CN111756749B - Secure access method, device, equipment and storage medium - Google Patents

Secure access method, device, equipment and storage medium Download PDF

Info

Publication number
CN111756749B
CN111756749B CN202010592653.9A CN202010592653A CN111756749B CN 111756749 B CN111756749 B CN 111756749B CN 202010592653 A CN202010592653 A CN 202010592653A CN 111756749 B CN111756749 B CN 111756749B
Authority
CN
China
Prior art keywords
request
access
parameter
request parameters
reordering
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010592653.9A
Other languages
Chinese (zh)
Other versions
CN111756749A (en
Inventor
汪博
罗韬
邵小亮
谢隆飞
程榆
邹斯韬
刘远浩
李曦晶
方圆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CCB Finetech Co Ltd filed Critical CCB Finetech Co Ltd
Priority to CN202010592653.9A priority Critical patent/CN111756749B/en
Publication of CN111756749A publication Critical patent/CN111756749A/en
Application granted granted Critical
Publication of CN111756749B publication Critical patent/CN111756749B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The embodiment of the application discloses a secure access method, a secure access device, a secure access equipment and a storage medium. The method comprises the following steps: if the number of the request parameters is at least two, sorting the request parameters, and dividing the request parameters into a preset number of parameter groups; reordering the request parameters in the parameter group to obtain reordering request parameters; and generating a digital signature according to the reordering request parameters for carrying out safe access on the safe access server. According to the method and the device, the request parameters in the parameter group are reordered, so that the phenomenon that an illegal visitor forges the digital signature by cracking a conventional ordering mode is avoided, and the safety of access is improved.

Description

Secure access method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of communication security, in particular to a secure access method, a device, equipment and a storage medium.
Background
With the continuous popularization of internet technology, various types of information systems can be deployed by each organization, and great convenience is brought to work and life of people. But simultaneously, network attackers are also ubiquitous, and can detect bugs on system access and achieve the purposes of illegal access, illegal operation and even system damage through the bugs. For example, a replay attack: the intruder X intercepts the message sent to the B by the A by some means, and then the X sends the intercepted message to the B directly, so that the B mistakenly regards the X as the A, the purpose of deceiving the system is achieved, and the method is mainly used for the identity authentication process and destroying the authentication correctness. It is also possible to hijack an attack for a request: the intruder X intercepts the message sent by the A to the B by some means, and then modifies part of parameters to achieve the aim of executing illegal operation.
At present, in order to avoid illegal access, a common scheme is to perform verification of a digital signature. However, for the current security access method and verification method, an illegal visitor is likely to break the generation method of the digital signature, so that illegal access is realized, and replay attack is difficult to defend only through verification of the digital signature.
Disclosure of Invention
The embodiment of the application provides a secure access method, a secure access device, a secure access equipment and a secure access storage medium, so that the security of a generated digital signature is improved through confusion sorting.
In one embodiment, an embodiment of the present application provides a secure access method, where the method includes:
if the number of the request parameters is at least two, sorting the request parameters, and dividing the request parameters into a preset number of parameter groups;
reordering the request parameters in the parameter group to obtain reordering request parameters;
and generating a digital signature according to the reordering request parameters for carrying out safe access on the safe access server.
In another embodiment, an embodiment of the present application further provides a security access device, where the security access device includes:
the request parameter grouping module is used for sequencing the request parameters and dividing the request parameters into a preset number of parameter groups if the number of the request parameters is at least two;
a reordering request parameter determining module, configured to reorder the request parameters in the parameter set to obtain reordering request parameters;
and the security access module is used for generating a digital signature according to the reordering request parameters and performing security access on the security access server.
In another embodiment, an embodiment of the present application further provides an apparatus, including: one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the secure access method of any of the embodiments of the present application.
In yet another embodiment, the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the secure access method according to any one of the embodiments of the present application.
In the embodiment of the application, under the condition that the number of the request parameters is at least two, the request parameters are sequenced and divided into the parameter groups with the preset number; the request parameters in the parameter group are reordered to obtain reordered request parameters, so that an illegal visitor is prevented from acquiring a conventional ordering mode, a digital signature is generated by adopting the ordering mode, the purpose of forging the digital signature is achieved, the digital signature is generated according to the reordered request parameters and is used for carrying out safe access on a safe access server, and therefore the digital signature is more unique, is difficult to crack or forge by the illegal visitor, and the access safety is improved.
Drawings
Fig. 1 is a schematic flowchart of a secure access method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of communication between a tenant application and a cloud service according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a secure access method according to another embodiment of the present invention;
FIG. 4 is a data access signaling diagram provided in accordance with yet another embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating a digital signature verification process according to another embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a security access device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a secure access device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It should be further noted that, for the convenience of description, only some structures related to the present invention are shown in the drawings, not all of them.
Fig. 1 is a schematic flowchart of a secure access method according to an embodiment of the present invention. The secure access method provided by this embodiment is applicable to a case where an access requester generates a digital signature according to request parameters, and specifically, may be used to improve a sorting manner of the request parameters, so as to generate the digital signature. The method may particularly be performed by a secure access apparatus, which may be implemented by means of software and/or hardware, which may be integrated in a secure access device. Referring to fig. 1, the method of the embodiment of the present application specifically includes:
s110, if the number of the request parameters is at least two, the request parameters are sequenced and divided into a preset number of parameter groups.
Specifically, as shown in fig. 2, the embodiment of the present application may be applicable to a case where a tenant accesses a database cluster in a cloud service by processing a service through the cloud service, and the tenant and the cloud service communicate with each other through a communication protocol, and during a data transmission process, communication data is likely to be intercepted by an illegal visitor, so as to implement illegal behaviors such as a replay attack or a request hijack attack. The scheme of the embodiment of the application provides an effective solution to the problems.
The request parameter is a request parameter of the access requester, and may include multiple request parameters in the form of a key-value pair. The sorting mode can be ascending sorting or reverse sorting according to the key values. The preset number may be set according to an actual situation, the number of the request parameters in each parameter group may be set according to the actual situation, the request parameters in each parameter group may be the same, for example, all are 3, or may be different, for example, the number of the request parameters in the first group is 2, the number of the request parameters in the second group is 3, the number of the request parameters in the third group is 4, and so on.
For example, in order to avoid an illegal visitor from acquiring a conventional request parameter sorting manner, the request parameters may be sorted first and then sorted confusingly, so that the illegal visitor cannot guess the sorting manner. If all the request parameters are subjected to confusion sorting processing, because a certain sequence relation still exists on the whole, the sorting rule in the request parameters is easy to determine, and therefore if the whole sorting of all the request parameters is directly processed, an illegal visitor still easily steps on the sorting mode, in the embodiment of the application, the request parameters are grouped, the sorting of the request parameters in each group is confused, and therefore the illegal visitor is difficult to guess the sorting mode by the sorting rule of a large number of request parameters, and further forge the digital signature.
S120, reordering the request parameters in the parameter group to obtain reordering request parameters.
The reordering is performed in a different manner from the ordering in S110. For example, if the request parameters are sorted in an ascending order, the request parameters in the parameter group may be sorted in a reverse order or sorted in an ascending order. And reordering the request parameters in the parameter group to obtain reordering parameter groups, wherein each reordering parameter group constitutes a reordering request parameter. Because the request parameters in each parameter group are reordered, an illegal visitor is difficult to guess the grouping mode and the sequencing mode in each parameter group, and the reordering request parameters are obtained by reordering the original sequencing request parameters after grouping, so that the digital signature cannot be forged by guessing the sequencing mode of the whole request parameters.
In this embodiment of the present application, reordering request parameters in the parameter set to obtain a reordering request parameter includes: reordering the request parameters in the parameter group according to the key values to obtain reordering request parameters; the reordering mode of the reordering request parameters is different from the ordering mode of the ordering request parameters.
And S130, generating a digital signature according to the reordering request parameters for carrying out safe access on the safe access server.
Illustratively, the reordering request parameters may be converted into a request parameter string, the request parameter string is subjected to Base64 encoding to obtain an encoded string, the encoded string is processed by using an information digest algorithm to obtain a digital signature, and then the access requester may send the digital signature to the secure access server, so that the secure access server verifies the validity of the access requester according to the digital signature to ensure the security of access.
In this embodiment of the present application, if the request parameter is one, the method further includes: determining a timestamp key value pair of the access request; combining the request parameter with the timestamp key value pair to obtain a combined request parameter; and determining a digital signature according to the combined request parameters for carrying out safe access on a safe access server.
Specifically, when the number of the request parameters is one, sorting is not needed, and in order to avoid that an illegal visitor knows the content according to which the secure access is based, the request parameters are combined with the timestamp key value pairs to obtain combined request parameters, and then a digital signature is determined according to the combined request parameters.
In the embodiment of the application, under the condition that the number of the request parameters is at least two, the request parameters are sequenced and divided into the parameter groups with the preset number; the request parameters in the parameter group are reordered to obtain reordered request parameters, so that an illegal visitor is prevented from acquiring a conventional ordering mode, a digital signature is generated by adopting the ordering mode, the purpose of forging the digital signature is achieved, the digital signature is generated according to the reordered request parameters and is used for carrying out safe access on a safe access server, and therefore the digital signature is more unique, is difficult to crack or forge by the illegal visitor, and the access safety is improved.
Fig. 3 is a flowchart illustrating a secure access method according to another embodiment of the present invention. Details which are not described in detail in the present embodiment are described in the above embodiments. Referring to fig. 3, the secure access method provided in this embodiment may include:
and S210, if the number of the request parameters is at least two, performing ascending sorting or descending sorting on the request parameters according to the key values to obtain sorting request parameters.
For example, for at least two request parameters, the at least two request parameters may be sorted according to the sequence from small to large of the ASCII codes corresponding to the keys of the at least two request parameters, or sorted according to the sequence from large to small of the ASCII codes corresponding to the keys of the at least two request parameters, which is not limited herein. The request parameters may be structured data, and are presented in a list form, and the sorting of the at least two request parameters according to the ascending order of the ASCII codes of the key values of the at least two request parameters may specifically be:
(1) The length of the parameter list is n, and a variable initial value i =0, j =0 is set; (2) Let the key of the ith request parameter in the request parameter list be X, X = a [ i ]. Key; (3) Comparing the size of the character string of A [ j ] key and X according to ASCII code, if A [ j ] key is less than X, then the two exchange positions, A [ j ] key is A [ i ] key exchanged for the exchange position of the current parameter list; (4) j + +, repeating step (3) until j = n-i-1; (5) i + +, repeating (2) to (4) until i = n-1.
S220, taking two adjacent request parameters as parameter pairs, wherein the request parameters in each parameter pair are different.
Illustratively, two adjacent request parameters can be taken as a parameter pair from the first or from any one, for example, A [0] key and A [1] key are a parameter pair, A [2] key and A [3] key are a parameter pair, A [4] key and A [5] key are a parameter pair, and so on. If a request parameter A [ n ] key is left at last, the other request parameters are not used for establishing the parameter pair.
And S230, exchanging the sequence of the request parameters in each parameter pair to obtain reordering parameters.
Illustratively, if the original request parameters are ordered into A [0] key, A [1] key, A [2] key, A [3] key, A [4] key, A [5] key, A [6] key according to the sequence of the ASCII codes corresponding to the keys of the request parameters from small to large, the order of the parameter pair A [0] key and the A [1] key is exchanged into A [1] key, A [0] key, A [2] key is exchanged into A [3] key, A [2] key, A [4] key and A [5] key is exchanged into A [5] key, A [4] key, and finally the reordering parameters are A [1] key, A [0] key, A [3] key, A [4] key, A [6] key.
S240, converting the reordering request parameters into request parameter character strings, and coding the request parameter character strings to obtain coded character strings.
In the embodiment of the application, the reordering request parameters are converted into the request parameter character string, and the request parameter character string is coded, so that the algorithm is simple, the coding and decoding efficiency is high, the coding result is not easy to read, the defense effect is enhanced, and the unprintable characters can be transmitted.
S250, generating a digital signature according to at least one of the identifier of the access requester, the random character string, the splicing character string and the timestamp and the coding character string; the spliced character string is obtained by combining the symbols.
Specifically, if the digital signature is generated only from the encoded character string, there may be a case where the generated digital signature is the same in the case of high concurrency, and therefore, in the embodiment of the present application, the digital signature may be combined with the encoded character string according to at least one of the identifier of the access requester, the random character string, the concatenation character string, and the timestamp, so that the unique identifier of the digital signature is implemented, and the two generated digital signatures are prevented from being the same.
In this embodiment of the present application, generating a digital signature according to at least one of an identifier of an access requester, the random string, a concatenation string, and a timestamp, and the encoding string includes: combining the coded character string, the identifier of the access requester, the random character string, the spliced character string and the timestamp to obtain a combined character string according to the sequence of the coded character string, the spliced character string, the identifier of the access requester, the spliced character string, the timestamp and the random character string; and processing the combined character string by adopting an information abstract algorithm to obtain a digital signature.
Specifically, a combined character string may be formed by "an encoding character string + a splicing character string + an identifier of an access requester + a splicing character string + a timestamp + a random character string", where the splicing character string may be a self-defined special character such as "& ^" to avoid adopting a conventional character and being guessed by an illegal visitor. The combined character string is processed by adopting an MD5 information abstract algorithm to obtain a digital signature, the uniqueness of the digital signature can be ensured through the identification, the timestamp and the random character string of the access requester, the safety of the digital signature can be ensured through splicing the character string and the random character string, and the digital signature is prevented from being forged and falsified.
In an embodiment of the present application, after generating the digital signature according to the reordering request parameter, the method further includes: generating an access request according to the coding character string, the identification of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature; and sending the access request to a security access server, and verifying the signature by the security access server according to the request parameters, the identifier of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature.
In this embodiment of the present application, the process of the secure access server performing digital signature verification may be: determining an access type according to the access request data; if the access type is a preset access type, determining whether the digital signature in the access request data is consistent with the candidate digital signature in a pre-stored database; and if so, determining that the access request is an illegal access request. The preset access type comprises at least one access type except query access. Determining an access type according to the access request data, including: and if the transaction code in the access request data is matched with a pre-stored transaction code with a preset access type, determining that the access type of the access request is the preset access type. The method further comprises the following steps: and if the access type is not a preset access type or is a preset access type, and the digital signature in the access request data is inconsistent with the candidate digital signature in the pre-stored database, performing security check on the digital signature. And performing security check on the digital signature, including: determining an access digital signature according to the coding character string, the access requester identifier, the random character string, the splicing character string and the timestamp in the access request data; if the access digital signature is consistent with the digital signature in the access request data, the digital signature passes the safety verification; the digital signature in the access request data is generated by an access requester according to a coding character string, an access requester identifier, a random character string, a splicing character string and a timestamp, the coding character string is obtained by the access requester by converting a rearrangement request parameter into a parameter character string and coding, the rearrangement request parameter is obtained by the access requester by sorting the request parameter and then dividing the request parameter into a preset number of parameter groups, and the request parameter in the parameter groups is obtained by re-sorting. The method further comprises the following steps: and if the access type of the access request is a preset access type and the access request is a legal access request, storing the digital signature of the access request in a pre-storage database. After saving the digital signature of the access request in a pre-stored database, the method further comprises: if the digital signature storage time of the access request in the pre-stored database meets the preset storage time, deleting the digital signature from the pre-stored database; wherein the preset saving time is consistent with the Token valid time of the access request.
According to the technical scheme of the embodiment of the application, the reordering request parameters are obtained by reordering the request parameters in the parameter group, so that an illegal visitor is prevented from acquiring a conventional ordering mode, a digital signature is generated by adopting the ordering mode, the purpose of forging the digital signature is achieved, the uniqueness of the digital signature can be ensured by introducing the identification, the timestamp and the random character string of the access requester, the safety of the digital signature can be ensured by introducing the splicing character string and the random character string, and the digital signature is prevented from being forged and falsified.
Fig. 4 is a flowchart of a specific implementation of secure access according to an embodiment of the present invention. Details which are not described in detail in the present embodiment are described in the above embodiments. Referring to fig. 4, the specific process of the secure access provided by this embodiment may include:
and the tenant application assembles the request Token parameter, generates a data signature and sends the request Token parameter and the digital signature to the security access server. And the secure access server verifies the received Token parameter and the digital signature and generates the Token. And the security access server saves the Token in the distributed cache server, and returns the Token to the tenant application, and the tenant application caches the Token. When the tenant application needs to access the security access server, the message is assembled, the message, the Token and the data signature are sent to the security access server, the security access server verifies the Token sent by the tenant application according to the Token stored in the distributed cache server, and if the verification is passed, the digital signature is verified.
As shown in fig. 5, the process of verifying the digital signature is that the secure access server receives a message, token, and digital signature SignF sent by the tenant application, and an identifier, a random string, a concatenation string, and a timestamp of an access requester, and queries whether a transaction code of the access request in the message is in an important transaction white list. The transaction code is a code representing the operation type of the current access request, for example, for a data query operation, the transaction code corresponding to the query operation, and for a data modification operation, the transaction code corresponding to the modification operation, because the query operation does not affect the data, and the modification operation affects the data, the operation that can affect the data, such as the modification operation, is determined as an important transaction. Because only the transaction codes of the operations which can cause the data to change are stored in the important transaction white list, instead of storing the transaction codes of all the operations, the problem that the performance is affected because a large number of digital signatures are stored in the distributed cache after a large number of non-important transactions are applied by the tenant is received is avoided. The important trade white list stores the trade code corresponding to the important trade. Therefore, the secure access server can compare the received transaction code with the transaction codes in the important transaction white list to determine whether the currently requested transaction is an important transaction. If the transaction is important, further inquiring whether the digital signature SignF is stored in the distributed cache, if the digital signature SignF is in the distributed cache, it indicates that the tenant application exists before to carry the digital signature for access, and if the tenant application continues to access, the regenerated digital signature should be updated and is different from the original digital signature, so that the current access is known to be a replay attack of an illegal visitor. If the digital signature SignF is not in the distributed cache or the transaction code of the access request is not in the important transaction white list, the digital signature SignF is verified. And the security access server generates a digital signature SignB according to the request parameters, the identifier of the access request party, the random character string, the splicing character string and the time stamp, the generation method of the digital signature SignB is consistent with the generation method of the digital signature SignF, the digital signature SignF and the digital signature SignB are compared, if the digital signature SignB is consistent with the digital signature SignF, the verification is passed, the access request is processed to obtain a processing result, the processing result is returned to the tenant application, and the SignB is stored in the distributed cache. And if the SignF is inconsistent with the SignB, determining that the access request is illegal access, and returning an error. For the access request of the transaction code in the important transaction white list, besides the request hijack attack, whether the request hijack attack is the replay attack can be verified, and the access request of the transaction code outside the important transaction white list only needs to be verified whether the request hijack attack is the replay attack.
In the embodiment of the application, the SignB is placed in the distributed cache and deleted from the distributed cache after the preset time is saved, so as to save the cache space, wherein the preset time is consistent with the effective time of the Token, if the illegal visitor initiates the replay attack again after the preset time is exceeded, although the saved Token in the distributed cache is deleted, the security access server cannot determine the illegal visitor as the replay attack, but the Token of the illegal visitor is invalid at this time and cannot pass the Token check, so that the replay attack of the illegal visitor is effectively intercepted.
The embodiment of the application can defend request hijack attack and replay attack by combining the design of the digital signature rule with the conventional Token. The ordering algorithm of the parameters sent by the requester is improved, the parameters are ordered according to the ASCII codes, disordered through transposition, and assembled through special character strings, so that the condition that only one parameter exists is specially processed, and the possibility of guessing by an attacker is reduced. The requests in the white list can check whether the requests are replay attacks or not besides the requests in the white list, and the requests outside the white list only check the requests in the white list, so that the performance problem caused by the excessive number of the stored digital signatures in the cache database can be avoided.
Fig. 6 is a schematic structural diagram of a security access apparatus according to an embodiment of the present invention. The device can be applied to the condition of generating the digital signature according to the request parameters of the access requester, and particularly can be used for improving the ordering mode of the request parameters so as to generate the digital signature. The apparatus may be implemented in software and/or hardware, and the apparatus may be integrated in a secure access device. Referring to fig. 6, the apparatus specifically includes:
a request parameter grouping module 310, configured to, if the number of the request parameters is at least two, sort the request parameters and divide the request parameters into a preset number of parameter groups;
a reordering request parameter determining module 320, configured to reorder the request parameters in the parameter set to obtain reordering request parameters;
and the security access module 330 is configured to generate a digital signature according to the reordering request parameter, and perform security access on the security access server.
In this embodiment of the present application, the request parameter grouping module 310 includes:
and the key value sorting unit is used for performing ascending sorting or reverse sorting on the request parameters according to the key values to obtain sorting request parameters.
In an embodiment of the present application, the reordering request parameter determining module 320 includes:
the key value reordering unit is used for reordering the request parameters in the parameter group according to the key value to obtain reordering request parameters; the reordering mode of the reordering request parameters is different from the ordering mode of the ordering request parameters.
In this embodiment of the present application, the request parameter grouping module 310 includes:
the parameter pair determining unit is used for taking two adjacent request parameters as parameter pairs, wherein the request parameters in each parameter pair are different;
accordingly, the reordering request parameter determining module 320 comprises:
and the exchanging unit is used for exchanging the request parameter sequence in each parameter pair to obtain the reordering parameter.
In this embodiment, the security access module 330 includes:
the encoding character string determining unit is used for converting the reordering request parameters into request parameter character strings and encoding the request parameter character strings to obtain encoding character strings;
the combination unit is used for generating a digital signature according to at least one of the identification of the access requester, the random character string, the splicing character string and the timestamp and the coding character string; the spliced character string is obtained by combining the symbols.
In an embodiment of the present application, the combining unit includes:
the combined character string determining subunit is used for combining the coded character string, the identifier of the access requester, the random character string, the spliced character string and the timestamp according to the coded character string, the spliced character string, the identifier of the access requester, the spliced character string, the timestamp and the sequence of the random character string to obtain a combined character string;
and the information abstract algorithm processing subunit is used for processing the combined character string by adopting an information abstract algorithm to obtain the digital signature.
In an embodiment of the present application, the apparatus further includes:
the access request generation module is used for generating an access request according to the coding character string, the identifier of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature;
and the access request sending module is used for sending the access request to the security access server so that the security access server checks the signature according to the request parameters, the identifier of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature.
In this embodiment of the present application, if the request parameter is one, the apparatus further includes:
the timestamp key-value pair determining module is used for determining the timestamp key-value pair of the access request;
the combined request parameter determining module is used for combining the request parameters with the timestamp key value pairs to obtain combined request parameters;
and the signature generating module is used for determining a digital signature according to the combined request parameter and is used for carrying out safe access on a safe access server.
The security access device provided by the embodiment of the application can execute the security access method provided by any embodiment of the application, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 7 is a schematic structural diagram of a security access device according to an embodiment of the present invention. Fig. 7 illustrates a block diagram of an exemplary secure access device 412 suitable for use in implementing embodiments of the present application. The security access device 412 shown in fig. 7 is only an example, and should not bring any limitations to the function and scope of use of the embodiments of the present application.
As shown in fig. 7, the secure access device 412 may include: one or more processors 416; the memory 428 is configured to store one or more programs, and when the one or more programs are executed by the one or more processors 416, the one or more processors 416 are enabled to implement the secure access method provided in the embodiment of the present application, including:
if the number of the request parameters is at least two, sorting the request parameters, and dividing the request parameters into a preset number of parameter groups;
reordering request parameters in the parameter group to obtain reordering request parameters;
and generating a digital signature according to the reordering request parameters for carrying out safe access on the safe access server.
The components of the secure access device 412 may include, but are not limited to: one or more processors or processors 416, a memory 428, and a bus 418 that couples the various device components including the memory 428 and the processors 416.
Bus 418 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The security access device 412 typically includes a variety of computer device readable storage media. These storage media may be any available storage media that can be accessed by secure access device 412, including volatile and non-volatile storage media, removable and non-removable storage media.
Memory 428 can include computer-device readable storage media in the form of volatile memory, such as Random Access Memory (RAM) 430 and/or cache memory 432. The secure access device 412 may further include other removable/non-removable, volatile/nonvolatile computer device storage media. By way of example only, storage device 434 may be used to read from and write to non-removable, nonvolatile magnetic storage media (not shown in FIG. 7 and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical storage medium) may be provided. In these cases, each drive may be connected to bus 418 by one or more data storage media interfaces. Memory 428 can include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 440 having a set (at least one) of program modules 442 may be stored, for instance, in memory 428, such program modules 442 including, but not limited to, an operating device, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. The program modules 442 generally perform the functions and/or methodologies of the described embodiments of the invention.
The secure access device 412 may also communicate with one or more external devices 414 (e.g., keyboard, pointing device, display 426, etc.), with one or more devices that enable a user to interact with the secure access device 412, and/or with any devices (e.g., network card, modem, etc.) that enable the secure access device 412 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 422. Also, secure access device 412 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through network adapter 420. As shown in fig. 7, network adapter 420 communicates with the other modules of secure access device 412 via bus 418. It should be appreciated that although not shown in FIG. 7, other hardware and/or software modules may be used in conjunction with the secure access device 412, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID devices, tape drives, and data backup storage devices, among others.
The processor 416 performs various functional applications and data processing, such as implementing a secure access method provided by embodiments of the present application, by executing at least one of the other programs stored in the memory 428.
One embodiment of the present invention provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of secure access, comprising:
if the number of the request parameters is at least two, sorting the request parameters, and dividing the request parameters into a preset number of parameter groups;
reordering request parameters in the parameter group to obtain reordering request parameters;
and generating a digital signature according to the reordering request parameters for carrying out safe access on the safe access server.
The computer storage media of the embodiments of the present application may take any combination of one or more computer-readable storage media. The computer readable storage medium may be a computer readable signal storage medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor device, apparatus, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the present application, a computer readable storage medium may be any tangible storage medium that can contain, or store a program for use by or in connection with an instruction execution apparatus, device, or apparatus.
A computer readable signal storage medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal storage medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution apparatus, device, or apparatus.
Program code embodied on a computer readable storage medium may be transmitted using any appropriate storage medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or device. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in some detail by the above embodiments, the invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the invention, and the scope of the invention is determined by the scope of the appended claims.

Claims (9)

1. A secure access method, the method comprising:
if the number of the request parameters is at least two, sorting the request parameters, and dividing the request parameters into a preset number of parameter groups;
reordering request parameters in the parameter group to obtain reordering request parameters;
generating a digital signature according to the reordering request parameters for performing secure access to a secure access server, wherein the secure access server is used for receiving an access request sent by an access requesting party, inquiring whether a transaction code of the access request is in an important transaction white list, checking whether the access request of the transaction code in the important transaction white list is a request hijack attack and whether the access request is a replay attack, and checking whether the access request of the transaction code outside the important transaction white list is the request hijack attack; the important trade white list is used for storing trade codes of operations for changing data;
if the request parameter is one, determining a timestamp key value pair of the access request;
combining the request parameter with the timestamp key value pair to obtain a combined request parameter;
determining a digital signature for carrying out safe access on a safe access server according to the combined request parameter;
wherein dividing the request parameters into a preset number of parameter groups comprises:
taking two adjacent request parameters as parameter pairs, wherein the request parameters in each parameter pair are different;
correspondingly, reordering the request parameters in the parameter group to obtain reordered request parameters includes:
request parameter sequences in each parameter pair are mixed, and the request parameter sequences in each parameter pair are exchanged to obtain reordering parameters.
2. The method of claim 1, wherein ordering request parameters comprises:
and performing ascending sorting or reverse sorting on the request parameters according to the key values to obtain sorting request parameters.
3. The method of claim 2, wherein reordering request parameters in the parameter set to obtain reordered request parameters comprises:
reordering the request parameters in the parameter group according to key values to obtain reordering request parameters; the reordering mode of the reordering request parameters is different from the ordering mode of the ordering request parameters.
4. The method of claim 1, wherein generating a digital signature based on the reordering request parameters comprises:
converting the reordering request parameters into request parameter character strings, and coding the request parameter character strings to obtain coded character strings;
generating a digital signature according to at least one of the identifier of the access requester, the random character string, the splicing character string and the timestamp, and the encoding character string; the spliced character string is obtained by combining the symbols.
5. The method of claim 4, wherein generating a digital signature based on at least one of an identification of an access requester, a random string, a concatenation string, and a timestamp, and the encoding string comprises:
combining the coded character string, the identifier of the access requester, the random character string, the spliced character string and the timestamp to obtain a combined character string according to the sequence of the coded character string, the spliced character string, the identifier of the access requester, the spliced character string, the timestamp and the random character string;
and processing the combined character string by adopting an information abstract algorithm to obtain a digital signature.
6. The method of claim 5, wherein after generating the digital signature according to the reordering request parameters, the method further comprises:
generating an access request according to the coded character string, the identifier of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature;
and sending the access request to a secure access server, and verifying the signature by the secure access server according to the request parameters, the identification of the access requester, the splicing character string, the timestamp, the sequence of the random character string and the digital signature.
7. A secure access apparatus, the apparatus comprising:
the request parameter grouping module is used for sequencing the request parameters and dividing the request parameters into a preset number of parameter groups if the number of the request parameters is at least two;
a reordering request parameter determining module, configured to reorder the request parameters in the parameter set to obtain reordering request parameters;
the safety access module is used for generating a digital signature according to the reordering request parameters and carrying out safety access on a safety access server, wherein the safety access server is used for receiving an access request sent by an access request party, inquiring whether a transaction code of the access request is in an important transaction white list, checking whether the access request of the transaction code in the important transaction white list is a request hijack attack and whether the access request is a replay attack, and checking whether the access request of the transaction code outside the important transaction white list is the request hijack attack; the important trade white list is used for storing trade codes of operations for changing data;
the request parameter grouping module comprises a parameter pair determining unit, and is specifically used for taking two adjacent request parameters as parameter pairs, wherein the request parameters in the parameter pairs are different;
the reordering request parameter determining module comprises a exchanging unit, and is specifically configured to exchange the request parameter sequence in each parameter pair to obtain reordering parameters.
8. A secure access device, the device comprising:
one or more processors;
a memory for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the secure access method of any of claims 1-6.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the secure access method according to any one of claims 1 to 6.
CN202010592653.9A 2020-06-24 2020-06-24 Secure access method, device, equipment and storage medium Active CN111756749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010592653.9A CN111756749B (en) 2020-06-24 2020-06-24 Secure access method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010592653.9A CN111756749B (en) 2020-06-24 2020-06-24 Secure access method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111756749A CN111756749A (en) 2020-10-09
CN111756749B true CN111756749B (en) 2022-11-04

Family

ID=72677286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010592653.9A Active CN111756749B (en) 2020-06-24 2020-06-24 Secure access method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111756749B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116189895B (en) * 2023-04-10 2023-07-07 深圳曼瑞德科技有限公司 Control method and device of health detection equipment, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7631193B1 (en) * 1994-11-28 2009-12-08 Yt Acquisition Corporation Tokenless identification system for authorization of electronic transactions and electronic transmissions
US8453221B2 (en) * 2007-12-19 2013-05-28 Microsoft International Holdings B.V. Method for improving security in login and single sign-on procedures

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007104044A (en) * 2005-09-30 2007-04-19 Toshiba Corp Authentication information providing system and method, and program
CN104935568A (en) * 2015-04-20 2015-09-23 成都康赛信息技术有限公司 Interface authentication signature method facing cloud platform
CN106656953A (en) * 2016-09-23 2017-05-10 焦点科技股份有限公司 Method for realizing safe interface calling between systems based on Internet
CN106533658A (en) * 2017-01-11 2017-03-22 安徽博约信息科技股份有限公司 URL tamper-proofing signature and signature verification method based on MD5 algorithm
CN110839004A (en) * 2018-08-16 2020-02-25 北京京东尚科信息技术有限公司 Method and device for access authentication
CN109714370B (en) * 2019-03-07 2021-04-02 四川长虹电器股份有限公司 HTTP (hyper text transport protocol) -based cloud security communication implementation method
CN110221925A (en) * 2019-05-13 2019-09-10 平安科技(深圳)有限公司 Processing method, device and the computer equipment of data submission request
CN110851210A (en) * 2019-11-12 2020-02-28 北京字节跳动网络技术有限公司 Interface program calling method, device, equipment and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7631193B1 (en) * 1994-11-28 2009-12-08 Yt Acquisition Corporation Tokenless identification system for authorization of electronic transactions and electronic transmissions
US8453221B2 (en) * 2007-12-19 2013-05-28 Microsoft International Holdings B.V. Method for improving security in login and single sign-on procedures

Also Published As

Publication number Publication date
CN111756749A (en) 2020-10-09

Similar Documents

Publication Publication Date Title
CN108961052B (en) Verification method, storage method, device, equipment and medium of block chain data
CN111756750B (en) Secure access method, device, equipment and storage medium
CN111163182B (en) Block chain-based device registration method and apparatus, electronic device, and storage medium
US20160104068A1 (en) Match engine for detection of multi-pattern rules
CN108683667B (en) Account protection method, device, system and storage medium
CN112528262A (en) Application program access method, device, medium and electronic equipment based on token
CN110489466B (en) Method and device for generating invitation code, terminal equipment and storage medium
CN110851748A (en) Short link generation method, server, storage medium and computer equipment
WO2015010568A1 (en) Method,apparatus and server for identity authentication
CN110888838A (en) Object storage based request processing method, device, equipment and storage medium
CN112511316B (en) Single sign-on access method and device, computer equipment and readable storage medium
CN110311880A (en) Method for uploading, the apparatus and system of file
CN113132416B (en) Data packet detection method and device
CN110601832A (en) Data access method and device
CN111143808B (en) System security authentication method and device, computing equipment and storage medium
CN111756749B (en) Secure access method, device, equipment and storage medium
CN109088872B (en) Using method and device of cloud platform with service life, electronic equipment and medium
CN112235104B (en) Data encryption transmission method, system, terminal and storage medium
CN114615031A (en) File storage method and device, electronic equipment and storage medium
CN112600864A (en) Verification code verification method, device, server and medium
CN112711696A (en) Request access method, device, electronic equipment and storage medium
CN109150898B (en) Method and apparatus for processing information
CN114978646A (en) Access authority determination method, device, equipment and storage medium
CN115242402A (en) Signature method, signature verification method and electronic equipment
US20210203650A1 (en) Data message authentication based on a random number

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20220920

Address after: 12 / F, 15 / F, 99 Yincheng Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai, 200120

Applicant after: Jianxin Financial Science and Technology Co.,Ltd.

Address before: 25 Financial Street, Xicheng District, Beijing 100033

Applicant before: CHINA CONSTRUCTION BANK Corp.

Applicant before: Jianxin Financial Science and Technology Co.,Ltd.

GR01 Patent grant
GR01 Patent grant