CN112948896A - Signature information verification method and information signature method - Google Patents

Signature information verification method and information signature method Download PDF

Info

Publication number
CN112948896A
CN112948896A CN202110120397.8A CN202110120397A CN112948896A CN 112948896 A CN112948896 A CN 112948896A CN 202110120397 A CN202110120397 A CN 202110120397A CN 112948896 A CN112948896 A CN 112948896A
Authority
CN
China
Prior art keywords
signature
information
signed
client
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110120397.8A
Other languages
Chinese (zh)
Inventor
魏捷
谢红宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Xunlei Network Culture Co ltd
Original Assignee
Shenzhen Xunlei Network Culture Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Xunlei Network Culture Co ltd filed Critical Shenzhen Xunlei Network Culture Co ltd
Priority to CN202110120397.8A priority Critical patent/CN112948896A/en
Publication of CN112948896A publication Critical patent/CN112948896A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a signature information verification method and an information signature method. The signature information verification method comprises the following steps: the client side obtains at least two groups of signature parameter combinations and initial information to be signed, the signature parameter combinations carry out signature encryption on the initial information to be signed one by one according to a first preset sequence to obtain a final signature result, and the signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption. And the client sends the final signature result to the server. The server side obtains at least two groups of signature parameter combinations and initial information to be signed; the signature parameter combination is used for carrying out signature encryption on the initial information to be signed one by one according to a first preset sequence to obtain a target signature result; and if the server side judges that the final signature result is matched with the target signature result, the verification is judged to be passed. Through the mode, the invention can improve the security of information signature encryption.

Description

Signature information verification method and information signature method
Technical Field
The present invention relates to the field of information security, and in particular, to a method for verifying signature information and an information signature method.
Background
In a security attack and defense scene, a client requests for tampering, which is one of the most common attack and defense scenes. The corresponding defense strategies mainly include: client signing, application hardening, code obfuscation, and anti-debugging, among others.
At present, a common signature scheme is mainly to encrypt a client request through a fixed key and a hash algorithm to generate a corresponding signature result, and a server side performs signature verification by using the same method, so that the integrity of the request is ensured, and a middleman can be prevented from tampering the client request to a certain extent. However, if the attacker obtains the fixed secret key and the hash algorithm through a decompilation method, the client request can be tampered arbitrarily, so that the role of the signature algorithm is greatly reduced.
Disclosure of Invention
In view of the above, the present invention provides a method for verifying signature information and an information signature method, which can improve the security of information signature encryption.
In order to solve the technical problems, the invention adopts a technical scheme that: provided is an information signing method including: acquiring at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed; signature encryption is carried out on the initial information to be signed one by one according to a first preset sequence by the signature parameter combinations until all the signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed for next signature encryption; and sending the final signature result to a server side.
In an embodiment of the present invention, the step of obtaining at least two sets of signature parameter combinations includes: sending the identity identification information to a server side so that the server side generates at least two groups of signature parameter combinations corresponding to the identity identification information; at least two sets of signature parameter combinations are received.
In an embodiment of the present invention, the step of performing signature encryption on the initial information to be signed one by one according to a first predetermined sequence by combining the signature parameters includes: sending a signature parameter request to a server side, so that the server side responds to the signature parameter request and feeds back a signature parameter corresponding to the signature parameter request to a client side or feeds back address information for storing the signature parameter to the client side; receiving a signature parameter or receiving address information.
In an embodiment of the present invention, the step of obtaining at least two sets of signature parameter combinations comprises: and respectively storing each group of signature parameter combination in different files.
In an embodiment of the present invention, the step of obtaining at least two sets of signature parameter combinations includes: respectively generating corresponding signature functions according to the signature algorithm and the secret key of each group of signature parameter combination; the step of carrying out signature encryption on the initial information to be signed one by one according to a first preset sequence by combining all the signature parameters comprises the following steps: and the signature functions carry out signature encryption on the initial information to be signed one by one according to a first preset sequence.
In an embodiment of the present invention, the initial information to be signed includes a device unique identifier and a timestamp of the client; the step of sending the final signature result to the server side comprises the following steps: sending the final signature result, the unique equipment identifier and the timestamp to a server side so that the server side can judge whether the unique equipment identifier is matched with the unique target equipment identifier or not, wherein the unique target equipment identifier is determined by the server side according to the identity identifier information of the client side; and judging whether the interval duration from the current time point to the time point corresponding to the timestamp exceeds a preset duration or not.
In order to solve the technical problem, the invention adopts another technical scheme that: provided is a method for verifying signature information, including: receiving a final signature result sent by a client; acquiring at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed; signature encryption is carried out on the initial information to be signed one by one according to a first preset sequence by the signature parameter combinations until all the signature parameter combinations are traversed to obtain a target signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed for next signature encryption; judging whether the final signature result is matched with a target signature result; if yes, the verification is judged to be passed.
In an embodiment of the present invention, the step of receiving the final signature result sent by the client includes: receiving identity identification information sent by a client; generating at least two different groups of signature parameter combinations according to different identity information; and sending the at least two groups of signature parameter combinations to the client.
In an embodiment of the present invention, the step of receiving the final signature result sent by the client includes: receiving a signature parameter request sent by a client; responding to the signature parameter request, and acquiring the signature parameter corresponding to the signature parameter request or acquiring address information for storing the signature parameter; and sending the signature parameters or the address information to the client.
In an embodiment of the present invention, the step of receiving a signature parameter request sent by a client includes: responding to the signature parameter request, and judging whether the signature parameter request is in an abnormal state; if yes, sending the wrong signature parameter or address information to the client, or not processing the signature parameter request.
In an embodiment of the present invention, the initial information to be signed includes a device unique identifier and a timestamp of the client; the step of receiving the final signature result sent by the client comprises the following steps: receiving a final signature result, a unique device identifier and a timestamp sent by a client; the step of judging that the verification is passed further comprises the following steps: judging whether the unique equipment identifier is matched with the unique target equipment identifier, wherein the unique target equipment identifier is determined by the server side according to the identity identifier information of the client side; judging whether the interval duration from the current time point to the time point corresponding to the timestamp exceeds a preset duration or not; and if the unique equipment identifier is matched with the unique target equipment identifier and the interval time from the current time point to the time point corresponding to the timestamp does not exceed the preset time, judging that the verification is passed.
In order to solve the technical problem, the invention adopts another technical scheme that: provided is a method for verifying signature information, including: the method comprises the steps that a client side obtains at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed, and the at least two groups of signature parameter combinations and the initial information to be signed are generated by a server according to client side information; the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence until all signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed of next signature encryption; the client sends the final signature result to the server; the server side obtains at least two groups of signature parameter combinations and initial information to be signed; the server side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all signature parameter combinations until all signature parameter combinations are traversed to obtain a target signature result; the server side judges whether the final signature result is matched with the target signature result; if yes, the verification is judged to be passed.
In order to solve the technical problem, the invention adopts another technical scheme that: there is provided a method of verifying signature information, the method comprising: the method comprises the steps that a client side obtains at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed; the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence until all signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed of next signature encryption; the client sends the final signature result to the server; the server side obtains at least two groups of decryption parameter combinations and initial information to be signed, wherein the decryption parameter combinations correspond to the signature parameter combinations one to one, each group of decryption parameter combinations respectively comprise decryption algorithms and keys, and the decryption algorithms and the keys of each group of decryption parameter combinations are used for decrypting signature results of the corresponding signature parameter combinations; the server side decrypts the decryption parameter combinations one by one according to a second preset sequence until all decryption parameter combinations are traversed to obtain target decryption information, wherein decryption information obtained by each decryption is used as information to be decrypted next time; the server side judges whether the target decryption information is matched with the initial information to be signed or not; if yes, the verification is judged to be passed.
In order to solve the technical problem, the invention adopts another technical scheme that: provided is a method for verifying signature information, including: receiving a final signature result sent by a client, wherein the final signature result is obtained by combining, signing and encrypting at least two groups of signature parameters; acquiring at least two groups of decryption parameter combinations and initial information to be signed, wherein the decryption parameter combinations correspond to the signature parameter combinations one to one, each group of decryption parameter combinations respectively comprise decryption algorithms and keys, and the decryption algorithms and the keys of each group of decryption parameter combinations are used for decrypting signature results of the corresponding signature parameter combinations; decrypting the final signature result one by one according to a second predetermined sequence until all decryption parameter combinations are traversed to obtain target decryption information, wherein the decryption information obtained by each decryption is used as information to be decrypted next time; judging whether the target decryption information is matched with the initial information to be signed; if yes, the verification is judged to be passed.
The invention has the beneficial effects that: the invention provides a signature information verification method and an information signature method, which are different from the prior art. In the verification method, a client carries out signature encryption on initial information to be signed one by one according to a first preset sequence by combining various signature parameters, and a signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption. The server side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all the signature parameter combinations until all the signature parameter combinations are traversed to obtain a target signature result, and the signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption; or the server side decrypts the final signature results one by one according to a second preset sequence until all the decryption parameter combinations are traversed to obtain target decryption information, wherein the result obtained by each decryption is used as the information to be decrypted next time. Therefore, when the final signature result matches the target signature result or the target decryption information matches the initial information to be signed, the server judges that the verification is passed, which means that an attacker needs to decode all algorithms and keys applied by the invention, thereby greatly improving the complexity of tampering and improving the security of information signature encryption.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. Moreover, the drawings and the description are not intended to limit the scope of the inventive concept in any way, but rather to illustrate it by those skilled in the art with reference to specific embodiments.
FIG. 1 is a flowchart illustrating a first embodiment of a method for verifying signature information according to the present invention;
FIG. 2 is a flowchart illustrating a second embodiment of the signature information verification method according to the present invention;
FIG. 3 is a flowchart illustrating an embodiment of a method for a client to obtain signature parameters according to the present invention;
FIG. 4 is a flowchart illustrating an information signing method according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a third embodiment of the signature information verification method according to the present invention;
FIG. 6 is a flowchart illustrating a fourth embodiment of the signature information verification method according to the present invention;
fig. 7 is a flowchart illustrating a fifth embodiment of the signature information verification method according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
In order to solve the technical problem of insufficient security of information signature encryption in the prior art, an embodiment of the invention provides a signature information verification method. The signature information verification method comprises the following steps: the method comprises the steps that a client side obtains at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed; the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence until all signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed of next signature encryption; the client sends the final signature result to the server; the server side obtains at least two groups of signature parameter combinations and initial information to be signed; the server side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all signature parameter combinations until all signature parameter combinations are traversed to obtain a target signature result; the server side judges whether the final signature result is matched with the target signature result; if yes, the verification is judged to be passed. As described in detail below.
Referring to fig. 1, fig. 1 is a flowchart illustrating a first embodiment of a method for verifying signature information according to the present invention.
It should be noted that, in this embodiment, the main implementation body of the verification method of the signature information is a system formed by a client and a server, and the following detailed description is made on a specific implementation manner of the first embodiment of the verification method of the signature information, but the verification method of the signature information described in this embodiment is not limited to the following steps:
s101: the client side obtains at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the client side obtains at least two groups of signature parameter combinations and initial information to be signed in advance, wherein each group of signature parameter combinations respectively comprises a signature algorithm and a secret key, the signature algorithm and the secret key are used for performing signature encryption on the information to be signed, and the initial information to be signed is the initial information to be encrypted, so that the burden of the client side for obtaining and processing the information is reduced.
S102: the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all signature parameter combinations until all signature parameter combinations are traversed to obtain a final signature result;
in this embodiment, after the client acquires at least two sets of signature parameter combinations and the initial information to be signed, the client signs and encrypts the initial information to be signed one by one according to a first predetermined sequence until all the signature parameter combinations are traversed to obtain a final signature result, so that the security of the information signature method is increased, and the decoding complexity of an attacker is increased.
The signature result obtained by signature encryption at each time is used as the information to be signed for signature encryption at the next time, so that an attacker needs to decode all signature algorithms and keys when decoding, the complexity of tampering is greatly improved, and the security of information signature encryption can be further improved.
S103: the client sends the final signature result to the server;
in this embodiment, after the client obtains the final signature result, the client sends the final signature result to the server, so that the final signature result is verified by the server, and the security of signature information verification is improved.
S104: the server side obtains at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the server side obtains at least two groups of signature parameter combinations and initial information to be signed, where each group of signature parameter combination includes a signature algorithm and a key, respectively, the signature algorithm and the key are used to perform signature encryption on the information to be signed, and the initial information to be signed is the initial information to be encrypted. Moreover, at least two groups of signature parameter combinations and initial information to be signed acquired by the server side are consistent with at least two groups of signature parameter combinations and initial information to be signed acquired by the client side, so that the final signature result can be verified by the server side.
S105: the server side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all signature parameter combinations until all signature parameter combinations are traversed to obtain a target signature result;
in this embodiment, after the server side obtains at least two sets of signature parameter combinations and the initial information to be signed, the server side performs signature encryption on the initial information to be signed one by one according to the first predetermined sequence again for each signature parameter combination until all signature parameter combinations are traversed to obtain a target signature result. The signature encryption process of the server side should be the same as the encryption process of the client side set forth in step S102, so that the server side can obtain the target signature result that is not tampered, by encrypting the initial information to be signed, so as to verify the final signature result.
S106: the server side judges whether the final signature result is matched with the target signature result;
in this embodiment, after the server side obtains the target signature result, it is determined whether the final signature result matches the target signature result, so that an autonomous response behavior is made according to the determination result, and the security of information signature encryption is improved.
S107: if yes, judging that the verification is passed;
in this embodiment, if the server determines that the final signature result matches the target signature result, it may be determined that the final target result is not decoded and tampered by an attacker, and it is determined that the verification is passed, so that the server and the client may continue to execute normal business logic.
When the content of the final signature result is consistent with the corresponding content in the target signature result, the final signature result may be considered to be matched with the target signature result, which is not limited herein.
In the conventional information signature scheme, if an attacker obtains a signature algorithm and a secret key of a signature parameter combination through a decompilation means, the client request can be tampered arbitrarily. Generally, at this time, a common coping scheme of the client is to update the signature algorithm and the key, and reissue the updated client, but since the attacker already records the address of the encrypted code, the attacker still can easily decompile the reissued client version to obtain the updated signature algorithm and the key, so that the effect of signature parameter combination is greatly reduced.
However, in the method for verifying signature information provided by this embodiment, the client performs signature encryption on the initial information to be signed one by one according to the first predetermined sequence by combining the signature parameters, and a signature result obtained by encrypting each signature is used as the information to be signed for encrypting the next signature. And the server side carries out signature encryption on the initial information to be signed one by one according to the same first preset sequence for all the signature parameter combinations until all the signature parameter combinations are traversed to obtain a target signature result, and the signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption. Therefore, when the final signature result matches the target signature result, the server determines that the verification is passed, which means that an attacker needs to decode all signature algorithms and keys applied in the embodiment, thereby greatly improving the complexity of tampering, and thus improving the security of information signature encryption.
Referring to fig. 2, fig. 2 is a flowchart illustrating a second embodiment of a method for verifying signature information according to the present invention.
It should be noted that, in this embodiment, the main implementation body of the method for verifying the signature information is a system formed by a client and a server, and a specific implementation of the second embodiment of the method for verifying the signature information is described in detail below, but the method for verifying the signature information described in this embodiment is not limited to the following steps:
s201: the client sends the identity identification information to the server;
in this embodiment, the client packages information required in the signature information verification process in advance and sends the information to the server, that is, the client sends the identification information to the server, so that the server can store the identification information of the client in advance.
The identity information may include type information and version information of the client.
S202: the server side generates at least two groups of signature parameter combinations corresponding to the identity identification information;
in this embodiment, after the server receives the identification information sent by the client, the server can generate at least two sets of signature parameter combinations corresponding to the identification information, where each set of signature parameter combination includes a signature algorithm and a key, and the signature algorithm and the key are used to perform signature encryption on the information to be signed. That is to say, the server can generate at least two different sets of signature parameter combinations according to the identity information of different clients, so that when an attacker decrypts different clients, the attacker with different identity information cannot decrypt one of the signature parameter combinations of other clients, and the security of information signature encryption is further improved.
Optionally, the signature algorithm may be a hash algorithm or the like, and based on differences between different clients, at least two sets of signature parameter combinations obtained by different clients may be different, so that when an attacker breaks one client, the attacker can simultaneously break signature information of other clients, thereby improving the security of the information signature method.
Specifically, the number of signature parameter combinations obtained by the client may be two groups, three groups, or even more, and theoretically, the greater the number of signature parameter combinations, the higher the security of the information signature method.
For example, the server may generate three sets of signature parameter combinations, which are signature parameter combination a1, signature parameter combination a2, and signature parameter combination A3, as follows:
signature parameter combination a 1: signature algorithm X1, key Y1;
signature parameter combination a 2: signature algorithm X2, key Y2;
signature parameter combination a 3: signature algorithm X3, key Y3.
In addition, in this embodiment, at least two sets of signature parameter combinations and the initial information to be signed may be pre-stored in the client, or may be obtained by the client from the server, which is not limited herein.
S203: the client side obtains at least two groups of signature parameter combinations;
in this embodiment, after the server generates at least two sets of signature parameter combinations corresponding to the identification information, the server sends the at least two sets of signature parameter combinations to the client, and the client obtains the at least two sets of signature parameter combinations. As in the foregoing embodiment, each set of signature parameter combination in this embodiment respectively includes a signature algorithm and a key, where the signature algorithm and the key are used to perform signature encryption on information to be signed.
S204: the client generates a signature function;
in this embodiment, after obtaining at least two sets of signature parameter combinations, the client combines each set of signature parameter to generate a set of signature functions, that is, generates corresponding signature functions based on a set of corresponding signature algorithm and key, so that when the signature parameter combinations are called in subsequent steps, the corresponding signature functions can be directly called to facilitate the calling of the corresponding signature algorithm and key, thereby reducing data processing amount.
In an alternative embodiment, at least two sets of signature parameter combinations set forth in the above embodiments may be stored in the client in advance, and the client can directly obtain the locally stored signature parameter combination to encrypt the information to be signed and generate the signature function. And the client sends the at least two groups of signature parameter combinations to the server, so that the server can obtain the signature parameter combinations for signature encryption, and the same signature parameter combinations are used for signature encryption of the information to be encrypted.
S205: the client side stores each group of signature parameter combination in different files respectively;
in this embodiment, after the client acquires at least two sets of signature parameter combinations, each set of signature parameter combination is randomly and respectively stored in different modules and/or files, that is, code obfuscation is achieved. The attacker needs to spend a long time to obtain the signature algorithms and the secret keys of different signature parameter combinations when decoding, and the workload required by the attacker is further increased due to different positions of the signature parameter combinations of different clients, so that the decoding difficulty of the attacker is improved, and the safety of the signature information verification method is further improved. And further performing packaging and publishing.
Optionally, the client may randomly and respectively store the generated signature functions in different files, so as to facilitate subsequent calls of the related signature algorithm and the key.
The modules and/or files may be APK (Android application package) files and the like.
S206: the client acquires initial information to be signed;
in this embodiment, the client acquires initial information to be signed. The initial information to be signed in the foregoing embodiment is the same as the initial information to be signed in this embodiment, and the initial information to be signed includes type information and version information of the client, a device unique identifier of the client, a timestamp, and the like, that is, the initial information to be signed is the identity information of the client in the foregoing step.
The unique device identification of the client is used for identifying the identity of the device with the client, and the unique device identifications of the client among different devices are different, so that the uniqueness of the device identity is represented. The time stamp is data generated using a digital signature technology to generate and manage the time stamp, and digitally signing a signature object generates the time stamp to prove that an original document exists before a signature time.
Specifically, the initial information to be signed may be pre-stored in the client, or may be acquired by the client from the server.
S207: the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence by combining the signature parameters to obtain a final signature result;
in this embodiment, after the client acquires at least two sets of signature parameter combinations and the initial information to be signed, the client signs and encrypts the initial information to be signed one by one according to a first predetermined sequence until all signature parameter combinations are traversed to obtain a final signature result, so that the complexity of the information signature method is increased, and the decoding difficulty of an attacker is increased. The signature result obtained by signature encryption at each time is used as the information to be signed for signature encryption at the next time, so that an attacker needs to decode all signature algorithms and keys when decoding, the complexity of tampering is greatly improved, and the security of information signature encryption can be further improved.
For example, the client performs signature encryption on the initial information to be signed through the first group of signature parameter combinations to obtain a first signature result; and further encrypting the first signature result through a second group of signature parameter combinations to obtain a second signature result, and repeating the steps until the client traverses all the signature parameter combinations according to a first preset sequence to obtain a final signature result. The following is described in detail with reference to the foregoing steps in which three sets of signature parameter combinations are obtained by the current client:
the preset client-side obtains three groups of signature parameter combinations which are respectively a signature parameter combination A1, a signature parameter combination A2 and a signature parameter combination A3, and the first preset sequence is to execute the signature parameter combination A1, the signature parameter combination A2 and the signature parameter combination A3 in sequence.
Specifically, the signature Algorithm included in the signature parameter combination a1 is MD5 (Message Digest Algorithm, MD5 Message-Digest Algorithm), and the corresponding KEY is KEY 1;
the signature Algorithm included in the signature parameter combination a2 is SHA1 (Secure Hash Algorithm 1), and the corresponding KEY is KEY 2;
the signature Algorithm included in the signature parameter combination a3 is SHA256 (Secure Hash Algorithm 256), and the corresponding KEY is KEY 3.
The initial information to be signed acquired by the client is as follows: the type information (CLIENT _ id) of the CLIENT is CLIENT _ a, the version information (verison) of the CLIENT is 1.0, the unique identifier (DEVICE _ id) of the CLIENT is DEVICE _ a, and the timestamp (timestamp) is 1500000000.
Since the partial signature algorithm may require the acquisition of signature parameters at the server side, the specific implementation is described in detail below.
Specifically, first, the initial information to be signed acquired by the client is generated:
client_id=CLIENT_Adevice_id=DEVICE_Arequest=EXAMPLEtimestamp=1500000000version=1.0;
secondly, the initial information to be signed is signed and encrypted through a first group of signature parameter combination A1 (signature algorithm MD5 and KEY1), and a first signature result is obtained:
sign=md5(client_id=CLIENT_Adevice_id=DEVICE_Arequest=EXAMPLEtimestamp=1500000000version=1.0KEY1)=0ae10a1639005479b699815bd4a21050;
then, the first signature result is encrypted by a second set of signature parameter combination a2 (signature algorithm SHA1 and KEY2) to obtain a second signature result:
sign=sha1(0ae10a1639005479b699815bd4a21050KEY2)=b4b4b9886b58972483a8580af9349a05b506f161;
next, the second signature result is encrypted by a third set of signature parameter combination a3 (signature algorithm SHA256 and KEY3) to obtain a final signature result:
sign=sha256(b4b4b9886b58972483a8580af9349a05b506f161KEY3)=03592d71e1713bfe2c8345b973527681903d65f6d762e95f0e63439a661f2cdb;
at this time, the client performs signature encryption on the initial information to be signed one by one according to a first predetermined sequence through the three groups of signature parameter combinations to obtain a final signature result, wherein the final signature result is 03592d71e1713bfe2c8345b973527681903d65f6d762e95f0e63439a661f2 cdb.
Therefore, signature encryption is realized through the combination of at least two groups of signature parameters, so that an attacker needs to decode all signature algorithms when trying to tamper a client request, the complexity of tampering the client request is improved, the safety of the information signature method is improved, and the safety of the signature information verification method is improved.
S208: the client sends a final signature result to the server;
in this embodiment, after the client obtains the final signature result, the client sends the final signature result to the server, so that the final signature result is verified by the server, and the security of signature information verification is improved.
Further, the client sends the initial information to be signed to the server, so that the server can mark the final signature result through the initial information to be signed, and the server can conveniently know the source of the obtained final signature result.
S209: the server side obtains at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the server side obtains at least two groups of signature parameter combinations and initial information to be signed, where each group of signature parameter combination includes a signature algorithm and a key, respectively, the signature algorithm and the key are used to perform signature encryption on the information to be signed, and the initial information to be signed is the initial information to be encrypted. Moreover, at least two groups of signature parameter combinations and initial information to be signed acquired by the server side are consistent with at least two groups of signature parameter combinations and initial information to be signed acquired by the client side, so that the final signature result can be verified by the server side.
Specifically, the initial information to be signed acquired by the server is the client identity identification information, so that the server can acquire at least two sets of signature parameter combinations generated in the previous step and sent to the client according to the acquired initial information to be signed, and the client and the server can perform signature encryption on the information to be signed through the same at least two sets of signature parameter combinations.
S210: the server side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence by combining the signature parameters to obtain a target signature result;
in this embodiment, after the server side obtains at least two sets of signature parameter combinations and the initial information to be signed, the server side performs signature encryption on the initial information to be signed one by one according to the first predetermined sequence again for each signature parameter combination until all signature parameter combinations are traversed to obtain a target signature result. The signature encryption process of the server side should be the same as the encryption process of the client side set forth in step S207, so that the server side can obtain the target signature result that is not tampered, by encrypting the initial information to be signed, so as to verify the final signature result.
The following is described with reference to an example of obtaining three sets of signature parameter combinations in the above steps:
the same as the three sets of signature parameter combinations obtained by the client, namely, the signature parameter combination a1, the signature parameter combination a2, and the signature parameter combination A3, the first predetermined order is to execute the signature parameter combination a1, the signature parameter combination a2, and the signature parameter combination A3 in sequence.
Specifically, the signature algorithm included in the signature parameter combination a1 is MD5, and the corresponding KEY is KEY 1;
the signature algorithm included in the signature parameter combination A2 is SHA1, and the corresponding KEY is KEY 2;
the signature algorithm included in the signature parameter combination a3 is SHA256, and the corresponding KEY is KEY 3.
Firstly, a server side acquires initial information to be signed, wherein the initial information to be signed is identity identification information used for indicating the identity of a client side in the previous step; secondly, signing and encrypting the initial information to be signed through a first group of signature parameter combinations A1 (signature algorithm MD5 and KEY1) to obtain a first signature result; then, encrypting the first signature result through a second group of signature parameter combination A2 (signature algorithm SHA1 and KEY2) to obtain a second signature result; then, the second signature result is encrypted by the third set of signature parameter combination a3 (signature algorithm SHA256 and KEY3) to obtain the final signature result.
S211: the server side judges whether the final signature result is matched with a target signature result;
in this embodiment, if the server determines that the final signature result matches the target signature result, step S212 is executed; and if the server side judges that the final signature result does not match the target signature result, the process is ended.
After the server side obtains the target signature result, whether the final signature result is matched with the target signature result or not is judged, so that an autonomous response behavior is made according to the judgment result, and the security of information signature encryption is improved.
Specifically, if the final signature result matches the target signature result, it is considered that the final signature result obtained by the server is not tampered by an attacker, that is, the final signature result sent by the client, and the subsequent steps may be executed. If the final signature result does not match the target signature result, the final signature result obtained by the server is considered to have been tampered by the attacker, and at this time, the "final signature result" obtained by the server is not the final signature result sent by the client, so that the subsequent steps are not executed, and the process is ended.
The content of the final signature result is consistent with the corresponding content in the target signature result, and the final signature result may be considered to be matched with the target signature result, which is not limited herein.
Further, the server side also judges whether the unique device identifier matches the unique target device identifier, and judges whether the interval from the current time point to the time corresponding to the timestamp exceeds a preset time length. When the server side judges that the device unique identifier matches the target device unique identifier and the time interval from the current time point to the time stamp does not exceed the preset time length, step S212 is executed, so that the obtained final signature result is further confirmed, and the security of information signature encryption is further improved.
Specifically, the device unique identifier of the client is included in the initial information to be signed, and is used to indicate that the client device has different device unique identifiers of the clients. The unique identification of the target equipment is determined by the server according to the identity identification information of the client, and whether the final signature result obtained by the server comes from the client is judged by judging whether the unique identification of the equipment is matched with the identification of the target equipment. Optionally, the matching of the device unique identifier and the target device unique identifier may be performed in such a way that the device unique identifier and the target device unique identifier are identical.
And the server side can also judge that the time interval from the current time point to the time corresponding to the timestamp exceeds the preset time length, so that the timeliness of the final signature result is ensured, the abuse of the final signature result is avoided, and the possibility of tampering the final signature result is reduced.
S212: the verification is passed;
in this embodiment, when the server determines that the final signature result matches the target signature result, the device unique identifier matches the target device unique identifier, and the interval between the current time point and the time corresponding to the timestamp does not exceed the preset duration, it is determined that the final signature result is not tampered by an attacker, and the server determines that the verification is passed, so that a normal service logic can be executed between the server and the client.
In summary, in the method for verifying signature information provided in this embodiment, the client obtains at least two sets of signature parameter combinations, encrypts the initial information to be signed through multiple sets of signature algorithms and keys, and an attacker needs to break all signature algorithms when trying to tamper with any request, thereby improving the security of information signature encryption.
Furthermore, the type information and the signature parameter combinations obtained by the version information of different clients are different, the corresponding signature parameter combinations are independently used for encrypting the initial information to be signed, and the dispersed positions of the signature parameter combinations are different, so that even if the signature algorithm of a certain client version is leaked or decoded, the negative influence on the clients of other versions and types is avoided.
Furthermore, the time stamp is introduced in the process of the verification method of the signature information, so that the final signature result is strongly related to the client and has invalidity, and the final signature result can be used only by one device within a certain time, thereby avoiding the situation that the signature result is abused.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for a client to obtain signature parameters according to an embodiment of the present invention.
As explained in the embodiment of step S207, the signature algorithm in the partial signature parameter combination needs to obtain the signature parameters from the server side, which is explained in detail below. It should be noted that the method for the client to obtain the signature parameter set forth in this embodiment is an exemplary embodiment of the method for the client to obtain the signature parameter in step S207 in the foregoing embodiment, and is not limited to the following steps:
s2071: the client sends a signature parameter request to the server;
in this embodiment, when the signature algorithm needs to acquire the signature parameter, the client sends a signature parameter request to the server, so that the server can autonomously respond to the signature parameter request, and thus the server can intervene in the information signature process to enhance the reliability of the information signature process.
S2072: the server side responds to the signature parameter request and judges whether the signature parameter request is in an abnormal state or not;
in this embodiment, if the signature parameter request is in an abnormal state, step S2073 is executed; if the signature parameter request is not in an abnormal state, step S2074 is executed.
After the client sends the signature parameter request to the server, the server responds to the signature parameter request, and the server judges whether the signature parameter request is in an abnormal state.
Specifically, the embodiment has a complete judgment mechanism for judging whether the signature parameter request is in an abnormal state, and the server side can judge the frequency of sending the signature parameter request by the client, the time of sending the signature parameter request by the client, whether the current client is already in a blacklist, and the like, so as to judge whether the signature parameter request is in an abnormal state.
For example, when an attacker decrypts a signature, the attacker needs to continuously send a signature parameter request for verification, and when the frequency of sending signature requests is high, the attacker can be considered to decrypt a signature algorithm at this time; when the time end of the client sending the signature parameter request has a larger time difference with the ordinary time, the client can also be considered as an attacker decoding the signature algorithm, and the server end makes an autonomous response behavior at the moment.
It should be noted that, the server side determines whether the signature parameter request is in an abnormal state, instead of singly relying on one of the conditions, a complete determination mechanism is correspondingly established to objectively determine the state of the signature parameter request, so as to improve the accuracy of the determination result, and avoid that the user makes a misjudgment when sending the signature parameter request to affect the normal use of the user.
S2073: feeding back the wrong signature parameter or address information to the client, or not processing the signature parameter request;
in this embodiment, if the server side determines that the signature parameter request is in an abnormal state, the server side feeds back an erroneous signature parameter or address information to the client side, so that the server side can transmit a misleading result to the client side having the abnormal signature parameter request in the process of information signature, thereby transmitting the erroneous related information to an attacker, preventing the attacker from finding that the server has perceived that the attacker is attacked, thus the attacker is alert, and meanwhile, the understanding cost of the attacker can be increased, and the security of information signature encryption is improved. Or the signature parameter request is not processed, and the process ends.
S2074: feeding back a signature parameter corresponding to the signature parameter request to the client, or feeding back address information storing the signature parameter to the client;
in this embodiment, if the server side determines that the signature parameter request is not in an abnormal state, the server side feeds back the signature parameter corresponding to the signature parameter request to the client side, or feeds back address information storing the signature parameter to the client side, so as to enable the signature algorithm to continue to execute.
Alternatively, the address information for storing the signature parameter may be URL (Uniform Resource Locator) information, where the URL is an address that is Uniform and unique on the network.
S2075: the client receives the signature parameter or the address information;
in this embodiment, after the server side feeds back the signature parameter corresponding to the signature parameter request to the client side, or feeds back the address information storing the signature parameter to the client side, the client side receives the corresponding signature parameter or address information and acquires the corresponding signature parameter, so that the signature algorithm can be correctly executed, the information to be encrypted is encrypted through the signature parameter combination or the corresponding signature parameter, and the security of the information encryption process is further improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating an information signing method according to an embodiment of the present invention.
It should be noted that, an execution subject of the embodiment is a client, the client can implement information signing, and a detailed description is given below on a specific implementation of an embodiment of an information signing method, but the information signing method described in the embodiment is not limited to the following steps:
s401: acquiring at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the client acquires at least two groups of signature parameters and initial information to be signed, wherein each group of signature parameter combination respectively includes a signature algorithm and a key, the signature algorithm and the key are used for performing signature encryption on the information to be signed, and the initial information to be signed is the initial information to be encrypted, so that the burden of the client for acquiring and processing the information is reduced.
S402: signature encryption is carried out on the initial information to be signed one by one according to a first preset sequence by the signature parameter combinations until all the signature parameter combinations are traversed to obtain a final signature result;
in this embodiment, after the client acquires at least two sets of signature parameter combinations and the initial information to be signed, the client signs and encrypts the initial information to be signed one by one according to a first predetermined sequence until all the signature parameter combinations are traversed to obtain a final signature result, so that the security of the information signature method is increased, and the decoding complexity of an attacker is increased. And the signature result obtained by encrypting the signature each time is used as the information to be signed for encrypting the next signature so as to reduce the data processing amount of the encryption of the client.
S403: sending the final signature result to a server;
in this embodiment, after the client obtains the final signature result, the client sends the final signature result to the server, so that the server can synchronously obtain the final signature result of the client, and further can verify the signature information through the server.
Referring to fig. 5, fig. 5 is a flowchart illustrating a third embodiment of a method for verifying signature information according to the present invention.
It should be noted that, an execution subject of this embodiment is a server, the server can implement verification of signature information, and a detailed description is given below of a specific implementation of the third embodiment of the verification method of signature information, but the verification method of signature information described in this embodiment is not limited to the following steps:
s501: receiving a final signature result sent by a client;
in this embodiment, the server receives a final signature result sent by the client, where the final signature result is an object of signature information verification, and thus autonomously makes a response behavior according to the verification result.
S502: acquiring at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the server side further needs to obtain at least two sets of signature parameter combinations and initial information to be signed. Each group of signature parameter combination respectively comprises a signature algorithm and a secret key, the signature algorithm and the secret key are used for carrying out signature encryption on information to be signed, and the initial information to be signed is the initial information to be encrypted. Moreover, at least two groups of signature parameter combinations and initial information to be signed acquired by the server side are consistent with at least two groups of signature parameter combinations and initial information to be signed acquired by the client side, so that the final signature result can be verified by the server side.
S503: signature encryption is carried out on the initial information to be signed one by one according to a first preset sequence by the signature parameter combinations until all the signature parameter combinations are traversed to obtain a target signature result;
in this embodiment, after the server side obtains at least two sets of signature parameter combinations and the initial information to be signed, the server side performs signature encryption on the initial information to be signed one by one according to the first predetermined sequence again for each signature parameter combination until all signature parameter combinations are traversed to obtain a target signature result. The signature encryption process of the server side should be the same as the encryption process of the client side set forth in step S402 in the foregoing embodiment, so that the server side can obtain the target signature result that is not tampered, by encrypting the initial information to be signed, so as to verify the final signature result.
S504: judging whether the final signature result is matched with a target signature result;
in this embodiment, after the server side obtains the target signature result, it is determined whether the final signature result obtained from the client side matches the target signature result, so that an autonomous response behavior is made according to the determination result, and the security of information signature encryption is improved.
S505: if yes, judging that the verification is passed;
in this embodiment, if the server determines that the final signature result matches the target signature result, and the final target result is not decoded and tampered by an attacker, the verification is determined to be passed, so that the server and the client can continue to execute normal business logic.
When the content of the final signature result is consistent with the corresponding content in the target signature result, the final signature result may be considered to be matched with the target signature result, which is not limited herein.
Referring to fig. 6, fig. 6 is a flowchart illustrating a fourth embodiment of a method for verifying signature information according to the present invention.
It should be noted that, in this embodiment, the main implementation body of the method for verifying the signature information is a system formed by a client and a server, and a detailed description is given below of a specific implementation manner of a fourth embodiment of the method for verifying the signature information, but the method for verifying the signature information described in this embodiment is not limited to the following steps:
s601: the client side obtains at least two groups of signature parameter combinations and initial information to be signed;
in this embodiment, the client side obtains at least two groups of signature parameter combinations and initial information to be signed in advance, wherein each group of signature parameter combinations respectively comprises a signature algorithm and a secret key, the signature algorithm and the secret key are used for performing signature encryption on the information to be signed, and the initial information to be signed is the initial information to be encrypted, so that the burden of the client side for obtaining and processing the information is reduced. The detailed description is similar to the previous embodiment and will not be repeated herein.
Alternatively, the signature algorithm may be a symmetric encryption algorithm or the like, so that the server side can decrypt through a decryption algorithm corresponding to the signature algorithm.
For example, the client obtains three sets of signature parameter combinations, namely, a signature parameter combination a1, a signature parameter combination a2, and a signature parameter combination A3, where the signature parameter combination a1 includes a signature algorithm X1 and a key Y1, the signature parameter combination a2 includes a signature algorithm X2 and a key Y2, and the signature parameter combination A3 includes a signature algorithm X3 and a key Y3.
S602: the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on all signature parameter combinations until all signature parameter combinations are traversed to obtain a final signature result;
in this embodiment, after the client acquires at least two sets of signature parameter combinations and the initial information to be signed, the client signs and encrypts the initial information to be signed one by one according to a first predetermined sequence until all the signature parameter combinations are traversed to obtain a final signature result, so that the security of the information signature method is increased, and the decoding complexity of an attacker is increased. And the signature result obtained by encrypting the signature each time is used as the information to be signed for encrypting the next signature so as to reduce the data processing amount of the encryption of the client.
Explaining based on the example of step S601, the first predetermined sequence is to sequentially execute signature parameter combination a1, signature parameter combination a2, and signature parameter combination A3, that is, to sequentially encrypt the information to be encrypted by signature algorithm X1 and key Y1, signature algorithm X2 and key Y2, signature algorithm X3, and key Y3.
S603: the client sends the final signature result to the server;
in this embodiment, after the client obtains the final signature result, the client sends the final signature result to the server, so that the final signature result is verified by the server, and the security of signature information verification is improved.
S604: the server side obtains at least two groups of decryption parameter combinations and initial information to be signed;
in this embodiment, the server side obtains at least two sets of decryption parameter combinations and initial information to be signed, where the decryption parameter combinations correspond to the signature parameter combinations one to one, each set of decryption parameter combinations respectively includes a decryption algorithm and a key, and the decryption algorithm and the key of each set of decryption parameter combinations are used for decrypting the signature result of the corresponding signature parameter combination.
Moreover, the initial information to be signed acquired by the server side should be consistent with the initial information to be signed acquired by the client side, so that the verification of the initial information to be signed by the server side can be realized.
S605: the server side decrypts the decryption parameter combinations one by one according to a second preset sequence until all the parameter decryption combinations are traversed to obtain target decryption information;
in this embodiment, after the server side obtains at least two sets of decryption parameter combinations and the initial information to be signed, the server side decrypts the final signature results of the decryption parameter combinations one by one according to a second predetermined sequence until all the parameter decryption combinations are traversed to obtain the target decryption information.
The decryption information obtained by each decryption is used as the information to be decrypted for the next signature decryption, which is equivalent to reversely repeating the process of step S602.
Specifically, the execution order of the decryption parameter combinations in the second predetermined order is the reverse order of the execution order of the corresponding signature parameter combinations in the first predetermined order, that is, the execution order of the decryption algorithm in the decryption parameter combinations corresponds to the reverse order of the execution order of the signature algorithm in the signature parameter combinations.
The following is illustrated with reference to the above example of steps:
the decryption parameter combinations corresponding to signature parameter combination a1, signature parameter combination a2, and signature parameter combination A3 are: the decryption parameter combination B1, the decryption parameter combination B2, and the decryption parameter combination B3 are as follows:
decryption parameter combination B1: decryption algorithm X1, key Y1, where decryption algorithm X1 is the decryption algorithm corresponding to signature algorithm X3;
decryption parameter combination B2: decryption algorithm X2, key Y2, where decryption algorithm X2 is the decryption algorithm corresponding to signature algorithm X2;
decryption parameter combination B3: decryption algorithm X3, key Y3, where decryption algorithm X3 is the decryption algorithm corresponding to signature algorithm X1.
The second predetermined sequence is to execute the decryption parameter combination B1, the decryption parameter combination B2 and the decryption parameter combination B3 in sequence.
For example, when the selected signature algorithm is a symmetric encryption algorithm, the corresponding decryption parameter combination is the same symmetric encryption algorithm and key, and the second predetermined sequence is to sequentially execute decryption parameter combination B1, decryption parameter combination B2, and decryption parameter combination B3, that is, to sequentially decrypt the information to be decrypted through decryption algorithm x1, key Y1, decryption algorithm x2, key Y2, decryption algorithm x3, and key Y3, so that the calculation amount is reduced, and the decryption speed and the decryption efficiency are improved.
S606: the server side judges whether the target decryption information is matched with an initial result to be signed;
in this embodiment, after the server side obtains the target decryption information, it is determined whether the target decryption information matches the initial result to be signed, so that an autonomous response behavior is made according to the determination result, and the security of information signature encryption is improved.
S607: if yes, judging that the verification is passed;
in this embodiment, if the server determines that the target decryption information matches the initial information to be signed, it may be determined that the final target result is not decoded and tampered by an attacker, and it is determined that the verification is passed, so that the server and the client may continue to execute normal business logic.
When the target decryption information is consistent with the corresponding content in the initial information to be signed, the target decryption information may be considered to be matched with the initial information to be signed, which is not limited herein.
Referring to fig. 7, fig. 7 is a flowchart illustrating a fifth embodiment of a method for verifying signature information according to the present invention.
It should be noted that the execution subject of the embodiment is the server side, and the reason why the information signing method of the client side is not illustrated again is that the information signing method of the client side is the same as the method described in the foregoing embodiment, and is not described herein again. The following describes in detail a specific implementation of a fifth embodiment of the method for verifying signature information, but the method for verifying signature information described in this embodiment is not limited to the following steps:
s701: receiving a final signature result sent by a client;
in this embodiment, the server receives the final signature result sent by the client, and verifies the signature information by processing the final signature result, so as to autonomously make a response behavior according to the verification result.
S702: acquiring at least two groups of decryption parameter combinations and initial information to be signed;
in this embodiment, the server side obtains at least two sets of decryption parameter combinations and initial information to be signed, where the decryption parameter combinations correspond to the signature parameter combinations one to one, each set of decryption parameter combinations respectively includes a decryption algorithm and a key, and the decryption algorithm and the key of each set of decryption parameter combinations are used for decrypting the signature result of the corresponding signature parameter combination.
Moreover, the initial information to be signed acquired by the server side should be consistent with the initial information to be signed acquired by the client side, so that the verification of the initial information to be signed by the server side can be realized.
S703: decrypting the final signature result one by one according to a second predetermined sequence for each decryption parameter combination until all decryption parameter combinations are traversed to obtain target decryption information;
in this embodiment, after the server side obtains at least two sets of decryption parameter combinations and the initial information to be signed, the server side decrypts the final signature results of the decryption parameter combinations one by one according to a second predetermined sequence until all the parameter decryption combinations are traversed to obtain the target decryption information.
Specifically, the execution order of the decryption parameter combinations in the second predetermined order is the reverse order of the execution order of the corresponding signature parameter combinations in the first predetermined order, that is, the execution order of the decryption algorithm in the decryption parameter combinations corresponds to the reverse order of the execution order of the signature algorithm in the signature parameter combinations.
S704: judging whether the target decryption information is matched with the initial information to be signed;
in this embodiment, after the server side obtains the target decryption information, it is determined whether the target decryption information matches the initial result to be signed, so that an autonomous response behavior is made according to the determination result, and the security of information signature encryption is improved.
S705: if yes, judging that the verification is passed;
in this embodiment, if the server determines that the target decryption information matches the initial information to be signed, it may be determined that the final target result is not decoded and tampered by an attacker, and it is determined that the verification is passed, so that the server and the client may continue to execute normal business logic.
In summary, according to the method for verifying the signature information provided by the present invention, the client obtains at least two sets of signature parameter combinations, encrypts the initial information to be signed through a plurality of sets of signature algorithms and keys, and an attacker needs to break all signature algorithms when trying to tamper with any request, thereby improving the security of information signature encryption.
Furthermore, the type information and the signature parameter combinations obtained by the version information of different clients are different, the corresponding signature parameter combinations are independently used for encrypting the initial information to be signed, and the dispersed positions of the signature parameter combinations are different, so that even if the signature algorithm of a certain client version is leaked or decoded, the negative influence on the clients of other versions and types is avoided.
And the time stamp is introduced in the process of the verification method of the signature information, so that the final signature result is strongly related to the client and has invalidity, and the final signature result can be used only by one device within a certain time, thereby avoiding the situation that the signature result is abused.
Furthermore, the server can send misleading results to the client with abnormal signature parameter requests in the process of information signature, so that the understanding cost of an attacker can be increased while the attacker is confused, and the security of information signature encryption is further improved.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. An information signing method, comprising:
acquiring at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed;
performing signature encryption on the initial information to be signed one by one according to a first preset sequence by using each signature parameter combination until all the signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption;
sending the final signature result to a server;
and receiving the verification result sent by the server.
2. The method for signing information according to claim 1, wherein said step of obtaining at least two sets of signature parameter combinations comprises:
sending identity identification information to the server side so that the server side generates at least two groups of signature parameter combinations corresponding to the identity identification information;
receiving the at least two sets of signature parameter combinations.
3. The information signing method of claim 1, wherein said step of signing and encrypting the initial information to be signed one by one according to a first predetermined sequence by combining each of the signature parameters comprises:
sending a signature parameter request to the server, so that the server responds to the signature parameter request, and feeding back a signature parameter corresponding to the signature parameter request to the client, or feeding back address information storing the signature parameter to the client;
receiving the signature parameter or receiving the address information.
4. The method of claim 1, wherein the step of obtaining at least two sets of signature parameter combinations is followed by the step of:
and respectively storing each group of signature parameter combination in different files.
5. The information signing method according to claim 1,
the step of obtaining at least two sets of signature parameter combinations comprises:
respectively generating corresponding signature functions according to the signature algorithm and the secret key of each group of signature parameter combination;
the step of performing signature encryption on the initial information to be signed one by one according to a first preset sequence by combining the signature parameters comprises the following steps:
and performing signature encryption on the initial information to be signed one by using each signature function according to the first preset sequence.
6. The information signing method according to claim 1,
the initial information to be signed comprises a unique device identifier and a timestamp of the client;
the step of sending the final signature result to a server side comprises:
sending the final signature result, the unique device identifier and the timestamp to the server, so that the server judges whether the unique device identifier matches a unique target device identifier, wherein the unique target device identifier is determined by the server according to the identity identifier information of the client; and judging whether the interval duration from the current time point to the time point corresponding to the timestamp exceeds a preset duration or not.
7. A method for verifying signature information, comprising:
receiving a final signature result sent by a client;
acquiring at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed;
performing signature encryption on the initial information to be signed one by one according to a first preset sequence by using each signature parameter combination until all the signature parameter combinations are traversed to obtain a target signature result, wherein the signature result obtained by signature encryption each time is used as the information to be signed for next signature encryption;
judging whether the final signature result is matched with the target signature result;
if yes, judging that the verification is passed;
and sending a verification result to the client.
8. The verification method according to claim 7, wherein the step of receiving the final signature result sent by the client comprises:
receiving identity identification information sent by the client;
generating at least two different groups of signature parameter combinations according to the different identity information;
and sending the at least two groups of signature parameter combinations to the client.
9. The verification method according to claim 7, wherein the step of receiving the final signature result sent by the client comprises:
receiving a signature parameter request sent by the client;
responding to the signature parameter request, and acquiring a signature parameter corresponding to the signature parameter request or acquiring address information for storing the signature parameter;
and sending the signature parameters or the address information to the client.
10. The method of claim 9, wherein the step of receiving the request for signature parameters sent by the client is followed by:
responding to the signature parameter request, and judging whether the signature parameter request is in an abnormal state;
if yes, sending the wrong signature parameter or address information to the client, or not processing the signature parameter request.
11. The authentication method according to claim 7,
the initial information to be signed comprises a unique device identifier and a timestamp of the client;
the step of receiving the final signature result sent by the client comprises the following steps:
receiving the final signature result, the unique device identifier and the timestamp sent by the client;
the step of judging that the verification is passed further comprises:
judging whether the unique equipment identifier is matched with a unique target equipment identifier, wherein the unique target equipment identifier is determined by the server side according to the identity identifier information of the client side; judging whether the interval duration from the current time point to the time point corresponding to the timestamp exceeds a preset duration or not;
and if the unique equipment identifier is matched with the unique target equipment identifier and the interval time from the current time point to the time point corresponding to the timestamp does not exceed the preset time, judging that the verification is passed.
12. A method for verifying signature information, comprising:
the method comprises the steps that a client side obtains at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed, and the at least two groups of signature parameter combinations and the initial information to be signed are generated by a server according to client side information;
the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on the signature parameter combinations until all the signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed for next signature encryption;
the client sends the final signature result to a server;
the server side acquires the at least two groups of signature parameter combinations and the initial information to be signed;
the server side carries out signature encryption on the initial information to be signed one by one according to the first preset sequence on all the signature parameter combinations until all the signature parameter combinations are traversed to obtain a target signature result;
the server side judges whether the final signature result is matched with the target signature result;
if yes, the verification is judged to be passed.
13. A method for verifying signature information, comprising:
the method comprises the steps that a client side obtains at least two groups of signature parameter combinations and initial information to be signed, wherein each group of signature parameter combination respectively comprises a signature algorithm and a secret key, and the signature algorithm and the secret key are used for carrying out signature encryption on the information to be signed;
the client side carries out signature encryption on the initial information to be signed one by one according to a first preset sequence on the signature parameter combinations until all the signature parameter combinations are traversed to obtain a final signature result, wherein the signature result obtained by signature encryption at each time is used as the information to be signed for next signature encryption;
the client sends the final signature result to a server;
the server side obtains at least two groups of decryption parameter combinations and the initial information to be signed, wherein the decryption parameter combinations correspond to the signature parameter combinations one to one, each group of decryption parameter combinations respectively comprise decryption algorithms and keys, and the decryption algorithms and the keys of each group of decryption parameter combinations are used for decrypting signature results of the corresponding signature parameter combinations;
the server side decrypts the final signature result one by one according to a second preset sequence until all the decryption parameter combinations are traversed to obtain target decryption information, wherein decryption information obtained by decryption each time is used as information to be decrypted next time;
the server side judges whether the target decryption information is matched with the initial information to be signed or not;
if yes, the verification is judged to be passed.
14. A method for verifying signature information, comprising:
receiving a final signature result sent by a client, wherein the final signature result is obtained by combining, signing and encrypting at least two groups of signature parameters;
acquiring at least two groups of decryption parameter combinations and initial information to be signed, wherein the decryption parameter combinations correspond to the signature parameter combinations one to one, each group of decryption parameter combinations respectively comprise decryption algorithms and keys, and the decryption algorithms and the keys of each group of decryption parameter combinations are used for decrypting signature results of the corresponding signature parameter combinations;
decrypting the final signature result one by one according to a second preset sequence until all the decryption parameter combinations are traversed to obtain target decryption information, wherein the decryption information obtained by each decryption is used as information to be decrypted next time;
judging whether the target decryption information is matched with the initial information to be signed;
if yes, the verification is judged to be passed.
CN202110120397.8A 2021-01-28 2021-01-28 Signature information verification method and information signature method Pending CN112948896A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110120397.8A CN112948896A (en) 2021-01-28 2021-01-28 Signature information verification method and information signature method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110120397.8A CN112948896A (en) 2021-01-28 2021-01-28 Signature information verification method and information signature method

Publications (1)

Publication Number Publication Date
CN112948896A true CN112948896A (en) 2021-06-11

Family

ID=76238874

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110120397.8A Pending CN112948896A (en) 2021-01-28 2021-01-28 Signature information verification method and information signature method

Country Status (1)

Country Link
CN (1) CN112948896A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872935A (en) * 2021-08-24 2021-12-31 青岛海尔科技有限公司 Data verification method and device, storage medium and electronic device
CN115935438A (en) * 2023-02-03 2023-04-07 杭州金智塔科技有限公司 Data privacy intersection system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767613A (en) * 2014-01-02 2015-07-08 腾讯科技(深圳)有限公司 Signature verification method, device and system
WO2019019593A1 (en) * 2017-07-28 2019-01-31 深圳市光峰光电技术有限公司 Stateless communication security signature method, terminal and server end
CN110290102A (en) * 2019-04-26 2019-09-27 武汉众邦银行股份有限公司 Service security system and method based on application
CN111628863A (en) * 2020-05-29 2020-09-04 北京海泰方圆科技股份有限公司 Data signature method and device, electronic equipment and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767613A (en) * 2014-01-02 2015-07-08 腾讯科技(深圳)有限公司 Signature verification method, device and system
WO2019019593A1 (en) * 2017-07-28 2019-01-31 深圳市光峰光电技术有限公司 Stateless communication security signature method, terminal and server end
CN110290102A (en) * 2019-04-26 2019-09-27 武汉众邦银行股份有限公司 Service security system and method based on application
CN111628863A (en) * 2020-05-29 2020-09-04 北京海泰方圆科技股份有限公司 Data signature method and device, electronic equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872935A (en) * 2021-08-24 2021-12-31 青岛海尔科技有限公司 Data verification method and device, storage medium and electronic device
CN115935438A (en) * 2023-02-03 2023-04-07 杭州金智塔科技有限公司 Data privacy intersection system and method

Similar Documents

Publication Publication Date Title
CN110493197B (en) Login processing method and related equipment
CN109067524B (en) Public and private key pair generation method and system
EP2291787B1 (en) Techniques for ensuring authentication and integrity of communications
CN109981255B (en) Method and system for updating key pool
CN106941404B (en) Key protection method and device
CN104836784B (en) A kind of information processing method, client and server
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN110662091B (en) Third-party live video access method, storage medium, electronic device and system
CN111914291A (en) Message processing method, device, equipment and storage medium
CN115225672B (en) End-to-end data transmission method, equipment and medium
CN111130798A (en) Request authentication method and related equipment
CN112948896A (en) Signature information verification method and information signature method
CN114520726A (en) Processing method and device based on block chain data, processor and electronic equipment
CN113115309B (en) Data processing method and device for Internet of vehicles, storage medium and electronic equipment
CN117436043A (en) Method and device for verifying source of file to be executed and readable storage medium
CN116419217B (en) OTA data upgrading method, system, equipment and storage medium
CN110149205B (en) Method for protecting Internet of things terminal by using block chain
CN116566589A (en) Data communication method, device, storage medium and processor
CN110995671A (en) Communication method and system
CN113872769B (en) Device authentication method and device based on PUF, computer device and storage medium
CN108242997B (en) Method and apparatus for secure communication
KR101256114B1 (en) Message authentication code test method and system of many mac testserver
CN114143198A (en) Firmware upgrading method
US20050108528A1 (en) Computer network and method for transmitting and authenticating data in the computer network
CN113572717A (en) Communication connection establishing method, washing and protecting equipment and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination