CN113794568A - Interface security verification method, interface access method, device, equipment and medium - Google Patents
- Publication number: CN113794568A (application CN202111071880.8A)
- Authority: CN (China)
- Prior art keywords: request, signature, account, timestamp, interface
- Legal status: Pending (the status is an assumption made by Google Patents, not a legal conclusion)
Classifications
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L9/0861: Key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords
Abstract
The application provides an interface security verification method, an interface access method, a device, equipment and a medium. The server sends an account and a password to a client; the client generates a first signature from the account, the password, a timestamp, a random number, the request parameter name and the request address, and sends an access request carrying the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter. The server receives the access request, looks up the password corresponding to the account in the access request, generates a second signature from the account, that password, the timestamp, the random number, the request parameter name and the request address, verifies whether the first signature and the second signature are consistent, and allows the client to access the interface only when they are. The method thus replaces the conventional token authorization mode of interface security verification, performs the security verification of interface authorization without redis, and overcomes the defects of the conventional token authorization mechanism.
Description
Technical Field
The present application relates to the field of network technologies, and in particular to an interface security verification method, an interface access method, a device, equipment and a medium.
Background
A Web API is a network application program interface through which a network application provides functions such as storage services, message services and computing services. When a Web API receives an interface call request, it must verify that the transmitted signature is secure and legitimate before the relevant interface is called.
At present, interface security verification is mainly done through token authorization: the client provides user authentication information (such as an account and a password) to the server, the server returns a token to the client once authentication succeeds, and on later requests the client presents the token; if the token is valid, the data can be obtained through the interface.
However, the token authorization mechanism has certain defects. It verifies only the legitimacy of the token, not the legitimacy of the request parameters. A token must be given an expiration date, and a new token must be obtained after it expires, which complicates the process. Tokens also need to be stored in a Remote Dictionary Server (redis), and systems that do not use redis cannot use tokens normally. An interface security verification method is therefore needed that overcomes the defects of token authorization for interface security verification.
Disclosure of Invention
The application provides an interface security verification method, an interface access method, an interface security verification device, an interface access device and an interface access medium, which are used for solving the defect problem of security verification by token authorization.
In a first aspect, the present application provides an interface security verification method, where the method is used for a server, and includes:
sending an account and a password to a client, so that the client generates a first signature according to the account, the password, a timestamp, a random number, a request parameter name and a request address, and generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
receiving an access request sent by a client, acquiring a password corresponding to an account according to the account in the access request, and generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address;
and verifying whether the first signature and the second signature are consistent or not so as to allow the client to access the interface after the first signature and the second signature are consistent.
Optionally, the generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name, and the request address specifically includes:
and when the consistency verification identification exists in the access request, generating a second signature according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address.
Optionally, after verifying that the first signature and the second signature are consistent, the method further includes at least one of:
when the access request has a repeated verification identifier, verifying whether the same interface is repeatedly accessed by using a first signature;
when the access request has interval verification identification, verifying whether the submission time interval of the access request to the same interface is greater than a time threshold;
and when the access request has the normative verification identifier, verifying whether the request parameter name meets the preset requirement.
Optionally, before providing the account and the password to the client, the method further includes:
generating a first character string by using a unique identification code, and taking the first character string as an account;
and sorting the first character string to obtain a second character string, encoding the second character string in binary form to obtain a third character string, and taking the third character string as the password.
Optionally, after receiving the access request of the client, before generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name, and the request address, the method further includes:
verifying whether the first signature is within a validity period according to the timestamp;
correspondingly, when the first signature is in the valid period, a second signature is generated according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address.
In a second aspect, the present application provides a method for accessing an interface, where the method is used for a client, and includes:
receiving an account number and a password sent by a server;
generating a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address, and generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
sending the access request to the server, so that the server acquires a password corresponding to the account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address, and verifies whether the first signature and the second signature are consistent;
and accessing the interface after the consistency is verified.
Optionally, the generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature, and the request parameter specifically includes:
and acquiring a verification identifier, and generating an access request according to the verification identifier, the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter.
Optionally, the verification identifier includes: one or more combinations of consistency verification identification, repeatability verification identification, interval verification identification and normative verification identification.
Optionally, the generating a first signature according to the account, the password, the timestamp, the random number, the request parameter name, and the request address specifically includes:
sorting the account number, the password, the timestamp, the random number, the request parameter name and the request address to generate a fourth character string;
and computing an MD5 digest of the fourth character string, or an RSA signature over it, to generate the first signature.
In a third aspect, the present application provides an interface security verification apparatus, including:
the sending module is used for sending an account and a password to a client so that the client generates a first signature according to the account, the password, a timestamp, a random number, a request parameter name and a request address and generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and a request parameter;
the receiving module is used for receiving an access request sent by a client, acquiring a password corresponding to the account according to the account in the access request, and generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address;
and the verification module is used for verifying whether the first signature and the second signature are consistent or not so as to allow the client to access the interface after the first signature and the second signature are consistent.
In a fourth aspect, the present application provides an apparatus for accessing an interface, comprising:
the receiving module is used for receiving the account and the password sent by the server;
the generation module is used for generating a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address, and generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
a sending module, configured to send the access request to the server, so that the server obtains a password corresponding to the account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name, and the request address, and verifies whether the first signature and the second signature are consistent;
and the access module is used for accessing the interface after the consistency is verified.
In a fifth aspect, the present application provides an electronic device, comprising: a memory and a processor;
the memory is used for storing instructions; the processor is used for calling the instruction in the memory to execute the interface security verification method in any one of the possible designs of the first aspect and the first aspect or the method for accessing the interface in any one of the possible designs of the second aspect and the second aspect.
In a sixth aspect, the present application provides a computer-readable storage medium having computer instructions stored thereon, which, when executed by at least one processor of an electronic device, cause the electronic device to perform the interface security verification method in the first aspect and any one of the possible designs of the first aspect, or the method for accessing an interface in the second aspect and any one of the possible designs of the second aspect.
In a seventh aspect, the present application provides a computer program product, where the computer program product includes computer instructions, and when the computer instructions are executed by at least one processor of the electronic device, the electronic device performs the interface security verification method in any one of the possible designs of the first aspect and the first aspect, or the method for accessing the interface in any one of the possible designs of the second aspect and the second aspect.
According to the interface security verification method, the server sends the account and the password to the client, so that the client generates a first signature from the account, the password, the timestamp, the random number, the request parameter name and the request address, generates an access request from the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter, and sends the access request to the server. The server receives the access request, looks up the password corresponding to the account in the access request, generates a second signature from the account, that password, the timestamp, the random number, the request parameter name and the request address, verifies whether the first signature and the second signature are consistent, and allows the client to access the interface only when they are. Replacing existing token authorization with this interface security verification method allows the security verification of interface authorization to be performed without redis and overcomes the defects of the existing token authorization mechanism.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario of an interface security verification method according to an embodiment of the present application;
fig. 2 is a signaling diagram of an interface security verification method according to an embodiment of the present application;
fig. 3 is a signaling interaction diagram of a method for accessing an interface according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an interface security verification apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an apparatus for accessing an interface according to an embodiment of the present application;
fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, interface security verification is mainly done through token authorization. A token is a string generated by the server that the client presents as a credential when it makes requests. When the client logs in for the first time it provides an account and a password to the server; after the server confirms that the account and password are correct, it generates a token and returns it to the client. When the client later requests data it only needs to present the token, without sending the user name and password again.
However, the token authorization mechanism has certain defects. It verifies only that the token itself is valid, not the legitimacy of what accompanies it, such as the account and password or the request parameters. A token must be given an expiration date, usually a short one, and a new token must be obtained after it expires, which complicates the process. Tokens also need to be stored in redis, and systems that do not use redis cannot use tokens normally.
Interface security verification can also be implemented through an interceptor, but an interceptor intercepts even interfaces that already conform to the rules, so its flexibility is poor.
To solve these problems, the application provides an interface security verification method in which the server sends an account and a password to a client, so that the client generates a first signature from the account, the password, a timestamp, a random number, the request parameter name and the request address, generates an access request from the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter, and sends the access request to the server. The server receives the access request, looks up the password corresponding to the account in the access request, generates a second signature from the account, that password, the timestamp, the random number, the request parameter name and the request address, verifies whether the first signature and the second signature are consistent, and allows the client to access the interface only when they are. Replacing existing token authorization with this interface security verification method allows the security verification of interface authorization to be performed without redis and overcomes the defects of the existing token authorization mechanism.
At the same time, the interface security verification method provided by the application verifies only the interfaces that require verification, so its flexibility is high.
The technical solution of the present application will be described in detail below with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 illustrates a scene diagram of interface security verification provided in an embodiment of the present application.
The server 101 sends an account and a password to the client 102. The client 102 generates a first signature from the account, the password, the timestamp, the random number, the parameter name and the request address, then generates an access request from the account, the timestamp, the random number, the parameter name, the request address, the first signature and the requested interface, and sends the access request to the server 101. The server 101 receives the access request of the client 102, looks up the password for the account carried in the request, generates a second signature from the account, that password, the timestamp, the random number, the parameter name and the request address, compares the first signature with the second signature, and allows the client 102 to access the requested interface once the two are consistent.
In the present application, a server is used as an execution subject to execute the interface security verification method of the following embodiments. Specifically, the execution body may be a hardware device of the electronic device, or a software application implementing the following embodiments in the electronic device, or a computer-readable storage medium installed with the software application implementing the following embodiments, or code of the software application implementing the following embodiments.
Fig. 2 shows a signaling interaction diagram of an interface security verification method according to an embodiment of the present application. On the basis of the embodiment shown in fig. 1, as shown in fig. 2, with a server as an execution subject, the method of this embodiment may include the following steps:
s101, the server sends an account number and a password to the client.
The server generates a first character string using a Universally Unique Identifier (UUID) and uses it as the account (appkey). The UUID is a 32-digit hexadecimal string that identifies information uniquely in time and space: digits 1 to 8 are taken from the system time, which guarantees uniqueness in time to the millisecond; digits 9 to 16 from the IP address of the underlying host, which guarantees uniqueness within a server cluster; digits 17 to 24 from the HashCode value of the current object, which guarantees uniqueness among objects in a process; and digits 25 to 32 from a random number obtained at call time, which guarantees uniqueness within one millisecond for one object.
After generating the account, the server generates a password (appsecret) from it. Specifically, the first character string (the account) is sorted, for example in natural or reverse order, to obtain a second character string; the second character string is then encoded in binary form to obtain a third character string, which is used as the password.
And after generating the account and the password, the server sends the account and the password to the client.
S102, the client generates a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address.
After receiving the account and the password, the client generates a first signature from the account, the password, the timestamp, the random number, the request parameter name and the request address. The timestamp records the time at which the first signature was generated; the random number is an automatically generated random value; the request parameter name is the name of the request parameter, where the request parameter can be understood as the request content; and the request address refers to the address of the client.
The client sorts the account, the password, the timestamp, the random number, the request parameter name and the request address in natural order to generate a fourth character string, and then generates the first signature by hashing it with MD5 or signing it with RSA. MD5 processes the input in 512-bit blocks, each divided into sixteen 32-bit words; after a series of rounds the algorithm outputs four 32-bit words, which are concatenated into a 128-bit digest. RSA chooses two large primes at random, computes their product (the modulus) and its Euler totient, then chooses an encryption exponent and computes its inverse modulo the totient; the exponent and modulus form the public key, and the inverse forms the private key.
S103, the client generates an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request interface.
The client puts the account number, the timestamp, the random number, the request parameter name, the request address and the first signature into a request head, and generates an access request by the request head and the request parameter, wherein the request parameter comprises an interface for requesting access.
S104, the client sends an access request to the server.
And after the client generates an access request, the access request is sent to the server.
S105, the server receives an access request of the client, acquires a password corresponding to the account according to the account in the access request, and generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address.
The server receives an access request of a client, extracts an account number, a timestamp, a random number, a request parameter name and a request address from the access request, inquires a password corresponding to the account number in the server after extracting the account number from the access request, and generates a second signature according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address.
Specifically, the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address may be sorted in natural order to generate a string, and the string is hashed with MD5 or signed with RSA to generate the second signature.
As one implementation, the access request may further include a consistency verification identifier, which is an annotation on the interface indicating that the interface may only be accessed after security verification. Correspondingly, when the access request carries the consistency verification identifier, the server enters the verification aspect and generates the second signature from the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address. The annotations may further include: verifying whether the same interface is repeatedly accessed with the same first signature, verifying whether the interval between submissions of access requests to the same interface is greater than a time threshold, and verifying whether the request parameter name meets a preset requirement.
As another implementation, after receiving the access request from the client, the server may also verify, from the timestamp in the access request, whether the first signature is within its validity period, and only if it is generate the second signature from the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address in the request.
And S106, verifying whether the first signature and the second signature are consistent or not, and allowing the client to access the interface after the first signature and the second signature are consistent.
After the server generates a second signature according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address, verifying a first signature in the request sent by the client and the second signature generated by the server, and if the first signature and the second signature are consistent, passing the verification and allowing the client to access the interface.
After the server verifies that the first signature and the second signature are consistent, the server can also verify whether the first signature is used for repeatedly accessing the same interface when a repeated verification identifier exists in the access request, and/or verify whether the submission time interval of the access request to the same interface is greater than a time threshold when an intermittent verification identifier exists in the access request, and/or verify whether the request parameter name meets the preset requirement when a normative verification identifier exists in the access request.
After the server verifies the first signature and the second signature, whether the request parameter is legal or not can be verified, and the client is allowed to access the interface after the request parameter is legal.
According to the interface security verification method, when the client sends the access request, the server inquires the corresponding password according to the account in the access request, generates the second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address, carries out consistency verification on the second signature and the first signature in the request, and allows the client to access the interface after the second signature and the first signature in the request are verified to be consistent. The interface security verification method replaces the existing token authorization to carry out interface security verification, does not need redis to realize the security verification of the interface authorization, and overcomes the defect of the existing token authorization mechanism.
Fig. 3 shows a signaling interaction diagram of a method for accessing an interface according to an embodiment of the present application.
As shown in fig. 3, with the client as the executing entity, the method of this embodiment may include the following steps:
S201, receiving the account and the password sent by the server.
The client receives an account generated by the server from a unique identification code and a password generated from that account. Specifically, the server sorts the first character string serving as the account to obtain a second character string, performs binary processing on the second character string to obtain a third character string, and uses the third character string as the password.
S202, generating a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address, and generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter.
After receiving the account and the password, the client generates a fourth character string by naturally ordering the account, the password, the timestamp, the random number, the request parameter name and the request address, and then generates the first signature by applying MD5 encryption or RSA encryption to that string. It then puts the account, the timestamp, the random number, the request parameter name, the request address and the first signature into the request header, and forms the access request from the request header and the request parameters.
The client may also obtain a verification identifier and generate the access request according to the verification identifier, the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameters. The verification identifier comprises one or more of: a consistency verification identifier, a repeatability verification identifier, an interval verification identifier and a normative verification identifier. The consistency verification identifier indicates that the signatures are to be checked for consistency, the repeatability verification identifier indicates that the server should check whether the first signature has been used to repeatedly access the same interface, the interval verification identifier indicates that the server should check whether the submission interval of access requests carrying the first signature to the same interface is greater than a time threshold, and the normative verification identifier indicates that the server should check whether the request parameter names meet the preset requirement.
S203, sending an access request to the server.
After generating the access request, the client sends the access request to the server.
S204, the server acquires the password corresponding to the account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address, and verifies whether the first signature and the second signature are consistent.
The server receives the access request from the client, extracts the account, the timestamp, the random number, the request parameter name and the request address from it, looks up the password corresponding to the extracted account on the server side, and generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address.
Specifically, the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address may be naturally ordered to form a character string, and that string may be encrypted by MD5 encryption or RSA encryption to generate the second signature.
As an implementation manner, when the access request includes the consistency verification identifier, the server enters the aspect and generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address. When the access request includes the repeatability verification identifier, the server verifies, after confirming that the first signature is consistent with the second signature, whether the first signature is being used to repeatedly access the same interface. When the access request includes the interval verification identifier, the server verifies, after confirming consistency, whether the submission interval of access requests to the same interface is greater than a time threshold. When the access request includes the normative verification identifier, the server verifies, after confirming consistency, whether the names of the request parameters meet the preset requirement.
As another implementation manner, after receiving the access request sent by the client, the server may also verify, according to the timestamp in the access request, whether the first signature is within its validity period, and generate the second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address in the request only if the first signature is within the validity period.
S205, receiving the consistency verification result sent by the server and accessing the interface.
According to the method for accessing an interface, after the client receives the account and the password sent by the server, it generates a first signature according to the account, the password, the timestamp, the random number, the request parameter name and the request address, generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameters, and sends the access request to the server; the server generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address in the access request, and verifies whether the first signature and the second signature are consistent. The client accesses the interface after the server has verified that the first signature is consistent with the second signature. The interface security verification manner in this interface access method achieves security verification of interface authorization without redis, and overcomes the defects of the existing token authorization mechanism.
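The client signing step (S202) and the server verification steps (S204 and S104 to S106) described above, written out as an added example; this is not the patent's code. It assumes header names, "&" as the separator between the naturally ordered fields, hex encoding for the "binary processing" step, a validity period of 300 s and a time threshold of 1 s; MD5 is used because the text names it, with the digest kept as one constant so SHA-256 can be substituted.

```python
import hashlib
import hmac
import secrets
import time
import uuid

DIGEST = "md5"            # the embodiments name MD5; "sha256" is a drop-in replacement here
VALIDITY_SECONDS = 300    # assumed validity period of a first signature (timestamp check)
TIME_THRESHOLD = 1.0      # assumed minimum interval between submissions to one interface
SEP = "&"                 # assumed separator between the naturally ordered fields


def make_credentials():
    """Server side: account from a unique identification code, password from the
    sorted account string; the 'binary processing' step is assumed to be hex encoding.
    The derivation is deterministic, so the password stays secret only as long as
    the channel it is delivered over does."""
    first = uuid.uuid4().hex                  # first character string -> account
    second = "".join(sorted(first))           # sequenced -> second character string
    third = second.encode("ascii").hex()      # binary processing -> third string = password
    return first, third


def signature(account, password, timestamp, nonce, param_names, address):
    """First (client) and second (server) signature: natural ordering of the six
    fields, then a digest over the joined string. Only parameter *names* are signed,
    as the text describes; parameter values are checked separately."""
    fields = sorted([account, password, timestamp, nonce, param_names, address])
    return hashlib.new(DIGEST, SEP.join(fields).encode("utf-8")).hexdigest()


def split_csv(value):
    """Comma-separated header value -> list (empty string -> empty list)."""
    return value.split(",") if value else []


def build_request(account, password, address, params, flags=(), timestamp=None, nonce=None):
    """Client side (S202): sign, then place the public fields, the first signature and
    the verification identifiers in the request header; params form the body."""
    timestamp = str(int(time.time()) if timestamp is None else timestamp)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    param_names = ",".join(sorted(params))
    headers = {
        "X-Account": account, "X-Timestamp": timestamp, "X-Nonce": nonce,
        "X-Param-Names": param_names, "X-Address": address,
        "X-Signature": signature(account, password, timestamp, nonce, param_names, address),
        "X-Verify": ",".join(flags),   # any of: repeat, interval, normative
    }
    return headers, dict(params)


class Server:
    """Server side (S104-S106): password lookup, second signature, consistency check,
    then the optional checks selected by the verification identifiers."""

    def __init__(self):
        self.passwords = {}           # account -> password; in-process, no redis needed
        self.used_signatures = set()  # for the repeatability check
        self.last_submission = {}     # (account, address) -> time of last accepted request

    def register(self):
        account, password = make_credentials()
        self.passwords[account] = password
        return account, password

    def verify(self, headers, params, now=None):
        """Return (allowed, reason). Checks run in the order of the embodiment:
        validity period, signature consistency, repeat/interval/normative, legality."""
        now = time.time() if now is None else now
        try:
            account, ts, nonce = headers["X-Account"], headers["X-Timestamp"], headers["X-Nonce"]
            names, address, first = headers["X-Param-Names"], headers["X-Address"], headers["X-Signature"]
        except KeyError as missing:
            return False, f"missing header {missing}"
        flags = set(split_csv(headers.get("X-Verify", "")))
        if not ts.isdigit() or not 0 <= now - int(ts) <= VALIDITY_SECONDS:
            return False, "first signature outside validity period"
        password = self.passwords.get(account)
        if password is None:
            return False, "unknown account"
        second = signature(account, password, ts, nonce, names, address)
        if not hmac.compare_digest(first, second):      # constant-time comparison
            return False, "signature mismatch"
        key = (account, address)
        if "repeat" in flags and first in self.used_signatures:
            return False, "signature already used for this interface"
        if "interval" in flags and now - self.last_submission.get(key, float("-inf")) < TIME_THRESHOLD:
            return False, "submitted again within the time threshold"
        if "normative" in flags and not all(n.isidentifier() and n.islower() for n in split_csv(names)):
            return False, "parameter name violates the naming rule"
        if sorted(params) != split_csv(names):          # legality: body matches the signed names
            return False, "signed parameter names do not match the submitted parameters"
        self.used_signatures.add(first)
        self.last_submission[key] = now
        return True, "ok"
```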
Fig. 4 is a schematic structural diagram of an interface security verification apparatus according to an embodiment of the present application, and as shown in fig. 4, an interface security verification apparatus 10 according to this embodiment is used to implement operations corresponding to an electronic device in any one of the method embodiments described above, where the interface security verification apparatus 10 according to this embodiment includes:
the sending module 11 is configured to send an account and a password to the client, so that the client generates a first signature according to the account, the password, the timestamp, the random number, the request parameter name and the request address, and generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
the receiving module 12 is configured to receive an access request sent by a client, acquire a password corresponding to an account according to an account in the access request, and generate a second signature according to the account, the password corresponding to the account, a timestamp, a random number, a request parameter name, and a request address;
the verification module 13 is configured to verify whether the first signature and the second signature are consistent, so as to allow the client to access the interface after the first signature and the second signature are consistent.
The interface security verification apparatus 10 provided in the embodiment of the present application may implement the above-mentioned interface security verification method embodiment, and for specific implementation principles and technical effects, reference may be made to the above-mentioned method embodiment, which is not described herein again.
Fig. 5 is a schematic structural diagram of an access device according to an embodiment of the present application, and as shown in fig. 5, an access device 20 of the present embodiment is used for implementing an operation corresponding to an electronic device in any method embodiment described above, where the access device 20 of the present embodiment includes:
the receiving module 21 is configured to receive an account and a password sent by the server;
the generation module 22 is configured to generate a first signature according to the account, the password, the timestamp, the random number, the request parameter name, and the request address, and generate an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature, and the request parameter;
the sending module 23 is configured to send an access request to a server, so that the server obtains a password corresponding to an account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, a timestamp, a random number, a request parameter name, and a request address, and verifies whether the first signature and the second signature are consistent;
the access module 24 is configured to access the interface after consistency has been verified.
The access device 20 provided in the embodiment of the present application may execute the above access interface method embodiment, and for details of implementation principles and technical effects, reference may be made to the above method embodiment, which is not described herein again.
Fig. 6 shows a hardware structure diagram of an electronic device according to an embodiment of the present application. As shown in fig. 6, the electronic device 30 is configured to implement the operations corresponding to the electronic device in any of the method embodiments described above, where the electronic device 30 of this embodiment may include: memory 31, processor 32 and communication interface 33.
A memory 31 for storing computer instructions.
The processor 32 is connected to the memory 31 and is used for executing the computer instructions stored in the memory 31 to implement the method for interface security authentication or the method for accessing the interface in the above-mentioned embodiments. Reference may be made in particular to the description relating to the method embodiments described above.
Alternatively, the memory 31 may be separate or integrated with the processor 32.
The communication interface 33 may be connected to the processor 32. The processor 32 may control the communication interface 33 to perform the functions of receiving and transmitting signals.
The electronic device provided in this embodiment may be used to execute the interface security verification method or the interface access method, which are similar in implementation manner and technical effect and are not described herein again.
The present application also provides a computer readable storage medium, in which computer instructions are stored, and the computer instructions are executed by a processor to implement the methods provided by the above-mentioned various embodiments.
The present application also provides a computer program product comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read by at least one processor of the device from a computer-readable storage medium, and execution of the computer instructions by the at least one processor causes the device to perform the methods provided by the various embodiments described above.
The embodiment of the present application further provides a chip, which includes a memory and a processor, where the memory is used to store computer instructions, and the processor is used to call and execute the computer instructions from the memory, so that a device in which the chip is installed executes the method described in the above various possible embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same. Although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: it is also possible to modify the solutions described in the previous embodiments or to substitute some or all of them with equivalents. And the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.
Claims (13)
1. An interface security verification method, for a server, comprising:
sending an account and a password to a client, so that the client generates a first signature according to the account, the password, a timestamp, a random number, a request parameter name and a request address, and generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
receiving an access request sent by a client, acquiring a password corresponding to an account according to the account in the access request, and generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address;
and verifying whether the first signature and the second signature are consistent or not so as to allow the client to access the interface after the first signature and the second signature are consistent.
2. The method of claim 1, wherein generating a second signature based on the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name, and the request address comprises:
and when the consistency verification identification exists in the access request, generating a second signature according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address.
3. The method of claim 2, wherein upon verifying that the first signature and the second signature are consistent, the method further comprises at least one of:
when the access request has a repeated verification identifier, verifying whether the same interface is repeatedly accessed by using a first signature;
when the access request has interval verification identification, verifying whether the submission time interval of the access request to the same interface is greater than a time threshold;
and when the access request has the normative verification identifier, verifying whether the request parameter name meets the preset requirement.
4. The method of claim 1, wherein prior to providing the account number and password to the client, the method further comprises:
generating a first character string by using a unique identification code, and taking the first character string as an account;
and sequencing the first character string to obtain a second character string, carrying out binary processing on the second character string to obtain a third character string, and taking the third character string as a password.
5. The method of claim 1, wherein after receiving the access request from the client, before generating a second signature according to the account number, a password corresponding to the account number, the timestamp, the random number, the request parameter name, and the request address, the method further comprises:
verifying whether the first signature is within a validity period according to the timestamp;
correspondingly, when the first signature is in the valid period, a second signature is generated according to the account number, the password corresponding to the account number, the timestamp, the random number, the request parameter name and the request address.
6. A method for accessing an interface, the method for a client, comprising:
receiving an account number and a password sent by a server;
generating a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address, and generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
sending the access request to the server, so that the server acquires a password corresponding to the account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address, and verifies whether the first signature and the second signature are consistent;
and accessing the interface after the consistency is verified.
7. The method of claim 6, wherein generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature, and the request parameter comprises:
and acquiring a verification identifier, and generating an access request according to the verification identifier, the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter.
8. The method of claim 7, wherein the verification identifier comprises one or more of: a consistency verification identifier, a repeatability verification identifier, an interval verification identifier and a normative verification identifier.
9. The method of claim 6, wherein generating the first signature based on the account number, the password, the timestamp, the random number, the request parameter name, and the request address comprises:
sequencing the account number, the password, the timestamp, the random number, the request parameter name and the request address to generate a fourth character string;
and encrypting the fourth character string using MD5 encryption or RSA encryption to generate the first signature.
10. An interface security verification apparatus, comprising:
the sending module is used for sending an account and a password to a client so that the client generates a first signature according to the account, the password, a timestamp, a random number, a request parameter name and a request address and generates an access request according to the account, the timestamp, the random number, the request parameter name, the request address, the first signature and a request parameter;
the receiving module is used for receiving an access request sent by a client, acquiring a password corresponding to the account according to the account in the access request, and generating a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name and the request address;
and the verification module is used for verifying whether the first signature and the second signature are consistent or not so as to allow the client to access the interface after the first signature and the second signature are consistent.
11. An apparatus for accessing an interface, comprising:
the receiving module is used for receiving the account and the password sent by the server;
the generation module is used for generating a first signature according to the account number, the password, the timestamp, the random number, the request parameter name and the request address, and generating an access request according to the account number, the timestamp, the random number, the request parameter name, the request address, the first signature and the request parameter;
a sending module, configured to send the access request to the server, so that the server obtains a password corresponding to the account according to the account in the access request, generates a second signature according to the account, the password corresponding to the account, the timestamp, the random number, the request parameter name, and the request address, and verifies whether the first signature and the second signature are consistent;
and the access module is used for accessing the interface after the consistency is verified.
12. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the interface security verification method of any one of claims 1 to 5 or the method of accessing an interface of any one of claims 6 to 9.
13. A computer-readable storage medium having stored thereon computer instructions for implementing the interface security verification method of any one of claims 1 to 5 or the method of accessing an interface of any one of claims 6 to 9 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111071880.8A CN113794568A (en) | 2021-09-14 | 2021-09-14 | Interface security verification method, interface access method, device, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113794568A true CN113794568A (en) | 2021-12-14 |
Family
ID=79183192
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111071880.8A Pending CN113794568A (en) | 2021-09-14 | 2021-09-14 | Interface security verification method, interface access method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113794568A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20211214 |