CN115694902A - Killing-per-second request method, killing-per-second verification method, device, system and medium - Google Patents


Info

Publication number: CN115694902A
Authority: CN (China)
Prior art keywords: character string, killing, request, key, parameter information
Legal status: Pending
Application number: CN202211186416.8A
Other languages: Chinese (zh)
Inventor: 秦晔玲
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by: Industrial and Commercial Bank of China Ltd (ICBC)
Priority to: CN202211186416.8A
Publication of: CN115694902A

Landscapes

  • Storage Device Security (AREA)
Abstract

The disclosure provides a seckill (flash-sale) request method and device, belonging to the field of information security and applicable to the field of finance. The seckill request method comprises the following steps: acquiring an unencrypted character string and parameter information related to a seckill request, the parameter information comprising N data items; generating a key from the parameter information according to a key generation algorithm; encrypting the unencrypted character string with the key using a symmetric encryption algorithm to obtain an encrypted character string; and sending the seckill request to the back end with the parameter information, the encrypted character string and the unencrypted character string as its components. The key generation algorithm comprises: extracting at least some characters from the N data items and splicing them into a first character string; converting the first character string through an irreversible encryption algorithm to obtain a second character string; and generating the key from the second character string. The disclosure also provides a seckill verification method and device, a seckill system, a computer system, a storage medium and a program product.

Description

Second killing request method, second killing verification method, device, system and medium
Technical Field
The present disclosure relates to the field of information security, and more particularly to a seckill (秒杀, flash-sale; rendered "killing-by-second" in the machine translation) request method and verification method and apparatus, a seckill system, a computer system, a medium, and a program product.
Background
To prevent attacks by black-market (黑产) fraud operators, such as malicious stock grabbing and fake seckill purchases, seckill systems mainly rely on page-behaviour verification, including graphical CAPTCHAs, behavioural CAPTCHAs, SMS verification codes and the like. During a seckill, the purchase can proceed only after this verification has been passed.
While implementing the inventive concept, the inventor found that the prior art has the following defects: page-behaviour verification is not an effective defence against black-market operators, because they can capture the seckill request message and complete the purchase by scripting the operation flow of a normal client; and adding multiple layers of behavioural security verification increases the difficulty for legitimate customers and degrades the user experience.
Disclosure of Invention
In view of the above problems, the present disclosure provides a seckill request method, a seckill verification method and apparatus, a seckill system, a computer system, a medium, and a program product that can significantly improve the ability to defend against black-market attacks during a seckill.
In a first aspect of the embodiments of the present disclosure, a seckill request method applied at a front end is provided. The method comprises: acquiring an unencrypted character string; acquiring parameter information related to the seckill request, the parameter information comprising N data items, where N is an integer greater than or equal to 2; generating a key from the parameter information according to a key generation algorithm; encrypting the unencrypted character string with the key using a symmetric encryption algorithm to obtain an encrypted character string; and sending the seckill request to a back end with the parameter information, the encrypted character string and the unencrypted character string as its components. The key generation algorithm comprises: extracting at least some characters from the N data items to form a first character string; converting the first character string through an irreversible encryption algorithm to obtain a second character string; and generating the key from the second character string.
According to an embodiment of the present disclosure, acquiring the unencrypted character string comprises splicing it together from information about the user who sends the seckill request.
According to an embodiment of the present disclosure, extracting at least some characters from the N data items to compose the first character string is done such that the characters extracted from the same data item are not all grouped together in the first character string.
According to an embodiment of the present disclosure, extracting at least some characters from the N data items to assemble the first character string comprises extracting characters from each of the N data items in a different manner.
According to an embodiment of the present disclosure, the irreversible encryption algorithm comprises the MD5 message digest algorithm.
According to an embodiment of the present disclosure, the N data items include a session identifier of the session to which the seckill request belongs and a random number generated for the seckill request.
In a second aspect of the embodiments of the present disclosure, a seckill verification method applied at a back end is provided. The seckill verification method comprises: receiving a seckill request; extracting the parameter information, the encrypted character string and the unencrypted character string from the seckill request, the parameter information comprising N data items; generating a key from the parameter information according to a key generation algorithm; decrypting the encrypted character string with the key using a symmetric encryption algorithm to obtain a decrypted character string; and rejecting the seckill request when the decrypted string does not match the unencrypted string. The key generation algorithm comprises: extracting at least some characters from the N data items and splicing them into a first character string; converting the first character string through an irreversible encryption algorithm to obtain a second character string; and generating the key from the second character string.
In a third aspect of the embodiments of the present disclosure, a seckill request device disposed at a front end is provided. The seckill request device comprises a first acquisition module, a first key generation module, a first encryption module and a first sending module. The first acquisition module acquires an unencrypted character string and parameter information related to a seckill request, the parameter information comprising N data items, where N is an integer greater than or equal to 2. The first key generation module generates a key from the parameter information according to a key generation algorithm, which comprises: extracting at least some characters from the N data items to combine into a first character string, converting the first character string through an irreversible encryption algorithm to obtain a second character string, and generating the key from the second character string. The first encryption module encrypts the unencrypted character string with the key using a symmetric encryption algorithm to obtain an encrypted character string. The first sending module sends the seckill request to a back end with the parameter information, the encrypted character string and the unencrypted character string as its components.
In a fourth aspect of the embodiments of the present disclosure, a seckill verification device disposed at a back end is provided. The seckill verification device comprises a second receiving module, a second extraction module, a second key generation module, a second decryption module and a second verification module. The second receiving module receives the seckill request. The second extraction module extracts the parameter information, the encrypted character string and the unencrypted character string from the seckill request, the parameter information comprising N data items. The second key generation module generates a key from the parameter information according to a key generation algorithm, which comprises: extracting at least some characters from the N data items to combine into a first character string, converting the first character string through an irreversible encryption algorithm to obtain a second character string, and generating the key from the second character string. The second decryption module decrypts the encrypted character string with the key using a symmetric encryption algorithm to obtain a decrypted character string. The second verification module rejects the seckill request when the decrypted character string does not match the unencrypted character string.
In a fifth aspect of the embodiments of the present disclosure, a seckill system is provided. The seckill system comprises a front end and a back end. The front end is configured to execute the seckill request method of the first aspect, and the back end is configured to execute the seckill verification method of the second aspect. The front end and the back end use an agreed key generation algorithm and an agreed symmetric encryption algorithm.
In a sixth aspect of the embodiments of the present disclosure, a computer system is provided. The computer system includes one or more processors and memory. The memory stores one or more programs which, when executed by the one or more processors, cause the one or more processors to perform the seckill request method of the first aspect or the seckill verification method of the second aspect.
In a seventh aspect of the embodiments of the present disclosure, a computer-readable storage medium is further provided, on which executable instructions are stored; when executed by a processor, the instructions cause the processor to perform the seckill request method of the first aspect or the seckill verification method of the second aspect.
In an eighth aspect of the embodiments of the present disclosure, a computer program product is further provided, comprising a computer program which, when executed by a processor, implements the seckill request method of the first aspect or the seckill verification method of the second aspect.
One or more of the embodiments described above may have the following advantages or benefits: the information in the seckill process is encrypted and the validity of the parameters is verified at the back end, so that validity is verified without the user noticing; the frequency with which black-market tools complete a seckill by calling the interface directly is reduced to a certain extent; back-end verification of parameter validity improves the stability of the seckill system; and the user experience can be improved while defending against black-market operators, ensuring that normal users can participate smoothly in the seckill.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of its embodiments, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario of a seckill request method and a seckill verification method according to an embodiment of the disclosure;
FIG. 2 schematically illustrates a flow chart of a seckill request method applied at a front end according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of a seckill verification method applied at a back end according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow diagram of seckill request and verification according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a block diagram of a seckill request apparatus provided at a front end according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a block diagram of a seckill verification apparatus provided at a back end according to an embodiment of the disclosure; and
FIG. 7 schematically illustrates a block diagram of a computer system suitable for implementing the seckill request method or the seckill verification method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that these descriptions are illustrative only and are not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
In those instances where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). The terms "first", "second" and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features.
A seckill scenario has a particular character: traffic usually surges within a few minutes after the seckill starts, and the product stock reserved for it ("seckill stock" for short) is always swept up in a short time. Black-market operators can use tooling to simulate the behaviour of normal users and fire off a large number of request messages, so that the seckill stock is maliciously seized the moment the seckill starts. Given the characteristics of the seckill scenario and of these attacks, if the rate at which black-market operators complete seckills can be effectively reduced in the initial period, their malicious occupation of the seckill stock can be markedly reduced.
Based on the above, the embodiments of the present disclosure provide a seckill request method, a seckill verification method and apparatus, a seckill system, a computer system, a medium, and a program product that improve the seckill system's defence against black-market attacks by verifying the validity of parameters at the back-end seckill interface, and that can effectively suppress the success rate of black-market attacks in the short period after a seckill begins.
Specifically, the embodiments of the disclosure are built on an architecture of front-end encryption and back-end decryption verification: the front end and the back end use a symmetric encryption algorithm for encryption and decryption, key generation depends on parameters of the seckill process, and those parameters change from one seckill request to the next. Through the design of the key generation algorithm and the back-end verification of the parameters, it becomes difficult for black-market operators to rapidly initiate a large number of valid seckill requests in a short time, and the attack rate is effectively reduced.
FIG. 1 schematically shows an application scenario of the seckill request method and the seckill verification method according to an embodiment of the present disclosure. Note that FIG. 1 is only an example of a system architecture to which the embodiments may be applied, given to help those skilled in the art understand the technical content of the disclosure; it does not mean that the embodiments cannot be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
After the seckill starts, the user can send a seckill request to the server 105 through the network 104 by operating the terminal devices 101, 102, 103. The server 105 may feed back to the user whether the seckill succeeded, according to the seckill request.
Note that the seckill request method applied at the front end provided by the embodiments of the present disclosure may be executed by the terminal devices 101, 102 and 103; accordingly, the seckill request device arranged at the front end may be arranged in the terminal devices 101, 102, 103. The seckill verification method applied at the back end provided by the embodiments may be executed by the server 105; accordingly, the seckill verification device disposed at the back end may be disposed in the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
FIG. 2 schematically shows a flowchart of the seckill request method applied at the front end according to an embodiment of the present disclosure.
As shown in FIG. 2, the seckill request method applied at the front end may include operations S210 to S250.
First, in operation S210, an unencrypted character string is acquired. In some embodiments, the unencrypted character string may be a string spliced together from user information or the like. In other embodiments, the unencrypted string may be a randomly generated string.
Then, in operation S220, parameter information related to the seckill request is acquired, the parameter information including N data items, where N is an integer greater than or equal to 2. The N data items may be a session identifier, a random number generated for the session, a time-based random number derived from the seckill time recorded in milliseconds or even nanoseconds, a user account, the user's number in the seckill system, a user identification number, identification information of the device used by the user, and/or the user's current login address information.
Next, in operations S231 to S233, a key is generated from the parameter information according to a key generation algorithm.
Specifically, in operation S231, at least some characters are extracted from the N data items to compose a first character string.
In operation S232, the first character string is converted into a second character string through an irreversible encryption algorithm. The irreversible encryption algorithm may be the MD5 message digest algorithm, a Secure Hash Algorithm (SHA), or a Hash-based Message Authentication Code (HMAC) computed with an HMAC key.
In operation S233, a key is generated from the second character string.
Thereafter, in operation S240, the unencrypted character string is encrypted with the key using a symmetric encryption algorithm to obtain an encrypted character string. According to embodiments of the present disclosure, the symmetric encryption algorithm used to encrypt the string may be, for example, the XXTEA algorithm. XXTEA is a block cipher that evolved from TEA (Tiny Encryption Algorithm), a small symmetric encryption and decryption algorithm; XXTEA encryption and decryption is fast, efficient and simple to implement. Of course, besides XXTEA, the symmetric encryption algorithm may be any other existing encryption algorithm, or one developed in the future as technology evolves, that can encrypt the character string under the input key.
In operation S250, the seckill request is sent to the back end with the parameter information, the encrypted string and the unencrypted string as its components. After receiving the seckill request, the back end applies the same key generation algorithm to the parameter information in the request to generate the key, decrypts the encrypted character string, and compares the decrypted string with the unencrypted string: if they match, the request is accepted; if they do not match, the request is rejected. In this way, normal users notice nothing, while black-market requests are effectively blocked.
According to the embodiment of the disclosure, several data items are selected to generate the key, and in the generation process these data items are not used directly and in full; instead, characters are extracted from them and combined into a new character string, which then passes through a series of operations such as conversion by an irreversible encryption algorithm to produce the key. The irreversibility and randomness of the key generation algorithm can thus be increased through the selection, combination or transformation of the data items in the seckill request parameters, the character extraction scheme, the character splicing scheme and/or the irreversible encryption algorithm. This increases the difficulty of cracking the key generation algorithm in a short time, makes it hard for black-market operators to submit a large number of valid seckill requests quickly, and effectively reduces their attack frequency at the start of a seckill.
Therefore, in generating the seckill request, the key generation algorithm is irreversible and hard to crack through limited observation in a short time; the frequency at which black-market operators submit valid seckill requests in the initial stage of a seckill can be effectively reduced, and the defence against them is markedly improved.
In some embodiments, when the first character string is assembled in operation S231, characters may be extracted from each of the N data items in a different manner. For example, when the N data items are the session identifier and the random number generated for the current seckill, the 2nd to 3rd and the 5th to 7th characters, among others, may be extracted from the session identifier, and the 2nd to 3rd and the 3rd to 4th characters may be extracted from the random number. Because the characters are extracted from the N data items in different, randomly chosen ways, regularity is reduced and the randomness and cracking difficulty of the key generation algorithm are improved.
In some embodiments, when the characters extracted from the N data items are spliced into the first character string in operation S231, the splicing order may be scrambled so that the characters extracted from the same data item are not all gathered together in the first character string. For example, after extracting characters from the session identifier and the random number as in the example above, the first string may be spliced in the order "random number bits 2-3 + string bits 3-5 + string bits 3-4 + string bits 5-7". Splicing the first character string with the extracted characters out of order increases its randomness and further increases the difficulty for black-market operators to work out the key generation algorithm.
Therefore, the randomness and free combination of the character extraction scheme and the character splicing scheme increase the difficulty of cracking the key generation algorithm.
In some embodiments, the N data items in the parameter information obtained in operation S220 may include a session identifier of the session to which the seckill request belongs and a random number generated for the seckill request. The session identifier is not only unique but can also serve as a check before the back-end decryption verification. The random number increases the uniqueness and randomness of the generated key and the difficulty of cracking the key generation algorithm.
In still other embodiments, the unencrypted character string obtained in operation S210 may be spliced together from information about the user sending the seckill request (such as a user account number, name, identification number, telephone number, e-mail address, bank account and the like). The advantage is that, when the seckill request reaches the back end, the user information in the unencrypted string can serve as a check before decryption verification: the back end can check whether the user information in the unencrypted string is correct before decrypting the encrypted string, and if it is not, the seckill request can be judged illegitimate immediately. The encrypted string need only be decrypted when the user information in the unencrypted string is correct, which further improves the efficiency of verifying seckill requests. Alternatively, after the back end receives the seckill request, the user information in the unencrypted string and the encrypted string may be verified concurrently; the disclosure is not limited in this respect.
Therefore, the embodiment of the disclosure encrypts the information in the seckill process and verifies the validity of the parameters through the back-end interface, achieving validity verification without the user noticing and, to a certain extent, preventing black-market tools from completing a seckill by calling the interface directly. Verifying parameter validity at the back end improves the stability of the seckill system, improves the user experience while defending against black-market operators, and ensures that normal users can participate smoothly in the seckill.
Fig. 3 schematically illustrates a flow chart of a seckill verification method applied to a back end according to an embodiment of the present disclosure.
As shown in fig. 3, the seckill verification method applied to the back end according to this embodiment may include operations S310 to S350.
First, in operation S310, a seckill request is received.
Then, in operation S320, the parameter information, the encrypted string and the unencrypted string are extracted from the seckill request, wherein the parameter information includes N data items.
Next, in operations S331 to S333, a key is generated from the parameter information according to the key generation algorithm.
Specifically, at least a part of the characters are extracted from the N data to assemble a first character string in operation S331.
In operation S332, the first character string is converted into a second character string through an irreversible encryption algorithm.
In operation S333, a key is generated based on the second character string.
Operations S331 to S333 correspond to operations S231 to S233 described above, and reference may be made to the above description.
Thereafter, the encrypted string is decrypted by a symmetric encryption algorithm using the key, resulting in a decrypted string in operation S340.
In operation S350, when the decrypted string is not identical to the unencrypted string, the seckill request is rejected, which blocks requests from fraud tooling.
Accordingly, when the decrypted string is consistent with the unencrypted string, the seckill can be completed.
Of course, in other embodiments, for example where the N data items in the parameter information include the session identifier, or where the unencrypted character string is generated from user information, the seckill is completed only when the decrypted character string is consistent with the unencrypted character string and the other information (e.g. the session identifier, the various items of user information) has also been verified as correct.
In some embodiments, when the parameter information includes the session identifier or user information, and/or the unencrypted character string includes user information, the correctness of the session identifier or user information may be checked before operation S320. If that check fails, the seckill request can be judged illegal directly and rejected; only if it passes does decryption verification proceed.
The verification method above can be used on its own as a means of blocking seckill requests from fraud tooling. In some embodiments it can also serve as a supplement to page-behaviour verification: after the page-behaviour check passes, the back end verifies the parameters in the seckill request to further confirm that the request is eligible.
FIG. 4 schematically illustrates a flow diagram of a seckill request and its verification according to an embodiment of the disclosure. The specific calculation process and similar details in the flow shown in fig. 4 are exemplary only and do not limit the present disclosure in any way.
As shown in fig. 4, the method includes steps 1 to 5 performed by the front end and steps 6 to 7 performed by the back end.
First, steps 1 to 5 are executed at the front end.
Step 1, obtain the unencrypted character string from the parameter information the user enters in the input boxes of the seckill system's front-end page. Specifically, at least one field provided in the front-end page input boxes is spliced into the unencrypted string reqParams. The at least one field may include, for example, a user name, telephone number, identification number, account number, user mailbox, year of birth, month of birth, and so on. The information entered through the front-end page may be entered when the seckill session is established, or at a registration stage before the session.
Step 2, while generating the seckill request, the front end obtains the client's session identifier sessionId through the seckill request link and generates a corresponding random number randomId for the request. The length of randomId can be chosen freely, for example a 20-digit random number. In some embodiments randomId may be derived from the time at which the seckill request is generated, for example from the millisecond or nanosecond part of that timestamp.
Step 3, splice "characters 2-3 of randomId + characters 3-5 of sessionId + characters 3-4 of randomId + characters 5-7 of sessionId" into a first character string, the request number ranNum. Then take the MD5 value of ranNum as the second character string, so that ranNum has been converted irreversibly. The key for the XXTEA encryption is then taken from characters 4 to 9 of the MD5 value of ranNum.
Step 4, call the XXTEA encryption method with the key and the unencrypted character string reqParams as parameters to produce the encrypted character string encrytParams.
Step 5, take the client sessionId, the random number randomId, the encrypted character string encrytParams and the unencrypted character string reqParams as parameters of the seckill request and send the request to the back end.
In the key generation of this embodiment, characters are extracted from randomId and sessionId in different ways and interleaved out of order when spliced, which lowers the chance that fraud tooling reproduces the key and raises the cost of an attack. Even if an attacker captures the sessionId and randomId used in the encryption flow with a packet-capture tool at the front end, and even recovers the key used for XXTEA, they still have to work out how that key was derived from sessionId and randomId. In this embodiment the relation between ranNum, sessionId and the key passes through a random value and an irreversible hash, so the key generation algorithm is difficult to break with a limited number of attempts, which blocks fraud tooling from issuing seckill requests in bulk within a short time.
Then the back end executes steps 6 to 7 to verify the seckill request.
Step 6, the back end calls the seckill interface for the received seckill request.
Step 7, the seckill interface generates the key from the client sessionId and random number randomId in the request, using the key generation algorithm agreed with the front end, and calls the XXTEA decryption method with the key and the encrypted character string encrytParams as parameters to produce the decrypted character string oriParams. It then compares oriParams with the unencrypted character string reqParams: if they are identical, the parameter check passes and the seckill request can be completed; if they differ, the seckill request is rejected.
In this way, in the embodiment of the present disclosure the unencrypted character string built from the transaction's information elements in the seckill system is the plaintext block of the XXTEA algorithm; the characters of "client sessionId + random number randomId" are spliced, the MD5 value is taken, and characters are then extracted from it as the key. The final submission to the seckill interface has four parts: the client sessionId, the random number randomId, the encrypted character string encrytParams and the unencrypted character string reqParams. The back-end seckill interface generates the key from the first two parts of the request, decrypts the string, and compares the decrypted character string oriParams with the unencrypted character string reqParams: if the two are identical, the parameter check passes and the seckill request completes; otherwise it is rejected.
It can also be seen from fig. 4 that steps 1 to 7 above can be used as a supplement to page-behaviour verification, where the seckill interface is called only after the page-behaviour check passes. The embodiment of the disclosure thus verifies parameter validity without the client being aware of it, uses the client's unique sessionId and random randomId to control the rate at which fraud tooling can submit parameter information, and, as a supplement to page-behaviour verification, mitigates to some extent the problem of fraud tooling hoarding stock.
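The front-end steps 1 to 5 and back-end steps 6 to 7 above, worked through end to end in Python as an added example; this is not code from the patent or from ICBC. It assumes that the character positions in step 3 are 1-based and inclusive, that the six hex characters taken from the MD5 digest are zero-padded to XXTEA's 128-bit key, that XXTEA is the published corrected block TEA applied to little-endian 32-bit words with zero padding and a trailing length word, and that the request fields are named sessionId, randomId, encryptParams and reqParams; the sample session and user data are constructed. One property a practitioner should keep in mind, which the example makes visible: the back end recomputes the key from values carried in clear in the same request, so a passing check shows that the sender ran the agreed derivation, not that it holds a secret, which is why the page positions this as a supplement to page-behaviour verification.

```python
# Added example of the Fig. 4 flow (front-end steps 1-5, back-end steps 6-7); not the patent's code.
import hashlib
import secrets
import struct
import time

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    # XXTEA mixing function (corrected block TEA), all arithmetic mod 2**32.
    a = ((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))
    b = (s ^ y) + (k[(p & 3) ^ e] ^ z)
    return (a ^ b) & MASK

def _btea_encrypt(v, k):
    v, n = list(v), len(v)
    rounds, s, z = 6 + 52 // n, 0, v[-1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            z = v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
        z = v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
    return v

def _btea_decrypt(v, k):
    v, n = list(v), len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            y = v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
        y = v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, k)) & MASK
        s = (s - DELTA) & MASK
    return v

def xxtea_encrypt(data, key):
    # Framing (assumption): little-endian 32-bit words, zero padding, trailing length word.
    if not data or len(key) != 16:
        raise ValueError("empty plaintext or key is not 128 bits")
    padded = data + b"\x00" * (-len(data) % 4)
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded)) + [len(data)]
    out = _btea_encrypt(words, struct.unpack("<4I", key))
    return struct.pack("<%dI" % len(out), *out)

def xxtea_decrypt(blob, key):
    if len(blob) < 8 or len(blob) % 4 or len(key) != 16:
        raise ValueError("malformed ciphertext or key")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    *body, length = _btea_decrypt(words, struct.unpack("<4I", key))
    if not 4 * (len(body) - 1) < length <= 4 * len(body):
        raise ValueError("malformed ciphertext")  # wrong key or tampering breaks the trailer
    return struct.pack("<%dI" % len(body), *body)[:length]

def splice_request_number(session_id, random_id):
    # Step 3 positions (assumed 1-based, inclusive): randomId 2-3 + sessionId 3-5 + randomId 3-4 + sessionId 5-7.
    if len(session_id) < 7 or len(random_id) < 4:
        raise ValueError("identifiers too short for the agreed positions")
    return random_id[1:3] + session_id[2:5] + random_id[2:4] + session_id[4:7]

def derive_key(session_id, random_id):
    ran_num = splice_request_number(session_id, random_id)
    digest = hashlib.md5(ran_num.encode()).hexdigest()   # irreversible step (S232 / S332)
    fragment = digest[3:9]                                # characters 4-9 of the hex digest
    return fragment.encode().ljust(16, b"\x00")           # assumption: zero-pad to 128 bits

def make_random_id():
    # 20 digits: 8 from the request's nanosecond timestamp, 12 from a CSPRNG.
    return "%08d" % (time.time_ns() % 10**8) + "".join(secrets.choice("0123456789") for _ in range(12))

def build_request(session_id, req_params, random_id=None):
    # Front end, steps 1-5; the field names are assumed, not given by the page.
    random_id = random_id or make_random_id()
    key = derive_key(session_id, random_id)
    return {"sessionId": session_id, "randomId": random_id,
            "encryptParams": xxtea_encrypt(req_params.encode(), key).hex(),
            "reqParams": req_params}

def verify_request(req, active_sessions):
    # Back end, steps 6-7 (S310-S350): cheap checks first, decrypt and compare last.
    for field in ("sessionId", "randomId", "encryptParams", "reqParams"):
        if not isinstance(req.get(field), str) or not req[field]:
            return False, "missing " + field
    if req["sessionId"] not in active_sessions:
        return False, "unknown session"                   # rejected before any decryption
    try:
        key = derive_key(req["sessionId"], req["randomId"])
        ori_params = xxtea_decrypt(bytes.fromhex(req["encryptParams"]), key).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "undecryptable"                     # tampered or key does not match
    if ori_params != req["reqParams"]:
        return False, "parameter mismatch"
    return True, "ok"
```

Calling `build_request("sess-0001-xyz", "name=Alice&phone=13800000000")` on the front end and `verify_request(request, {"sess-0001-xyz"})` on the back end returns `(True, "ok")`; changing `reqParams` after the fact yields `(False, "parameter mismatch")`, and a session the back end does not know is refused before any decryption work is done, which is the ordering L117 and L132 describe. The trailer-length check in `xxtea_decrypt` is what turns a wrong key or a corrupted ciphertext into a clean rejection rather than garbage being compared.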
The embodiment of the disclosure also provides a seckill request device arranged at the front end; see the detailed description of fig. 5.
Fig. 5 schematically shows a block diagram of a seckill request device 500 provided at a front end according to an embodiment of the present disclosure.
As shown in fig. 5, the seckill request device 500 arranged at the front end may include a first obtaining module 510, a first key generating module 520, a first encrypting module 530 and a first sending module 540. The seckill request device 500 can be used to implement the seckill request method described with reference to fig. 2.
The first obtaining module 510 is configured to obtain an unencrypted character string and parameter information related to a seckill request, where the parameter information includes N data items, N being an integer greater than or equal to 2. In one embodiment, the first obtaining module 510 may perform operations S210 and S220 described previously.
The first key generation module 520 is configured to generate a key according to a key generation algorithm based on the parameter information; wherein, the key generation algorithm comprises: extracting at least partial characters from the N data to combine into a first character string, converting the first character string into a second character string through an irreversible encryption algorithm, and generating a key based on the second character string. In one embodiment, the first key generation module 520 may perform operations S231 to S233 described above.
The first encryption module 530 is configured to encrypt the unencrypted character string by a symmetric encryption algorithm using a key to obtain an encrypted character string. In one embodiment, the first encryption module 530 may perform operation S240 described above.
The first sending module 540 is configured to send the seckill request to the back end with the parameter information, the encrypted character string and the unencrypted character string as components of the request. In one embodiment, the first sending module 540 may perform operation S250 described above.
According to an embodiment of the present disclosure, any plurality of the first obtaining module 510, the first key generating module 520, the first encrypting module 530, and the first transmitting module 540 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 510, the first key generating module 520, the first encrypting module 530 and the first sending module 540 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware and firmware, or an appropriate combination of any several of them. Alternatively, at least one of the first obtaining module 510, the first key generating module 520, the first encryption module 530 and the first sending module 540 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.
The embodiment of the present disclosure further provides a seckill verification device arranged at the back end; see the detailed description of fig. 6.
Fig. 6 schematically shows a block diagram of a seckill verification device 600 provided at the back end according to an embodiment of the present disclosure.
As shown in fig. 6, the seckill verification device 600 arranged at the back end may include a second receiving module 610, a second extracting module 620, a second key generating module 630, a second decrypting module 640 and a second verifying module 650. The seckill verification device 600 may be used to implement the seckill verification method described with reference to fig. 3.
The second receiving module 610 is configured to receive a seckill request. In one embodiment, the second receiving module 610 may perform operation S310 described above.
The second extraction module 620 is configured to extract the parameter information, the encrypted character string and the unencrypted character string from the seckill request, where the parameter information includes N data items. In one embodiment, the second extraction module 620 may perform operation S320 described above.
The second key generation module 630 is configured to generate a key according to a key generation algorithm based on the parameter information. Wherein, the key generation algorithm comprises: extracting at least partial characters from the N data to combine into a first character string, converting the first character string into a second character string through an irreversible encryption algorithm, and generating a key based on the second character string. In one embodiment, the second key generation module 630 may perform operations S331 to S333 described above.
The second decryption module 640 is configured to decrypt the encrypted string through a symmetric encryption algorithm using the key to obtain a decrypted string. In one embodiment, the second decryption module 640 may perform operation S340 described above.
The second verification module 650 is configured to reject the seckill request when the decrypted string is inconsistent with the unencrypted string. In one embodiment, the second verification module 650 may perform operation S350 described above.
According to an embodiment of the present disclosure, any plurality of the second receiving module 610, the second extracting module 620, the second key generating module 630, the second decrypting module 640, and the second verifying module 650 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the second receiving module 610, the second extracting module 620, the second key generating module 630, the second decrypting module 640, and the second verifying module 650 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or by a suitable combination of any of them. Alternatively, at least one of the second receiving module 610, the second extracting module 620, the second key generating module 630, the second decrypting module 640 and the second verifying module 650 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
The embodiment of the disclosure also provides a seckill system comprising a front end and a back end. The front end is provided with a seckill request device 500 as shown in fig. 5, and the back end with a seckill verification device 600 as shown in fig. 6. In the seckill system the front end and the back end use an agreed key generation algorithm and an agreed symmetric encryption algorithm. The seckill system may perform the method described with reference to fig. 4 above. Its structure follows the descriptions of fig. 5 and fig. 6 and its operation the description of fig. 4, which are not repeated here.
Fig. 7 schematically illustrates a block diagram of a computer system suitable for implementing the seckill request method or the seckill verification method according to an embodiment of the present disclosure.
As shown in fig. 7, a computer system 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the computer system 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to embodiments of the present disclosure, the computer system 700 may also include an input/output (I/O) interface 705, the input/output (I/O) interface 705 also being connected to the bus 704. The computer system 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that the computer program read out therefrom is mounted in the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist separately without being assembled into that device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a seckill request method or a seckill verification method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated by the flow charts. When the computer program product runs in a computer system, the program code causes the computer system to carry out the seckill request method or the seckill verification method provided by the embodiments of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The above described systems, devices, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, and the like. In another embodiment, the computer program may also be transmitted in the form of a signal over a network medium, distributed, and downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiments of the present disclosure. The above described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for the computer programs provided by the embodiments may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the C language, and the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the disclosure, and these alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

1. A seckill request method, applied to a front end, comprising:
acquiring an unencrypted character string;
acquiring parameter information related to a seckill request, wherein the parameter information comprises N data items, N being an integer greater than or equal to 2;
generating a key according to a key generation algorithm based on the parameter information; wherein the key generation algorithm comprises:
extracting at least partial characters from the N data to be spliced into a first character string;
converting the first character string through an irreversible encryption algorithm to obtain a second character string;
generating the key based on the second string;
encrypting the unencrypted character string by a symmetric encryption algorithm by using the secret key to obtain an encrypted character string; and
taking the parameter information, the encrypted character string and the unencrypted character string as components of the seckill request, and sending the seckill request to a back end.
2. The method of claim 1, wherein the obtaining an unencrypted string comprises:
splicing information of the user sending the seckill request to obtain the unencrypted character string.
3. The method of claim 1, wherein said extracting at least some of the characters from the N data into a first string comprises:
in the first character string, the characters extracted from the same data item are not all grouped together.
4. The method of claim 1, wherein said extracting at least some of the characters from the N data into a first string comprises:
extracting characters from each of the N data items in a different manner.
5. The method of claim 1, wherein the irreversible encryption algorithm comprises an MD5 message digest algorithm.
6. The method of claim 1, wherein the N data items include a session identifier of the session to which the seckill request belongs and a random number generated for the seckill request.
7. A seckill verification method, applied to a back end, comprising:
receiving a seckill request;
extracting parameter information, an encrypted character string and an unencrypted character string from the seckill request; wherein the parameter information comprises N data items;
generating a key according to a key generation algorithm based on the parameter information; wherein the key generation algorithm comprises:
extracting at least partial characters from the N data to form a first character string;
converting the first character string through an irreversible encryption algorithm to obtain a second character string;
generating the key based on the second string;
decrypting the encrypted character string by using the key through a symmetric encryption algorithm to obtain a decrypted character string; and
when the decrypted character string is inconsistent with the unencrypted character string, rejecting the seckill request.
8. A seckill request device, arranged at a front end, comprising:
a first acquisition module for acquiring an unencrypted character string and parameter information related to a seckill request, wherein the parameter information comprises N data items, N being an integer greater than or equal to 2;
the first key generation module is used for generating a key according to a key generation algorithm based on the parameter information; wherein the key generation algorithm comprises:
extracting at least partial characters from the N data to form a first character string;
converting the first character string through an irreversible encryption algorithm to obtain a second character string;
generating the key based on the second string;
the first encryption module is used for encrypting the unencrypted character string by a symmetric encryption algorithm by using the secret key to obtain an encrypted character string; and
a first sending module for sending the seckill request to a back end, taking the parameter information, the encrypted character string and the unencrypted character string as components of the seckill request.
9. A seckill verification device, arranged at a back end, comprising:
a second receiving module for receiving a seckill request;
a second extraction module for extracting the parameter information, the encrypted character string and the unencrypted character string from the seckill request; wherein the parameter information comprises N data items;
the second key generation module is used for generating a key according to a key generation algorithm based on the parameter information; wherein the key generation algorithm comprises:
extracting at least partial characters from the N data to form a first character string;
converting the first character string through an irreversible encryption algorithm to obtain a second character string;
generating the key based on the second character string;
the second decryption module is used for decrypting the encrypted character string through a symmetric encryption algorithm by using the key to obtain a decrypted character string; and
the second verification module is used for rejecting the killing-per-second request when the decrypted character string is inconsistent with the unencrypted character string.
10. A killing-per-second system, comprising:
a front end for performing the killing-per-second request method according to any one of claims 1 to 6; and
a back end for performing the killing-per-second verification method according to claim 7;
wherein the front end and the back end use an agreed key generation algorithm and an agreed symmetric encryption algorithm.
11. A computer system, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the killing-per-second request method according to any one of claims 1 to 6, or the killing-per-second verification method according to claim 7.
12. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the killing-per-second request method according to any one of claims 1 to 6, or the killing-per-second verification method according to claim 7.
13. A computer program product comprising computer program instructions which, when executed by a processor, implement the method according to any one of claims 1 to 6 or the method according to claim 7.
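The front-end request construction (claims 1 and 8) and the back-end verification (claims 7 and 9), as an added worked example that is not code from the patent or its applicant. It assumes a concrete extraction rule (the first four characters of each of the N data, joined in sorted key order), SHA-256 as the irreversible algorithm, and a constructed HMAC-based keystream cipher standing in for the agreed symmetric cipher; the sample parameters are constructed.

```python
import hashlib
import hmac

# Assumed extraction rule for the "first character string" (the claims leave
# the concrete rule to the agreement between front end and back end): the
# first EXTRACT_CHARS characters of each of the N data, joined in a fixed order.
EXTRACT_CHARS = 4


def derive_key(params: dict) -> bytes:
    """Key generation algorithm of the claims: splice partial characters of the
    N data into a first string, convert it with an irreversible algorithm
    (SHA-256 here) into a second string, and derive the key from that."""
    if len(params) < 2:
        raise ValueError("parameter information must contain N >= 2 data")
    first_string = "".join(str(params[k])[:EXTRACT_CHARS] for k in sorted(params))
    second_string = hashlib.sha256(first_string.encode()).hexdigest()
    return bytes.fromhex(second_string)  # 32-byte key


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the agreed symmetric cipher (constructed for this example):
    XOR with an HMAC-SHA256 counter-mode keystream. The same call encrypts and
    decrypts; a deployment would use the agreed cipher, e.g. AES."""
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_request(params: dict, plaintext: str) -> dict:
    """Front end (claims 1 and 8): send parameters, ciphertext and plaintext."""
    key = derive_key(params)
    encrypted = symmetric_xor(key, plaintext.encode()).hex()
    return {"params": dict(params), "encrypted": encrypted, "plain": plaintext}


def verify_request(req: dict) -> bool:
    """Back end (claims 7 and 9): rebuild the key from the received parameters,
    decrypt, and reject unless the result equals the unencrypted string."""
    decrypted = symmetric_xor(derive_key(req["params"]), bytes.fromhex(req["encrypted"]))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(decrypted, req["plain"].encode())


# Constructed sample: N = 3 data describing one flash-sale order.
SAMPLE_PARAMS = {"user_id": "u1002938", "sku": "SKU-7781", "ts": "1664236800"}
```

Because the key binds only the extracted characters, a change to a non-extracted part of a datum (for example "SKU-7781" to "SKU-7799" under this rule) leaves the key unchanged and the request still verifies; the agreed extraction rule therefore has to cover the characters that matter, or those values must also be carried in the unencrypted string.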
CN202211186416.8A 2022-09-27 2022-09-27 Killing-per-second request method, killing-per-second verification method, device, system and medium Pending CN115694902A (en)

Publications (1)

Publication Number Publication Date
CN115694902A true CN115694902A (en) 2023-02-03

Family

ID=85065480

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination