CN112953720A - Network request processing method, device, equipment and storage medium

Info

Publication number: CN112953720A
Application number: CN202110119780.1A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王可平
Assignee (current and original): Shanghai Weimeng Enterprise Development Co ltd
Prior art keywords: network request, signature, processed, data, replay

Classifications

    • H04L 9/32 (Electricity; electric communication technique; transmission of digital information): cryptographic mechanisms or arrangements for secret or secure communications and network security protocols that include means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: the above, involving digital signatures
    • H04L 63/0428: network architectures or protocols for network security that provide a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/60: network arrangements or protocols for supporting network services or applications; scheduling or organising the servicing of application requests, e.g. requests for application data transmissions, using the analysis and optimisation of the required network resources

Abstract

The application discloses a network request processing method, apparatus, device and storage medium. A server performs a security configuration according to a target requirement to generate a corresponding target protocol and transmits that protocol to the client. The server then receives a network request to be processed from the client together with a first data signature of that request; the first data signature is produced by the client by "encrypting" the request according to the target protocol (in the embodiments this is the computation of a keyed digest over selected request fields). The server applies the same processing to the received request to obtain a second data signature, matches the first data signature against the second, and handles the request according to the matching result. Because every network request is processed according to a target protocol that meets the target requirement, global interface data verification is performed at the application layer, the vulnerabilities that remain at the transport-security layer are avoided, and the security of data in network transmission is improved.

Description

Network request processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular to a method, apparatus, device and storage medium for processing a network request.
Background
Existing network security policy relies mainly on encrypting transmitted data with the transport layer security protocol (TLS). Its major weakness is that TLS protection is ineffective in several situations: when the attacker is the end user, when a man-in-the-middle tricks the end user into trusting an untrusted certificate, or when the man-in-the-middle obtains a root certificate that the client's TLS stack trusts. In those cases the attacker can modify request data at the application level and, for example, claim hidden coupons or tamper with game score data; by replaying a request interface at high frequency the attacker can brush orders or farm coupons; and by tampering with membership request data the attacker can even bind another user's wallet and spend its balance. Existing approaches verify request data interface by interface, which is costly, inaccurate and incomplete, cannot keep up with an open-ended set of attack vectors, and therefore cannot guarantee the security of data in network transmission.
Disclosure of Invention
In view of this, an object of the present invention is to provide a method, apparatus, device and storage medium for processing a network request that handle each network request according to a target protocol satisfying a target requirement, so as to implement global interface data verification at the application layer, avoid the vulnerabilities that remain at the transport-security layer, and improve the security of data in network transmission without affecting the overall performance of the system. The specific scheme is as follows:
a first aspect of the present application provides a network request processing method, applied to a server, including:
performing security configuration based on target requirements to generate a corresponding target protocol, and transmitting the target protocol to a client;
receiving a network request to be processed sent by the client and a first data signature of the network request to be processed; the first data signature is a data signature obtained by the client encrypting the network request to be processed according to the target protocol;
encrypting the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed;
and matching the first data signature with the second data signature, and carrying out corresponding processing on the network request based on a matching result.
Optionally, the receiving the to-be-processed network request sent by the client and the first data signature of the to-be-processed network request includes:
and receiving a network request to be processed sent by the client and a first anti-tampering signature and a first anti-replay signature of the network request to be processed.
Optionally, the encrypting the received to-be-processed network request based on the target protocol to obtain a second data signature of the to-be-processed network request includes:
extracting the data in the received network request to be processed according to the extraction rule of the target protocol to obtain target data;
and generating a protocol key based on the encryption rule of the target protocol, and encrypting the target data and the protocol key by using an encryption mode corresponding to the encryption rule to obtain a second anti-tampering signature of the network request to be processed.
Optionally, the matching the first data signature with the second data signature, and performing corresponding processing on the network request based on a matching result includes:
matching the first tamper-resistant signature with the second tamper-resistant signature, determining the first replay-resistant signature as a second replay-resistant signature if the first tamper-resistant signature is identical to the second tamper-resistant signature, and storing the second replay-resistant signature;
and matching the first anti-replay signature with all the stored second anti-replay signatures, and intercepting the network request to be processed if the second anti-replay signature is consistent with the first anti-replay signature.
Optionally, the storing the second anti-replay signature includes:
and storing the second anti-replay signature in a remote dictionary service according to the duration rule of the target protocol.
Optionally, before determining the first anti-replay signature as the second anti-replay signature, the method further includes:
and judging whether the position of the first anti-replay signature in the data message corresponding to the network request to be processed is consistent with the position specified by the target protocol or not, if so, starting a step of determining the first anti-replay signature as a second anti-replay signature, and if not, intercepting the network request to be processed.
The network request processing method provided by the application can also be applied to a client, and comprises the following steps:
acquiring a target protocol sent by a server, and encrypting a network request to be processed based on the target protocol to obtain a first data signature of the network request to be processed;
and sending the network request to be processed and the first data signature to the server, so that the server encrypts the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed, matches the first data signature with the second data signature, and performs corresponding processing on the network request based on a matching result.
A second aspect of the present application provides a network request processing apparatus, applied to a server, including:
the configuration module is used for carrying out security configuration based on target requirements to generate a corresponding target protocol and transmitting the target protocol to the client;
the receiving module is used for receiving the network request to be processed sent by the client and a first data signature of the network request to be processed; the first data signature is obtained after the client encrypts the network request to be processed according to the target protocol;
the encryption module is used for encrypting the received network request to be processed based on the target protocol so as to obtain a second data signature of the network request to be processed;
and the matching module is used for matching the first data signature with the second data signature and correspondingly processing the network request based on a matching result.
A third aspect of the application provides an electronic device comprising a processor and a memory; wherein the memory is used for storing a computer program which is loaded and executed by the processor to implement the aforementioned network request processing method.
A fourth aspect of the present application provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are loaded and executed by a processor, the foregoing network request processing method is implemented.
In the application, a security configuration is first performed according to a target requirement to generate a corresponding target protocol, which is transmitted to the client. The server then receives a network request to be processed from the client together with a first data signature of that request, the first data signature being obtained by the client by processing the request according to the target protocol. Finally, the server processes the received request according to the target protocol to obtain a second data signature, matches the first data signature against the second, and handles the request according to the matching result. Because each network request is processed according to a target protocol meeting the target requirement, global interface data verification is implemented at the application layer, the vulnerabilities that remain at the transport-security layer are avoided, and the security of data in network transmission is improved without affecting the overall performance of the system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a network request processing method provided in the present application;
fig. 2 is a flowchart of a specific network request processing method provided in the present application;
fig. 3 is a schematic diagram illustrating a network request processing method of a Web client according to the present application;
fig. 4 is a schematic diagram illustrating a network request processing method of an applet client according to the present application;
fig. 5 is a schematic structural diagram of a network request processing apparatus according to the present application;
fig. 6 is a block diagram of an electronic device for processing a network request according to the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Existing network security policy relies mainly on encrypting transmitted data with TLS. Its main weakness is that TLS protection is ineffective under certain conditions, in which an attacker can modify the transmitted request data at the application level; verifying request data interface by interface is costly, inaccurate and incomplete, cannot keep up with an open-ended set of attack vectors, and cannot ensure the security of data in transmission. In view of these defects, the application provides a network request processing scheme that handles each network request according to a target protocol meeting a target requirement, implements global interface data verification at the application layer, avoids the vulnerabilities that remain at the transport-security layer, and improves the security of data in transmission without affecting the overall performance of the system.
Fig. 1 is a flowchart of a network request processing method provided in an embodiment of the present application, and is applied to a server. Referring to fig. 1, the network request processing method includes:
s11: and carrying out security configuration based on the target requirement to generate a corresponding target protocol, and transmitting the target protocol to the client.
In this embodiment, the server performs a security configuration according to a target requirement to generate a corresponding target protocol and transmits that protocol to the client. The target requirement characterises how transmitted data are processed when a Web client or applet client communicates with the server; it covers the extraction rule (which request fields are covered), the encryption mode (the digest algorithm), the generation rule for the protocol key, the retention duration for stored data, and so on. Before any data are transmitted, the server side is configured according to the requirement of the relevant user to produce a customised target protocol, which is then transmitted to the client, so that client and server process request data under the same security configuration.
S12: receiving a network request to be processed sent by the client and a first data signature of the network request to be processed; and the first data signature is a data signature obtained by encrypting the network request to be processed by the client according to the target protocol.
S13: and encrypting the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed.
In this embodiment, after the client obtains the target protocol from the server, it "encrypts" the network request it needs to transmit according to the target protocol to obtain the first data signature of that request, then sends the request and its first data signature to the server, which receives both. The encryption step is what produces the data signature; in the embodiment described below it is the computation of a keyed digest (hmacSHA1) over selected request fields, not reversible encryption, so the "signature" is a message authentication code that any party holding the protocol key can both produce and verify. The data covered and the algorithm used are agreed in the target protocol, and the user may of course reconfigure the server as needed to generate a new target protocol. In this embodiment, if tampering is to be prevented the first data signature is an anti-tamper signature, if replay is to be prevented it is an anti-replay signature, and if both are to be prevented the first data signature comprises an anti-tamper signature and an anti-replay signature.
In this embodiment, after receiving the network request to be processed and its first data signature, the server must produce the corresponding signature by the same procedure so that the two can be compared: it processes the received request according to the target protocol to obtain the second data signature of the request. When the first data signature sent by the client is an anti-tamper signature, the server only needs to generate the corresponding anti-tamper signature, that is, only the anti-tamper signature sent by the client is verified.
S14: and matching the first data signature with the second data signature, and carrying out corresponding processing on the network request based on a matching result.
In this embodiment, the first data signature is matched against the second data signature, and the network request is handled according to the result. This step is the signature verification: whether the data exchanged between client and server changed in transit is decided by whether the first and second data signatures agree. When the digest of the first data signature equals the digest of the second, the request the server received is the request the client sent, unmodified in transit, and the server may proceed to respond, for example by calling other back-end services to carry out the corresponding business function. When the two digests differ, the request changed during transmission and an attack cannot be ruled out; the server should then intercept the request or perform deeper verification. The comparison of the two digests should be done in constant time so that the match itself leaks nothing about the expected value.
Therefore, according to the embodiment of the application, a security configuration is first performed according to the target requirement to generate the corresponding target protocol, which is transmitted to the client. The server then receives a network request to be processed from the client together with its first data signature, obtained by the client by processing the request according to the target protocol. Finally, the server processes the received request according to the target protocol to obtain a second data signature, matches the first data signature against the second, and handles the request according to the matching result. Because each network request is processed according to a target protocol meeting the target requirement, global interface data verification is implemented at the application layer, the vulnerabilities that remain at the transport-security layer are avoided, and the security of data in network transmission is improved without affecting the overall performance of the system.
Fig. 2 is a flowchart of a specific network request processing method provided in an embodiment of the present application, and is applied to a server. Referring to fig. 2, the network request processing method includes:
s21: and carrying out security configuration based on the target requirement to generate a corresponding target protocol, and transmitting the target protocol to the client.
In this embodiment, the specific process of step S21 may refer to the corresponding content disclosed in the foregoing embodiment and is not repeated here. In addition, fig. 3 and fig. 4 respectively show how the Web client and the applet client provided in this embodiment process a network request with the present solution. The server is a node.js gateway (node.js allows the server side to be programmed dynamically in JavaScript) comprising a security configuration store, a security configurator and a signature checker; the security configuration store holds the target protocol generated by the configuration controller and the security configuration buffer; the security configurator in the node.js gateway serving the Web client is a DOM injector, and the security configurator in the node.js gateway serving the applet client is a security configuration interface. Before the embodiment is implemented, a development kit (SDK) suitable for node.
S22: and receiving a network request to be processed sent by the client and a first anti-tampering signature and a first anti-replay signature of the network request to be processed.
In this embodiment, the tampering and replay attacks that may occur during network transmission are both checked, so when the client generates a data signature it should generate an anti-tamper signature and an anti-replay signature for the network request at the same time. To distinguish them from the corresponding anti-tamper and anti-replay signatures generated by the server, the anti-tamper signature and anti-replay signature generated by the client are referred to as the first anti-tamper signature and the first anti-replay signature. The server-side processing therefore consists of receiving the network request to be processed sent by the client together with its first anti-tamper signature and first anti-replay signature.
S23: and extracting the data in the received network request to be processed according to the extraction rule of the target protocol to obtain target data.
S24: and generating a protocol key based on the encryption rule of the target protocol, and encrypting the target data and the protocol key by using an encryption mode corresponding to the encryption rule to obtain a second anti-tampering signature of the network request to be processed.
In this embodiment, viewed from the server, the process by which the server generates the second anti-tamper signature is the same as the process by which the client generates the first anti-tamper signature, and this generation process is the key point of the embodiment. Here the network request to be processed is understood as a whole request packet; the data in the received request are extracted according to the extraction rule of the target protocol to obtain the target data, which are some or all of the request data and include its key fields. A protocol key is then generated according to the encryption rule of the target protocol, and the target data are processed with the protocol key using the algorithm that the encryption rule specifies, giving the second anti-tamper signature of the request. The protocol key is configurable: the string generated according to the target protocol may be a hashed Session Id, a user authentication token, or similar, and the protocol key is the basis on which the digest is generated. In addition, because a user authentication token identifies the user and expires after a certain time, the client must redo the authentication handshake once the token has expired, and a brand-new unique string then serves as the protocol key, so the protocol key has both timeliness and uniqueness.
To describe the anti-tamper and anti-replay signatures more clearly, a specific example follows. On the server side, at the anti-tamper level, the body of the received network request (the request body) is converted into a JSON string (jsonString), and the pathName of the request address and its queryString parameters are obtained. jsonString, pathName and queryString are then concatenated, and the concatenated string is processed together with the protocol key using the hmacSHA1 algorithm, giving the anti-tamper string for the request the server received. The client generates its anti-tamper signature in exactly the same way, so that the two agree. At the anti-replay level, the client concatenates its current timestamp with pathname and querystring, processes that string with hmacSHA1 to obtain an anti-replay string, and then appends the anti-replay string to the anti-tamper concatenation before computing the anti-tamper digest, so that the anti-tamper signature also covers the anti-replay value (the server recomputes it over the same concatenation, including the received anti-replay string). The client places the anti-replay string in the request header x-tp-uuid and the anti-tamper string in the request header x-tp-signature.
S25: matching the first tamper-resistant signature with the second tamper-resistant signature, determining the first replay-resistant signature as a second replay-resistant signature if the first tamper-resistant is identical to the second tamper-resistant signature, and storing the second replay-resistant signature.
S26: and matching the first anti-replay signature with all the stored second anti-replay signatures, and intercepting the network request to be processed if the second anti-replay signature is consistent with the first anti-replay signature.
In this embodiment, at the anti-tamper level the first anti-tamper signature is matched against the second anti-tamper signature; if they agree, the network data were not illegally tampered with in transit and the network request passes the anti-tamper check. At the anti-replay level, once the request has passed the anti-tamper check, the first anti-replay signature is determined to be the second anti-replay signature and stored. Specifically, the second anti-replay signature is stored according to the duration rule of the target protocol in a remote dictionary service (Redis, a networked, in-memory and optionally persistent Key-Value database written in ANSI C), so that each stored value expires after the protocol duration.
It should be noted that the target protocol also agrees where each signature is carried in the request, and the client places the signatures accordingly. To ensure an accurate verification result, before the first anti-replay signature is accepted as the second anti-replay signature, the server further checks whether the first anti-replay signature is located at the position in the data packet that the target protocol specifies: if so, the step of determining the first anti-replay signature as the second anti-replay signature proceeds; if not, the network request to be processed is intercepted. In the example above, this means checking that the anti-replay string is present in the request header x-tp-uuid and the anti-tamper string in the request header x-tp-signature.
Provided that the anti-replay signature has not been illegally modified (which the tamper-resistant check guarantees only when the anti-replay signature is part of the signed target data), the anti-replay signature is treated as unique: if the same anti-replay signature appears again within the protocol duration, the network request is considered a replay attack and the server intercepts it, where the protocol duration is the duration specified by the duration rule of the target protocol. Specifically, the first anti-replay signature is compared with all second anti-replay signatures previously stored and not yet expired; if any of them is identical to the first anti-replay signature, the network request to be processed is intercepted.
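The server-side procedure described above (tamper-resistant check, position check, anti-replay check within the protocol duration) together with the client-side signing of claim 7, as an added end-to-end example in Python. This is not the patent's code. Everything the patent leaves open is assumed here: the target protocol is a plain dict; the encryption rule is HMAC-SHA256 with a protocol key derived from a shared secret; the extraction rule covers method, path, body and the x-tp-uuid header; the replay store is an in-memory stand-in for Redis SET NX EX; the sample requests are constructed.

```python
"""Application-layer anti-tamper + anti-replay verification (added example, not the patent's code)."""
import hashlib
import hmac
import uuid

# Constructed target protocol, as the server would push it to the client (assumed layout).
TARGET_PROTOCOL = {
    "extract": ["method", "path", "body"],          # extraction rule: request fields covered
    "nonce_header": "x-tp-uuid",                    # agreed position of the anti-replay string
    "sig_header": "x-tp-signature",                 # agreed position of the anti-tamper string
    "key_rule": {"alg": "HMAC-SHA256", "secret": "shared-secret-from-provisioning"},  # assumed
    "ttl_seconds": 300,                             # duration rule
}


def protocol_key(protocol):
    """Derive the protocol key from the encryption rule (assumed derivation)."""
    rule = protocol["key_rule"]
    return hashlib.sha256((rule["alg"] + "|" + rule["secret"]).encode()).digest()


def target_data(request, protocol):
    """Extraction rule: canonical bytes over the covered fields plus the anti-replay
    string, so that the nonce itself is protected by the tamper-resistant check."""
    parts = [str(request.get(f, "")) for f in protocol["extract"]]
    parts.append(request["headers"].get(protocol["nonce_header"], ""))
    return "\n".join(parts).encode()


def tamper_signature(request, protocol):
    """Tamper-resistant signature: HMAC-SHA256 of the target data under the protocol key."""
    return hmac.new(protocol_key(protocol), target_data(request, protocol), hashlib.sha256).hexdigest()


def client_sign(request, protocol):
    """Client side (claim 7): attach a fresh anti-replay string and the first data signature."""
    signed = {**request, "headers": dict(request["headers"])}
    signed["headers"][protocol["nonce_header"]] = str(uuid.uuid4())
    signed["headers"][protocol["sig_header"]] = tamper_signature(signed, protocol)
    return signed


class ReplayStore:
    """Stand-in for Redis SET key NX EX ttl: remembers a nonce for ttl seconds."""

    def __init__(self):
        self._seen = {}

    def add_if_new(self, nonce, ttl, now):
        expiry = self._seen.get(nonce)
        if expiry is not None and expiry > now:
            return False                 # second anti-replay signature already stored: replay
        self._seen[nonce] = now + ttl    # record it as a second anti-replay signature
        return True


def server_verify(request, protocol, store, now):
    """Server side (claims 1 to 6). Returns 'ok' or the reason for interception."""
    headers = request["headers"]
    nonce = headers.get(protocol["nonce_header"])
    first_sig = headers.get(protocol["sig_header"])
    # Position check (claim 6): both strings must sit where the protocol says.
    if not nonce or not first_sig:
        return "intercepted: signature not at protocol position"
    # Tamper-resistant check: recompute the second data signature, compare in constant time.
    second_sig = tamper_signature(request, protocol)
    if not hmac.compare_digest(first_sig, second_sig):
        return "intercepted: tampered"
    # Anti-replay check within the protocol duration (lookup and store are one operation).
    if not store.add_if_new(nonce, protocol["ttl_seconds"], now):
        return "intercepted: replay"
    return "ok"


def demo():
    """Walk through the accepted request and each interception case (constructed input)."""
    store = ReplayStore()
    req = {"method": "POST", "path": "/api/transfer", "headers": {}, "body": '{"amount":10}'}
    signed = client_sign(req, TARGET_PROTOCOL)
    results = [server_verify(signed, TARGET_PROTOCOL, store, now=1000.0)]
    # Identical request replayed inside the protocol duration.
    results.append(server_verify(signed, TARGET_PROTOCOL, store, now=1010.0))
    # Body altered in transit: tamper check fails before any replay state is touched.
    tampered = {**signed, "body": '{"amount":9999}'}
    results.append(server_verify(tampered, TARGET_PROTOCOL, store, now=1020.0))
    # Nonce rewritten to dodge the replay check: it is covered by the signature, so it fails too.
    renonced = {**signed, "headers": {**signed["headers"], "x-tp-uuid": str(uuid.uuid4())}}
    results.append(server_verify(renonced, TARGET_PROTOCOL, store, now=1030.0))
    # Anti-replay string moved into the query string instead of the x-tp-uuid header.
    moved = {**signed, "path": signed["path"] + "?uuid=" + signed["headers"]["x-tp-uuid"],
             "headers": {k: v for k, v in signed["headers"].items() if k != "x-tp-uuid"}}
    results.append(server_verify(moved, TARGET_PROTOCOL, store, now=1040.0))
    # Same captured request after the stored entry has expired: accepted again.
    results.append(server_verify(signed, TARGET_PROTOCOL, store, now=1301.0))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two design points the patent text glosses over. The lookup of the first anti-replay signature and the storing of the second are one atomic operation (SET NX EX in Redis); doing them as two round trips lets two copies of the same request arriving concurrently both pass. The last call in demo() shows the limit of the duration rule: once the stored entry has expired, the same captured request is accepted again. The usual remedy, not described in the patent, is to include a client timestamp in the target data and reject any request older than the protocol duration.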
Therefore, by dynamically configuring the target protocol, the embodiment of the application performs both tamper-resistant verification and anti-replay verification on the network request sent by the client at the application layer, increases the difficulty of forging the data signature, and lets existing services upgrade the security of their interfaces without modifying existing service code and logic.
Referring to fig. 5, an embodiment of the present application further discloses a network request processing apparatus correspondingly, which is applied to a server and includes:
the configuration module 11 is configured to perform security configuration based on a target requirement to generate a corresponding target protocol, and transmit the target protocol to the client;
a receiving module 12, configured to receive a to-be-processed network request sent by the client and a first data signature of the to-be-processed network request; the first data signature is obtained after the client encrypts the network request to be processed according to the target protocol;
the encryption module 13 is configured to encrypt the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed;
and the matching module 14 is configured to match the first data signature with the second data signature, and perform corresponding processing on the network request based on a matching result.
Therefore, according to the embodiment of the application, security configuration is first carried out based on the target requirement to generate the corresponding target protocol, and the target protocol is transmitted to the client. A network request to be processed and a first data signature of that request are then received from the client, where the first data signature is the data signature obtained by the client encrypting the network request to be processed according to the target protocol. Finally, the received network request to be processed is encrypted based on the target protocol to obtain a second data signature, the first data signature is matched with the second data signature, and the network request is processed according to the matching result. Because the network request is processed according to a target protocol that meets the target requirement, interface data are verified globally at the application layer, the verification no longer relies solely on the transport security layer, and the security of data in network transmission is improved.
In some embodiments, the receiving module 12 is specifically configured to receive the pending network request sent by the client and the first tamper-resistant signature and the first replay-resistant signature of the pending network request.
In some specific embodiments, the encryption module 13 specifically includes:
the extraction unit is used for extracting the data in the received network request to be processed according to the extraction rule of the target protocol so as to obtain target data;
and the generating unit is used for generating a protocol key based on the encryption rule of the target protocol and encrypting the target data and the protocol key by using the encryption mode corresponding to the encryption rule so as to obtain a second tamper-proof signature of the network request to be processed.
In some specific embodiments, the matching module 14 specifically includes:
a first matching unit configured to match the first tamper-resistant signature with the second tamper-resistant signature, determine the first replay-resistant signature as a second replay-resistant signature if the first tamper-resistant signature is identical with the second tamper-resistant signature, and store the second replay-resistant signature;
and the second matching unit is used for matching the first anti-replay signature with all the stored second anti-replay signatures, and intercepting the network request to be processed if the second anti-replay signature is consistent with the first anti-replay signature.
Further, the embodiment of the application also provides electronic equipment. FIG. 6 is a block diagram illustrating an electronic device 20 according to an exemplary embodiment, and the contents of the diagram should not be construed as limiting the scope of use of the present application in any way.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the network request processing method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically a server.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc.; the resources stored thereon may include an operating system 221, a computer program 222, request data 223, etc., and the storage may be transient or permanent.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so that the processor 21 can operate on and process the massive request data 223 in the memory 22, and may be Windows Server, NetWare, Unix, Linux, and the like. The computer program 222 may further include, in addition to the computer program that performs the network request processing method performed by the electronic device 20 disclosed in any of the foregoing embodiments, a computer program that performs other specific tasks. The data 223 may include request data collected by the electronic device 20.
Further, an embodiment of the present application further discloses a storage medium, in which a computer program is stored, and when the computer program is loaded and executed by a processor, the steps of the network request processing method disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The network request processing method, apparatus, device and storage medium provided by the present invention are described in detail above, and a specific example is applied in the present disclosure to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A network request processing method is applied to a server side and is characterized by comprising the following steps:
performing security configuration based on target requirements to generate a corresponding target protocol, and transmitting the target protocol to a client;
receiving a network request to be processed sent by the client and a first data signature of the network request to be processed; the first data signature is a data signature obtained by the client encrypting the network request to be processed according to the target protocol;
encrypting the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed;
and matching the first data signature with the second data signature, and carrying out corresponding processing on the network request based on a matching result.
2. The method according to claim 1, wherein the receiving the pending network request sent by the client and the first data signature of the pending network request comprises:
and receiving a network request to be processed sent by the client and a first anti-tampering signature and a first anti-replay signature of the network request to be processed.
3. The method according to claim 2, wherein the encrypting the received pending network request based on the target protocol to obtain the second data signature of the pending network request comprises:
extracting the data in the received network request to be processed according to the extraction rule of the target protocol to obtain target data;
and generating a protocol key based on the encryption rule of the target protocol, and encrypting the target data and the protocol key by using an encryption mode corresponding to the encryption rule to obtain a second anti-tampering signature of the network request to be processed.
4. The method according to claim 3, wherein the matching the first data signature with the second data signature and the corresponding processing of the network request based on the matching result comprise:
matching the first tamper-resistant signature with the second tamper-resistant signature, determining the first replay-resistant signature as a second replay-resistant signature if the first tamper-resistant signature is identical to the second tamper-resistant signature, and storing the second replay-resistant signature;
and matching the first anti-replay signature with all the stored second anti-replay signatures, and intercepting the network request to be processed if the second anti-replay signature is consistent with the first anti-replay signature.
5. The network request processing method of claim 4, wherein the storing the second anti-replay signature comprises:
and storing the second anti-replay signature by using a remote dictionary service according to the duration rule of the target protocol.
6. The network request processing method of claim 5, wherein prior to determining the first anti-replay signature as a second anti-replay signature, further comprising:
and judging whether the position of the first anti-replay signature in the data message corresponding to the network request to be processed is consistent with the position specified by the target protocol or not, if so, starting a step of determining the first anti-replay signature as a second anti-replay signature, and if not, intercepting the network request to be processed.
7. A network request processing method is applied to a client and comprises the following steps:
acquiring a target protocol sent by a server, and encrypting a network request to be processed based on the target protocol to obtain a first data signature of the network request to be processed;
and sending the network request to be processed and the first data signature to the server, so that the server encrypts the received network request to be processed based on the target protocol to obtain a second data signature of the network request to be processed, matches the first data signature with the second data signature, and performs corresponding processing on the network request based on a matching result.
8. A network request processing device applied to a server side is characterized by comprising:
the configuration module is used for carrying out security configuration based on target requirements to generate a corresponding target protocol and transmitting the target protocol to the client;
the receiving module is used for receiving the network request to be processed sent by the client and a first data signature of the network request to be processed; the first data signature is obtained after the client encrypts the network request to be processed according to the target protocol;
the encryption module is used for encrypting the received network request to be processed based on the target protocol so as to obtain a second data signature of the network request to be processed;
and the matching module is used for matching the first data signature with the second data signature and correspondingly processing the network request based on a matching result.
9. An electronic device, comprising a processor and a memory; wherein the memory is for storing a computer program that is loaded and executed by the processor to implement the network request processing method of any of claims 1 to 7.
10. A computer-readable storage medium storing computer-executable instructions which, when loaded and executed by a processor, carry out a network request processing method according to any one of claims 1 to 7.
CN202110119780.1A 2021-01-28 2021-01-28 Network request processing method, device, equipment and storage medium Pending CN112953720A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110119780.1A CN112953720A (en) 2021-01-28 2021-01-28 Network request processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110119780.1A CN112953720A (en) 2021-01-28 2021-01-28 Network request processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112953720A true CN112953720A (en) 2021-06-11

Family

ID=76238799

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110119780.1A Pending CN112953720A (en) 2021-01-28 2021-01-28 Network request processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112953720A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140149735A1 (en) * 2012-11-29 2014-05-29 Adobe Systems Incorporated Distributive computation of a digital signature
CN110943840A (en) * 2018-09-25 2020-03-31 杭州字符串科技有限公司 Signature verification method and system
CN110650014A (en) * 2019-08-16 2020-01-03 威富通科技有限公司 Signature authentication method, system, equipment and storage medium based on hessian protocol
CN111431724A (en) * 2020-03-27 2020-07-17 微梦创科网络科技(中国)有限公司 Data transmission method and device and electronic equipment
CN111901124A (en) * 2020-07-29 2020-11-06 北京天融信网络安全技术有限公司 Communication safety protection method and device and electronic equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113449296A (en) * 2021-07-20 2021-09-28 恒安嘉新(北京)科技股份公司 System, method, apparatus, and medium for data security protection
CN113449296B (en) * 2021-07-20 2024-04-23 恒安嘉新(北京)科技股份公司 System, method, device and medium for data security protection
CN113726743A (en) * 2021-07-30 2021-11-30 苏州浪潮智能科技有限公司 Method, device, equipment and medium for detecting network replay attack

Similar Documents

Publication Publication Date Title
CN107483509B (en) A kind of auth method, server and readable storage medium storing program for executing
CN108259437B (en) HTTP access method, HTTP server and system
JP4864289B2 (en) Network user authentication system and method
US9853964B2 (en) System and method for authenticating the legitimacy of a request for a resource by a user
CN109639661B (en) Server certificate updating method, device, equipment and computer readable storage medium
US20220394026A1 (en) Network identity protection method and device, and electronic equipment and storage medium
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
CN100512201C (en) Method for dealing inserted-requested message of business in groups
CN108322416B (en) Security authentication implementation method, device and system
CN110430065B (en) Application service calling method, device and system
CN112313648A (en) Authentication system, authentication method, application providing device, authentication device, and authentication program
US8924725B2 (en) Authenticated file handles for network file systems
JP3593979B2 (en) Server and client with usage right control, service providing method and usage right certifying method
CN112968910B (en) Replay attack prevention method and device
CN112804269B (en) Method for realizing website interface anti-crawler
CN112953720A (en) Network request processing method, device, equipment and storage medium
CN111460410A (en) Server login method, device and system and computer readable storage medium
CN111628871A (en) Block chain transaction processing method and device, electronic equipment and storage medium
CN111294354B (en) Signature verification method, apparatus, device and storage medium for distributed environment
CN112448930A (en) Account registration method, device, server and computer readable storage medium
CN114239072B (en) Block chain node management method and block chain network
Abdelrazig Abubakar et al. Blockchain-based identity and authentication scheme for MQTT protocol
CN107566393A (en) A kind of dynamic rights checking system and method based on trust certificate
CN111510442A (en) User verification method and device, electronic equipment and storage medium
CN113239308B (en) Page access method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210611