CN113779538A - Identity verification method for improving server performance by using singleton mode - Google Patents


Info

Publication number
CN113779538A
Authority
CN
China
Prior art keywords
server
token
user
class
key
Prior art date
Legal status
Pending
Application number
CN202111117476.XA
Other languages
Chinese (zh)
Inventor
邓建洲
Current Assignee
Individual
Original Assignee
Individual
Application filed by Individual
Priority to CN202111117476.XA
Publication of CN113779538A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 ... involving a third party or a trusted authority
    • H04L 9/3213 ... involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an identity verification method that improves server performance by using the Singleton Pattern. Each time a user logs in successfully, the server takes the key out of the class variable of the singleton class, encrypts the token with it, and sends the ciphertext to the client browser for storage; when the user later makes a request carrying the encrypted token, the server takes the key out of the same class variable, decrypts the encrypted token, and judges from the decrypted result whether the user identity is legitimate. The method mainly relies on the singleton class caching the key used to encrypt and decrypt the token, which both reduces the pressure on the server to store authentication information and avoids the performance overhead of connecting to the database during authentication, thereby improving the overall performance of the server.

Description

Identity verification method for improving server performance by using singleton mode
Technical Field
The invention relates to the field of web architecture design, in particular to an identity authentication method for improving the performance of a server by using a singleton mode.
Background
In modern web architecture design, identity recognition is a necessary precondition for a user to access a system, and how a system can recognize a user's identity by safe and reasonable means is a topic of great practical value. It covers user login verification, online-state maintenance, identity anti-counterfeiting, account anti-theft and similar problems of great significance in web system construction. Within a single system, many conventional authentication methods cannot balance security and performance: most of them improve the security of user identification at the cost of reducing the overall performance of the system.
Conventional authentication methods have been studied in recent years. For example, Chinese patent publication No. CN113268759A introduces a token authority authentication method based on a web architecture, which reduces the possibility of illegal identity theft by adding a transfer server and improves security to a certain extent. Its disadvantage is that it stores the user service information directly in the back-end database; connecting to the database for each verification reduces the overall performance of the system and additionally increases the risk of denial-of-service attacks of the Challenge Collapsar (CC) type against the back-end database.
Chinese patent publication No. CN108123932B introduces a method for identifying a database terminal in a three-layer architecture, which puts the identity authentication information into a session so that the back-end database can identify the user accurately. Its disadvantage is that under a large number of user requests the pressure of storing data in the session area is very high, which may reduce server performance; and if the application is deployed behind load balancing, synchronizing session authentication information among the servers consumes a large amount of server capacity.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide an identity authentication method that improves server performance by using the singleton mode, which can substantially improve the speed and efficiency with which the server identifies users, relieve the pressure of data storage, improve server performance, and directly and greatly reduce or even eliminate the damage of denial-of-service attacks aimed at the back-end database.
In order to solve the above disadvantages, the technical scheme adopted by the invention is as follows:
an identity authentication method for improving the performance of a server by using a singleton mode comprises the following steps:
s1, the server predefines the original legal token format of user identity authentication;
s2, the server generates a key dedicated to encrypting the token and stores the key in a class variable of a class implemented in the system's Singleton Pattern;
s3, after the user passes login verification, the server encrypts the original legal token with the key stored in the singleton class and returns the encrypted token to the client for storage;
s4, when the user accesses content that requires identity authentication, the client submits the encrypted token as a parameter to the server;
s5, the server takes the key out of the class variable of the singleton class, decrypts the token, and compares the decrypted token with the predefined original legal token format; if the two match, the request is allowed through, and if they do not match, the user is required to log in again.
Further, the specific format of the legal token is user unique identifier id + salt value; the identifier id is a constant that uniquely identifies the user within the system; the salt value may be a random combination of numbers, letters and characters which, once determined, is not modified by default.
Further, step S2 specifically includes:
s201, the server first creates a globally unique class in the system and ensures that variables under the unique instance object of that class can be shared globally by the system;
s202, the server ensures that no other instances of the class are created, so that only one globally shared instance object exists while the system runs;
s203, the server creates a class variable dedicated to storing the AES key in the globally unique class;
s204, the server calls the relevant function to generate an AES key and stores the generated AES key in the class variable of the globally unique class just created.
Further, step S3 specifically includes:
s301, the server generates an original token from the user's unique identifier id and a salt value, where the identifier id is that of the user who has just logged in successfully and the salt value is a combination of random numbers, letters and characters predefined by the server in the program code;
s302, the server calls the instantiation function of the globally unique class created earlier, which returns the globally unique instance object, and takes the AES key stored earlier out of the class variable of that object;
s303, the server encrypts the generated original token with the AES algorithm using the extracted AES key and writes the encrypted result back to the localStorage area of the client browser for storage.
Further, step S4 specifically includes:
When a user accesses content that requires login authority, the client reads the encrypted token stored in the browser's localStorage area through JavaScript code and transmits it as a parameter to the back-end server.
Further, step S5 specifically includes:
s501, the server receives the encrypted token transmitted by the user as a parameter;
s502, the server calls the globally unique instantiation function to obtain the instance object, takes the AES key out of the class variable of the instance object, and decrypts the transmitted token;
s503, the server checks the validity of the decrypted token format, judging whether it meets the predefined format user unique identifier id + salt value; if it does, the user is authorized to access the specified content, and if it does not, the user is required to log in again.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. Speed of user identity authentication: the key that encrypts the token is stored directly in a system variable, and the system takes it out of that variable without establishing any connection to the database each time a user logs in or requests access, so the overhead of connecting to the database and querying data is saved and the server's response time for identity verification is greatly reduced.
2. Greatly reduced storage overhead: because the key that encrypts the token is stored directly in a system variable, data related to user identity authentication need not be stored in the server's session area, cookies, or any database, which greatly reduces the server's data storage pressure, especially with a very large number of users.
3. Greatly reduced harm from CC (Challenge Collapsar) attacks on the back-end database: because the invention does not store any user-authentication data in the database, a denial-of-service attack aimed at the back-end database through authentication cannot be mounted, which improves system security to a certain extent.
Drawings
The drawings provided herein are for illustration purposes only and are not to be construed as limiting the invention. In the drawings:
FIG. 1 is a flow chart of an embodiment of the present invention.
Detailed Description
For a complete understanding of the present invention, reference will now be made in detail to specific embodiments of the present invention, examples of which are illustrated in the accompanying drawings, but it will be understood by those skilled in the art that the present invention is not limited thereto, and all other embodiments obtained without the exercise of inventive faculty are within the scope of the present invention.
The embodiment shown in fig. 1 is an authentication method for improving server performance by using a singleton mode, and includes the following steps:
A1, predefine a legal token format. The token format must contain an identifier id that uniquely identifies the user, and a salt value is appended to the id to form a legal token. The salt value can be one or more random combinations of numbers, letters and characters; once determined, it is by default not modified while the system runs, so in this embodiment the salt value can be written directly into the code to simplify user authentication.
A2, the system creates a globally unique class using the singleton mode and defines within it a variable for storing the AES key. The specific implementation is as follows:
step one, in the class created by the system, first import the JDK's own javax.crypto and java.security classes in the import section at the head of the class file, then proceed to step two;
step two, the class created by the system must contain two variables A and B. Variable A holds the class's own instance: for example, if the created class is named Singleton, variable A is also of type Singleton, its main purpose being to save the class's own instance. Variable B stores the AES key; in this embodiment variable B is of type SecretKey, which can hold an AES key, provided that the JDK's own javax.crypto.SecretKey class has been imported in the code;
step three, the class created by the system must contain a method that instantiates an object of its own class; here the method is named getInstance, meaning "get instance". Each time it is called, getInstance checks whether the Singleton instance is empty: if so, it instantiates a new Singleton object, and if not, it directly returns the existing object held in variable A. The main purpose is to ensure that the class has one and only one instance object in the system. Note that whenever the class needs to be instantiated, external code can only obtain its unique instance through the class's own getInstance method and cannot create one with new.
The essential purpose of creating this class is to cache the AES key used for identity recognition: the key is stored in and taken from the variable of the class's globally unique instance object to recognize the user's identity, which avoids storing identity-recognition information directly in the database.
A3, the server calls the JDK's own generateKey() function under the java. The AES key generated by calling generateKey() must be deposited in the SecretKey variable of the globally unique class created in step A2.
A4, if the user's login verification fails, the user logs in again; when verification passes, the server promptly obtains the unique identifier id entered at login and performs a hash operation on the identifier id and the salt value hard-coded in step A1 to produce the legal token format, that is, legal token = identifier id + salt value. After obtaining the legal token, the server calls the getInstance function of the singleton class to return the globally unique instance object, takes the AES key stored in step A3 out of the SecretKey variable of that object, and finally calls the doFinal function of the class javax.
A5, every time the user initiates access from the client, the browser uniformly reads the encrypted token from the localStorage area through JavaScript code and transmits the value obtained to the back-end server as a parameter, whether or not that value is null. The server then judges whether the content being accessed requires login authority; if not, access is granted directly, and if so, authentication proceeds as follows: the server obtains the token ciphertext transmitted by the user, calls the getInstance function of the singleton class to return the globally unique instance object, takes the AES (Advanced Encryption Standard) key stored in step A3 out of the SecretKey variable of that object, and decrypts the token ciphertext with it, the decryption method being consistent with the encryption method in step A4 (only the direction differs). If the decrypted token is not in the format (user identifier id + salt value) predefined in step A1, or if the salt value in the decrypted token is inconsistent with the salt value (combination of random numbers, letters and characters) written into the code in advance, the access is judged illegal and the user is required to log in again. If the decrypted token matches the format (user identifier id + salt value) predefined in step A1, the user is authorized to access the interface content.
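The following is an added worked example of steps A2 through A5 in Java; it is not code from the patent. The singleton class caches the AES key (variables A and B, getInstance), issueToken builds the legal token and encrypts it for the browser, and verifyToken decrypts a submitted token and applies the format and salt checks. Several details are assumptions not fixed by the text: the salt is a constructed placeholder string, a "|" separator is placed between id and salt so the two parts can be split unambiguously, the ciphertext is carried as URL-safe Base64 so it can sit in localStorage and in a request parameter, and AES is used in GCM mode with a fresh random IV. The patent only says "AES algorithm"; an authenticated mode is chosen here because decryption then fails outright on any modified ciphertext instead of relying solely on the format check afterwards, and the salt comparison is done in constant time. The client-side JavaScript that reads localStorage and submits the parameter is not shown.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class SingletonTokenAuthExample {

    // Constructed placeholder standing in for the salt the patent hard-codes in the server program.
    private static final String SALT = "example-salt-7f3a";
    private static final char SEPARATOR = '|';   // assumption: keeps id and salt separable
    private static final int IV_BYTES = 12;      // 96-bit nonce for AES-GCM
    private static final int TAG_BITS = 128;     // GCM authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    /** Steps A2/A3: globally unique class caching the AES key (variables A and B). */
    static final class KeyHolder {
        private static KeyHolder singleton;      // variable A: the only instance
        private final SecretKey secretKey;       // variable B: the cached AES key

        private KeyHolder() throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128, RNG);
            this.secretKey = kg.generateKey();   // generateKey() from javax.crypto
        }

        /** The only way to obtain the instance; external code cannot use new. */
        static synchronized KeyHolder getInstance() throws GeneralSecurityException {
            if (singleton == null) {
                singleton = new KeyHolder();
            }
            return singleton;
        }

        SecretKey getSecretKey() { return secretKey; }
    }

    /** Step A4: after a successful login, build "id|salt" and return it AES-GCM encrypted. */
    public static String issueToken(String userId) throws GeneralSecurityException {
        String plainToken = userId + SEPARATOR + SALT;
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce for every token
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, KeyHolder.getInstance().getSecretKey(),
                    new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plainToken.getBytes(StandardCharsets.UTF_8));
        ByteBuffer blob = ByteBuffer.allocate(iv.length + ciphertext.length);
        blob.put(iv).put(ciphertext);            // IV is prefixed so the server can decrypt later
        return Base64.getUrlEncoder().withoutPadding().encodeToString(blob.array());
    }

    /** Step A5: decrypt the submitted token; return the user id, or empty if the user must log in again. */
    public static Optional<String> verifyToken(String encodedToken) {
        if (encodedToken == null || encodedToken.isEmpty()) {
            return Optional.empty();             // browser sent an empty localStorage value
        }
        try {
            byte[] blob = Base64.getUrlDecoder().decode(encodedToken);
            if (blob.length < IV_BYTES + TAG_BITS / 8) {
                return Optional.empty();         // too short to hold an IV and a tag
            }
            byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
            byte[] ciphertext = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, KeyHolder.getInstance().getSecretKey(),
                        new GCMParameterSpec(TAG_BITS, iv));
            // doFinal throws AEADBadTagException if the ciphertext was modified in any way
            String plainToken = new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
            int sep = plainToken.indexOf(SEPARATOR);
            if (sep <= 0) {
                return Optional.empty();         // not in the "id|salt" format
            }
            byte[] presentedSalt = plainToken.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
            byte[] expectedSalt = SALT.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(presentedSalt, expectedSalt)) {
                return Optional.empty();         // salt differs from the hard-coded one
            }
            return Optional.of(plainToken.substring(0, sep));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Optional.empty();             // bad tag, bad Base64 or wrong length
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String token = issueToken("user-42");
        System.out.println("issued:   " + token);
        System.out.println("verified: " + verifyToken(token));
        // Flip one byte of the stored ciphertext: the GCM tag check fails, so no access is granted
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[raw.length - 1] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered: " + verifyToken(tampered));
        System.out.println("empty:    " + verifyToken(""));
    }
}
```

Because the key lives only in the singleton's memory, every token becomes invalid when the process restarts or when a second server instance generates its own key; that is the trade-off the patent accepts in exchange for not touching the database, and it is worth keeping in mind when the application is deployed behind load balancing as discussed in the background section.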
Finally, it should be noted that the above-mentioned embodiments are only preferred embodiments of the present invention, and are not intended to limit the present invention, and those skilled in the art can still modify the technical solutions and the specific embodiments of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. An identity authentication method for improving the performance of a server by using a singleton mode is characterized by comprising the following steps:
s1, the server predefines the original legal token format of user identity authentication;
s2, the server generates a key dedicated to encrypting the token and stores the key in a class variable of a class implemented in the system's Singleton Pattern;
s3, after the user passes login verification, the server encrypts the original legal token with the key stored in the singleton class and returns the encrypted token to the client for storage;
s4, when the user accesses content that requires identity authentication, the client submits the encrypted token as a parameter to the server;
s5, the server takes the key out of the class variable of the singleton class, decrypts the token, and compares the decrypted token with the predefined original legal token format; if the two match, the request is allowed through, and if they do not match, the user is required to log in again.
2. The identity authentication method for improving the performance of the server by using the singleton mode as claimed in claim 1, wherein the predefined legal token format is defined as legal token format = user unique identifier id + salt value; the identifier id is a constant that uniquely identifies the user within the system; the salt value may be a random combination of numbers, letters and characters which, once determined, is not modified by default.
3. The identity verification method of claim 1, wherein the step S2 specifically includes:
s201, the server first creates a globally unique class in the system and ensures that variables under the unique instance object of that class can be shared globally by the system;
s202, the server ensures that no other instances of the class are created, so that only one globally shared instance object exists while the system runs;
s203, the server creates a class variable (of type SecretKey) dedicated to storing the AES key in the globally unique class;
s204, the server calls the relevant function to generate an AES key and stores the generated AES key in the class variable of the globally unique class just created.
4. The identity verification method of claim 1, wherein the step S3 specifically includes:
s301, the server generates an original token from the user's unique identifier id and a salt value, where the identifier id is that of the user who has just logged in successfully and the salt value is a combination of random numbers, letters and characters predefined by the server in the program code;
s302, the server calls the instantiation function of the globally unique class created earlier, which returns the globally unique instance object, and takes the AES key stored earlier out of the class variable of that object;
s303, the server encrypts the generated original token with the AES algorithm using the extracted AES key and writes the encrypted result back to the localStorage area of the client browser for storage.
5. The identity verification method of claim 1, wherein the step S4 specifically includes: when a user accesses content that requires login authority, the client reads the encrypted token stored in the browser's localStorage area through JavaScript code and transmits it as a parameter to the back-end server.
6. The identity verification method of claim 1, wherein the step S5 specifically includes:
s501, the server receives the encrypted token transmitted by the user as a parameter;
s502, the server calls the globally unique instantiation function to obtain the instance object, takes the AES key out of the class variable of the instance object, and decrypts the transmitted token;
s503, the server checks the validity of the decrypted token format, judging whether it meets the predefined format user unique identifier id + salt value; if it does, the user is authorized to access the specified content, and if it does not, the user is required to log in again.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111117476.XA CN113779538A (en) 2021-09-24 2021-09-24 Identity verification method for improving server performance by using singleton mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111117476.XA CN113779538A (en) 2021-09-24 2021-09-24 Identity verification method for improving server performance by using singleton mode

Publications (1)

Publication Number Publication Date
CN113779538A true CN113779538A (en) 2021-12-10

Family

ID=78852856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111117476.XA Pending CN113779538A (en) 2021-09-24 2021-09-24 Identity verification method for improving server performance by using singleton mode

Country Status (1)

Country Link
CN (1) CN113779538A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506188A (en) * 2023-05-04 2023-07-28 北京众谊越泰科技有限公司 Operation method and system of asymmetric encryption algorithm based on B/S architecture
CN116506188B (en) * 2023-05-04 2024-03-29 北京众谊越泰科技有限公司 Operation method and system of asymmetric encryption algorithm based on B/S architecture

Similar Documents

Publication Publication Date Title
US8185942B2 (en) Client-server opaque token passing apparatus and method
US7890634B2 (en) Scalable session management
CN101051904B (en) Method for landing by account number cipher for protecting network application sequence
CN110489996B (en) Database data security management method and system
CN109413000B (en) Anti-stealing-link method and anti-stealing-link network relation system
CN108810017B (en) Service processing security verification method and device
JP2002175010A (en) Home page falsification preventing system
CN102946392A (en) URL (Uniform Resource Locator) data encrypted transmission method and system
KR102146940B1 (en) Method for verifying fogery of token
US20020129239A1 (en) System for secure communication between domains
CN111954211A (en) Novel authentication key negotiation system of mobile terminal
CN112566121B (en) Method for preventing attack, server and storage medium
CN114244508A (en) Data encryption method, device, equipment and storage medium
CN116743470A (en) Service data encryption processing method and device
CN110225014B (en) Internet of things equipment identity authentication method based on fingerprint centralized issuing mode
CN109726578B (en) Dynamic two-dimensional code anti-counterfeiting solution
CN106992978A (en) Network safety managing method and server
CN110572392A (en) Identity authentication method based on HyperLegger network
CN113779538A (en) Identity verification method for improving server performance by using singleton mode
CN114726606B (en) User authentication method, client, gateway and authentication server
CN111611620A (en) Access request processing method of access platform and related device
CN102098282B (en) Secure encryption method for database
CN114697113A (en) Hardware accelerator card-based multi-party privacy calculation method, device and system
JP2011203900A (en) Information providing apparatus
Renault et al. Toward a security model for the future network of information

Legal Events

Date Code Title Description
PB01 Publication