way hash function packet length), the server fills 0 at the end of the byte of the key to be detected until the byte length of the key to be detected reaches the packet length of the one-way hash function of the preset byte length, if the byte length of the key to be detected is longer than the preset byte length (if the key is longer than the packet length), the server uses the one-way hash function to calculate the hash value of the key to be detected equal to the preset byte length, and then uses the hash value as the key to be detected, if the byte length of the key to be detected is the same as the preset byte length, the key to be detected is not processed; then the server carries out exclusive OR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the preset first character string is a character string which is formed by continuously and circularly repeating 00110110 as a bit sequence until the byte length is the same as the preset byte length; the server combines the first related key with a challenge code to obtain a first candidate key, wherein the challenge code is a character string randomly generated by the server, the server attaches the first related key at the beginning of the challenge code, and the combined result is input into a one-way hash function to obtain the first candidate key; performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second related key, wherein the preset second character string is a character string with the 01011100 bit sequence being continuously and circularly repeated until the byte length is the same as the preset byte length; and finally, the server combines the second related key with the first candidate key to obtain a key to be authenticated, wherein the server splices the second related key at the end of the challenge code and inputs the combined result into a one-way hash function to obtain the key to be authenticated.

202. And acquiring preset configuration information in the configuration center.

The server acquires preset configuration information from the configuration center.

203. And arranging and summarizing preset configuration information according to preset rules to obtain a configuration file.

And the server arranges and gathers the preset configuration information according to preset rules to obtain a configuration file.

It will be appreciated that a configuration file is a collection of settings and files that the system loads for a client's desired environment when the client logs into the computer, or when the client is using software. The method comprises the steps of arranging and summarizing all the configuration information special for the client, such as program items, screen colors, network connection, printer connection, mouse setting, the size and the position of a window and the like, according to preset rules, so as to obtain a configuration file. In the case of a micro-service in the Java language, the micro-service in the Java language exists in a software development kit (software development kit, SDK) form (jar package) and is directly referred to when in use. A microservice is herein understood to be a system that operates independently, such as: panning client systems, order systems, these running systems require some configuration information, such as: the connection address, client name, client password of the invocation database, which configuration information is typically not stored on the machine where the micro-service resides, but is configured in a centrally managed configuration center. The micro service is started, firstly accesses the configuration center, and reads the configuration information needed to be used to the local memory for later connection with the database. When the micro-service is started, a fixed starting flow is observed, firstly, a logic program of the SDK is loaded, the logic program accesses a configuration center and reads a configuration file, and after the configuration file is successfully read, preset values set by the micro-service in a development stage are configured into corresponding program variables, such as: value ("$ { redis. Timeout }")

Private int redis Timeout；

The micro-service will configure the redis. Timeout to the corresponding redistimeout variable, but the server needs to authenticate during the process of reading the configuration file to ensure the security of the data.

204. Judging whether the key to be authenticated is the same as the authentication key, wherein the authentication key is obtained by analyzing the configuration information through presetting an algorithm.

The server judges whether the key to be authenticated is the same as the authentication key, and the authentication key is obtained by analyzing the configuration information through presetting an algorithm. Specifically, the server acquires a second preset key in the configuration center; the server derives the client name and the second preset key through a triple data encryption algorithm, a symmetric key is obtained in a configuration center, and preset configuration information comprises the client name; the server obtains an authentication key according to the symmetric key and a preset algorithm; the server judges whether the key to be authenticated is the same as the authentication key.

The server derives the client name and the second preset key through a triple data encryption algorithm, a symmetric key is obtained in a configuration center, and preset configuration information comprises the client name which is specifically used for: in a configuration center, a server acquires byte data of a client name, and preset configuration information comprises the client name; the server performs a triple data encryption algorithm on the byte data of the client name and the second preset key to obtain a first symmetric key; the server inverts the byte data of the client name to obtain the inverted byte data of the client name; the server performs a triple data encryption algorithm on the anti-byte data of the client name and the second preset key to obtain a second symmetric key; and the server combines the first symmetric key with the second symmetric key to obtain the symmetric key.

For example, the server encrypts the client name and the second preset key in the configuration center by using a key derivation algorithm, firstly, the server obtains the second preset key in the configuration center and byte data of the client name in the configuration information, sets the byte of the second preset key as 8 bits, selects the rightmost 8 byte data of the client name byte data as input data, uses the input data and the second preset key as a triple data encryption algorithm to obtain a first symmetric key, secondly, the server negates the rightmost 8 byte data of the client name byte data to obtain inverse byte data of the client name, uses the inverse byte data of the client name and the preset key as a triple data encryption algorithm to obtain a second symmetric key, and combines the first symmetric key and the second symmetric key to obtain a double-length symmetric key.

The server obtains the authentication key according to the symmetric key and a preset algorithm, wherein the authentication key is specifically used for: the server adjusts the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length; the server performs exclusive OR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length; the server combines the third related key with the challenge code to obtain a second candidate key; the server performs exclusive OR operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length; the server combines the third related key with the second candidate key to obtain an authentication key.

For example, in the authentication process, the server assumes that the micro service name is: ai-ark-admin, authentication key: AABBCCDDAABBCCDDAABBCCDDAABBCCDD, organizing request messages: the post request of http adopts json format, and the program result obtained by the server is as follows:

"application"："ai-ark-admin"，

"challenge"："ABCD1234"

"mac"："CDEF4321"

the application in the result is a micro-service name, and the display result is ai-ark-admin; the challenge code responded by the configuration center is that the configuration center randomly generates a character string, and the result is displayed as ABCD1234; and the mac in the result is an authentication key obtained by the configuration center by using the challenge code and the symmetric key and adopting the HMAC algorithm, is a character string obtained by carrying out operation on fields for processing the mac in the message in series, and is displayed as a CDEF4321.

205. If the authentication key is the same as the key to be authenticated, a session key is generated.

If the authentication key is the same as the key to be authenticated, the server generates a session key.

It should be noted that the process of identity authentication performed by the server is as follows: firstly, a server receives a configuration request sent by a client, the server generates a challenge code according to the configuration request after receiving the configuration request, the client utilizes the challenge code and a key to be detected to operate and obtain a key to be authenticated, meanwhile, the server utilizes the challenge code and a symmetric key to operate in a configuration center and obtain an authentication key, if the authentication key is the same as the key to be authenticated, the client is a legal client, the server can transmit a configuration file to the client, and thus the encryption and authentication process ensures the security of file transmission.

206. And feeding back a configuration file to the client through the session key, wherein the configuration file comprises preset configuration information.

The server feeds back a configuration file to the client through the session key, wherein the configuration file comprises preset configuration information.

The method for generating a configuration file in the embodiment of the present invention is described above, and the device for generating a configuration file in the embodiment of the present invention is described below, referring to fig. 3, where an embodiment of the device for generating a configuration file in the embodiment of the present invention includes:

the analyzing unit 301 is configured to obtain a configuration request of the client, and analyze the configuration request by using a preset algorithm to obtain a key to be authenticated, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key;

The judging unit 302 is configured to judge whether the key to be authenticated is the same as the authentication key, where the authentication key is obtained by analyzing the configuration information through preset algorithm preset;

a confirmation unit 303, configured to generate a session key if the authentication key is the same as the key to be authenticated;

and the feedback unit 304 is configured to feed back a configuration file to the client through the session key, where the configuration file includes preset configuration information.

In the embodiment of the present invention, the parsing unit 301 is configured to obtain a configuration request of a client, and parse the configuration request by using a preset algorithm to obtain a key to be authenticated, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key; the judging unit 302 is configured to judge whether the key to be authenticated is the same as the authentication key, where the authentication key is obtained by analyzing the configuration information through preset algorithm preset; a confirmation unit 303, configured to generate a session key if the authentication key is the same as the key to be authenticated; and the feedback unit 304 is configured to feed back a configuration file to the client through the session key, where the configuration file includes preset configuration information.

Referring to fig. 4, another embodiment of a configuration file generating apparatus in an embodiment of the present invention includes:

Optionally, the parsing unit 301 includes:

the first obtaining module 3011 is configured to obtain a configuration request of the client in the configuration center, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key;

a generating module 3012, configured to obtain, in a configuration center, a challenge code generated according to a configuration request;

And the analyzing module 3013 is configured to analyze the challenge code and the key to be detected by using a preset algorithm, so as to obtain the key to be authenticated.

Optionally, the parsing module 3013 is specifically configured to:

adjusting the byte length of the key to be detected, wherein the byte length of the key to be detected is the same as the preset byte length;

performing exclusive OR operation on the key to be detected and a preset first character string to obtain a first related key, wherein the byte length of the preset first character string is the same as the preset byte length;

combining the first related key with the challenge code to obtain a first candidate key;

performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second related key, wherein the byte length of the preset second character string is the same as the preset byte length;

and combining the second related key with the first candidate key to obtain a key to be authenticated.

Optionally, the judging unit 302 includes:

a second obtaining module 3021, configured to obtain a second preset key in the configuration center;

the deriving module 3022 is configured to derive the client name and the second preset key through a triple data encryption algorithm, obtain a symmetric key in the configuration center, and include the client name in the preset configuration information;

A third obtaining module 3023, configured to obtain an authentication key according to the symmetric key and a preset algorithm;

a determining module 3024, configured to determine whether the key to be authenticated is the same as the authentication key.

Optionally, the deriving module 3022 is specifically configured to:

in a configuration center, byte data of a client name is acquired, and preset configuration information comprises the client name;

performing a triple data encryption algorithm on byte data of the client name and a second preset key to obtain a first symmetric key;

inverting the byte data of the client name to obtain the inverted byte data of the client name;

performing a triple data encryption algorithm on the anti-byte data of the client name and the second preset key to obtain a second symmetric key;

and combining the first symmetric key with the second symmetric key to obtain the symmetric key.

Optionally, the third obtaining module 3023 is specifically configured to:

adjusting the byte length of the symmetric key, wherein the byte length of the symmetric key is the same as the preset byte length;

performing exclusive OR operation on the symmetric key and a preset third character string to obtain a third related key, wherein the byte length of the preset third character string is the same as the preset byte length;

combining the third related key with the challenge code to obtain a second candidate key;

Performing exclusive OR operation on the symmetric key and a preset fourth character string to obtain a fourth related key, wherein the byte length of the preset fourth character string is the same as the preset byte length;

and combining the third related key with the second candidate key to obtain the authentication key.

Optionally, the method for generating the configuration file further includes:

a second acquiring unit 305, configured to acquire preset configuration information in a configuration center;

and the summarizing unit 306 is configured to arrange and summarize preset configuration information according to preset rules to obtain a configuration file.

In the embodiment of the present invention, the parsing unit 301 is configured to obtain a configuration request of a client, and parse the configuration request by using a preset algorithm to obtain a key to be authenticated, where the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a name of the client and a first preset key; a second acquiring unit 305, configured to acquire preset configuration information in a configuration center; a summarizing unit 306, configured to arrange and summarize preset configuration information according to a preset rule, so as to obtain a configuration file; the judging unit 302 is configured to judge whether the key to be authenticated is the same as the authentication key, where the authentication key is obtained by analyzing the configuration information through preset algorithm preset; a confirmation unit 303, configured to generate a session key if the authentication key is the same as the key to be authenticated; and the feedback unit 304 is configured to feed back a configuration file to the client through the session key, where the configuration file includes preset configuration information.

The configuration file generating device in the embodiment of the present invention is described in detail from the point of view of the modularized functional entity in fig. 3 to 4, and the configuration file generating device in the embodiment of the present invention is described in detail from the point of view of hardware processing.

The following describes the respective constituent elements of the configuration file generating apparatus in detail with reference to fig. 5:

fig. 5 is a schematic structural diagram of a configuration file generating device according to an embodiment of the present invention, where the configuration file generating device 500 may generate relatively large differences according to different configurations or performances, and may include one or more processors (central processing units, CPU) 501 (e.g., one or more processors) and a memory 509, and one or more storage media 508 (e.g., one or more mass storage devices) storing application programs 507 or data 506. Wherein the memory 509 and storage medium 508 may be transitory or persistent storage. The program stored on the storage medium 508 may include one or more modules (not shown), each of which may include a series of instruction operations on the check-in management device. Still further, the processor 501 may be configured to communicate with the storage medium 508 and execute a series of instruction operations in the storage medium 508 on the configuration file generating device 500.

The configuration file generation device 500 may also include one or more power supplies 502, one or more wired or wireless network interfaces 503, one or more input/output interfaces 504, and/or one or more operating systems 505, such as Windows Serve, mac OS X, unix, linux, freeBSD, and the like. It will be appreciated by those skilled in the art that the configuration file generation device structure shown in fig. 5 does not constitute a limitation of the configuration file generation device, and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.

the processor 501 is a control center of the configuration file generating device, and may perform processing according to a configuration file generating method. The processor 501 interfaces and lines with various parts of the overall profile generation device to enhance the protection of the profile by running or executing software programs and/or modules stored in the memory 509 and invoking data stored in the memory 509 by authenticating the client that extracted the profile. The storage medium 508 and the memory 509 are both carriers for storing data, and in the embodiment of the present invention, the storage medium 508 may refer to an internal memory with a small storage capacity but a fast speed, and the memory 509 may be an external memory with a large storage capacity but a slow storage speed.

The memory 509 may be used to store software programs and modules, and the processor 501 performs various functional applications and data processing of the configuration file generation device 500 by running the software programs and modules stored in the memory 509. The memory 509 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the profile generation device, etc. In addition, the memory 509 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. The profile generation program and received data streams provided in embodiments of the present invention are stored in memory and when needed, processor 501 is invoked from memory 509.

When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, twisted pair), or wireless (e.g., infrared, wireless, microwave, etc.) means. Computer readable storage media can be any available media that can be stored by a computer or data storage devices such as servers, data centers, etc. that contain an integration of one or more available media. Usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., optical disks), or semiconductor media (e.g., solid State Disks (SSDs)), or the like.

It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.

In the several embodiments provided in the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for generating a configuration file, comprising:

acquiring a configuration request of a client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key;

judging whether the key to be authenticated is the same as an authentication key or not, wherein the authentication key is obtained by analyzing configuration information through presetting of the presetting algorithm;

if the authentication key is the same as the key to be authenticated, generating a session key;

feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information;

The step of judging whether the key to be authenticated is the same as the authentication key, wherein the authentication key is obtained by analyzing the configuration information through the preset algorithm preset comprises the following steps:

acquiring a second preset key in the configuration center;

carrying out key derivation on the client name and a second preset key through a triple data encryption algorithm, and obtaining a symmetric key in a configuration center, wherein preset configuration information comprises the client name;

acquiring an authentication key according to the symmetric key and the preset algorithm;

and judging whether the key to be authenticated is the same as the authentication key.

2. The method according to claim 1, wherein the obtaining the configuration request of the client and analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, the configuration request includes a key to be detected, and the key to be detected is obtained by performing key derivation on a client name and a first preset key, and the key to be detected includes:

acquiring a configuration request of a client from a configuration center, wherein the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key;

obtaining a challenge code generated according to the configuration request in the configuration center;

And analyzing the challenge code and the key to be detected by using the preset algorithm to obtain the key to be authenticated.

3. The method of claim 2, wherein the parsing the challenge code and the key to be detected using the preset algorithm to obtain a key to be authenticated comprises:

performing exclusive OR operation on the key to be detected and a preset second character string to obtain a second correlation key, wherein the byte length of the preset second character string is the same as the preset byte length;

4. The method according to claim 1, wherein the key derivation of the client name and the second preset key by a triple data encryption algorithm, the symmetric key being obtained in the configuration center, the preset configuration information including the client name includes:

performing a triple data encryption algorithm on the byte data of the client name and the second preset key to obtain a first symmetric key;

and combining the first symmetric key with the second symmetric key to obtain a symmetric key.

5. The method of claim 1, wherein the obtaining an authentication key from the symmetric key and the preset algorithm comprises:

and combining the third related key with the second candidate key to obtain an authentication key.

6. The method according to any one of claims 1-5, wherein after the obtaining the configuration request of the client and analyzing the configuration request by using a preset algorithm to obtain a key to be authenticated, the configuration request includes a key to be detected, where the key to be detected is obtained by deriving a client name from a first preset key, and after the determining whether the key to be authenticated is the same as an authentication key, where the authentication key is obtained by analyzing configuration information by presetting by using the preset algorithm, the method further includes:

acquiring preset configuration information from a configuration center;

and arranging and summarizing the preset configuration information according to preset rules to obtain a configuration file.

7. A profile generating apparatus, wherein the profile generating apparatus performs the profile generating method according to claim 1, the profile generating apparatus comprising:

The system comprises an analysis unit, a verification unit and a verification unit, wherein the analysis unit is used for acquiring a configuration request of a client, and analyzing the configuration request by utilizing a preset algorithm to obtain a key to be authenticated, the configuration request comprises a key to be detected, and the key to be detected is obtained by carrying out key derivation on a client name and a first preset key;

the judging unit is used for judging whether the key to be authenticated is the same as the authentication key, and the authentication key is obtained by analyzing the configuration information through preset algorithm;

a confirmation unit, configured to generate a session key if the authentication key is the same as the key to be authenticated;

and the feedback unit is used for feeding back a configuration file to the client through the session key, wherein the configuration file comprises the preset configuration information.

8. A profile generation apparatus, characterized by comprising:

the system comprises a memory and at least one processor, wherein instructions are stored in the memory, and the memory and the at least one processor are interconnected through a line;

the at least one processor invokes the instructions in the memory to cause the profile generation device to perform the profile generation method of any one of claims 1-6.

9. A computer readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the steps of a method of generating a configuration file as claimed in any one of claims 1 to 6.