Disclosure of Invention
The embodiment of the invention aims to provide an API (application program interface) message protection method, an API message protection system, an electronic device and a storage medium, which solve the problems of the prior art that the key format is fixed and the verification method is conventional and easy to crack.
In order to achieve the above object, an embodiment of the present invention illustrates the technical solution through four aspects. The first aspect provides an API interface message protection method, including the following steps:
forming the generated keys into different key tables and distributing the key tables to a first terminal, a second terminal and a third terminal;
acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
acquiring the corresponding key from a key table according to the key information;
performing a calculation on the obtained key, and matching according to the calculation result;
if the key matching is successful, information interaction is carried out between the terminals; if the matching is unsuccessful, the information interaction is terminated, and meanwhile the used key is discarded.
With reference to the first aspect, the method of forming the plurality of generated keys into different key tables and distributing them to the first terminal, the second terminal and the third terminal includes the following steps:
generating a plurality of keys according to a key generation rule, and dividing the keys into a plurality of groups according to the number of terminals to form key tables;
and distributing a key table to each terminal, wherein the keys in the key tables are not repeated.
With reference to the first aspect, the method of obtaining the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal includes the following steps:
before the information interaction, each of the first terminal, the second terminal and the third terminal sends its own key information to the terminal with which it needs to interact;
the two interacting parties each receive the key information sent by the other party.
With reference to the first aspect, the key table includes a key table ID, key sequence numbers and keys, where each key sequence number corresponds to exactly one key;
the key information comprises a key table ID, a key sequence number, a check code and a key result, where the key result is obtained by an operation on the key and the check code.
With reference to the first aspect, the method of obtaining the corresponding key from a key table according to the key information includes the following steps:
before information interaction, first acquiring the key information of the interacting terminal;
extracting the key table ID and the key sequence number from the key information;
searching the key store for the key table corresponding to that key table ID;
finding the corresponding key in that key table according to the key sequence number;
where the key store is a repository storing all key tables.
With reference to the first aspect, the method of performing a calculation on the obtained key and matching according to the calculation result includes the following steps:
performing a joint calculation on the key found in the key table and the acquired check code;
after the calculation is finished, comparing the calculation result with the received key result;
if the two results correspond to each other, the matching is successful; otherwise, the matching is unsuccessful.
With reference to the first aspect, the method of carrying out information interaction between the terminals if the key matching is successful, terminating the information interaction if the key matching is unsuccessful, and revoking the used key includes the following steps:
after the key matching is successful, information interaction is carried out between the successfully matched terminals;
both interacting parties delete or lock the used key in their key tables and keep the key sequence numbers of the other keys unchanged;
and if the matching is unsuccessful, the information interaction is terminated.
In a second aspect, an API interface message protection system is provided, where the system includes:
a key distribution module, used for forming the generated keys into different key tables and distributing the key tables to the first terminal, the second terminal and the third terminal;
a first key acquisition module, used for acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
a second key acquisition module, used for obtaining the corresponding key from a key table according to the key information;
a key calculation module, used for performing a calculation on the acquired key and matching according to the calculation result;
and a key processing module, used for judging whether the key matching is successful, carrying out information interaction between the terminals if the key matching is successful, terminating the information interaction if the key matching is unsuccessful, and at the same time discarding the used key.
In a third aspect, an electronic device is provided, which includes: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor which, when executed, causes the at least one processor to perform the API interface message protection method of any one of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, implements the API interface message protection method of any one of the first aspect.
The embodiment of the invention has the following advantages:
1. the keys produced by the key generation rule differ in form, so that a key cannot be cracked even if it is obtained by accident, which improves the security of the key;
2. when a key is used, it is the calculated key result that is sent; even if the key result is intercepted, only the key result becomes known and not the key itself, so that the security of the key is ensured;
3. the used key is discarded, so that the loss of transmitted data through reuse of a leaked key is avoided.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted" and "connected" are to be construed broadly, e.g., as meaning a fixed connection, a removable connection or an integral connection; a mechanical or an electrical connection; a direct connection or an indirect connection through intervening media; or an internal connection between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific situation.
The invention is further illustrated by the following two examples:
Example 1
As shown in fig. 1, a schematic flow diagram of the method provided in an embodiment of the present invention, a method for protecting an API interface message includes the following steps:
S1: forming the generated keys into different key tables and distributing the key tables to the first terminal, the second terminal and the third terminal;
the specific implementation includes the following steps:
generating a plurality of keys according to a key generation rule, and dividing the keys into a plurality of groups according to the number of terminals to form key tables;
distributing a key table to each terminal, wherein the keys in the key tables are not repeated;
the key generation rule specifies the composition of a key: a key must contain upper- and lower-case English letters, Greek letters, Arabic numerals, computer symbols and the like, arranged in a random interleaved order;
a specific constraint rule can be selected for each terminal; for example, in the first terminal the first two characters must be capital letters, in the second terminal the first two characters must be a letter followed by a number, and in the third terminal the first two characters must be a symbol followed by a number;
after the keys are generated, the key tables are formed, and they can be distributed according to the rule of each terminal or simply distributed at random;
the formed key tables are distributed to each terminal, and each terminal obtains key tables of the same content and number;
S2: acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
the specific implementation includes the following steps:
before the information interaction, each of the first terminal, the second terminal and the third terminal sends its own key information to the terminal with which it needs to interact;
the two interacting parties each receive the key information sent by the other party;
the key table comprises a key table ID, key sequence numbers and keys, where each key sequence number corresponds to exactly one key;
the key information comprises a key table ID, a key sequence number, a check code and a key result, where the key result is obtained by an operation on the key and the check code;
before sending information, a terminal first forms its own key information: it selects a key table ID as the header of the key information, i.e., its first item; takes the check code corresponding to that key table as the second item; selects a key from the key table and takes the key sequence number of that key as the third item; and finally performs the operation on the key and the check code to obtain the key result, which it takes as the fourth item;
the operation on the check code and the key is a calculation formula agreed in advance between the terminals;
S3: acquiring the corresponding key from a key table according to the key information;
the specific implementation includes the following steps:
before information interaction, first acquiring the key information of the interacting terminal;
extracting the key table ID and the key sequence number from the key information;
searching the key store for the key table corresponding to that key table ID;
finding the corresponding key in that key table according to the key sequence number;
the key store is a repository storing all key tables; a plurality of key tables are held in the key store, each key table is distinguished by its ID number, and the composition or encoding of each ID is different;
after obtaining the key table ID, the terminal searches the key store for that key table ID and then obtains the corresponding key from the key table according to the key sequence number. If, during the search, a key table ID that does not exist in the key store or a key sequence number that does not exist in the key table is encountered, search failure information is returned, and on this feedback the terminal immediately stops the information interaction.
S4: performing a calculation on the obtained key, and matching according to the calculation result;
the specific implementation includes the following steps:
performing a joint calculation on the key found in the key table and the acquired check code;
after the calculation is finished, comparing the calculation result with the received key result;
if the two results correspond to each other, the matching is successful; otherwise, the matching is unsuccessful;
the calculation on the found key and the check code consists of one or more of the following operations, in any combination: addition, subtraction, multiplication, character increase or decrease, and NOR;
S5: if the key matching is successful, information interaction is carried out between the terminals; if the matching is unsuccessful, the information interaction is terminated, and meanwhile the used key is discarded;
the specific implementation includes the following steps:
after the key matching is successful, information interaction is carried out between the successfully matched terminals;
both interacting parties delete or lock the used key in their key tables and keep the key sequence numbers of the other keys unchanged;
if the matching is unsuccessful, the information interaction is terminated;
after the matching is successful, the used key must be discarded, i.e., either deleted from the key table or locked in a state in which it can still be displayed and found but can no longer be used; after deletion or locking, the key sequence numbers of the other keys do not change, i.e., the sequence numbers assigned to the keys at the outset remain in force.
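Steps S1 to S5 above, as an added Python model that is not code from the patent: it builds per-terminal key tables under the prefix rules of S1, forms the four-item key information of S2, performs the lookup, check and one-time revocation of S3 to S5, and reports each failure case that terminates the interaction. The key-result formula (addition followed by NOR), the per-table check code, the key alphabet and the key table ID format are assumptions, since the patent fixes none of them.

```python
import secrets
import string
from dataclasses import dataclass, field

# Constructed key alphabet following the patent's description: upper- and lower-case
# English letters, Greek letters, Arabic numerals and keyboard symbols.
GREEK = "αβγδεζηθικλμνξοπρστυφχψω"
SYMBOLS = "!@#$%^&*()-_=+[]{}<>?/"
ALPHABET = string.ascii_letters + GREEK + string.digits + SYMBOLS

# Per-terminal constraint on the first two characters, as in the patent's own example.
PREFIX_RULES = {
    "first": (string.ascii_uppercase, string.ascii_uppercase),  # capital + capital
    "second": (string.ascii_letters, string.digits),            # letter + number
    "third": (SYMBOLS, string.digits),                          # symbol + number
}


@dataclass
class KeyTable:
    table_id: str
    check_code: str                           # check code bound to this table (assumed)
    keys: dict                                # key sequence number -> key, one-to-one
    locked: set = field(default_factory=set)  # used keys: still listed, no longer usable


def generate_key(terminal: str, length: int = 12) -> str:
    """Random key obeying the terminal's prefix rule (hypothetical rule set)."""
    first, second = PREFIX_RULES[terminal]
    body = "".join(secrets.choice(ALPHABET) for _ in range(length - 2))
    return secrets.choice(first) + secrets.choice(second) + body


def build_key_tables(per_table: int) -> dict:
    """S1: one key table per terminal; no key repeats across the tables."""
    seen, store = set(), {}
    for terminal in PREFIX_RULES:
        keys = {}
        while len(keys) < per_table:
            k = generate_key(terminal)
            if k not in seen:
                seen.add(k)
                keys[len(keys) + 1] = k       # sequence numbers 1..n, never renumbered
        table_id = f"{terminal}-{secrets.token_hex(2)}"   # assumed ID format
        store[table_id] = KeyTable(table_id, secrets.token_hex(3), keys)
    return store


def key_result(key: str, check_code: str) -> str:
    """Assumed pre-agreed formula: add the matching check-code byte to each key byte
    (addition / character increase), then NOR the 8-bit sum with that byte."""
    cc = check_code.encode()
    out = bytearray()
    for i, kb in enumerate(key.encode()):
        c = cc[i % len(cc)]
        out.append((~(((kb + c) & 0xFF) | c)) & 0xFF)
    return out.hex()


def build_key_info(store: dict, table_id: str, seq: int) -> tuple:
    """S2, sender side: (key table ID, check code, key sequence number, key result).
    The key itself is never placed in the message."""
    table = store[table_id]
    if seq in table.locked:
        raise ValueError("key already used")
    return (table_id, table.check_code, seq, key_result(table.keys[seq], table.check_code))


def verify_key_info(store: dict, info: tuple) -> tuple:
    """S3 to S5, receiver side. Returns (ok, reason). A lookup failure or a mismatch
    terminates the interaction; on success the used key is locked and the other
    sequence numbers are left untouched."""
    table_id, check_code, seq, result = info
    table = store.get(table_id)
    if table is None:
        return False, "unknown key table ID"
    key = table.keys.get(seq)
    if key is None:
        return False, "unknown key sequence number"
    if seq in table.locked:
        return False, "key already used"
    if secrets.compare_digest(key_result(key, check_code), result):
        table.locked.add(seq)
        return True, "match"
    return False, "key result mismatch"


if __name__ == "__main__":
    sender = build_key_tables(3)
    # The peer holds tables of the same content (S1); each side locks its own copy.
    receiver = {tid: KeyTable(tid, t.check_code, dict(t.keys)) for tid, t in sender.items()}
    tid = next(iter(sender))
    info = build_key_info(sender, tid, 1)
    print(verify_key_info(receiver, info))   # (True, 'match')
    sender[tid].locked.add(1)                # sender discards the key too
    print(verify_key_info(receiver, info))   # replayed: (False, 'key already used')
```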
An API interface message protection system, the system comprising:
a key distribution module, used for forming the generated keys into different key tables and distributing the key tables to the first terminal, the second terminal and the third terminal;
a first key acquisition module, used for acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
a second key acquisition module, used for obtaining the corresponding key from a key table according to the key information;
a key calculation module, used for performing a calculation on the acquired key and matching according to the calculation result;
a key processing module, used for judging whether the key matching is successful, carrying out information interaction between the terminals and at the same time discarding the used key if the key matching is successful, and terminating the information interaction if the key matching is unsuccessful;
wherein:
the key distribution module is used for forming the plurality of generated keys into different key tables and distributing the key tables to the first terminal, the second terminal and the third terminal;
a key table is distributed to each terminal, wherein the keys in the key tables are not repeated;
the key generation rule specifies the composition of a key: a key must contain upper- and lower-case English letters, Greek letters, Arabic numerals, computer symbols and the like, arranged in a random interleaved order;
a specific constraint rule can be selected for each terminal; for example, in the first terminal the first two characters must be capital letters, in the second terminal the first two characters must be a letter followed by a number, and in the third terminal the first two characters must be a symbol followed by a number;
after the keys are generated, the key tables are formed, and they can be distributed according to the rule of each terminal or simply distributed at random;
the formed key tables are distributed to each terminal, and each terminal obtains key tables of the same content and number;
the first key acquisition module is used for acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
before the information interaction, each of the first terminal, the second terminal and the third terminal sends its own key information to the terminal with which it needs to interact;
the two interacting parties each receive the key information sent by the other party;
the key table comprises a key table ID, key sequence numbers and keys, where each key sequence number corresponds to exactly one key;
the key information comprises a key table ID, a key sequence number, a check code and a key result, where the key result is obtained by an operation on the key and the check code;
before sending information, a terminal first forms its own key information: it selects a key table ID as the header of the key information, i.e., its first item; takes the check code corresponding to that key table as the second item; selects a key from the key table and takes the key sequence number of that key as the third item; and finally performs the operation on the key and the check code to obtain the key result, which it takes as the fourth item;
the operation on the check code and the key is a calculation formula agreed in advance between the terminals;
the second key acquisition module is used for obtaining the corresponding key from a key table according to the key information;
before information interaction, first acquiring the key information of the interacting terminal;
extracting the key table ID and the key sequence number from the key information;
searching the key store for the key table corresponding to that key table ID;
finding the corresponding key in that key table according to the key sequence number;
the key store is a repository storing all key tables; a plurality of key tables are held in the key store, each key table is distinguished by its ID number, and the composition or encoding of each ID is different;
after obtaining the key table ID, the terminal searches the key store for that key table ID and then obtains the corresponding key from the key table according to the key sequence number. If, during the search, a key table ID that does not exist in the key store or a key sequence number that does not exist in the key table is encountered, search failure information is returned, and on this feedback the terminal immediately stops the information interaction.
The key calculation module is used for performing a calculation on the acquired key and matching according to the calculation result;
performing a joint calculation on the key found in the key table and the acquired check code;
after the calculation is finished, comparing the calculation result with the received key result;
if the two results correspond to each other, the matching is successful; otherwise, the matching is unsuccessful;
the calculation on the found key and the check code consists of one or more of the following operations, in any combination: addition, subtraction, multiplication, character increase or decrease, and NOR;
the key processing module is used for judging whether the key matching is successful, carrying out information interaction between the terminals and at the same time discarding the used key if the key matching is successful, and terminating the information interaction if the key matching is unsuccessful;
after the key matching is successful, information interaction is carried out between the successfully matched terminals;
both interacting parties delete or lock the used key in their key tables and keep the key sequence numbers of the other keys unchanged;
if the matching is unsuccessful, the information interaction is terminated;
after the matching is successful, the used key must be discarded, i.e., either deleted from the key table or locked in a state in which it can still be displayed and found but can no longer be used; after deletion or locking, the key sequence numbers of the other keys do not change, i.e., the sequence numbers assigned to the keys at the outset remain in force.
The embodiment of the invention also comprises an electronic device, which comprises: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor which, when executed, causes the at least one processor to perform the API interface message protection method described above.
The embodiment of the present invention further includes a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the API interface message protection method described above is implemented.
Example 2
As shown in fig. 1, a schematic flow diagram of the method provided by the embodiment of the present invention, a method for protecting API interface messages includes the following steps:
S1: forming the generated keys into different key tables and distributing the key tables to the first terminal, the second terminal and the third terminal;
the specific implementation includes the following steps:
generating a plurality of keys according to a key generation rule, and dividing the keys into a plurality of groups according to the number of terminals to form key tables;
distributing a key table to each terminal, wherein the keys in the key tables are not repeated;
the key generation rule specifies the composition of a key: a key must contain upper- and lower-case English letters, Greek letters, Arabic numerals, computer symbols and the like, arranged in a random interleaved order;
specific constraint rules can be selected for each terminal, such as that in the first terminal the first two characters must be capital letters, in the second terminal the first two characters must be a letter followed by a number, and in the third terminal the first two characters must be a symbol followed by a number;
after the keys are generated, the key tables are formed, and they can be distributed according to the rule of each terminal or simply distributed at random;
the formed key tables are distributed to each terminal, and each terminal obtains key tables of the same content and number;
S2: acquiring the key information of the other party before the information interaction between the first terminal, the second terminal and the third terminal;
the specific implementation includes the following steps:
before the information interaction, each of the first terminal, the second terminal and the third terminal sends its own key information to the terminal with which it needs to interact;
the two interacting parties each receive the key information sent by the other party;
the key table comprises a key table ID, key sequence numbers and keys, where each key sequence number corresponds to exactly one key;
the key information comprises a key table ID, a key sequence number, a check code and a key result, where the key result is obtained by an operation on the key and the check code;
before sending information, a terminal first forms its own key information: it selects a key table ID as the header of the key information, i.e., its first item; takes the check code corresponding to that key table as the second item; selects a key from the key table and takes the key sequence number of that key as the third item; and finally performs the operation on the key and the check code to obtain the key result, which it takes as the fourth item;
the operation on the check code and the key is a calculation formula agreed in advance between the terminals;
S3: acquiring the corresponding key from a key table according to the key information;
the specific implementation includes the following steps:
before information interaction, first acquiring the key information of the interacting terminal;
extracting the key table ID and the key sequence number from the key information;
searching the key store for the key table corresponding to that key table ID;
finding the corresponding key in that key table according to the key sequence number;
the key store is a repository storing all key tables; a plurality of key tables are held in the key store, each key table is distinguished by its ID number, and the composition or encoding of each ID is different;
after obtaining the key table ID, the terminal searches the key store for that key table ID and then obtains the corresponding key from the key table according to the key sequence number. If, during the search, a key table ID that does not exist in the key store or a key sequence number that does not exist in the key table is encountered, search failure information is returned, and on this feedback the terminal immediately stops the information interaction.
S4: performing a calculation on the obtained key, and matching according to the calculation result;
the specific implementation includes the following steps:
performing a joint calculation on the key found in the key table and the acquired check code;
after the calculation is finished, comparing the calculation result with the received key result;
if the two results correspond to each other, the matching is successful; otherwise, the matching is unsuccessful;
the calculation on the found key and the check code consists of one or more of the following operations, in any combination: addition, subtraction, multiplication, character increase or decrease, and NOR;
S5: if the key matching is successful, information interaction is carried out between the terminals; if the matching is unsuccessful, the information interaction is terminated, and meanwhile the used key is discarded;
the specific implementation includes the following steps:
after the key matching is successful, information interaction is carried out between the successfully matched terminals;
both interacting parties delete or lock the used key in their key tables and keep the key sequence numbers of the other keys unchanged;
if the matching is unsuccessful, the information interaction is terminated;
after the matching is successful, the used key must be discarded, i.e., either deleted from the key table or locked in a state in which it can still be displayed and found but can no longer be used; after deletion or locking, the key sequence numbers of the other keys do not change, i.e., the sequence numbers assigned to the keys at the outset remain in force.
As shown in fig. 2, a schematic connection diagram of a key management module and each terminal provided in the embodiment of the present invention, an integrated key management module is provided, and the module includes:
a key production unit: used for randomly generating a plurality of keys according to the key generation rule and dividing the keys into a plurality of key tables;
a key service unit: used for distributing the generated key tables to other units or terminals, performing the key calculation, and searching for and matching keys according to the key table ID and the key sequence number;
a key exchange unit: used for acquiring the key information of a terminal and exchanging the acquired key information between the two parties of an information interaction;
an optical machine control unit: used for establishing an optical channel for information interaction among a plurality of interacting terminals;
a task scheduling unit: used for acquiring task instructions and scheduling the corresponding unit according to the content of a task instruction;
an operation and maintenance management unit: used for managing and maintaining the operation of each unit and monitoring the security status of each unit;
a safeguard key management unit: used for providing a safeguard key and performing information interaction with the key production unit, the task scheduling unit and the operation and maintenance management unit in a manual mode.
In the manual mode, information cannot be sent directly between the units; it can be sent only after manual confirmation, so that information leakage or message flooding is avoided and the security of the data is further ensured.
The embodiment of the invention also provides a terminal, which comprises a plurality of ground stations, wherein the ground stations are connected with the key management module and perform the following:
the ground station receives user demand information sent by a user and sends the user demand information to a service management center;
the service management center plans a task plan for the next three days according to the user demand information, and the task plan generates a task instruction after on-satellite arbitration by a communication satellite;
the ground station receives the task instruction and executes the task according to it;
at the same time, to ensure the security of data and keys during communication with the service management center and the communication satellite, the plurality of ground stations are interconnected through a network, and when a ground station outputs key information, that key information is obtained and checked by the key management module, so that the security and correctness of the keys output by the ground station are ensured;
The embodiment of the invention also provides a terminal which comprises a communication satellite, wherein the communication satellite is connected with the key management module and performs the following: acquiring a task plan and carrying out on-satellite conflict arbitration to obtain an arbitration result;
the service management center sends the task plan to an operation and maintenance management center;
the service operation and maintenance management center sends the task plan to the communication satellite;
the communication satellite carries out on-satellite conflict arbitration according to the task plan and transmits the arbitration result to the operation and maintenance management center 12 h in advance;
the operation and maintenance management center sends the received arbitration result to the service management center;
after receiving the arbitration result, the service management center analyzes and judges it;
if the arbitration is passed, i.e., the task plan can be implemented, an execution instruction is sent to the ground station;
if the arbitration is not passed, i.e., the task plan conflicts with other tasks, the service management center re-plans the task plan according to the conflict factor and the user demand information;
the re-planned task plan must undergo on-satellite conflict arbitration again, until the on-satellite conflict arbitration passes;
at the same time, to ensure the security of data and keys when the communication satellite outputs key information, that key information is obtained and checked by the key management module, so that the security and correctness of the keys output by the communication satellite are ensured.
The embodiment of the invention also provides a terminal which comprises a service management center, wherein the service management center is connected with the key management module and is used for:
receiving a user demand request sent by a ground station, and generating a task plan according to the user demand request;
receiving an arbitration result from a communication satellite, and sending a task instruction to the ground station according to the arbitration result, wherein the arbitration result is produced by the satellite through on-satellite arbitration according to the task plan;
and receiving task result feedback from the ground station, and managing the key table according to the feedback, wherein the task result feedback is produced by the ground station according to the arbitration result.
Although the invention has been described in detail with respect to the general description and the specific embodiments, it will be apparent to those skilled in the art that modifications and improvements may be made based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.