CN113595731A - Protection method and device for shared link and computer readable storage medium - Google Patents
Protection method and device for shared link and computer readable storage medium Download PDFInfo
- Publication number
- CN113595731A CN113595731A CN202110605731.9A CN202110605731A CN113595731A CN 113595731 A CN113595731 A CN 113595731A CN 202110605731 A CN202110605731 A CN 202110605731A CN 113595731 A CN113595731 A CN 113595731A
- Authority
- CN
- China
- Prior art keywords
- link
- sharing link
- sharing
- shared
- random token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 72
- 238000012545 processing Methods 0.000 claims abstract description 99
- 238000012795 verification Methods 0.000 claims abstract description 94
- 238000013475 authorization Methods 0.000 claims abstract description 31
- 239000012634 fragment Substances 0.000 claims description 38
- 238000013507 mapping Methods 0.000 claims description 14
- 238000010200 validation analysis Methods 0.000 claims description 10
- 125000004122 cyclic group Chemical group 0.000 claims description 4
- 238000013467 fragmentation Methods 0.000 claims description 4
- 238000006062 fragmentation reaction Methods 0.000 claims description 4
- 230000004044 response Effects 0.000 claims description 2
- 230000007246 mechanism Effects 0.000 abstract description 51
- 230000005540 biological transmission Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000009466 transformation Effects 0.000 description 4
- 238000001914 filtration Methods 0.000 description 3
- 230000000295 complement effect Effects 0.000 description 2
- 230000006835 compression Effects 0.000 description 2
- 238000007906 compression Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000001012 protector Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
Abstract
The invention relates to the technical field of network security, and discloses a protection method and a device for a shared link and a computer readable storage medium, wherein the protection method for the shared link comprises the following steps: when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored in a server side; carrying out validity processing on the generated sharing link, and setting the validity period of the sharing link; and/or performing anti-tampering processing on the generated sharing link to prevent the sharing link from being tampered. The protection method for sharing links filters invalid or expired requests through a multi-layer verification mechanism so as to reduce the consumption of back-end resources as much as possible on the basis of ensuring the safety.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a protection method and device for shared links and a computer readable storage medium.
Background
In the internet era, when resource sharing is performed, a sharing link is generated and sent to a shared user, and in order to facilitate the query of a resource request of the shared user, a simple mode is that resource ID information is carried in a URL of the sharing link. However, in this resource sharing manner, once the sharing link is acquired by an unrelated person, the resource ID information is easily leaked, and there is a great security problem.
In order to solve the potential safety hazard of resource ID information leakage, a further processing mode is to perform encryption processing on the resource ID information through an encryption algorithm, although the confidentiality of the resource ID information is improved, how to transmit the encryption algorithm to a shared user is a key for ensuring the encryption effectiveness of the resource ID information, and the shared user can decrypt the resource ID information only by obtaining the encryption algorithm to realize resource access. The most reliable encryption algorithm transfer mode is the hand-to-hand transfer between the sharing user and the shared user, but the method does not accord with the use scene of internet resource sharing and has no feasibility at all. In addition, any mode of carrying out encryption algorithm transmission through the Internet has the risk of interception and leakage, and once the encryption algorithm is leaked, the resource ID information is cracked.
In view of this, the present invention is provided to solve the validity and confidentiality verification of the shared link during resource sharing, and to ensure that the resource is safely and effectively shared to the sharee.
Disclosure of Invention
In order to solve the technical problem, the invention provides a protection method, a protection device and a computer readable storage medium for shared links, and the specific technical scheme is as follows:
a method of securing a shared link, comprising:
when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored in a server side;
carrying out validity processing on the generated sharing link, and setting the validity period of the sharing link;
and/or performing anti-tampering processing on the generated sharing link to prevent the sharing link from being tampered.
As an optional embodiment of the present invention, the generating a temporary random token and storing, at a server, authorization information of a real resource ID by the random token when generating a sharing link includes:
when the sharing client generates a sharing link, applying to a server side of the shared resource for generating a temporary random token;
the server side generates a temporary random token through application verification, writes the temporary random token into the URL of the sharing link and returns the URL to the sharing client side;
the server side stores authorization information of a random token to the shared resource, wherein the authorization information of the random token to the shared resource comprises: and mapping between the random token and the shared resource ID, and/or the validity period of the random token for accessing the shared resource, and/or the access authority of the random token for the shared resource.
As an optional implementation manner of the present invention, the performing validity processing on the generated sharing link includes:
writing the valid period in the authorization information of the random token for accessing the shared resource into the URL of the shared link;
optionally, the validity period is written in the URL of the sharing link in a clear text.
As an optional embodiment of the present invention, the performing tamper-resistant processing on the generated sharing link includes:
encrypting parameters in the generated sharing link to generate a digital signature of the sharing link;
optionally, encryption processing is performed on specified parameters or all parameters in the generated sharing link;
optionally, the parameters in the validity-processed sharing link are encrypted.
As an optional embodiment of the present invention, the encrypting the parameter in the generated sharing link to generate the digital signature of the sharing link includes:
setting a first key1 and a second key2 with equal number of bits;
extracting all parameters in the sharing link subjected to effectiveness processing and splicing into a character string p 0;
carrying out average fragmentation on the character string p0 according to bytes corresponding to the number of bits of the key, and when the bytes of the last fragment are insufficient, using a second key2 for completion to obtain data fragments ps;
performing logic operation on each data fragment ps and the first key1 to obtain data fragment psi, and processing the data fragment psi according to set encryption logic to obtain an encrypted ciphertext;
and writing the encrypted ciphertext into the URL of the sharing link for digital signature.
As an optional embodiment of the present invention, the performing a logic operation on each data slice ps and the first key1 to obtain data slice psi, and processing the data slice psi according to a set encryption logic to obtain an encrypted ciphertext includes:
performing logic exclusive or operation on each data fragment ps and new data after cyclic shift of the first key1 circularly to obtain data fragment psi;
judging whether the data slicing psi is a set value a, if so, dividing the data slicing psi into two sections and exchanging to obtain a data slicing psd, and if not, directly storing the data slicing psi as the data slicing psd;
performing modular operation on each data slice psd to generate a group of numbers;
and adding each group of numbers according to the bit, and performing logic operation to obtain a new number as an encryption ciphertext.
As an optional embodiment of the present invention, the protection method for shared links includes:
responding to the access request of the sharing link, and performing validity and/or tamper-proof verification on the sharing link;
after the authentication is passed, the server side acquires the random token in the sharing link to carry out identity information validity authentication;
after the verification is passed, the server side loads resource information to the authorization information of the shared resource according to the stored random token and responds to the access request.
As an optional implementation manner of the present invention, in the protection method for a shared link according to the present invention, in response to an access request of the shared link, validity verification is performed on the shared link first, and tamper-proof verification is performed after the verification is passed;
the validity verification of the sharing link comprises the following steps: responding to the access request of the sharing link, checking the validity period of the URL of the sharing link, judging the validity of the access of the sharing resource, and if the validity period check fails, prompting that the sharing resource is overdue;
the tamper-proof verification of the sharing link includes: the server side obtains parameters in the URL of the sharing link, carries out encryption processing according to a stored encryption algorithm to obtain a check ciphertext, compares the check ciphertext with the encryption ciphertext in the URL of the sharing link, if the check ciphertext is the same as the encryption ciphertext, the verification is passed, otherwise, the verification fails, and the current access request is rejected.
The invention also provides a protection device for sharing the link, which comprises:
the token protection module generates a temporary random token when the sharing link is generated, and stores authorization information of the random token to the shared resource at the server side;
the validity protection module is used for carrying out validity processing on the generated sharing link and setting the validity period of the sharing link;
and/or the anti-tampering protection module is used for carrying out anti-tampering processing on the generated sharing link so as to prevent the sharing link from being tampered.
The invention also provides a computer readable storage medium, which stores a computer executable program, when the computer executable program is executed, the protection method for the shared link is realized.
Compared with the prior art, the invention has the beneficial effects that:
in the protection method of the sharing link, when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored at a server side; therefore, the ID information of the shared resource cannot be carried in the URL of the shared link, the information in the transmitted random token is acquired at the server side through the transmission of the temporary random token for verification, and the shared resource is loaded after the verification is passed and responds to the shared user. Because the token is random, the real resource id is not easy to be found and obtained when sharing link is carried out; and the random token is temporary and generally has a certain validity period, so that the shared resource can only be accessed within the validity period, and the shared resource is prevented from being leaked.
The protection method of the sharing link comprises the steps of carrying out validity processing on the generated sharing link, setting the validity period of the sharing link, carrying out validity period verification firstly when carrying out an access request of the sharing link, carrying out subsequent verification if the validity period verification passes, directly rejecting the access request if the validity period verification fails, and simultaneously giving prompt information of 'the sharing link is invalid'. Therefore, subsequent verification of the sharing link is not executed any more, unnecessary pressure on the server side is avoided, and resource consumption is reduced.
Further, the method for protecting the sharing link according to the present invention may further include performing tamper-resistant processing on the generated sharing link, so as to prevent the sharing link from being tampered, for example, tampering a failed sharing link with an effective sharing link, and then performing subsequent token verification may also increase processing pressure of the server. Therefore, the protection method for the sharing link in the embodiment can avoid tampering the sharing link to pass validity verification, reduce invalid request processing of the server, reduce operation pressure of the server, and reduce resource consumption.
In summary, in the protection method for the shared link of the present invention, a token mechanism, an expiration date processing mechanism and an anti-tamper processing mechanism are adopted for the shared link, and the expiration date processing mechanism can filter out invalid resource links at a very low cost; invalid links which are verified by illegal users by bypassing the validity period processing mechanism through the tampered links can be filtered out at low cost through the anti-tampering processing mechanism; the token mechanism can provide the highest level of protection for shared resources, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resources can still be guaranteed to be effectively protected.
The protection method for sharing links filters invalid or expired requests through a multi-layer verification mechanism so as to reduce the consumption of back-end resources as much as possible on the basis of ensuring the safety.
Compared with the prior art, the protection method for sharing the links has the advantages that the security is enhanced, and meanwhile, a scheme with lower cost is used for filtering out invalid links.
Through a first re-protection mechanism, invalid resource links can be filtered out at extremely low cost; through a second protection mechanism, invalid links which are not authorized by illegal users to bypass the first re-authentication through tampered links can be filtered at low cost; through the third protection mechanism, the shared resource can be protected at the highest level, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resource can still be guaranteed to be effectively protected.
Description of the drawings:
FIG. 1 is a general flow diagram of a method for securing a shared link according to the present invention;
FIG. 2 is a block diagram of a random token verification mechanism in the protection method for sharing links according to the present invention;
FIG. 3 is a first flowchart illustrating a tamper-proof process in the method for protecting a shared link according to the present invention;
FIG. 4 is a second flowchart illustrating a tamper-resistant process in the protection method for sharing links according to the present invention;
fig. 5 is a first flowchart of a sharing link access request verification mechanism in the method for protecting a sharing link according to the present invention;
fig. 6 is a second flowchart of a sharing link access request verification mechanism in the method for protecting a sharing link according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments.
Thus, the following detailed description of the embodiments of the invention is not intended to limit the scope of the invention as claimed, but is merely representative of some embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments of the present invention and the features and technical solutions thereof may be combined with each other without conflict.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present invention, it should be noted that the terms "upper", "lower", and the like refer to orientations or positional relationships based on those shown in the drawings, or orientations or positional relationships that are conventionally arranged when the products of the present invention are used, or orientations or positional relationships that are conventionally understood by those skilled in the art, and such terms are used for convenience of description and simplification of the description, and do not refer to or imply that the devices or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, the present embodiment provides a protection method for shared links, including:
when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored in a server side;
carrying out validity processing on the generated sharing link, and setting the validity period of the sharing link;
and/or performing anti-tampering processing on the generated sharing link to prevent the sharing link from being tampered.
In the protection method for the sharing link in the embodiment, when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored in a server; therefore, the ID information of the shared resource cannot be carried in the URL of the shared link, the information in the transmitted random token is acquired at the server side through the transmission of the temporary random token for verification, and the shared resource is loaded after the verification is passed and responds to the shared user. Because the token is random, the real resource id is not easy to be found and obtained when sharing link is carried out; and the random token is temporary and generally has a certain validity period, so that the shared resource can only be accessed within the validity period, and the shared resource is prevented from being leaked.
In the embodiment, after the shared link is processed by adopting the technical scheme, the security of the shared resource is guaranteed, but the method increases the resource consumption, and especially under the scene of setting failure mechanisms such as a valid period, a large number of expired requests bring unnecessary pressure to the server side.
Therefore, the protection method for the sharing link in this embodiment includes performing validity processing on the generated sharing link, setting a validity period of the sharing link, and when performing an access request of the sharing link, first performing validation of the validity period, and if the validation of the validity period passes, then performing subsequent validation, and if the validation of the validity period fails, directly rejecting the access request, and simultaneously providing a prompt message that the sharing link is invalid. Therefore, subsequent verification of the sharing link is not executed any more, unnecessary pressure on the server side is avoided, and resource consumption is reduced.
Further, the method for protecting the sharing link in this embodiment may further include performing tamper-resistant processing on the generated sharing link, so as to prevent the sharing link from being tampered, for example, tampering a failed sharing link with an effective sharing link, and then performing subsequent token verification may also increase processing pressure of the server. Therefore, the protection method for the sharing link in the embodiment can avoid tampering the sharing link to pass validity verification, reduce invalid request processing of the server, reduce operation pressure of the server, and reduce resource consumption.
In summary, in the protection method for the shared link according to this embodiment, a token mechanism, an expiration date processing mechanism, and an anti-tamper processing mechanism are adopted for the shared link, and a failed resource link can be filtered out at a very low cost through the expiration date processing mechanism; invalid links which are verified by illegal users by bypassing the validity period processing mechanism through the tampered links can be filtered out at low cost through the anti-tampering processing mechanism; the token mechanism can provide the highest level of protection for shared resources, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resources can still be guaranteed to be effectively protected.
The protection method for sharing links filters invalid or expired requests through a multi-layer verification mechanism, so that the consumption of back-end resources is reduced as much as possible on the basis of ensuring the security.
Further, as shown in fig. 2, in the protection method for a sharing link according to this embodiment, when the sharing link is generated, generating a temporary random token, and storing, at a server, authorization information of the random token for a real resource ID includes:
when the sharing client generates a sharing link, applying to a server side of the shared resource for generating a temporary random token;
the server side generates a temporary random token through application verification, writes the temporary random token into the URL of the sharing link and returns the URL to the sharing client side;
the server side stores authorization information of a random token to the shared resource, wherein the authorization information of the random token to the shared resource comprises: and mapping between the random token and the shared resource ID, and/or the validity period of the random token for accessing the shared resource, and/or the access authority of the random token for the shared resource.
In the processing of the above steps, the server side mainly needs to verify the user ID information of the sharing client side through application and verification, and can generate the random token after verification.
In the processing of the above steps, a temporary random token is generated and written into the URL of the sharing link and returned to the sharing client, and the token parameter in the URL is the token.
In the above processing, the mapping between the random token and the shared resource ID indicates a correspondence relationship between the random token and the shared resource ID, and multiple random token verifications can be performed simultaneously; the mapping between the random token and the shared resource ID is stored when the random token is generated, and is deleted when the random token is invalid.
In the above processing steps, the valid period of the random token accessing the shared resource determines the valid period of the shared link, so that the shared client can only make an access request within the valid period, and the security of the resource is ensured.
In the above processing steps, the access right of the random token to the shared resource is used to specify which resources are allowed to be accessed by the shared link corresponding to the random token, and which resources are restricted, and generally, an authorization request may be sent to the sharing client through the server to determine the scope of authorized access.
As an optional implementation manner of this embodiment, the performing validity processing on the generated sharing link in the protection method for a sharing link of this embodiment includes: and writing the valid period in the authorization information of the random token access sharing resource into the URL of the sharing link. In the embodiment, the valid period is directly written into the URL of the sharing link, the client of the shared user can directly extract the valid period information from the URL, compare the valid period information with the local time and verify the valid period information, and determine whether the sharing link is still in the valid period.
Optionally, the validity period is written into the URL of the sharing link in a clear text manner, which facilitates writing and extracting of the validity period, and even the shared user can visually verify the validity of the sharing link. And putting basic verification parameters of non-sensitive information such as the resource expiration date and the like into the sharing link in a plaintext form, when a user requests the link, performing first verification on the plaintext parameters to judge the effectiveness of the resource, and if the resource is invalid, prompting the user that the resource is overdue without further processing.
As an optional implementation manner of this embodiment, in the method for protecting a shared link according to this embodiment, the performing tamper-resistant processing on the generated shared link includes: and encrypting the parameters in the generated sharing link to generate a digital signature of the sharing link.
And after the user passes the validity check (first re-check) of the sharing link, carrying out anti-tampering check (second re-protection check). The purpose of this re-check is to filter the scenario where a user with some manual ability tampers with the link by modifying the plaintext information. The protection method for the sharing link in this embodiment generates a digital signature by encrypting the parameter in the generated sharing link, and when the sharing link verifies the access request, the parameter (excluding the digital signature) can be encrypted according to the same encryption algorithm for the sharing link of the access request, and the generated digital signature is compared with the digital signature in the sharing link, if the generated digital signature is the same as the digital signature in the sharing link, the sharing link is not tampered, and if the generated digital signature is not the same as the digital signature in the sharing link, the access is denied.
Therefore, the tamper-proof processing in the protection method for the sharing link in this embodiment performs further protection verification for the problem that the validity period parameter written in the sharing link in a plaintext form is easily tampered, so as to ensure the security of the shared resource.
Optionally, encryption processing is performed on specified parameters or all parameters in the generated sharing link. The tamper-resistant processing of this embodiment may perform encryption processing on a specific parameter in the sharing link, for example, only the validity period part may be performed, or encryption processing may be performed on all parameters in the sharing link, and the encryption algorithm should be known by the server side.
Optionally, the parameters in the validity-processed sharing link are encrypted. This can prevent the validity period parameter part in the shared link whose validity period has been processed from being tampered.
As an optional implementation manner of this embodiment, referring to fig. 3, this embodiment provides a parameter encryption algorithm in tamper-resistant processing, and specifically, the encrypting the parameter in the generated shared link to generate the digital signature of the shared link includes:
setting a first key1 and a second key2 with equal number of bits;
extracting all parameters in the sharing link subjected to effectiveness processing and splicing into a character string p 0;
carrying out average fragmentation on the character string p0 according to bytes corresponding to the number of bits of the key, and when the bytes of the last fragment are insufficient, using a second key2 for completion to obtain data fragments ps;
performing logic operation on each data fragment ps and the first key1 to obtain data fragment psi, and processing the data fragment psi according to set encryption logic to obtain an encrypted ciphertext;
and writing the encrypted ciphertext into the URL of the sharing link for digital signature.
The encryption method which is designed aiming at the parameter pertinence in the sharing link can be better suitable for the parameter encryption in the sharing link, all the sharing links are ensured to be suitable for, the parameter encryption algorithm strategy of the embodiment is not easy to crack, and the effectiveness and the reliability of the parameter encryption in the sharing link are ensured.
Further, referring to fig. 4, in this embodiment, performing a logic operation on each data slice ps and the first key1 to obtain data slice psi, and performing a processing according to a set encryption logic on the data slice psi to obtain an encrypted ciphertext includes:
performing logic exclusive or operation on each data fragment ps and new data after cyclic shift of the first key1 circularly to obtain data fragment psi;
judging whether the data slicing psi is a set value a, if so, dividing the data slicing psi into two sections and exchanging to obtain a data slicing psd, and if not, directly storing the data slicing psi as the data slicing psd;
performing modular operation on each data slice psd to generate a group of numbers;
and adding each group of numbers according to the bit, and performing logic operation to obtain a new number as an encryption ciphertext.
As an optional implementation manner of this embodiment, this embodiment provides a specific parameter encryption algorithm for performing tamper-resistant processing on a sharing link, which specifically includes:
1. setting a 128-bit first key1 and a 128-bit second key2(128 bits are 16 bytes, i.e., the number of bits of 16 English strings);
2. all parameters in the URL of the sharing link are spliced into a character string p 0;
3. dividing the character string p0 into pieces according to 16 bytes, and using a second key2 to complement the last piece of character string p0 with less than 16 bytes to obtain data fragments ps;
4. carrying out exclusive or on each data fragment and the new data after the first key1 circularly moves right in a circulating manner to obtain new data fragments psi;
5. judging whether the data slicing psi is 0 or not if the last bit of the data slicing psi is 0, if so, dividing the data slicing psi into two sections and exchanging to generate new slicing data psd, and if not, directly storing the data slicing psi as the data slicing psd;
6. taking the remaining 10 for every four bits of each data fragment psd to obtain a number within 10, wherein each fragment can generate 32 numbers;
7. and adding each digit in the step 6 according to the bit without carrying to obtain a new 32-bit digit as a signature.
As another optional implementation manner of this embodiment, in this embodiment, performing tamper-resistant processing on the shared link may further generate a signature of the link by performing AES encryption on all parameters in the shared link and then performing hash; and after the user passes the first re-verification, performing second re-protection verification. The purpose of the re-check is to filter the scene that a user with certain manual capability tampers the link by modifying the plaintext information, so that whether the key and the encrypted vector data of the AES are exposed to the front end or not is not required. The Advanced Encryption Standard (AES) is the most common symmetric Encryption algorithm, i.e., the same key is used for Encryption and decryption. Hash, which is generally translated as a Hash, or transliteration, is a process of converting an input of arbitrary length (also called pre-map image) into an output of fixed length by a hashing algorithm, where the output is a Hash value. This transformation is a kind of compression mapping, i.e. the space of hash values is usually much smaller than the space of inputs, different inputs may hash to the same output, so it is not possible to determine a unique input value from a hash value. In short, it is a function of compressing a message of an arbitrary length to a message digest of a certain fixed length. In this embodiment, a hash operation is performed on a ciphertext generated after AES encryption to generate a hash value with a fixed length, so that structural consistency can be maintained when URL digital signature is performed.
According to the protection method for the sharing link, the generation of three protection mechanisms of the sharing link is realized through the scheme, and the effectiveness and the safety of the sharing link are greatly improved.
Referring to fig. 5, the protection method for a shared link of the present embodiment provides an access request verification mechanism for the shared link at the same time, and specifically includes:
responding to the access request of the sharing link, and performing validity and/or tamper-proof verification on the sharing link;
after the authentication is passed, the server side acquires the random token in the sharing link to carry out identity information validity authentication;
after the verification is passed, the server side loads resource information to the authorization information of the shared resource according to the stored random token and responds to the access request.
In the embodiment, when an access request of a sharing link is directed, first re-verification on whether the sharing link is valid or not needs to be performed, if the sharing link exceeds the validity period, the sharing link is determined to be invalid, the access request is rejected, and information of 'link invalidation' is returned; secondly, if the sharing link does not exceed the validity period, judging that the sharing link is valid, carrying out second re-verification on whether the sharing link is tampered, and if the sharing link is tampered, refusing access and returning information of 'link invalid' or 'access error'; and finally, if the sharing link is not tampered, carrying out third verification, obtaining information corresponding to the token by the server side for final verification, loading resource information after the verification is passed, and responding to the user.
The protection method for sharing links in this embodiment considers security, and adopts a mapping mechanism of token and resource ID, but the overhead is relatively large. The key point of the invention is that before the mapping of token and resource ID is obtained, lower-cost check is added, and a large number of invalid requests are filtered, so as to reduce the rear-end resource overhead.
Further, referring to fig. 6, the protection method for sharing a link in this embodiment includes: and responding to the access request of the sharing link, firstly carrying out validity verification on the sharing link, and then carrying out tamper-proof verification after the verification is passed.
The validity verification of the sharing link comprises the following steps: responding to the access request of the sharing link, checking the validity period of the URL of the sharing link, judging the validity of the access of the sharing resource, and if the validity period check fails, prompting that the sharing resource is overdue;
the tamper-proof verification of the sharing link includes: the server side obtains parameters in the URL of the sharing link, carries out encryption processing according to a stored encryption algorithm to obtain a check ciphertext, compares the check ciphertext with the encryption ciphertext in the URL of the sharing link, if the check ciphertext is the same as the encryption ciphertext, the verification is passed, otherwise, the verification fails, and the current access request is rejected.
Compared with the prior art, the protection method for sharing the links has the advantages that the security is enhanced, and meanwhile, a scheme with lower cost is used for filtering out the failed links.
Through a first re-protection mechanism, invalid resource links can be filtered out at extremely low cost; through a second protection mechanism, invalid links which are not authorized by illegal users to bypass the first re-authentication through tampered links can be filtered at low cost; through the third protection mechanism, the shared resource can be protected at the highest level, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resource can still be guaranteed to be effectively protected.
The protection method of the sharing link in the embodiment can achieve similar effects through combination and transformation of the first protection and the second protection, and like simple use but customized encryption can also filter most invalid requests.
This embodiment provides a protector of sharing link simultaneously, includes:
the token protection module generates a temporary random token when the sharing link is generated, and stores authorization information of the random token to the shared resource;
the validity protection module is used for carrying out validity processing on the generated sharing link and setting the validity period of the sharing link;
and/or the anti-tampering protection module is used for carrying out anti-tampering processing on the generated sharing link so as to prevent the sharing link from being tampered.
When the protection device of the sharing link generates the sharing link, the token protection module generates a temporary random token and stores authorization information of the random token to the shared resource at the server side; therefore, the ID information of the shared resource cannot be carried in the URL of the shared link, the information in the transmitted random token is acquired at the server side through the transmission of the temporary random token for verification, and the shared resource is loaded after the verification is passed and responds to the shared user. Because the token is random, the real resource id is not easy to be found and obtained when sharing link is carried out; and the random token is temporary and generally has a certain validity period, so that the shared resource can only be accessed within the validity period, and the shared resource is prevented from being leaked. The token protection module of this embodiment may be disposed at a server side that shares resources.
In the embodiment, after the shared link is processed by adopting the technical scheme, the security of the shared resource is guaranteed, but the method increases the resource consumption, and especially under the scene of setting failure mechanisms such as a valid period, a large number of expired requests bring unnecessary pressure to the server side.
Therefore, the protection device for the sharing link of the embodiment includes the validity protection module, performs validity processing on the generated sharing link, and sets the validity period of the sharing link, and when an access request of the sharing link is performed, the validity protection module first performs validation of the validity period, and if validation of the validity period passes, then performs subsequent validation, and if validation of the validity period fails, directly rejects the access request, and simultaneously gives a prompt message that the sharing link is invalid. Therefore, subsequent verification of the sharing link is not executed any more, unnecessary pressure on the server side is avoided, and resource consumption is reduced.
Further, the protection device for the sharing link in this embodiment may further include an anti-tampering protection module, and perform anti-tampering processing on the generated sharing link to prevent the sharing link from being tampered, for example, tampering a failed sharing link with an effective sharing link, and then performing subsequent token verification may also increase processing pressure at the server side. Therefore, the tamper-resistant protection module of the embodiment can prevent the tamper sharing link from passing validity verification, reduce invalid request processing of the server, reduce operation pressure of the server, and reduce resource consumption.
In summary, the protection device for sharing links in this embodiment adopts a token mechanism, an expiration date processing mechanism, and an anti-tamper processing mechanism for the sharing links, and can filter out invalid resource links at a very low cost through the expiration date processing mechanism; invalid links which are verified by illegal users by bypassing the validity period processing mechanism through the tampered links can be filtered out at low cost through the anti-tampering processing mechanism; the token mechanism can provide the highest level of protection for shared resources, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resources can still be guaranteed to be effectively protected.
The protection device for sharing the link filters invalid or expired requests through a multi-layer verification mechanism, so that the consumption of back-end resources is reduced as much as possible on the basis of ensuring the security.
Further, when the sharing client generates the sharing link, the token protection module applies to the server of the shared resource for generating a temporary random token;
the server side generates a temporary random token through application verification, writes the temporary random token into the URL of the sharing link and returns the URL to the sharing client side;
the server side stores authorization information of a random token to the shared resource, wherein the authorization information of the random token to the shared resource comprises: and mapping between the random token and the shared resource ID, and/or the validity period of the random token for accessing the shared resource, and/or the access authority of the random token for the shared resource.
In the processing of the above steps, the server side mainly needs to verify the user ID information of the sharing client side through application and verification, and can generate the random token after verification.
In the processing of the above steps, the token protection module generates a temporary random token, writes the temporary random token into the URL of the sharing link, and returns the temporary random token to the sharing client, where the token parameter in the URL is the token.
In the above processing, the mapping between the random token and the shared resource ID indicates a correspondence relationship between the random token and the shared resource ID, and multiple random token verifications can be performed simultaneously; the mapping between the random token and the shared resource ID is stored when the random token is generated, and is deleted when the random token is invalid.
In the above processing steps, the valid period of the random token accessing the shared resource determines the valid period of the shared link, so that the shared client can only make an access request within the valid period, and the security of the resource is ensured.
In the above processing steps, the access right of the random token to the shared resource is used to specify which resources are allowed to be accessed by the shared link corresponding to the random token, and which resources are restricted, and generally, an authorization request may be sent to the sharing client through the server to determine the scope of authorized access.
As an optional implementation manner of this embodiment, the performing, by the validity protection module in the protection device for sharing links of this embodiment, validity processing on the generated sharing links includes: and the validity protection module writes the validity period in the authorization information of the random token for accessing the shared resource into the URL of the shared link. The validity protection module of the embodiment directly writes the validity period into the URL of the sharing link, and the shared user client can directly extract the validity period information from the URL, compare the validity period information with the local time for verification, and determine whether the sharing link is still in the validity period.
Optionally, the validity period is written into the URL of the sharing link in a clear text manner, which facilitates writing and extracting of the validity period, and even the shared user can visually verify the validity of the sharing link. And putting basic verification parameters of non-sensitive information such as the resource expiration date and the like into the sharing link in a plaintext form, when a user requests the link, performing first verification on the plaintext parameters to judge the effectiveness of the resource, and if the resource is invalid, prompting the user that the resource is overdue without further processing.
As an optional implementation manner of this embodiment, the performing, by the tamper-resistant module in the protection device for a shared link of this embodiment, tamper-resistant processing on the generated shared link includes: and encrypting the parameters in the generated sharing link to generate a digital signature of the sharing link.
And after the user passes the validity check (first re-check) of the sharing link, carrying out anti-tampering check (second re-protection check). The purpose of this re-check is to filter the scenario where a user with some manual ability tampers with the link by modifying the plaintext information. The protection method for the sharing link in this embodiment generates a digital signature by encrypting the parameter in the generated sharing link, and when the sharing link verifies the access request, the parameter (excluding the digital signature) can be encrypted according to the same encryption algorithm for the sharing link of the access request, and the generated digital signature is compared with the digital signature in the sharing link, if the generated digital signature is the same as the digital signature in the sharing link, the sharing link is not tampered, and if the generated digital signature is not the same as the digital signature in the sharing link, the access is denied. Therefore, the tamper-proof processing in the protection method for the sharing link in this embodiment performs further protection verification for the problem that the validity period parameter written in the sharing link in a plaintext form is easily tampered, so as to ensure the security of the shared resource.
Optionally, encryption processing is performed on specified parameters or all parameters in the generated sharing link. The tamper-resistant processing of this embodiment may perform encryption processing on a specific parameter in the sharing link, for example, only the validity period part may be performed, or encryption processing may be performed on all parameters in the sharing link, and the encryption algorithm should be known by the server side.
Optionally, the parameters in the validity-processed sharing link are encrypted. This can prevent the validity period parameter part in the shared link whose validity period has been processed from being tampered.
As an optional implementation manner of this embodiment, this embodiment provides a parameter encryption algorithm in tamper-resistant processing, and specifically, the encrypting the parameter in the generated shared link to generate the digital signature of the shared link includes:
setting a first key1 and a second key2 with equal number of bits;
extracting all parameters in the sharing link subjected to effectiveness processing and splicing into a character string p 0;
carrying out average fragmentation on the character string p0 according to bytes corresponding to the number of bits of the key, and when the bytes of the last fragment are insufficient, using a second key2 for completion to obtain data fragments ps;
performing logic operation on each data fragment ps and the first key1 to obtain data fragment psi, and processing the data fragment psi according to set encryption logic to obtain an encrypted ciphertext;
and writing the encrypted ciphertext into the URL of the sharing link for digital signature.
The encryption method which is designed aiming at the parameter pertinence in the sharing link can be better suitable for the parameter encryption in the sharing link, all the sharing links are ensured to be suitable for, the parameter encryption algorithm strategy of the embodiment is not easy to crack, and the effectiveness and the reliability of the parameter encryption in the sharing link are ensured.
Further, the performing logic operation on each data slice ps and the first key1 to obtain data slice psi, and processing the data slice psi according to the set encryption logic to obtain the encrypted ciphertext includes:
performing logic exclusive or operation on each data fragment ps and new data after cyclic shift of the first key1 circularly to obtain data fragment psi;
judging whether the data slicing psi is a set value a, if so, dividing the data slicing psi into two sections and exchanging to obtain a data slicing psd, and if not, directly storing the data slicing psi as the data slicing psd;
performing modular operation on each data slice psd to generate a group of numbers; and adding each group of numbers according to the bit, and performing logic operation to obtain a new number as an encryption ciphertext.
As an optional implementation manner of this embodiment, this embodiment provides a specific parameter encryption algorithm for performing tamper-resistant processing on a sharing link, which specifically includes:
1. setting a 128-bit first key1 and a 128-bit second key2(128 bits are 16 bytes, i.e., the number of bits of 16 English strings);
2. all parameters in the URL of the sharing link are spliced into a character string p 0;
3. dividing the character string p0 into pieces according to 16 bytes, and using a second key2 to complement the last piece of character string p0 with less than 16 bytes to obtain data fragments ps;
4. carrying out exclusive or on each data fragment and the new data after the first key1 circularly moves right in a circulating manner to obtain new data fragments psi;
5. judging whether the data slicing psi is 0 or not if the last bit of the data slicing psi is 0, if so, dividing the data slicing psi into two sections and exchanging to generate new slicing data psd, and if not, directly storing the data slicing psi as the data slicing psd;
6. taking the remaining 10 for every four bits of each data fragment psd to obtain a number within 10, wherein each fragment can generate 32 numbers;
7. and adding each digit in the step 6 according to the bit without carrying to obtain a new 32-bit digit as a signature.
As another optional implementation manner of this embodiment, the tamper-resistant module in this embodiment may perform tamper-resistant processing on the shared link by performing AES encryption on all parameters in the shared link and then performing hash on the parameters to generate a signature of the link. And after the user passes the first re-verification, performing second re-protection verification. The purpose of the re-check is to filter the scene that a user with certain manual capability tampers the link by modifying the plaintext information, so that whether the key and the encrypted vector data of the AES are exposed to the front end or not is not required.
The Advanced Encryption Standard (AES) is the most common symmetric Encryption algorithm, i.e., the same key is used for Encryption and decryption. Hash, which is generally translated as a Hash, or transliteration, is a process of converting an input of arbitrary length (also called pre-map image) into an output of fixed length by a hashing algorithm, where the output is a Hash value. This transformation is a kind of compression mapping, i.e. the space of hash values is usually much smaller than the space of inputs, different inputs may hash to the same output, so it is not possible to determine a unique input value from a hash value. In short, it is a function of compressing a message of an arbitrary length to a message digest of a certain fixed length. In this embodiment, a hash operation is performed on a ciphertext generated after AES encryption to generate a hash value with a fixed length, so that structural consistency can be maintained when URL digital signature is performed.
The protection device of the sharing link of the embodiment realizes generation of three protection mechanisms of the sharing link through the scheme, and has great promotion on effectiveness and safety of the sharing link.
The protection device for a shared link of the present embodiment provides an access request verification mechanism for the shared link at the same time, and specifically includes:
responding to the access request of the sharing link, the effectiveness protection module performs effectiveness verification on the sharing link, and/or the anti-tampering protection module performs anti-tampering verification on the sharing link;
after the authentication is passed, the token protection module acquires a random token in the sharing link to carry out identity information validity authentication;
after the verification is passed, the server side loads resource information to the authorization information of the shared resource according to the stored random token and responds to the access request.
In the embodiment, when an access request of a sharing link is directed, first re-verification on whether the sharing link is valid or not needs to be performed, if the sharing link exceeds the validity period, the sharing link is determined to be invalid, the access request is rejected, and information of 'link invalidation' is returned; secondly, if the sharing link does not exceed the validity period, judging that the sharing link is valid, carrying out second re-verification on whether the sharing link is tampered, and if the sharing link is tampered, refusing access and returning information of 'link invalid' or 'access error'; and finally, if the sharing link is not tampered, performing third-time verification, acquiring information corresponding to the token by the token protection module to perform final verification, and loading resource information after the verification is passed to respond to the user. The protection method for sharing links in this embodiment considers security, and adopts a mapping mechanism of token and resource ID, but the overhead is relatively large. The key point of the invention is that before the mapping of token and resource ID is obtained, lower-cost check is added, and a large number of invalid requests are filtered, so as to reduce the rear-end resource overhead.
Further, the protection device for sharing a link of the embodiment includes: and responding to the access request of the sharing link, firstly carrying out validity verification on the sharing link, and then carrying out tamper-proof verification after the verification is passed.
The validity verification of the sharing link comprises the following steps: responding to the access request of the sharing link, checking the validity period of the URL of the sharing link, judging the validity of the access of the sharing resource, and if the validity period check fails, prompting that the sharing resource is overdue;
the tamper-proof verification of the sharing link includes: the server side obtains parameters in the URL of the sharing link, carries out encryption processing according to a stored encryption algorithm to obtain a check ciphertext, compares the check ciphertext with the encryption ciphertext in the URL of the sharing link, if the check ciphertext is the same as the encryption ciphertext, the verification is passed, otherwise, the verification fails, and the current access request is rejected.
Compared with the prior art, the protection device for sharing the link has the advantages that the security is enhanced, and meanwhile, a lower-cost scheme is used for filtering out the failed link.
Through a first re-protection mechanism, invalid resource links can be filtered out at extremely low cost; through a second protection mechanism, invalid links which are not authorized by illegal users to bypass the first re-authentication through tampered links can be filtered at low cost; through the third protection mechanism, the shared resource can be protected at the highest level, and even under the conditions of mechanism leakage, source code leakage and key leakage, the resource can still be guaranteed to be effectively protected.
The protection device of the sharing link of the embodiment can realize similar effects through combination and transformation of the first protection and the second protection, and like simple use but customized encryption, most invalid requests can be filtered out.
The embodiment also provides a computer-readable storage medium, which stores a computer-executable program, and when the computer-executable program is executed, the protection method for the shared link is realized.
The computer readable storage medium of the present embodiments may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The embodiment also provides an electronic device, which comprises a processor and a memory, wherein the memory is used for storing a computer executable program, and when the computer program is executed by the processor, the processor executes the protection method for the shared link.
The electronic device is in the form of a general purpose computing device. The processor can be one or more and can work together. The invention also does not exclude that distributed processing is performed, i.e. the processors may be distributed over different physical devices. The electronic device of the present invention is not limited to a single entity, and may be a sum of a plurality of entity devices.
The memory stores a computer executable program, typically machine readable code. The computer readable program may be executed by the processor to enable an electronic device to perform the method of the invention, or at least some of the steps of the method.
The memory may include volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may also be non-volatile memory, such as read-only memory (ROM).
It should be understood that elements or components not shown in the above examples may also be included in the electronic device of the present invention. For example, some electronic devices further include a display unit such as a display screen, and some electronic devices further include a human-computer interaction element such as a button, a keyboard, and the like. Electronic devices are considered to be covered by the present invention as long as the electronic devices are capable of executing a computer-readable program in a memory to implement the method of the present invention or at least a part of the steps of the method. From the above description of the embodiments, those skilled in the art will readily appreciate that the present invention can be implemented by hardware capable of executing a specific computer program, such as the system of the present invention, and electronic processing units, servers, clients, mobile phones, control units, processors, etc. included in the system. The invention may also be implemented by computer software for performing the method of the invention, e.g. control software executed by a microprocessor, an electronic control unit, a client, a server, etc. It should be noted that the computer software for executing the method of the present invention is not limited to be executed by one or a specific hardware entity, and can also be realized in a distributed manner by non-specific hardware. For computer software, the software product may be stored in a computer readable storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or may be distributed over a network, as long as it enables the electronic device to perform the method according to the present invention.
The above embodiments are only used for illustrating the invention and not for limiting the technical solutions described in the invention, and although the present invention has been described in detail in the present specification with reference to the above embodiments, the present invention is not limited to the above embodiments, and therefore, any modification or equivalent replacement of the present invention is made; all such modifications and variations are intended to be included herein within the scope of this disclosure and the appended claims.
Claims (10)
1. A method for securing a shared link, comprising:
when the sharing link is generated, a temporary random token is generated, and authorization information of the random token to the shared resource is stored in a server side;
carrying out validity processing on the generated sharing link, and setting the validity period of the sharing link;
and/or performing anti-tampering processing on the generated sharing link to prevent the sharing link from being tampered.
2. The method according to claim 1, wherein the generating a temporary random token when generating the sharing link, and storing authorization information of the random token for the real resource ID at the server side comprises:
when the sharing client generates a sharing link, applying to a server side of the shared resource for generating a temporary random token;
the server side generates a temporary random token through application verification, writes the temporary random token into the URL of the sharing link and returns the URL to the sharing client side;
the server side stores authorization information of a random token to the shared resource, wherein the authorization information of the random token to the shared resource comprises: and mapping between the random token and the shared resource ID, and/or the validity period of the random token for accessing the shared resource, and/or the access authority of the random token for the shared resource.
3. The protection method for the shared link according to claim 1 or 2, wherein the performing validity processing on the generated shared link includes:
writing the valid period in the authorization information of the random token for accessing the shared resource into the URL of the shared link;
optionally, the validity period is written in the URL of the sharing link in a clear text.
4. The method for protecting the shared link according to any one of claims 1 to 3, wherein the performing tamper-resistant processing on the generated shared link includes:
encrypting parameters in the generated sharing link to generate a digital signature of the sharing link;
optionally, encryption processing is performed on specified parameters or all parameters in the generated sharing link;
optionally, the parameters in the validity-processed sharing link are encrypted.
5. The method according to claim 4, wherein the encrypting the parameter in the generated shared link to generate the digital signature of the shared link includes:
setting a first key1 and a second key2 with equal number of bits;
extracting all parameters in the sharing link subjected to effectiveness processing and splicing into a character string p 0;
carrying out average fragmentation on the character string p0 according to bytes corresponding to the number of bits of the key, and when the bytes of the last fragment are insufficient, using a second key2 for completion to obtain data fragments ps;
performing logic operation on each data fragment ps and the first key1 to obtain data fragment psi, and processing the data fragment psi according to set encryption logic to obtain an encrypted ciphertext;
and writing the encrypted ciphertext into the URL of the sharing link for digital signature.
6. The method according to claim 1, wherein the performing a logic operation on each data slice ps and the first key1 to obtain data slice psi, and the processing the data slice psi according to the set encryption logic to obtain the encrypted ciphertext comprises:
performing logic exclusive or operation on each data fragment ps and new data after cyclic shift of the first key1 circularly to obtain data fragment psi;
judging whether the data slicing psi is a set value a, if so, dividing the data slicing psi into two sections and exchanging to obtain a data slicing psd, and if not, directly storing the data slicing psi as the data slicing psd;
performing modular operation on each data slice psd to generate a group of numbers;
and adding each group of numbers according to the bit, and performing logic operation to obtain a new number as an encryption ciphertext.
7. The protection method for the shared link according to any one of claims 1 to 6, comprising:
responding to the access request of the sharing link, and performing validity and/or tamper-proof verification on the sharing link;
after the authentication is passed, the server side acquires the random token in the sharing link to carry out identity information validity authentication;
after the verification is passed, the server side loads resource information to the authorization information of the shared resource according to the stored random token and responds to the access request.
8. The method according to claim 7, wherein in response to the access request of the shared link, the shared link is validated first, and then tamper-proof validation is performed after validation is passed;
the validity verification of the sharing link comprises the following steps: responding to the access request of the sharing link, checking the validity period of the URL of the sharing link, judging the validity of the access of the sharing resource, and if the validity period check fails, prompting that the sharing resource is overdue;
the tamper-proof verification of the sharing link includes: the server side obtains parameters in the URL of the sharing link, carries out encryption processing according to a stored encryption algorithm to obtain a check ciphertext, compares the check ciphertext with the encryption ciphertext in the URL of the sharing link, if the check ciphertext is the same as the encryption ciphertext, the verification is passed, otherwise, the verification fails, and the current access request is rejected.
9. A shared link guard, comprising:
the token protection module generates a temporary random token when the sharing link is generated, and stores authorization information of the random token to the shared resource at the server side;
the validity protection module is used for carrying out validity processing on the generated sharing link and setting the validity period of the sharing link;
and/or the anti-tampering protection module is used for carrying out anti-tampering processing on the generated sharing link so as to prevent the sharing link from being tampered.
10. A computer-readable storage medium, having stored thereon a computer-executable program that, when executed, implements a method of shared link protection as claimed in any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110605731.9A CN113595731A (en) | 2021-05-31 | 2021-05-31 | Protection method and device for shared link and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110605731.9A CN113595731A (en) | 2021-05-31 | 2021-05-31 | Protection method and device for shared link and computer readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113595731A true CN113595731A (en) | 2021-11-02 |
Family
ID=78243401
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110605731.9A Pending CN113595731A (en) | 2021-05-31 | 2021-05-31 | Protection method and device for shared link and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113595731A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113868209A (en) * | 2021-12-02 | 2021-12-31 | 天津联想协同科技有限公司 | Network disk-based external link sharing expiration date management method and device and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020174341A1 (en) * | 2001-05-18 | 2002-11-21 | Logue Jay D. | Methods and systems for using digital signatures in uniform resource locators |
| CN1992594A (en) * | 2005-12-31 | 2007-07-04 | 中兴通讯股份有限公司 | URL extension method for streaming media system |
| CN102546579A (en) * | 2010-12-31 | 2012-07-04 | 北大方正集团有限公司 | Method, device and system used for providing system resources |
| CN107786504A (en) * | 2016-08-26 | 2018-03-09 | 腾讯科技(深圳)有限公司 | ELF file publishing methods, ELF file verifications method, server and terminal |
| CN110083786A (en) * | 2019-05-14 | 2019-08-02 | 秒针信息技术有限公司 | A kind of link verification method and device |
| CN110336678A (en) * | 2019-07-19 | 2019-10-15 | 东南大学 | A kind of signature algorithm anti-tamper for high-volume data in car networking |
| CN112650954A (en) * | 2020-12-30 | 2021-04-13 | 杭州趣链科技有限公司 | Block chain data sharing method, device, equipment and storage medium |
-
2021
- 2021-05-31 CN CN202110605731.9A patent/CN113595731A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020174341A1 (en) * | 2001-05-18 | 2002-11-21 | Logue Jay D. | Methods and systems for using digital signatures in uniform resource locators |
| CN1992594A (en) * | 2005-12-31 | 2007-07-04 | 中兴通讯股份有限公司 | URL extension method for streaming media system |
| CN102546579A (en) * | 2010-12-31 | 2012-07-04 | 北大方正集团有限公司 | Method, device and system used for providing system resources |
| CN107786504A (en) * | 2016-08-26 | 2018-03-09 | 腾讯科技(深圳)有限公司 | ELF file publishing methods, ELF file verifications method, server and terminal |
| CN110083786A (en) * | 2019-05-14 | 2019-08-02 | 秒针信息技术有限公司 | A kind of link verification method and device |
| CN110336678A (en) * | 2019-07-19 | 2019-10-15 | 东南大学 | A kind of signature algorithm anti-tamper for high-volume data in car networking |
| CN112650954A (en) * | 2020-12-30 | 2021-04-13 | 杭州趣链科技有限公司 | Block chain data sharing method, device, equipment and storage medium |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113868209A (en) * | 2021-12-02 | 2021-12-31 | 天津联想协同科技有限公司 | Network disk-based external link sharing expiration date management method and device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110493202B (en) | Login token generation and verification method and device and server | |
| WO2020073513A1 (en) | Blockchain-based user authentication method and terminal device | |
| CN109274652B (en) | Identity information verification system, method and device and computer storage medium | |
| CN109412812B (en) | Data security processing system, method, device and storage medium | |
| CN110990827A (en) | Identity information verification method, server and storage medium | |
| US20130097419A1 (en) | Method and system for accessing e-book data | |
| CN112671720B (en) | Token construction method, device and equipment for cloud platform resource access control | |
| CN112257086B (en) | User privacy data protection method and electronic equipment | |
| CN111431707B (en) | Service data information processing method, device, equipment and readable storage medium | |
| JP2016531508A (en) | Data secure storage | |
| CN107040520B (en) | Cloud computing data sharing system and method | |
| CN110071937B (en) | Login method, system and storage medium based on block chain | |
| CN108431819B (en) | Method and system for protecting client access to service of DRM agent of video player | |
| CN114244508A (en) | Data encryption method, device, equipment and storage medium | |
| WO2020243245A1 (en) | Protection of online applications and webpages using a blockchain | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| WO2019178440A1 (en) | System and method for securing private keys behind a biometric authentication gateway | |
| CN113676332A (en) | Two-dimensional code authentication method, communication device and storage medium | |
| JP6533542B2 (en) | Secret key replication system, terminal and secret key replication method | |
| CN112699404A (en) | Method, device and equipment for verifying authority and storage medium | |
| CN113595731A (en) | Protection method and device for shared link and computer readable storage medium | |
| CN110890979B (en) | Automatic deployment method, device, equipment and medium for fort machine | |
| CN114422143B (en) | Data dynamic encryption method, device, equipment and medium based on artificial intelligence | |
| CN114024682A (en) | Cross-domain single sign-on method, service equipment and authentication equipment | |
| CN113794568A (en) | Interface security verification method, interface access method, device, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |