CN116582368B - Network information security protection method and system - Google Patents


Info

Publication number
CN116582368B
Authority
CN
China
Prior art keywords
request
information
verification
application
session
Prior art date
Legal status
Active
Application number
CN202310855068.7A
Other languages
Chinese (zh)
Other versions
CN116582368A (en)
Inventor
伍京华
周广娟
刘营
孙怡
曹瑞阳
张亚
Current Assignee
China University of Mining and Technology Beijing CUMTB
Original Assignee
China University of Mining and Technology Beijing CUMTB
Priority date
Filing date
Publication date
Events
    • Application filed by China University of Mining and Technology Beijing CUMTB
    • Priority to CN202310855068.7A
    • Publication of CN116582368A
    • Application granted
    • Publication of CN116582368B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
    • H04L9/40 Network security protocols
    • Y02D30/50 Reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a network information security protection method and system. The method comprises the following steps: the application end plug-in intercepts the first session request and feeds the generated information back to the front end, and the front end plug-in generates a first verification request; the server end performs validity verification on the information contained in the first verification request; when the validity verification passes, the server end processes the generated first request information to produce verification information and feeds back the result of the validity verification and the verification information to the front end, and the front end plug-in generates a second session request and sends it to the application end plug-in; the application end plug-in acquires the second request information in the second session request and sends it to the server end, and the server end searches for the first request information according to the verification information and compares it with the second request information; when the server end does not find the stored first request information, or the comparison of the second request information with the stored information is inconsistent, man-in-the-middle hijacking is confirmed.

Description

Network information security protection method and system
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and a system for protecting network information, a computer readable storage medium, and an electronic device.
Background
HTTPS requests are requests from a client to a server and are generally considered free of security problems; however, with the development of technology, a new form of man-in-the-middle attack against HTTPS has appeared. An attacker uses forged certificates, relying on means such as DNS hijacking or a trojan that inserts a trusted certificate into the user's system, to hijack HTTPS requests and carry out a man-in-the-middle attack, creating great potential hazards to the property and information security of users. Currently, there is no mature solution for this attack.
Thus, there is a need to provide a solution to the above-mentioned deficiencies of the prior art.
Disclosure of Invention
The present application aims to provide a method, a system, a computer readable storage medium and an electronic device for protecting network information, which solve or alleviate the problems in the prior art.
In order to achieve the above object, the present application provides the following technical solutions:
the application provides a network information security protection method, which comprises the following steps: introducing an application end plug-in at an application end, intercepting a first session request at the application end through the application end plug-in, and feeding back the generated temporary session hash, application information and the unique identifier of a selected server end to a front end; introducing a front end plug-in at the front end, intercepting the temporary session hash, the application information and the unique identifier through the front end plug-in, generating a first verification request and sending it to the server end; in response to the server end receiving the first verification request sent by the front end, performing validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request; in response to the validity verification passing, the server end generating first request information according to the application information, processing the first request information to generate verification information, and feeding back the result of the validity verification and the verification information to the front end, where the front end plug-in processes them to generate a second session request and sends it to the application end; in response to the application end receiving the second session request, the application end plug-in processing the second session request, acquiring the second request information of the second session request, and sending the second request information to the server end; the server end searching for the first request information according to the verification information contained in the received second request information and comparing the first request information with the second request information; and if the server end does not find the first request information, or the comparison result of the first request information and the second request information is inconsistent, confirming that man-in-the-middle hijacking has been encountered.
Preferably, the application end plug-in selects one from a plurality of server ends, and feeds back the unique identifier of the selected server end to the front end plug-in.
Preferably, the validity verification is performed on the temporary session hash, the application information and the unique identifier based on a salified hash algorithm or an encryption algorithm.
Preferably, the first request information is subjected to a hash operation or an encryption operation to generate the verification information.
Preferably, in response to the validity verification passing, a result of the validity verification passing and the verification information are fed back to the front-end plug-in, so that the front-end plug-in adds the temporary session hash, the unique identifier and the verification information in the first session request to generate the second session request.
Preferably, after receiving the second session request, the application end sends it to the application end plug-in for processing, and the application end plug-in judges whether the second session request is a legal request according to the temporary session hash; if it is a legal request, the verification information and the second request information in the second session request are extracted and sent to the server end, and if it is not a legal request, it is confirmed that man-in-the-middle hijacking has been encountered.
Preferably, in response to the comparison result of the first request information and the second request information being consistent, the server returns a result to the application end, the application end plug-in generates a short-term session hash, the short-term session hash is returned to the front end, the front end stores the short-term session hash and adds the short-term session hash to a subsequent request parameter, the front end uses the short-term session hash to perform a subsequent request, and the application end does not intercept any more.
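As an added illustration (not code from the patent or its applicant) of the short-term session hash and the session-expiration mechanism the application relies on, the Python sketch below has the application end plug-in issue a short-term session hash once the server end reports a consistent comparison, lets subsequent requests that carry a live hash pass without interception, and forces a new handshake once the hash has expired. The store layout, the lifetime value, the parameter name and the function names are assumptions made for this example.

```python
import secrets
import time

# Assumed lifetime of a short-term session hash, in seconds (not a value from the patent).
SESSION_LIFETIME_SECONDS = 300


class ShortTermSessionStore:
    """Kept by the application end plug-in: short-term session hash -> (app info, expiry)."""

    def __init__(self, lifetime=SESSION_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock  # injectable clock so expiry can be exercised deterministically
        self.sessions = {}

    def issue(self, app_info: str) -> str:
        """Called once the server end reports that info 1 and info 2 are consistent."""
        short_hash = secrets.token_hex(32)  # 256-bit random value, not derivable by a third party
        self.sessions[short_hash] = (app_info, self.clock() + self.lifetime)
        return short_hash

    def validate(self, short_hash) -> str:
        """'bypass'   : live hash, the application end does not intercept this request
           'expired'  : known hash past its lifetime, removed; the handshake must be rerun
           'intercept': no hash or unknown hash, the first-session interception applies"""
        entry = self.sessions.get(short_hash) if short_hash else None
        if entry is None:
            return "intercept"
        _app_info, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[short_hash]
            return "expired"
        return "bypass"

    def purge_expired(self) -> int:
        """Housekeeping: drop every expired entry and return how many were removed."""
        now = self.clock()
        stale = [h for h, (_, exp) in self.sessions.items() if now >= exp]
        for h in stale:
            del self.sessions[h]
        return len(stale)


def handle_subsequent_request(store: ShortTermSessionStore, params: dict) -> str:
    """The front end adds the short-term session hash to each subsequent request's
    parameters (assumed parameter name); the application end decides whether to intercept."""
    return store.validate(params.get("short_session_hash"))


if __name__ == "__main__":
    store = ShortTermSessionStore(lifetime=60)
    h = store.issue("shop-app|sess-1")  # constructed application info
    print(handle_subsequent_request(store, {"short_session_hash": h}))  # bypass
    print(handle_subsequent_request(store, {}))                         # intercept
```

The clock is injected rather than read from `time.time` inside the methods so that the expiry path can be driven in a test; in deployment the default real clock is used and `purge_expired` can run periodically so that the store does not grow without bound.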
The embodiment of the application also provides a network information security protection system, which comprises: a first verification request generation unit, configured to introduce an application end plug-in at an application end, intercept a first session request at the application end through the application end plug-in, feed back the generated temporary session hash, application information and the unique identifier of a selected server end to a front end, introduce a front end plug-in at the front end, intercept the temporary session hash, the application information and the unique identifier through the front end plug-in, and generate a first verification request to be sent to the server end; a validity verification unit, configured to respond to the server end receiving the first verification request sent by the front end by performing validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request; a verification information generating unit, configured to respond to the validity verification passing by having the server end generate first request information according to the application information, process the first request information to generate verification information, and feed back the result of the validity verification and the verification information to the front end, where the front end plug-in processes them to generate a second session request and sends it to the application end; a second verification request generation unit, configured to respond to the application end receiving the second session request by having the application end plug-in process the second session request, acquire the second request information of the second session request, and send the second request information to the server end; an information comparison unit, configured to have the server end search for the first request information according to the verification information contained in the received second request information and compare the first request information with the second request information; and a confirmation unit, configured to confirm that man-in-the-middle hijacking has been encountered if the server end does not find the first request information or the comparison result of the first request information and the second request information is inconsistent.
The embodiment of the application also provides a computer readable storage medium on which a computer program is stored, the computer program implementing the network information security protection method described in any one of the above when executed.
The embodiment of the application also provides electronic equipment, which comprises: memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the network information security protection method according to any one of the above claims when executing the program.
Advantageous effects
In the technical scheme for protecting network information, after the application end plug-in receives the first session request sent by the front end plug-in, it generates a temporary session hash and application information, selects one of a plurality of server ends, and feeds back the temporary session hash, the application information and the unique identifier of the selected server end to the front end plug-in for processing; the front end plug-in sends the generated first verification request to the selected server end, which performs validity verification on the temporary session hash, application information and unique identifier contained in it. If the validity verification fails, abnormal information is fed back to the front end plug-in, that is, man-in-the-middle hijacking is deemed to have occurred. If the validity verification passes, the server end generates first request information according to the application information, performs an encryption operation on the first request information to generate verification information, and feeds back the result of the validity verification and the verification information to the front end plug-in, which generates a second session request and sends it to the application end plug-in. When the application end plug-in receives the second session request, it obtains the second request information in the second session request, generates second verification information and sends it to the server end; the server end searches for the first request information according to the verification information contained in the received second verification information and compares the first request information with the second request information. If the server end does not find the first request information, or the comparison result of the first request information and the second request information is inconsistent, man-in-the-middle hijacking is confirmed. By combining the application end plug-in with the server end, together with mechanisms such as link detection and session expiration, the method prevents man-in-the-middle hijacking more strictly and accurately and effectively improves information and property security; in addition, the front end can be handled in JavaScript, so no additional device is required and the technique is easier to deploy.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. Wherein:
FIG. 1 is a flow chart of a network information security protection method according to some embodiments of the present application;
FIG. 2 is a logic diagram of a network information security protection method according to some embodiments of the present application;
FIG. 3 is a schematic architecture diagram of a network information security protection method according to some embodiments of the present application;
FIG. 4 is a data flow diagram of a network information security protection method according to some embodiments of the present application;
FIG. 5 is a schematic diagram of a network information security protection system according to some embodiments of the present application;
FIG. 6 is a schematic structural diagram of an electronic device according to some embodiments of the present application;
FIG. 7 is a hardware configuration diagram of an electronic device according to some embodiments of the present application.
Detailed Description
The application will be described in detail below with reference to the drawings in connection with embodiments. The examples are provided by way of explanation of the application and not limitation of the application. Indeed, it will be apparent to those skilled in the art that modifications and variations can be made in the present application without departing from the scope or spirit of the application. For example, features illustrated or described as part of one embodiment can be used on another embodiment to yield still a further embodiment. Accordingly, it is intended that the present application encompass such modifications and variations as fall within the scope of the appended claims and their equivalents.
In the existing man-in-the-middle attack against HTTPS, an attacker inserts trusted certificates into the user's system by means such as DNS hijacking and trojan viruses, and uses forged certificates to hijack the HTTPS request and complete the man-in-the-middle attack. The industry has no mature solution for this attack mode; on this basis, the applicant provides a network information security protection method that achieves effective prevention of man-in-the-middle hijacking by combining an application end plug-in with a server end, together with link detection, session expiration and other mechanisms.
As shown in fig. 1 to 4, the security protection method of network information includes:
step S101, introducing an application end plug-in at an application end, intercepting a first session request at the application end through the application end plug-in, and feeding back the generated temporary session hash, application information and a selected unique identifier of a server end to a front end; and introducing a front-end plug-in into the front end, intercepting the temporary session hash, the application information and the unique identifier through the front-end plug-in, generating a first verification request and sending the first verification request to the server.
In the application, when an application end plug-in receives a first session request, the generated temporary session hash, application information and a unique identifier of a selected server end are fed back to a front end for processing so as to generate a first verification request.
Request information and feedback information are exchanged between the front end and the server, where the server comprises the application end plug-in and a plurality of server ends. Each server end is assigned a unique identifier; the application end plug-in randomly selects one server end from the plurality to verify the request and feeds the unique identifier of the selected server end back to the front end plug-in. The server end can then be checked against this unique identifier, which effectively prevents a forged server end. Here, the front end includes a browser and an application (APP), which may be deployed on Android, Apple (iOS) and Windows clients, but is not limited thereto. For ease of understanding, the embodiments of the present application are described using a browser as an example.
The browser side requests the application side plug-in, sends a first session request to the application side plug-in, the first session request does not contain authentication information, the application side plug-in calls a signature module of the first session request, generates temporary session hash (hash 1) of the first session request and application information (such as application name, session token and the like), and can effectively identify which application and session the request comes from through the application information. Meanwhile, the application end plug-in selects one of the plurality of server ends, and returns the temporary session hash (hash 1), the application information and the unique identification of the selected server end to the browser end.
According to the security level of the plug-in configuration of the application end, the temporary session hash (hash 1), the application information and the unique identification of the selected server end are returned to the browser end in different modes such as simple redirection, simple AJAX communication, verification added redirection, verification added AJAX, encryption redirection, encryption AJAX communication and the like.
After receiving the temporary session hash (hash 1), the application information and the unique identifier of the selected server end returned by the application end plug-in, the browser end either forwards the data directly (for example via a 302 redirect) or applies RSA (Rivest-Shamir-Adleman) encryption and the like according to the configured security level, generates a first verification request and submits it to the selected server end. That is, the first verification request includes the temporary session hash (hash 1), the application information and the unique identifier of the selected server end.
Step S102, the server receives a first verification request sent by the front end, and performs validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request.
After receiving the first verification request submitted by the browser end, the server end invokes its verification module and performs validity verification on the temporary session hash, application information and unique identifier contained in the first verification request based on a salted hash algorithm or an encryption algorithm (symmetric or asymmetric). That is, the server end performs a hash operation (or encryption operation) on the first verification request according to a preset rule and compares the resulting new message digest with the message digest included in the first verification request; if the two are consistent, the validity verification of the first verification request passes.
In the present application, the server end supports several data verification algorithms of different security levels, which the application end specifies when the application end plug-in is initialized. The verification algorithms are arranged in five levels from low to high security, including simple redirection, hash verification, symmetric encryption (of the data) and asymmetric encryption (of the data). According to the security level configured for the server to which the application end plug-in belongs, the validity of the temporary session hash, the application information and the unique identifier contained in the first verification request is verified in the corresponding manner.
Simple redirection means that the application end plug-in generates the verification address, the front end plug-in requests the server end with it, and the server end processes the verification address directly. During processing by the application end plug-in, an additional salted hash of the request data is attached, and the server end can also check the request parameters against that hash to prevent forged parameters. The application end can additionally attach processed browser information; the front end plug-in can also process the browser information and attach an additional salted hash to the request parameters, and the server end can then verify the browser information against the hash. Symmetric encryption performs DES encryption of the data at the front end and DES decryption at the server end. Asymmetric encryption performs RSA encryption of the data in the front end plug-in and decryption at the server end.
When the security level configured for the server to which the application end plug-in belongs is level one, the configuration, IP, network node path and DNS of the requested server end are checked; if the check succeeds, the 302 redirect is performed directly, and if not, hijacking is assumed.
When the security level configured for the server to which the application end plug-in belongs is level two, salted hash verification is performed on the temporary session hash, the application information and the unique identifier contained in the first verification request: the hash value and the salt value are looked up in the database according to the unique identifier in the first verification request, and the salt and hash are matched against the hash value carried in the request; if the verification succeeds the request is accepted, and if it fails, hijacking is assumed.
When the security level configured for the server to which the application end plug-in belongs is level three, symmetric encryption key verification is performed on the temporary session hash, the application information and the unique identifier contained in the first verification request. The local symmetric encryption algorithm may be DES, DESede or AES. The server end decrypts the encrypted data sent in the first verification request with its local key and then performs the comparison; if the verification succeeds the request is accepted, and if it fails, hijacking is assumed.
When the security level configured for the server to which the application end plug-in belongs is level four, asymmetric encryption verification is performed on the temporary session hash, the application information and the unique identifier contained in the first verification request, where the asymmetric encryption algorithm may be RSA, ECC (for mobile devices), Diffie-Hellman, ElGamal, DSA, etc. The server end decrypts the encrypted information with the private key it stores and performs the comparison; if the comparison passes, the check succeeds, and if not, hijacking is assumed.
Step S103, in response to passing of the validity verification, the server side generates first request information according to the application information, processes the first request information to generate verification information, feeds back a result of passing of the validity verification and the verification information to the front end, and processes the result and the verification information by the front end plug-in to generate a second session request and sends the second session request to the application side.
If the server passes the validity verification of the first verification request, the application information is used to generate first request information (info 1), and the first request information includes, but is not limited to, a link of a requester, an IP of the requester, and the like.
Then, the server stores the first request information in its storage module and invokes its signature module to operate on the first request information, obtaining the verification information (hash 2); specifically, the signature module performs a salted hash operation or an RSA operation on the first request information to generate the verification information.
The server returns the result of the validity verification to the browser (front-end plug-in): if the first verification request fails the validity verification, an abnormal result indicating the failure is returned directly to the browser; if the first verification request passes the validity verification, the passing result and the verification information are returned to the browser.
After the browser receives the feedback from the server, it proceeds according to the validity verification result: if the validity verification did not pass, the browser throws the abnormality directly, meaning that man-in-the-middle hijacking has been encountered. If the validity verification passed, the browser adds the temporary session hash (hash 1), the verification information (hash 2) and related information to the request, generating a second call-back request. That is, in response to the validity verification passing, the passing result and the verification information are fed back to the front-end plug-in, and the front-end plug-in adds the temporary session hash, the unique identifier and the verification information to the first session request, generates the second session request, and requests the application end again.
Step S104: in response to the application end receiving the second session request, the application end plug-in processes the second session request, obtains the second request information of the second session request, and sends the second request information to the server end.
Specifically, after receiving the second session request, the application end hands it to the application end plug-in for processing. The application end plug-in judges whether the second session request is a legal request according to the temporary session hash; if it is a legal request, the application end plug-in extracts the verification information and the second request information from the second session request and sends them to the server end; if it is not a legal request, man-in-the-middle hijacking is confirmed.
That is, after the application end receives the second session request sent by the browser, the application end plug-in (information module) is called and uses the temporary session hash to determine whether the second session request is legal. If it is, the request information of the current request (the second request information (info 2)) and the verification information are obtained from the second session request and sent to the selected server end. Specifically, the application end finds the selected server end according to the temporary session hash (hash 1) and requests that server end with parameters such as the verification information (hash 2) and the second request information (info 2). To judge the legality of the second session request through the temporary session hash, the MD5 value of the temporary session hash is computed and compared with the MD5 value stored by the application end at the time of the first session request; if the two MD5 values are consistent, the second session request is considered a legal request.
Step S105: the server searches for the first request information according to the verification information contained in the received second request information, and compares the first request information with the second request information.
After receiving the second request information sent by the application end, the server searches its storage module for the stored first request information (info 1) corresponding to the verification information (hash 2). If the corresponding first request information (info 1) is found, the second request information (info 2) is compared with the first request information (info 1) and the comparison result is sent to the browser. Specifically, the server compares the information abstract (message digest) of the second request information (info 2) with that of the first request information (info 1); if the two digests are consistent, the second request information (info 2) is considered consistent with the first request information (info 1). How the information abstract is obtained is described in step S102 and is not repeated here.
Step S106: if the server does not find the first request information, or the comparison result of the first request information and the second request information is inconsistent, man-in-the-middle hijacking is confirmed.
In this application, if the server does not find the corresponding first request information (info 1) in its storage module, it considers that a man-in-the-middle attack has been encountered, throws an error, and the verification fails. If the server finds the corresponding first request information (info 1), the second request information (info 2) is compared with it; if the comparison result is inconsistent, a man-in-the-middle attack (man-in-the-middle hijacking) is considered to have been encountered, an error is thrown, and the verification fails.
The server returns the comparison result to the application end plug-in, which acts on the verification result (whether the comparison is consistent and whether the first request information (info 1) was found): if the verification failed, a man-in-the-middle attack is considered to have been encountered and an abnormal verification result is returned.
If the verification succeeds, the server returns a consistent comparison result to the application end plug-in, and the application end plug-in calls its signature module to randomly generate a call-back hash that is valid for a short term (the short-term session hash, hash 3) and adds it to the return parameters of the request. That is, in response to the comparison result of the first request information and the second request information being consistent, the server returns the comparison result to the application end, the application end plug-in generates the short-term session hash and returns it to the front end, the front end stores the short-term session hash and attaches it to the parameters of subsequent requests, and the application end no longer intercepts requests made with the short-term session hash.
That is, when the browser (front end) receives the short-term session hash (hash 3), it stores it locally and appends it to every subsequent request, and the application end no longer intercepts a request carrying the short-term session hash (hash 3). When the short-term session hash (hash 3) has expired and a request is made again, the process of establishing the short-term session hash (hash 3) is repeated and a new call-back hash is established.
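The flow of steps S101 to S106, including the level-two salted-hash validity check and the issuing of the short-term session hash, simulated end to end in one process as an added example (not code from the patent). Assumptions not stated on the page: the application end plug-in registers hash 1 and the application information with the selected server so that the server's database holds a salt and a salted hash under that server's unique identifier; information abstracts are SHA-256 over canonical JSON; hash 2 is single-use; hash 3 lives 60 seconds; the hypothetical `tamper` argument simulates an on-path change to the second session request.

```python
import hashlib
import json
import secrets
import time


class MitmDetected(Exception):
    """Raised wherever the flow confirms man-in-the-middle hijacking."""


def digest(obj) -> str:  # information abstract: SHA-256 over canonical JSON (assumption)
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def salted_hash(salt: bytes, *parts: str) -> str:  # level-two salted hash
    return hashlib.sha256(salt + "|".join(parts).encode()).hexdigest()


class ServerEnd:
    def __init__(self, unique_id: str):
        self.unique_id = unique_id
        self.db = {}          # unique identifier -> (salt, hash) for the level-two check
        self.info_store = {}  # storage module: verification information (hash 2) -> info 1

    def register(self, hash1: str, app_info: dict) -> None:
        """Assumed out-of-band step: the app end plug-in registers hash 1 and app info."""
        salt = secrets.token_bytes(16)
        self.db[self.unique_id] = (salt, salted_hash(salt, hash1, digest(app_info)))

    def verify_first_request(self, req: dict) -> str:
        """S102 at level two, then S103: salted-hash validity check, info 1 and hash 2."""
        entry = self.db.get(req["unique_id"])
        if entry is None:
            raise MitmDetected("unknown unique identifier")
        salt, stored = entry
        if salted_hash(salt, req["hash1"], digest(req["app_info"])) != stored:
            raise MitmDetected("validity verification failed")
        info1 = {"link": req["app_info"]["link"], "ip": req["app_info"]["ip"]}
        hash2 = salted_hash(salt, digest(info1))       # signature module: salted hash
        self.info_store[hash2] = info1
        return hash2

    def compare(self, hash2: str, info2: dict) -> bool:
        """S105/S106: find info 1 by hash 2 and compare the two information abstracts."""
        info1 = self.info_store.pop(hash2, None)       # single use (assumption)
        if info1 is None:
            raise MitmDetected("first request information not found")
        if digest(info1) != digest(info2):
            raise MitmDetected("first and second request information inconsistent")
        return True


class AppEndPlugin:
    HASH3_TTL = 60.0  # short-term session hash lifetime in seconds (assumption)

    def __init__(self, servers: dict):
        self.servers = servers   # unique identifier -> ServerEnd
        self.session_md5 = {}    # hash 1 -> MD5 kept from the first session request
        self.short_term = {}     # hash 3 -> expiry time

    def intercept_first(self, request: dict) -> dict:
        """S101: intercept the first session request, pick a server, issue hash 1."""
        hash1 = secrets.token_hex(16)
        self.session_md5[hash1] = hashlib.md5(hash1.encode()).hexdigest()
        server = self.servers[secrets.choice(sorted(self.servers))]
        app_info = {"link": request["link"], "ip": request["ip"]}
        server.register(hash1, app_info)
        return {"hash1": hash1, "app_info": app_info, "unique_id": server.unique_id}

    def handle_second(self, request: dict) -> str:
        """S104: legality check via MD5 of hash 1; hash 2 and info 2 go to the server."""
        stored = self.session_md5.get(request["hash1"])
        if stored is None or hashlib.md5(request["hash1"].encode()).hexdigest() != stored:
            raise MitmDetected("second session request is not legal")
        info2 = {"link": request["link"], "ip": request["ip"]}
        self.servers[request["unique_id"]].compare(request["hash2"], info2)
        hash3 = secrets.token_hex(16)                  # short-term session hash
        self.short_term[hash3] = time.time() + self.HASH3_TTL
        return hash3

    def intercepts(self, request: dict) -> bool:
        """A request carrying an unexpired hash 3 is no longer intercepted."""
        expiry = self.short_term.get(request.get("hash3"))
        return expiry is None or expiry < time.time()


def front_end_send(app: AppEndPlugin, servers: dict, request: dict, tamper=None) -> str:
    """Front-end plug-in side of the flow; returns the short-term session hash."""
    if not app.intercepts(request):
        return request["hash3"]
    fb = app.intercept_first(request)                  # feedback: hash 1, app info, id
    hash2 = servers[fb["unique_id"]].verify_first_request(dict(fb))
    second = {**request, "hash1": fb["hash1"], "unique_id": fb["unique_id"], "hash2": hash2}
    second.update(tamper or {})                        # constructed MITM modification
    return app.handle_second(second)


def run(tamper=None) -> tuple:
    servers = {"srv-A": ServerEnd("srv-A"), "srv-B": ServerEnd("srv-B")}
    app = AppEndPlugin(servers)
    request = {"link": "https://app.example/api/order", "ip": "203.0.113.7"}  # constructed
    try:
        hash3 = front_end_send(app, servers, request, tamper)
        # A later request that appends hash 3 passes without interception.
        reused = front_end_send(app, servers, {**request, "hash3": hash3}) == hash3
        return "ok", reused
    except MitmDetected as exc:
        return "mitm", str(exc)
```

`run()` returns `("ok", True)`, while `run({"link": ...})`, `run({"hash1": ...})` or `run({"hash2": ...})` each end in the `MitmDetected` branch that the corresponding step raises.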
By combining the plug-in at the application end with the server end, together with mechanisms such as link detection and session expiration, the method prevents man-in-the-middle hijacking more strictly and accurately and effectively improves the safety of information and property; in addition, the processing on the browser side (front-end plug-in) can be done in JavaScript, no complex equipment is needed, and the technique is therefore easier to implement.
The embodiment of the application also provides a system for protecting the safety of the network information, as shown in fig. 5, the system for protecting the safety of the network information comprises: a first verification request generation unit 501, a validity verification unit 502, a verification information generation unit 503, a second verification request generation unit 504, an information comparison unit 505, and a confirmation unit 506.
The first verification request generating unit 501 is configured to introduce an application end plug-in at an application end, intercept a first session request at the application end through the application end plug-in, and feed back the generated temporary session hash, application information and a unique identifier of a selected server end to the front end; and introducing a front-end plug-in into the front end, intercepting the temporary session hash, the application information and the unique identifier through the front-end plug-in, generating a first verification request and sending the first verification request to the server.
The validity verification unit 502 is configured to perform validity verification on the temporary session hash, the application information and the unique identifier included in the first verification request in response to the server receiving the first verification request sent by the front end.
The verification information generating unit 503 is configured so that, in response to the validity verification passing, the server generates first request information according to the application information, processes the first request information to generate verification information, and feeds back the passing result and the verification information to the front end, where the front-end plug-in processes them to generate a second session request and sends the second session request to the application end.
The second verification request generating unit 504 is configured so that, in response to the application end receiving the second session request, the application end plug-in processes the second session request, obtains the second request information of the second session request, and sends the second request information to the server end.
The information comparing unit 505 is configured to search the first request information according to the verification information contained in the received second request information, and compare the first request information with the second request information.
The confirmation unit 506 is configured to confirm that the man-in-the-middle hijacking is encountered if the server side does not find the first request information, or if the comparison result of the first request information and the second request information is inconsistent.
The network information security protection system provided by the embodiment of the application can realize the steps and the flow of the network information security protection method of any embodiment, and achieve the same technical effects, and is not described in detail herein.
Fig. 6 is a schematic structural diagram of an electronic device according to some embodiments of the present application; as shown in fig. 6, the electronic device includes:
one or more processors 601;
a computer-readable medium configured to store one or more programs 602; when the one or more processors 601 execute the one or more programs 602, the following steps are implemented: introducing an application end plug-in at the application end, intercepting a first session request at the application end through the application end plug-in, and feeding back the generated temporary session hash, the application information and the unique identifier of the selected server end to the front end; introducing a front-end plug-in at the front end, intercepting the temporary session hash, the application information and the unique identifier through the front-end plug-in, generating a first verification request and sending the first verification request to the server end; the server end receives the first verification request sent by the front end and performs validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request; in response to the validity verification passing, the server end generates first request information according to the application information, processes the first request information to generate verification information, and feeds back the passing result and the verification information to the front end, where the front-end plug-in processes them to generate a second session request and sends the second session request to the application end; in response to the application end receiving the second session request, the application end plug-in processes the second session request, obtains the second request information of the second session request and sends the second request information to the server end; the server end searches for the first request information according to the verification information contained in the received second request information and compares the first request information with the second request information; if the server end does not find the first request information, or the comparison result of the first request information and the second request information is inconsistent, man-in-the-middle hijacking is confirmed.
Fig. 7 is a hardware structure of an electronic device provided according to some embodiments of the application; as shown in fig. 7, the hardware structure of the electronic device may include: a processor 701, a communication interface 702, a computer readable medium 703 and a communication bus 704.
Wherein the processor 701, the communication interface 702, and the computer readable storage medium 703 communicate with each other via a communication bus 704.
Alternatively, the communication interface 702 may be an interface of a communication module, such as an interface of a GSM module.
The processor 701 may be specifically configured to: introduce an application end plug-in at the application end, intercept a first session request at the application end through the application end plug-in, and feed back the generated temporary session hash, the application information and the unique identifier of the selected server end to the front end; introduce a front-end plug-in at the front end, intercept the temporary session hash, the application information and the unique identifier through the front-end plug-in, generate a first verification request and send the first verification request to the server end; have the server end receive the first verification request sent by the front end and perform validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request; in response to the validity verification passing, have the server end generate first request information according to the application information, process the first request information to generate verification information, and feed back the passing result and the verification information to the front end, where the front-end plug-in processes them to generate a second session request and sends the second session request to the application end; in response to the application end receiving the second session request, have the application end plug-in process the second session request, obtain the second request information of the second session request and send the second request information to the server end; have the server end search for the first request information according to the verification information contained in the received second request information and compare the first request information with the second request information; and, if the server end does not find the first request information, or the comparison result of the first request information and the second request information is inconsistent, confirm man-in-the-middle hijacking.
The processor 701 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like, or may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The electronic device of the embodiments of the present application exists in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, low-end phones, and the like.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) A portable entertainment device: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) A server: the configuration of a server includes a processor, a hard disk, memory, a system bus and the like; it is similar to a general computer architecture but must provide highly reliable services, and therefore has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction function.
It should be noted that, according to implementation requirements, each component/step described in the embodiments of the present application may be split into more components/steps, and two or more components/steps or part of operations of the components/steps may be combined into new components/steps, so as to achieve the purposes of the embodiments of the present application.
The above-described methods according to embodiments of the present application may be implemented in hardware, firmware, or as software or computer code storable in a recording medium such as a CD ROM, RAM, floppy disk, hard disk, or magneto-optical disk, or as computer code originally stored in a remote recording medium or a non-transitory machine storage medium downloaded through a network and to be stored in a local recording medium, so that the methods described herein may be stored in such software processes on a recording medium using a general purpose computer, a special purpose processor, or programmable or dedicated hardware such as an ASIC or FPGA. It is understood that a computer, processor, microprocessor controller, or programmable hardware includes a memory component (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code that, when accessed and executed by the computer, processor, or hardware, implements the network information security protection methods described herein. Furthermore, when a general purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general purpose computer into a special purpose computer for performing the methods illustrated herein.
Those of ordinary skill in the art will appreciate that the elements and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment is mainly described in a different point from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, with reference to the description of the method embodiments in part.
The above-described apparatus and system embodiments are merely illustrative, in which elements that are not explicitly described may or may not be physically separated, and elements that are not explicitly described may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present application without undue burden.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (8)

1. A method for protecting security of network information, comprising:
introducing an application end plug-in at an application end, intercepting a first session request at the application end through the application end plug-in, and feeding back the generated temporary session hash, application information and a unique identifier of a selected server end to a front end;
introducing a front-end plug-in into the front end, intercepting the temporary session hash, the application information and the unique identifier through the front-end plug-in, generating a first verification request and sending the first verification request to the server;
the server receives a first verification request sent by the front end, and performs validity verification on temporary session hash, application information and the unique identifier contained in the first verification request;
responding to the passing of the validity verification, generating first request information by the server side according to the application information, processing the first request information to generate check information, feeding back the result of the passing of the validity verification and the check information to the front end, and processing by the front end plug-in unit to generate a second session request and sending the second session request to the application side; the front-end plug-in adds the temporary session hash, the unique identifier and the verification information into the first session request to generate the second session request;
responding to the second session request received by the application end, processing the second session request by the application end plug-in, acquiring second request information of the second session request, and sending the second request information to the server end; the application end plug-in judges whether the second session request is a legal request according to the temporary session hash, and if the second session request is the legal request, the verification information and the second request information in the second session request are extracted and sent to the server end; if the second session request is not a legal request, confirming that the man-in-the-middle hijacking is encountered;
the server searches the first request information according to the verification information contained in the received second request information, and compares the first request information with the second request information;
if the server side does not find the first request information or the comparison result of the first request information and the second request information is inconsistent, the man-in-the-middle hijacking is confirmed.
2. The method for protecting network information according to claim 1, wherein the application-side plug-in selects one from a plurality of server-sides, and feeds back the unique identifier of the selected server-side to the front-side plug-in.
3. The method for protecting network information according to claim 1, wherein the temporary session hash, the application information and the unique identifier are validated based on a salted hash algorithm and an encryption algorithm.
4. The method according to claim 1, wherein the first request information is subjected to a hash operation and an encryption operation to generate the check information.
5. The method for protecting network information according to claim 1, further comprising:
and responding to the comparison result of the first request information and the second request information to be consistent, returning the comparison result to the application end by the server end, generating short-term session hash by the application end plug-in, returning the short-term session hash to the front end, storing the short-term session hash by the front end, adding the short-term session hash to a subsequent request parameter, and carrying out a subsequent request by the front end by using the short-term session hash, wherein the application end is not intercepted any more.
6. A system for securing network information, comprising:
the first verification request generation unit is configured to introduce an application end plug-in at an application end, intercept a first session request through the application end plug-in at the application end, and feed back the generated temporary session hash, application information and a unique identifier of a selected server end to the front end; introducing a front-end plug-in into the front end, intercepting the temporary session hash, the application information and the unique identifier through the front-end plug-in, generating a first verification request and sending the first verification request to the server;
the validity verification unit is configured to respond to the first verification request sent by the front end received by the server, and perform validity verification on the temporary session hash, the application information and the unique identifier contained in the first verification request;
the verification information generating unit is configured to respond to the passing of the validity verification, generate first request information according to the application information by the server side, process the first request information to generate verification information, feed back the result of the passing of the validity verification and the verification information to the front end, and process by the front end plug-in unit to generate a second session request and send the second session request to the application side; the front-end plug-in adds the temporary session hash, the unique identifier and the verification information into the first session request to generate the second session request;
the second verification request generation unit is configured to respond to the application end receiving the second session request, process the second session request by the application end plug-in, acquire second request information of the second session request, and send the second request information to the server end; the application end plug-in judges whether the second session request is a legal request according to the temporary session hash, and if the second session request is the legal request, the verification information and the second request information in the second session request are extracted and sent to the server end; if the second session request is not a legal request, confirming that the man-in-the-middle hijacking is encountered;
the information comparison unit is configured to search the first request information according to the verification information contained in the received second request information by the server side and compare the first request information with the second request information;
and the confirmation unit is configured to confirm that man-in-the-middle hijacking is encountered if the server side does not find the first request information or the comparison result of the first request information and the second request information is inconsistent.
7. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements a method for securing network information according to any of claims 1-5.
8. An electronic device, comprising: memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the network information security protection method according to any one of claims 1-5 when executing the program.
CN202310855068.7A 2023-07-13 2023-07-13 Network information security protection method and system Active CN116582368B (en)

Publications (2)

Publication Number Publication Date
CN116582368A CN116582368A (en) 2023-08-11
CN116582368B true CN116582368B (en) 2023-09-22

Family

ID=87538182

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310855068.7A Active CN116582368B (en) 2023-07-13 2023-07-13 Network information security protection method and system

Country Status (1)

Country Link
CN (1) CN116582368B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018081352A (en) * 2016-11-14 2018-05-24 Necプラットフォームズ株式会社 Meter reading system, meter reading method and meter reading program
CN109861947A (en) * 2017-11-30 2019-06-07 腾讯科技(武汉)有限公司 A kind of network abduction processing method and processing device, electronic equipment
CN111683045A (en) * 2020-04-28 2020-09-18 中国平安财产保险股份有限公司 Session information processing method, device, equipment and storage medium
CN114844644A (en) * 2022-03-16 2022-08-02 深信服科技股份有限公司 Resource request method, device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11621826B2 (en) * 2019-12-06 2023-04-04 Mastercard International Incorporated Method and system for HTTP session management using hash chains

Also Published As

Publication number Publication date
CN116582368A (en) 2023-08-11

Similar Documents

Publication Publication Date Title
US9225532B2 (en) Method and system for providing registration of an application instance
CN106464499B (en) Communication network system, transmission node, reception node, message checking method, transmission method, and reception method
CN107404461B (en) Data secure transmission method, client and server method, device and system
CN108023874B (en) Single sign-on verification device and method and computer readable storage medium
CN109309685B (en) Information transmission method and device
CN110190955B (en) Information processing method and device based on secure socket layer protocol authentication
US9015819B2 (en) Method and system for single sign-on
US9787478B2 (en) Service provider certificate management
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN109167802B (en) Method, server and terminal for preventing session hijacking
KR20150036104A (en) Method, client, server and system of login verification
US20140006781A1 (en) Encapsulating the complexity of cryptographic authentication in black-boxes
JP2020526146A (en) Symmetric mutual authentication method between first application and second application
WO2014074885A2 (en) Identity management with generic bootstrapping architecture
CN110113351B (en) CC attack protection method and device, storage medium and computer equipment
CN114553590B (en) Data transmission method and related equipment
JP2016111660A (en) Authentication server, terminal and authentication method
CN112491890A (en) Access method and device
CN114553480B (en) Cross-domain single sign-on method and device, electronic equipment and readable storage medium
CN114244530A (en) Resource access method and device, electronic equipment and computer readable storage medium
Sarvabhatla et al. A secure and light weight authentication service in hadoop using one time pad
CN107770183B (en) Data transmission method and device
US8875244B1 (en) Method and apparatus for authenticating a user using dynamic client-side storage values
CN116582368B (en) Network information security protection method and system
US10764065B2 (en) Admissions control of a device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant