TWI729812B - Computer program product and apparatus for encrypting and verifying sensitive parameters - Google Patents

Computer program product and apparatus for encrypting and verifying sensitive parameters

Publication number: TWI729812B
Authority: TW (Taiwan)
Prior art keywords: string, verification, sensitive, encrypted, prompt index
Application number: TW109116331A
Other languages: Chinese (zh)
Other versions: TW202145033A (en)
Inventor: 陳瑞泰
Original Assignee: 昕力資訊股份有限公司
Application filed by: 昕力資訊股份有限公司
Priority to: TW109116331A

Abstract

The disclosure describes a computer program product for encrypting sensitive parameters. When loaded and executed by a processing unit of a client, its program code: encrypts a sensitive parameter using a BCrypt algorithm to obtain an encrypted string; obtains a prompt index corresponding to the sensitive parameter; generates a verification string according to the prompt index and the sensitive parameter; and transmits a request that includes at least the verification string to an application server through a network, so that the application server can determine whether the source is legitimate by checking the content of the verification string.

Description

Computer program product and apparatus for encrypting and verifying sensitive parameters

The invention relates to communication security technology, and in particular to a computer program product and apparatus for encrypting and verifying sensitive parameters.

To break into an application server and pose as a legitimate user in order to carry out malicious actions, such as stealing confidential data, tampering with stored data or publishing false information, hackers usually intercept the requests sent from a client to the application server, observe how the parameters in those requests change, and from that guess which functions the application server performs in response to different request parameters. A computer program product and apparatus for encrypting and verifying sensitive parameters is therefore needed, to prevent the malicious actions a hacker could take after successfully working out the meaning of the parameters.

In view of this, how to mitigate or eliminate the above deficiencies in the related art is a problem that remains to be solved.

This specification relates to a computer program product for encrypting sensitive parameters, comprising program code that can be loaded and executed by a processing unit of a client to: encrypt a sensitive parameter using the BCrypt algorithm to generate an encrypted string; obtain a prompt index corresponding to the sensitive parameter; generate a verification string according to the prompt index and the sensitive parameter; and transmit a request containing the verification string to an application server over a network, so that the application server can determine whether the source is a legitimate user by checking the content of the verification string.

This specification also relates to a device for encrypting sensitive parameters, comprising a communication interface and a processing unit. The processing unit encrypts a sensitive parameter using the BCrypt algorithm to generate an encrypted string; obtains a prompt index corresponding to the sensitive parameter; generates a verification string according to the prompt index and the sensitive parameter; and transmits, through the communication interface and over a network, a request containing the verification string to an application server, so that the application server can determine whether the source is a legitimate user by checking the content of the verification string.

This specification further relates to a computer program product for verifying sensitive parameters, comprising program code that can be loaded and executed by a processing unit of an application server to: receive a request containing a verification string from a client over a network; obtain an encrypted string and a prompt index from the verification string; obtain a sensitive parameter according to the prompt index; use the verification algorithm corresponding to the BCrypt algorithm to determine whether the encrypted string matches the sensitive parameter; and, when the encrypted string does not match the sensitive parameter, reply to the client over the network with a parameter error message.

This specification further relates to a device for encrypting sensitive parameters, comprising a communication interface and a processing unit. The processing unit receives, through the communication interface and over a network, a request containing a verification string from a client; obtains an encrypted string and a prompt index from the verification string; obtains a sensitive parameter according to the prompt index; uses the verification algorithm corresponding to the BCrypt algorithm to determine whether the encrypted string matches the sensitive parameter; and, when the encrypted string does not match the sensitive parameter, replies to the client through the communication interface and over the network with a parameter error message.

Other advantages of the present invention are explained in more detail in the following description and drawings.

100: network

110: application server

151: desktop computer

153: tablet computer

155: mobile phone

210: processing unit

220: display unit

230: input device

240: storage device

250: memory

260: communication interface

S310~S360: method steps

S410~S490: method steps

FIG. 1 is a diagram of the network system architecture according to an embodiment of the present invention.

FIG. 2 is a system architecture diagram of a computing device according to an embodiment of the present invention.

FIG. 3 is a flowchart of a method for requesting execution of a service according to an embodiment of the present invention.

FIG. 4 is a flowchart of a method for executing a service requested by a client according to an embodiment of the present invention.

The following description presents preferred implementations of the invention. Its purpose is to describe the basic spirit of the invention, not to limit the invention. The actual scope of the invention is defined by the claims that follow.

It must be understood that words such as "comprising" and "including" used in this specification indicate the presence of specific technical features, values, method steps, operations, elements and/or components, but do not exclude the addition of further technical features, values, method steps, operations, elements, components, or any combination of the above.

Words such as "first", "second" and "third" are used in the claims to modify the elements in the claims. They do not indicate a priority or precedence relationship between elements, that one element precedes another, or a chronological order in which method steps are executed; they are used only to distinguish elements that have the same name.

It must be understood that when an element is described as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. Conversely, when an element is described as being "directly connected" or "directly coupled" to another element, there are no intervening elements. Other terms used to describe the relationship between elements are to be interpreted in a similar manner, such as "between" versus "directly between", or "adjacent" versus "directly adjacent".

An embodiment of the present invention provides a network system architecture that includes servers and multiple clients. FIG. 1 is a diagram of the network system architecture according to an embodiment of the present invention. The application server 110, the desktop computer 151, the tablet computer 153 and the mobile phone 155 can communicate with each other through the network 100. The network 100 can be the Internet, a wired Local Area Network (LAN), a wireless local area network, or any combination of the above. The desktop computer 151, the tablet computer 153 and the mobile phone 155 can be called clients; they deploy applications to the application server 110 through the network 100, or execute services running on the application server 110 through the network 100. An application is usually developed by a service provider and deployed to the application server 110. It contains a variety of business logic, which can cover but is not limited to digital bank management, online banking, mobile customer service, enterprise internal process management, big data storage, big data integration, big data retrieval and other fields.

FIG. 2 is a system architecture diagram of a computing device according to an embodiment of the present invention. This system architecture can be implemented in any one of the application server 110, the desktop computer 151, the tablet computer 153 and the mobile phone 155, and includes at least the processing unit 210. The processing unit 210 can be implemented in a variety of ways, such as with dedicated hardware circuits or general-purpose hardware (for example, a single processor, a multiprocessor with parallel processing capability, a graphics processor, or another processor with computing capability), and provides the functions described later when it executes program code or software. The system architecture also includes a memory 250 and a storage unit 240. The memory 250 stores data needed while the program code executes, such as variables and data tables, and the storage unit 240 stores various electronic files, such as web pages, documents, audio files and video files. The system architecture further includes a communication interface 260, through which the processing unit 210 can communicate with other electronic devices. The communication interface 260 may be a wireless telecommunications module, a Local Area Network (LAN) communication module, or a wireless local area network (WLAN) communication module. The wireless telecommunications module can include a modem that supports any combination of 2G, 3G, 4G or later technology generations. The input device 230 may include a keyboard, a mouse, a touch panel and so on. The user can press the hard keys on the keyboard to input characters, operate the mouse to control the pointer, or make gestures on the touch panel to control the running application. Gestures may include single-click, double-click, single-finger drag, multi-finger drag and so on, but are not limited to these. The display unit 220 may include a display panel (for example, a thin-film liquid crystal display panel, an organic light-emitting diode panel, or another panel with display capability) for displaying input characters, numbers, symbols, the movement track of a dragged pointer, drawn patterns, or screens provided by applications, for the user to view.

The application server 110 provides an application execution environment that offers each application a variety of services, for example: request dispatch and load balancing, a digital certification center, Application Programming Interface (API) authorization management, user authorization/traffic/Internet Protocol (IP) control, organizational hierarchy management, secure connection (SSL/TLS) management, digital signature verification, sensitive data encryption, Single Sign-On Active Directory (SSO AD) integration, protection against Cross-Site Scripting (XSS) attacks, API hot deployment, session fail-over, a duplicate transaction prevention mechanism, VIP API priority, heterogeneous deployment/multi-version operation, API debugging, API trace records, server monitoring/alerting, per-API/per-user reports, (Java) DC host binding management, .NET site binding management, registered host management, API service registration, API module deployment and release, and API composition and design. Because these functions can also be used by many different applications, the application execution environment described above is also called a Shared Service Platform.

To prevent hackers from guessing the meaning of the sensitive parameters in a request, the desktop computer 151, tablet computer 153 or mobile phone 155 can use the BCrypt algorithm to encrypt one or more sensitive parameters to generate encrypted strings, obtain the prompt indexes that correspond to the one or more sensitive parameters, and generate a verification string from the prompt index and the encrypted string. The desktop computer 151, tablet computer 153 or mobile phone 155 then sends a request containing the verification string to the application server 110 via the network 100, so that the application server 110 can determine whether the source is a legitimate user by checking the content of the verification string. Next, the application server 110 can obtain the encrypted string and the prompt index from the verification string in the request, obtain the sensitive parameter according to the prompt index, and use the verification algorithm corresponding to the BCrypt algorithm to determine whether the encrypted string matches the obtained sensitive parameter. If they match, verification has passed: the application server 110 executes the requested function according to the parameters and replies with the execution result to the desktop computer 151, tablet computer 153 or mobile phone 155 via the network 100.

Suppose an illegitimate device intercepts a request sent from the desktop computer 151, tablet computer 153 or mobile phone 155 to the application server 110, forges a verification string based on the content of that request, and sends a request containing the forged verification string to the application server 110 through the network 100. Because the sensitive parameters are encrypted with the BCrypt algorithm, the encrypted string recovered from the forged verification string and the sensitive parameter usually do not match, so verification fails. When the application server 110 finds that verification has failed, it replies to the illegitimate device via the network 100 with a parameter error message.

FIG. 3 is a flowchart of a method for requesting execution of a service according to an embodiment of the present invention. The method is carried out by the processing unit 210 of the desktop computer 151, tablet computer 153 or mobile phone 155 (hereinafter the processing unit 210 for brevity) when it loads and executes a specific software module, and is used to request the application server 110 to complete a specific function. The details are as follows:

Step S310: Obtain the parameter corresponding to the prompt index, also called the sensitive parameter. For example, Table 1 shows the sample data table "TSMP_DP_ITEMS":

[Table 1: image 109116331-A0305-02-0008-1, not reproduced]

The field "ITEM_NO" lists the sensitive parameters, and the field "SORT_BY" lists the values used for sorting. In some embodiments, the prompt index is the value of the field "SORT_BY". In other embodiments, the prompt index is the record number in the result sorted in ascending order; for example, the prompt index of the parameter "MEMBER_REG_FLAG" is "0", the prompt index of the parameter "API_TYPE" is "1", and so on. The storage device 240 of the desktop computer 151, tablet computer 153 or mobile phone 155 (hereinafter the storage device 240 for brevity) can store a database that includes the sample data table "TSMP_DP_ITEMS" described above. The processing unit 210 may issue Structured Query Language (SQL) commands to the database management system to obtain all or part of the content of the sample data table "TSMP_DP_ITEMS".

Step S320: Use the BCrypt algorithm to encrypt the sensitive parameter to generate an encrypted string. In detail, the BCrypt algorithm first randomly generates a salt value according to the current time, and then hashes the salt value and the sensitive parameter to generate the encrypted string. Because the BCrypt algorithm generates different salt values at different points in time, encrypting the same sensitive parameter at different points in time produces different encrypted strings. Even if a hacker intercepts multiple requests sent from the desktop computer 151, tablet computer 153 or mobile phone 155 to the application server 110, it is still difficult to work out the meaning, rules and logic of these encrypted strings in the requests.

Step S330: Use the Base64 algorithm to encode the encrypted string to generate an encoded string. The advantage of using the Base64 algorithm is that the encoded string contains only combinations of uppercase letters "A" to "Z", lowercase letters "a" to "z" and digits "0" to "9", and no other characters or special symbols. Note that strings encoded with the Base64 algorithm make it even harder for hackers to work out the meaning, rules and logic of these encrypted strings in the requests.

Step S340: Combine the encoded string and the prompt index to generate the verification string. For example, the verification string can be organized in the following format: encoded string + "," + prompt index, where "," serves as the separator between the encoded string and the prompt index. In some embodiments, the separator may be any character other than uppercase letters "A" to "Z", lowercase letters "a" to "z" and digits "0" to "9". In other embodiments, the order of the encoded string and the prompt index can be reversed.

In some embodiments, step S330 can be omitted and the verification string organized in the following format: encrypted string + "|" + prompt index, where "|" serves as the separator between the encrypted string and the prompt index. Note that because no further Base64 encoding is applied, any other symbol used in place of the separator "|" must be chosen so that it cannot appear in the encrypted string.

Step S350: Add the verification string to the request. The request can be packaged as a query string, a form object or another equivalent format.

Step S360: Send the request to the application server 110 via the network 100 through the corresponding communication interface 260, to request the application server 110 to execute a specific service. The processing unit 210 may use a Hypertext Transfer Protocol (HTTP) request, a Hypertext Transfer Protocol Secure (HTTPS) request or another communication protocol to send the request to the application server 110.

Note that not all parameters in the request need to be encrypted and encoded; some parameters may still be transmitted in plaintext, and the present invention is not limited in this respect.

FIG. 4 is a flowchart of a method for executing a service requested by a client according to an embodiment of the present invention. The method is carried out by the processing unit 210 of the application server 110 (hereinafter the processing unit 210 for brevity) when it loads and executes a specific software module, and is used to verify the request sent by the client and to perform the corresponding operation according to the verification result. The client can be a legitimate client, such as any one of the desktop computer 151, the tablet computer 153 and the mobile phone 155, or an illegitimate device.

Step S410: Receive a request from the client via the network 100 through the communication interface 260 of the application server 110 (hereinafter the communication interface 260 for brevity). The request can be packaged as a query string, a form object or another equivalent format. The processing unit 210 may use a Hypertext Transfer Protocol request, a Hypertext Transfer Protocol Secure request or another communication protocol to receive the request from the client.

Step S420: Extract the verification string from the request. The processing unit 210 can parse out the verification string according to the format described in step S340.

Step S430: Split the verification string at the preset separator to obtain the encoded string and the prompt index.

Step S440: Use the Base64 algorithm to decode the encoded string to generate a decoded string (also called the encrypted string).

Step S450: Obtain the sensitive parameter corresponding to the prompt index. The storage device 240 of the application server 110 (hereinafter the storage device 240 for brevity) can store a database that includes the sample data table "TSMP_DP_ITEMS" described above. The processing unit 210 can issue an SQL command to the database management system to obtain the sensitive parameter corresponding to the prompt index.

Step S460: Use the verification algorithm corresponding to the BCrypt algorithm to verify the decoded string against the parameter. The processing unit 210 can extract the salt value from the decoded string, and then perform a computation with the salt value, the decoded string and the sensitive parameter to verify whether the decoded string matches the sensitive parameter.

In other embodiments, if the application server 110 and the client have agreed not to perform Base64 encoding and decoding, the processing unit 210 may omit the processing of step S450, split the verification string at the preset separator in step S440 to obtain the encrypted string and the prompt index, and in step S460 use the BCrypt algorithm to verify the encrypted string against the sensitive parameter directly.

Step S470: Determine whether verification has passed. If it has, continue with step S480. If it has not, continue with step S490.

Step S480: Execute the service according to the parameters in the request and reply with the execution result to the client. In other embodiments, the parameters used may exclude the sensitive parameter that is hidden in and associated with the verification string as described above; the present invention is not limited in this respect.

Step S490: Reply to the client with a parameter error message.
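The client steps S310 to S350 and the server steps S420 to S490 can be traced end to end in the following added example, which is not code from the patent. It assumes PBKDF2-HMAC-SHA256 as a standard-library stand-in for BCrypt (same idea: random salt carried inside the hash string); the `SORT_BY` values, the `verify` field name and all function names are constructed for illustration.

```python
# Added example: verification-string round trip (steps S310-S350, S420-S490).
# Assumptions: PBKDF2-HMAC-SHA256 stands in for BCrypt (standard library only);
# SORT_BY values, the "verify" field name and all function names are constructed.
import base64
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import parse_qs, urlencode

ITERATIONS = 50_000  # work factor of the stand-in hash


def open_items_db():
    """Constructed copy of the TSMP_DP_ITEMS table held by client and server."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TSMP_DP_ITEMS (ITEM_NO TEXT, SORT_BY INTEGER)")
    db.executemany("INSERT INTO TSMP_DP_ITEMS VALUES (?, ?)",
                   [("API_TYPE", 20), ("MEMBER_REG_FLAG", 10)])
    return db


def param_for_index(db, index):
    """S450: prompt index = record number after sorting by SORT_BY ascending."""
    row = db.execute("SELECT ITEM_NO FROM TSMP_DP_ITEMS ORDER BY SORT_BY "
                     "LIMIT 1 OFFSET ?", (index,)).fetchone()
    return row[0] if row else None


def index_for_param(db, param):
    """S310: inverse lookup used by the client."""
    rows = db.execute("SELECT ITEM_NO FROM TSMP_DP_ITEMS ORDER BY SORT_BY")
    for i, (item,) in enumerate(rows.fetchall()):
        if item == param:
            return i
    raise KeyError(param)


def salted_hash(param, salt=None):
    """S320: a fresh random salt per call; the salt is carried in the string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", param.encode(), salt, ITERATIONS)
    return "$pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def check_hash(param, hashed):
    """S460: take the salt out of the string, recompute, compare."""
    parts = hashed.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2" or parts[2] != str(ITERATIONS):
        return False
    try:
        salt = bytes.fromhex(parts[3])
    except ValueError:
        return False
    return hmac.compare_digest(salted_hash(param, salt), hashed)


def build_request(db, param):
    """Client, S320-S350: hash, Base64-encode, append ',' + prompt index."""
    encoded = base64.b64encode(salted_hash(param).encode()).decode()
    verification = "%s,%d" % (encoded, index_for_param(db, param))
    # Standard Base64 may emit '+', '/' and '='; urlencode escapes them (and
    # the ',' separator) so the value survives transport in a query string.
    return urlencode({"verify": verification})


def handle_request(db, query):
    """Server, S420-S470: the verified parameter, or None for S490."""
    values = parse_qs(query).get("verify", [])
    if len(values) != 1:
        return None
    encoded, sep, index = values[0].rpartition(",")          # S430
    if not sep or not (index.isascii() and index.isdigit()) or len(index) > 6:
        return None
    try:
        hashed = base64.b64decode(encoded, validate=True).decode("ascii")  # S440
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    param = param_for_index(db, int(index))                   # S450
    if param is None or not check_hash(param, hashed):        # S460
        return None
    return param


if __name__ == "__main__":
    db = open_items_db()
    query = build_request(db, "API_TYPE")
    print(query)
    print(handle_request(db, query))
```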

All or part of the steps in the method of the present invention can be implemented as a computer program, such as a computer operating system, a driver for specific hardware in a computer, or a software application. They can also be implemented in other types of programs as shown above. A person of ordinary skill in the art can write the method of the embodiments of the present invention as a computer program, which is not described further for brevity. A computer program implemented according to the method of the embodiments of the present invention can be stored on a suitable computer-readable data carrier, such as a DVD, CD-ROM, USB drive or hard disk, or placed on a network server that can be accessed through a network (for example, the Internet or another appropriate carrier).

Although FIG. 2 includes the elements described above, using additional elements to achieve better technical effects is not excluded, provided the spirit of the invention is not violated. In addition, although the steps in FIG. 3 and FIG. 4 are executed in a specified order, those skilled in the art can change the order of these steps while achieving the same effect and without violating the spirit of the invention, so the invention is not limited to the order described above. Those skilled in the art can also merge several steps into one, or perform additional steps sequentially or in parallel besides these steps, and the present invention is not limited in this respect either.

Although the present invention is described using the above embodiments, these descriptions are not intended to limit the invention. On the contrary, the invention covers modifications and similar arrangements that are obvious to those skilled in the art. The scope of the claims must therefore be interpreted in the broadest way so as to include all obvious modifications and similar arrangements.

S310~S360: method steps

Claims (11)

1. A computer program product for encrypting sensitive parameters, comprising program code that can be loaded and executed by a processing unit of a client to: encrypt a sensitive parameter using a BCrypt algorithm to generate an encrypted string; obtain a prompt index corresponding to the sensitive parameter; generate a verification string according to the prompt index and the encrypted string; and transmit a request containing the verification string to an application server via a network, so that the application server can determine whether the source is a legitimate user by checking the content of the verification string.

2. An apparatus for encrypting sensitive parameters, comprising: a communication interface; and a processing unit, coupled to the communication interface, configured to encrypt a sensitive parameter using a BCrypt algorithm to generate an encrypted string; obtain a prompt index corresponding to the sensitive parameter; generate a verification string according to the prompt index and the encrypted string; and transmit, through the communication interface via a network, a request containing the verification string to an application server, so that the application server can determine whether the source is a legitimate user by checking the content of the verification string.

3. The apparatus for encrypting sensitive parameters according to claim 2, wherein the verification string includes the encrypted string, a separator, and the prompt index, and the separator is located between the encrypted string and the prompt index.

4. The apparatus for encrypting sensitive parameters according to claim 2, wherein the processing unit encodes the encrypted string using a Base64 algorithm to generate an encoded string, the verification string includes the encoded string, a separator, and the prompt index, and the separator is located between the encoded string and the prompt index.

5. The apparatus for encrypting sensitive parameters according to claim 2, wherein the BCrypt algorithm first randomly generates a salt value according to the current time, and then performs a hash calculation on the salt value and the sensitive parameter to generate the encrypted string.

6. A computer program product for verifying sensitive parameters, comprising program code that can be loaded and executed by a processing unit of an application server to: receive a request containing a verification string from a client via a network; obtain an encrypted string and a prompt index from the verification string; obtain a sensitive parameter according to the prompt index; use a verification algorithm corresponding to a BCrypt algorithm to determine whether the encrypted string matches the sensitive parameter; and when the encrypted string does not match the sensitive parameter, reply with a parameter-error message to the client via the network.

7. An apparatus for verifying sensitive parameters, comprising: a communication interface; and a processing unit, coupled to the communication interface, configured to receive, through the communication interface via a network, a request containing a verification string from a client; obtain an encrypted string and a prompt index from the verification string; obtain a sensitive parameter according to the prompt index; use a verification algorithm corresponding to a BCrypt algorithm to determine whether the encrypted string matches the sensitive parameter; and when the encrypted string does not match the sensitive parameter, reply with a parameter-error message to the client through the communication interface via the network.

8. The apparatus for verifying sensitive parameters according to claim 7, wherein, when the encrypted string matches the sensitive parameter, the service is executed according to the parameters in the request and an execution result is returned to the client through the communication interface via the network.

9. The apparatus for verifying sensitive parameters according to claim 7, wherein the processing unit splits the verification string to obtain an encoded string and the prompt index, and decodes the encoded string using a Base64 algorithm to obtain the encrypted string.

10. The apparatus for verifying sensitive parameters according to claim 7, wherein the encoded string includes the encrypted string, a separator, and the prompt index, and the separator is located between the encrypted string and the prompt index.

11. The apparatus for verifying sensitive parameters according to claim 7, wherein the verification algorithm extracts a salt value from the encrypted string and performs an operation using the salt value, the encrypted string, and the sensitive parameter to verify whether the encrypted string matches the sensitive parameter.
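The Base64 variant of the client and server flow in the claims above, as an added example that is not part of the patent text. Assumptions: standard-library PBKDF2 stands in for BCrypt so the code runs without third-party packages (like BCrypt, it carries the salt inside the hash string); the `:` separator, the lookup table and all function names are hypothetical.

```python
import base64, binascii, hashlib, hmac, os

SEP = ":"  # assumed separator; Base64 output never contains ':'
# Constructed server-side table: prompt index -> sensitive parameter.
SENSITIVE = {"1": "client-secret-A", "2": "client-secret-B"}

def salted_hash(secret, salt=None):
    """Stand-in for BCrypt (stdlib PBKDF2): the salt travels inside the output."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"

def check_hash(secret, hashed):
    """Extract the salt from the hash string, recompute, compare in constant time."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "pbkdf2":
        return False
    try:
        salt = bytes.fromhex(parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(salted_hash(secret, salt).encode(), hashed.encode())

def build_verification_string(secret, index):
    """Client: hash, Base64-encode, then append separator and prompt index."""
    encoded = base64.b64encode(salted_hash(secret).encode()).decode()
    return f"{encoded}{SEP}{index}"

def verify_request(verification):
    """Server: split, decode, look up by index, verify; else 'parameter error'."""
    encoded, sep, index = verification.rpartition(SEP)
    if not sep or index not in SENSITIVE:
        return "parameter error"  # malformed string or unknown prompt index
    try:
        hashed = base64.b64decode(encoded, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return "parameter error"
    return "ok" if check_hash(SENSITIVE[index], hashed) else "parameter error"
```

With the `bcrypt` package installed, `bcrypt.hashpw(secret, bcrypt.gensalt())` and `bcrypt.checkpw(secret, hashed)` would take the place of `salted_hash` and `check_hash`.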
TW109116331A 2020-05-15 2020-05-15 Computer program product and apparatus for encrypting and verifying sensitive parameters TWI729812B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109116331A TWI729812B (en) 2020-05-15 2020-05-15 Computer program product and apparatus for encrypting and verifying sensitive parameters

Publications (2)

Publication Number Publication Date
TWI729812B true TWI729812B (en) 2021-06-01
TW202145033A TW202145033A (en) 2021-12-01

Family

ID=77517570

Country Status (1)

Country Link
TW (1) TWI729812B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101166091A (en) * 2006-10-19 2008-04-23 阿里巴巴公司 A dynamic password authentication method and service end system
CN104704493A (en) * 2012-08-15 2015-06-10 维萨国际服务协会 Searchable encrypted data
CN105409186A (en) * 2013-06-06 2016-03-16 耐瑞唯信有限公司 System and method for user authentication
CN106664209A (en) * 2014-08-26 2017-05-10 国际商业机器公司 Password-based generation and management of secret cryptographic keys
CN109347858A (en) * 2018-11-16 2019-02-15 上海敬信软件技术有限公司 Cipher code protection method, auth method, device, equipment and storage medium
TW201928743A (en) * 2017-12-15 2019-07-16 安地卡及巴布達商區塊鏈控股有限公司 System and method for authenticating off-chain data based on proof verification
TWM602231U (en) * 2020-05-15 2020-10-01 昕力資訊股份有限公司 Apparatus for encrypting and verifying sensitive parameters

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
10程式中 (andy6804tw), "[Day-29] (Implementation) Encrypting user passwords with bcrypt", January 8, 2018, URL: https://ithelp.ithome.com.tw/articles/10196477 *
