CN113810367A - Mixed data verification access control method based on dynamic token mode - Google Patents
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses a mixed data verification access control method based on a dynamic token mode, which relates to the technical field of data authority access control and comprises the following steps: the third-party client registers with the server, and the server issues a corresponding application code appId and an application encryption key secretKey to the third-party client as its identity identifier; the server sends an access permission code license to the registered third-party client at set time intervals, and the license is valid only within the set time; the third-party client acquires an access token accessToken using the acquired license, the appId and the secretKey; and the third-party client accesses the server interface with the access token within the specified time to acquire the data. The invention can verify the legality of the request source, ensure that request parameters are neither tampered with nor stolen, ensure the uniqueness of each request and improve data security.
Description
Technical Field
The invention relates to the technical field of data authority access control, in particular to a mixed data verification access control method based on a dynamic token mode.
Background
Data is an important carrier of information, and data security plays a very important role in information security. To transmit and use data safely and controllably, various technical means are required as safeguards, and most existing technologies rely on data encryption to solve the security problem. This solves most security problems to a certain extent, but has the defects that replay attacks against the data are easy to mount, and the security protection of the whole system is completely lost once the static secret key is cracked.
Disclosure of Invention
In view of the requirements and the defects of prior-art development, the invention provides a mixed data verification access control method based on a dynamic token mode.
The invention discloses a mixed data verification access control method based on a dynamic token mode, which adopts the following technical scheme to solve the technical problems:
a mixed data verification access control method based on a dynamic token mode comprises the following steps:
the third-party client registers with the server, and the server issues a corresponding application code appId and an application encryption key secretKey to the third-party client as its identity identifier;
the server sends an access permission code license to the registered third-party client at set time intervals, and the license is valid only within the set time;
the third-party client acquires an access token accessToken using the acquired license, the appId and the secretKey;
and the third-party client accesses the server interface with the access token within the specified time to acquire the data.
Optionally, the access permission code license is generated as follows:
license = BASE64(MD5(current time + random number)).
Optionally, the data format of the access token accessToken is as follows:
{
"jti": "John Doe", // unique ID
"exp": 1234567890, // expiration time
"alg": "HS256" // encryption algorithm
}
Optionally, before the third-party client accesses the server interface with the access token within the specified time, it must sign the request parameters so that the server can verify the signature: the parameter names and parameter values are concatenated into a parameter string, the secret key is prepended to that string, the result is MD5-hashed, and the hashed string is then overwritten to obtain the signature.
Further optionally, in the signature process for the request parameters, the signature mode is specifically:
sort all request parameters alphabetically by parameter name and concatenate them in the form key/value/key/value.
Further optionally, the request parameters include a timestamp; the timestamp is one of the request parameters and is therefore also covered by the MD5 signature, so that each request can only be used once.
Further optionally, the timestamp of each request is written into redis with a timeout set; if the timestamp of the request already exists in redis, the request is discarded.
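As an added example (not code from the patent), the signing and replay check just described, implemented in Python: request parameters are sorted by name and joined as key/value/key/value, the secret key is prepended and the string is MD5-hashed; the server recomputes the signature, then records the request's timestamp in a store with a timeout and discards any repeat. The in-memory ReplayCache stands in for redis, the credentials are constructed, the 60-second freshness window and the appId:timestamp key are assumptions that generalise the page's rule, and the page's final "overwritten" step is unspecified, so the hex digest is used as-is.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample credentials standing in for the appId / secretKey the
# server issues at registration (not values from the patent).
APP_ID = "demo-app-001"
SECRET_KEY = "s3cr3t-demo-key"


def canonical_param_string(params: Dict[str, str]) -> str:
    """Sort parameters alphabetically by name and concatenate as key/value/key/value."""
    return "/".join(f"{name}/{params[name]}" for name in sorted(params))


def sign_params(params: Dict[str, str], secret_key: str) -> str:
    """Prepend the secret key to the canonical string and MD5 it, as the patent describes.
    The page's final 'overwritten' step is unspecified; the hex digest is used as-is."""
    payload = secret_key + canonical_param_string(params)
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


class ReplayCache:
    """In-memory stand-in for the redis store (assumes set-if-absent plus TTL semantics)."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._expires: Dict[str, float] = {}  # key -> absolute expiry time

    def set_if_absent(self, key: str, now: float) -> bool:
        """Return True if the key was new, False if it is already present and unexpired."""
        for stale in [k for k, exp in self._expires.items() if exp <= now]:
            del self._expires[stale]  # redis would evict these via the timeout
        if key in self._expires:
            return False
        self._expires[key] = now + self.ttl
        return True


def verify_request(params: Dict[str, str], signature: str, secret_key: str,
                   cache: ReplayCache, now: Optional[float] = None,
                   max_skew: int = 60) -> str:
    """Server-side check. Returns 'ok' or the reason the request is rejected."""
    now = time.time() if now is None else now
    if "timestamp" not in params:
        return "missing-timestamp"
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sign_params(params, secret_key), signature):
        return "bad-signature"
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return "bad-timestamp"
    # Assumption: a freshness window; without one a request could be replayed
    # as soon as its redis entry times out.
    if abs(now - ts) > max_skew:
        return "stale-timestamp"
    # Keying on appId as well as timestamp stops two clients that send in the
    # same second from rejecting each other (a generalisation of the page's rule).
    if not cache.set_if_absent(f"{params.get('appId', '')}:{ts}", now):
        return "replayed"
    return "ok"


def demo(now: float = 1_700_000_000.0):
    """Walk through a genuine request, its replay, and a tampered copy."""
    cache = ReplayCache(ttl_seconds=300)
    params = {"userId": "42", "appId": APP_ID, "timestamp": str(int(now))}
    sig = sign_params(params, SECRET_KEY)
    first = verify_request(params, sig, SECRET_KEY, cache, now)
    replay = verify_request(params, sig, SECRET_KEY, cache, now + 5)
    tampered = dict(params, userId="43")
    tamper = verify_request(tampered, sig, SECRET_KEY, cache, now + 6)
    return first, replay, tamper


if __name__ == "__main__":
    print(demo())
```

Running the module yields ('ok', 'replayed', 'bad-signature'). Note that secret-prefix MD5 is not a standard message authentication code (it is subject to length extension); HMAC over SHA-256 is the conventional replacement and drops into sign_params without changing the rest of the flow.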
Optionally, when the third-party client accesses the server interface with the access token within the specified time to obtain the data, the process is as follows:
each time the acquired access token accessToken is used to access the server interface, it is first checked whether the token has expired, and only then may the server interface be accessed;
if the access token has expired, it can be refreshed; if the refresh succeeds, the server interface can continue to be accessed to obtain data, and the validity period of the access token is extended accordingly.
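The license formula, the access token fields (jti, exp, alg) and the expiry/refresh handling described above, brought together in one runnable Python module as an added example that is not the patent's own code. It assumes a JWT-style header.claims.signature layout (the page lists only the fields), constructed credentials, a 10-minute token lifetime and a refresh grace window; the 20-minute license window comes from the embodiment.

```python
import base64
import hashlib
import hmac
import json
import secrets
import uuid
from typing import Optional, Tuple

# Constructed credentials standing in for the appId / secretKey issued at
# registration; none of these values come from the patent.
APP_ID = "demo-app-001"
SECRET_KEY = "s3cr3t-demo-key"
LICENSE_TTL = 20 * 60      # the embodiment issues a new license every 20 minutes
TOKEN_TTL = 10 * 60        # assumption: the page gives no token lifetime
REFRESH_GRACE = 24 * 3600  # assumption: how long after expiry a refresh is still honoured


def issue_license(now: float) -> str:
    """license = BASE64(MD5(current time + random number)), as the page states."""
    raw = f"{int(now)}{secrets.randbelow(10 ** 9)}".encode("utf-8")
    return base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")


def license_is_current(issued_at: float, now: float) -> bool:
    """The license is valid only inside its issue window."""
    return 0 <= now - issued_at < LICENSE_TTL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret_key: str, signing_input: str) -> str:
    mac = hmac.new(secret_key.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def mint_token(app_id: str, secret_key: str, now: float, ttl: int = TOKEN_TTL) -> str:
    """Issue an HS256 token carrying the page's jti / exp / alg fields.
    Assumption: JWT layout header.claims.signature; the page lists only the fields."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"jti": uuid.uuid4().hex, "sub": app_id, "exp": int(now) + ttl}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _hs256(secret_key, signing_input)


def verify_token(token: str, secret_key: str, now: float) -> Tuple[str, Optional[dict]]:
    """Return ('ok', claims), ('expired', claims) or ('invalid', None)."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:
        return "invalid", None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "invalid", None
    # Pin the algorithm server-side; the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        return "invalid", None
    if not hmac.compare_digest(_hs256(secret_key, f"{h}.{c}"), s):
        return "invalid", None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "expired", claims
    return "ok", claims


def refresh_token(token: str, secret_key: str, now: float) -> Optional[str]:
    """Refresh an expired token: only a genuinely signed token whose expiry lies within
    REFRESH_GRACE is reissued (new jti, extended exp); anything else returns None."""
    status, claims = verify_token(token, secret_key, now)
    if status == "invalid" or not claims.get("sub"):
        return None
    if now - claims.get("exp", 0) > REFRESH_GRACE:
        return None
    return mint_token(claims["sub"], secret_key, now)


def demo(now: float = 1_700_000_000.0):
    """Fresh use, expiry, a successful refresh, and verification with the wrong key."""
    tok = mint_token(APP_ID, SECRET_KEY, now)
    fresh = verify_token(tok, SECRET_KEY, now + 60)[0]
    expired = verify_token(tok, SECRET_KEY, now + TOKEN_TTL + 1)[0]
    renewed = refresh_token(tok, SECRET_KEY, now + TOKEN_TTL + 1)
    renewed_status = (verify_token(renewed, SECRET_KEY, now + TOKEN_TTL + 2)[0]
                      if renewed else "refresh-failed")
    forged = verify_token(tok, "wrong-key", now + 60)[0]
    return fresh, expired, renewed_status, forged


if __name__ == "__main__":
    print(issue_license(1_700_000_000.0), demo())
```

demo() returns ('ok', 'expired', 'ok', 'invalid'): the token is accepted while fresh, rejected once exp has passed, accepted again after a refresh that issued a new jti and a later exp, and rejected outright when the signing key does not match. Fixing the algorithm in verify_token rather than trusting the token's own alg field is what keeps the expiry check from being bypassed by a token that simply asserts a different algorithm.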
Compared with the prior art, the hybrid data verification access control method based on the dynamic token mode has the following beneficial effects:
(1) when the third-party client acquires data from the server, it first registers and receives the access permission code sent by the server, which realizes identity authentication; signing and encrypting the access parameters ensures that information is neither tampered with nor stolen in transit;
(2) the invention adds a timestamp to the parameters and compares it against the requests stored in the background redis, which makes each request unique and prevents replay attacks;
(3) the invention updates the access permission code at regular intervals and handles access token expiry, thereby avoiding the serious data loss that a stolen token would cause.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
Detailed Description
In order to make the technical scheme of the present invention, the technical problems it solves and its technical effects clearer, the technical scheme is described clearly and completely below with reference to specific embodiments.
The first embodiment is as follows:
With reference to FIG. 1, the present embodiment provides a hybrid data verification access control method based on a dynamic token mode, which includes the following steps:
(I) A third-party client registers with a server, and the server issues a corresponding application code appId and an application encryption key secretKey to the third-party client to serve as its identity identifier.
(II) The server sends the access permission code license to the registered third-party client every 20 minutes, and the license is valid only within 20 minutes.
The access permission code license is generated as follows:
license = BASE64(MD5(current time + random number)).
(III) The third-party client acquires the access token accessToken using the acquired license, the appId and the secretKey.
The data format of the access token accessToken is as follows:
{
"jti": "John Doe", // unique ID
"exp": 1234567890, // expiration time
"alg": "HS256" // encryption algorithm
}
(IV) The third-party client accesses the server interface with the access token within the specified time to acquire the data.
Before the third-party client accesses the server interface with the access token within the specified time, it must sign the request parameters so that the server can verify the signature: the parameter names and parameter values are concatenated into a parameter string, the encryption key secretKey is prepended to that string, the result is MD5-hashed, and the hashed string is then overwritten to obtain the signature.
In the signature process for the request parameters, the signature mode is specifically:
sort all request parameters alphabetically by parameter name and concatenate them in the form key/value/key/value.
The request parameters include a timestamp, which is one of the request parameters and is therefore also covered by the MD5 signature, so that each request can only be used once. The timestamp of each request is written into redis with a timeout set; if the timestamp of the request already exists in redis, the request is discarded.
In this embodiment, when the third-party client uses the access token to access the server interface within the specified time to obtain the data, the process is as follows:
each time the acquired access token accessToken is used to access the server interface, it is first checked whether the token has expired, and only then may the server interface be accessed;
if the access token has expired, it can be refreshed; if the refresh succeeds, the server interface can continue to be accessed to obtain data, and the validity period of the access token is extended accordingly.
In summary, the hybrid data verification access control method based on the dynamic token mode can verify the legality of the request source, ensure that the request parameter is not tampered and stolen, ensure the uniqueness of the request and improve the data security.
The principles and embodiments of the present invention have been described in detail using specific examples, which are provided only to aid understanding of the core technical content of the invention. Any improvements and modifications that those skilled in the art make on the basis of the above embodiments, without departing from the principle of the present invention, shall fall within the protection scope of the present invention.
Claims (8)
1. A mixed data verification access control method based on a dynamic token mode, characterized by comprising the following steps:
the third-party client registers with the server, and the server issues a corresponding application code appId and an application encryption key secretKey to the third-party client as its identity identifier;
the server sends an access permission code license to the registered third-party client at set time intervals, and the license is valid only within the set time;
the third-party client acquires an access token accessToken using the acquired license, the appId and the secretKey;
and the third-party client accesses the server interface with the access token within the specified time to acquire the data.
2. The mixed data verification access control method based on a dynamic token mode as claimed in claim 1, wherein the access permission code license is generated as follows:
license = BASE64(MD5(current time + random number)).
3. The mixed data verification access control method based on a dynamic token mode as claimed in claim 1, wherein the data format of the access token accessToken is:
{
"jti": "John Doe", // unique ID
"exp": 1234567890, // expiration time
"alg": "HS256" // encryption algorithm
}
4. The mixed data verification access control method based on a dynamic token mode as claimed in claim 1, wherein before the third-party client uses the access token accessToken to access the server interface within the specified time, it must sign the request parameters so that the server can verify the signature: the parameter names and parameter values are concatenated into a parameter string, the application encryption key secretKey is prepended to the parameter string, the result is MD5-hashed, and the hashed string is then overwritten to obtain the signature.
5. The mixed data verification access control method based on a dynamic token mode as claimed in claim 4, wherein in the signature process for the request parameters, the signature mode is specifically:
sort all request parameters alphabetically by parameter name and concatenate them in the form key/value/key/value.
6. The method as claimed in claim 4, wherein the request parameters include a timestamp; the timestamp is one of the request parameters and is therefore also covered by the MD5 signature, so that each request can only be used once.
7. The method as claimed in claim 6, wherein the timestamp of each request is written into redis with a timeout set, and the request is discarded if its timestamp already exists in redis.
8. The method as claimed in claim 1, wherein, when the third-party client accesses the server interface with the access token accessToken within the specified time to obtain the data,
each time the acquired access token is used to access the server interface, it is first checked whether the token has expired, and only then may the server interface be accessed;
if the access token has expired, it can be refreshed; if the refresh succeeds, the server interface can continue to be accessed to obtain data, and the validity period of the access token is extended accordingly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110888600.6A CN113810367A (en) | 2021-08-02 | 2021-08-02 | Mixed data verification access control method based on dynamic token mode |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113810367A true CN113810367A (en) | 2021-12-17 |
Family
ID=78893304
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20211217