WO2017193750A1 - 一种防止拷贝攻击的处理方法、服务器及客户端 - Google Patents

一种防止拷贝攻击的处理方法、服务器及客户端 Download PDF

Info

Publication number
WO2017193750A1
WO2017193750A1 PCT/CN2017/080006 CN2017080006W WO2017193750A1 WO 2017193750 A1 WO2017193750 A1 WO 2017193750A1 CN 2017080006 W CN2017080006 W CN 2017080006W WO 2017193750 A1 WO2017193750 A1 WO 2017193750A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
identification code
server
change
copy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/080006
Other languages
English (en)
French (fr)
Chinese (zh)
Inventor
李小峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to EP17795368.4A priority Critical patent/EP3457309B1/en
Priority to KR1020187036283A priority patent/KR102218572B1/ko
Priority to PH1/2018/502397A priority patent/PH12018502397B1/en
Priority to MYPI2018001905A priority patent/MY193643A/en
Priority to JP2018559753A priority patent/JP6880071B2/ja
Priority to SG11201809981QA priority patent/SG11201809981QA/en
Publication of WO2017193750A1 publication Critical patent/WO2017193750A1/zh
Priority to US16/186,197 priority patent/US10999321B2/en
Anticipated expiration legal-status Critical
Priority to US16/722,832 priority patent/US10887343B2/en
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1475Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15Use in a specific computing environment
    • G06F2212/154Networked environment

Definitions

  • the present application belongs to the technical field of security authentication information data processing, and in particular, to a method, a server, and a client for preventing a copy attack.
  • the mobile terminal's APP generally uses soft and secure storage for data security storage.
  • the soft secure storage generally refers to a software running on the device system, such as an APP running on Android, which provides security for data local secure storage by adding anti-hacking means, and it is generally difficult for a hacker to crack the security.
  • Software stored data and algorithms But for this reason, hackers are now very likely to think of using a copy attack to attack, that is, the hacker copies the user's data and environment and directly simulates the user device, so that it is easy to forge the user with the data of the user on the device, thereby enabling Steal the user's information.
  • the hacker can run the user's account directly on the hacker's machine without hacking the data and algorithms inside the software.
  • the way to prevent copy attacks is to bind to the information of the user equipment. If the device is not originally bound, it is considered unsafe.
  • the existing method can be easily attacked by hackers, because the environmental information of these devices is obtained through the API of the system, and the hacker can use a more sophisticated algorithm to call the api of the system through a hook.
  • Device environment information using these apis to simulate device information, let the software mistakenly think that it is the originally bound device, thus breaking the device Bind this layer of protection to achieve the purpose of accessing the user account.
  • the security of a single data soft secure storage of a client is still low, and it is difficult to prevent a copy attack.
  • the device information bound by the user is usually built-in, and an attacker (such as a hacker) successfully implements a copy attack. It will cause an incalculable loss to the user.
  • the purpose of the present application is to provide a method for preventing a copy attack, a server, and a client, which can increase the difficulty of copying attacks, reduce the harm of copy attack implementation, improve the security of application data storage in the terminal device, and reduce user property loss. Protect user property.
  • a method for preventing a copy attack comprising:
  • the client sends service data to the server, where the service data includes a unique identifier and a change identifier sent by the server to the client locally for secure storage;
  • the server parses the unique identification code and the change identification code in the service data sent by the client, and compares the obtained unique identification code and the change identification code with the unique identification code and the change identification code of the client recorded by the server;
  • the server determines that the local security storage of the client is a copy attack, and performs a preset response action; otherwise, the server sends a new change identification code to the client;
  • the client updates the received new change identification code to the local secure storage.
  • a method for preventing a copy attack comprising:
  • the comparison result is no, it is determined that the local security storage of the client is a copy attack, and a preset response action is performed; otherwise, a new change identification code is sent to the client.
  • a method for preventing a copy attack comprising:
  • the service data including a unique identification code and a change identification code of the local secure storage
  • the received new change identification code is updated to the local secure storage.
  • a server for preventing copy attacks comprising:
  • a data receiving module configured to receive service data sent by the client, where the service data includes a unique identifier and a change identifier sent by the server to the client and stored by the server;
  • the comparison module is configured to parse and obtain the unique identifier and the change identifier in the service data sent by the client, and compare and parse the obtained unique identifier and the change identifier with whether the recorded unique identifier and the change identifier of the client are all the same. ;
  • the processing module is configured to: if the comparison result of the comparison module is negative, determine that the local security storage of the client is a copy attack, and perform a preset response action; otherwise, send a new change identification code to the client.
  • a client that prevents copy attacks including:
  • Secure storage module for storing by the server when the local secure storage is initialized Unique identification code and change identification code
  • a data sending module configured to send service data to the server, where the service data includes a unique identifier and a change identifier stored by the secure storage module;
  • the first receiving module is configured to receive a new change identification code sent by the server, where the new change identification code is a server that compares the unique identifier and the change identification code uploaded by the client with the unique identifier and the change of the client recorded by the server.
  • an update module configured to update the received new change identification code into the local secure storage.
  • the processing method, the server and the client for preventing copy attacks provided by the application can prevent the attacker from copying and attacking the conventional device binding, and also adopt the remote server to perform the judgment to identify the local application of the application in the verification client.
  • Whether the secure storage is subject to a copy attack In a real-world environment, an attacker usually attacks the device by using the device data and deploying the environment.
  • the application provided by the present application guarantees the attacker's copy by setting the timeliness of the stored data.
  • the information data that the attack steals is easy to be outdated, and the server side judges whether to perform a copy attack.
  • the storage and calculation security of the data on the server side is larger than that on the client side. It is difficult for an attacker to bypass the server side to verify this layer of protection. . In this way, the difficulty of the copy attack can be increased, the harm of the copy attack implementation is reduced as a whole, the security of the application data storage in the terminal device is improved, the user property loss is reduced, and the user property security is protected.
  • FIG. 1 is a flowchart of a method for processing a method for preventing a copy attack provided by the present application
  • FIG. 2 is a schematic diagram of an application scenario of client soft security storage initialization in the embodiment of the present application
  • FIG. 3 is a flowchart of a method for processing another method for preventing a copy attack provided by the present application
  • FIG. 4 is a flowchart of a method for another method for preventing a copy attack provided by the present application
  • FIG. 5 is a schematic structural diagram of a module of an embodiment of a server for preventing copy attacks provided by the present application
  • FIG. 6 is a schematic structural diagram of a module of another embodiment of a server for preventing copy attacks provided by the present application
  • FIG. 7 is a schematic structural diagram of a module of an embodiment of a client for preventing copy attacks provided by the present application
  • FIG. 8 is a schematic structural diagram of another embodiment of a client for preventing copy attacks provided by the present application.
  • FIG. 1 is a flow of a method for processing a copy prevention attack according to an embodiment of the present application. Cheng Tu. Although the present application provides method operational steps or apparatus structures as shown in the following embodiments or figures, more or fewer operational steps or modular structures may be included in the method or apparatus based on conventional or no inventive labor. . In the step or the structure in which the necessary causal relationship is not logically, the execution order of the steps or the module structure of the device is not limited to the execution order or the module structure provided by the embodiment of the present application. When the device or terminal product of the method or module structure is applied, it may be executed sequentially or in parallel according to the method or module structure shown in the embodiment or the drawing (for example, parallel processor or multi-thread processing or even distribution). Environment for processing).
  • a method for preventing a copy attack provided by an embodiment of the present application may include:
  • S1 The client sends service data to the server, where the service data includes a unique identifier and a change identifier sent by the server to the client locally for secure storage by the server.
  • the client local secure storage may include an application soft security storage in the client, and the application installed in the general client may apply to the server for identifying the unique identifier of the client and the current security storage initialization.
  • Initialized random code Generally, the unique identifier user marks the client identity, and usually does not change when it is determined that the client is not subjected to the copy attack, and the variable random code can be set to use local secure storage every time the client triggers. Changes are updated as related business.
  • the specific data format of the unique identifier and the variable random code described in this application may be designed according to the actual application scenario.
  • the unique identifier in the embodiment may include a unique ID generated according to the evolution of the client device information.
  • the change identification code may be a random number randomly generated by the server each time, such as 6 digits or letters, a combination of matches, and the like.
  • the client sends the unique to the server
  • the identification code and the change identification code can be encrypted, which can further enhance the security of data storage and improve the difficulty of data cracking.
  • the data communication process can adopt RSA asymmetric encryption of public and private keys, and AES symmetric encryption.
  • the unique identifier or the change identifier sent by the server to the client may also use symmetric or asymmetric encryption to improve the security of communication between the client and the server. Therefore, in another embodiment of the method for processing a copy attack prevention method, the information interaction between the client and the server and the unique identification and the change identifier may be performed by using asymmetric encryption or symmetric encryption. Any encryption method is implemented.
  • FIG. 2 is a schematic diagram of an application scenario of client soft security storage initialization in the embodiment of the present application.
  • the client soft security storage when the client soft security storage is initialized, the client requests the unique ID and the initialization random number from the security service on the server side, and the server generates the unique ID and the initialization random number of the client, and sends the encrypted number to the client.
  • the client securely maintains a unique ID and initializes a random number after decryption.
  • the service data in the embodiment includes a unique identification code and a change identification code sent by the server of the local security storage of the client to the client
  • the specific implementation scenario may include including the service data triggered by the client.
  • the information of the unique identification code, the change identification code, and the like is used as an overall service data that is sent to the server at this time, such as certain fields of the newly added service data, and the fields include the unique identification code and the change identification code, or other applications.
  • the scenario may also include separately identifying the service data unique identification code and the change identification code as separate data, and sending the three data together to the server.
  • the service data may also be a specific service operation, or may be a message information such as a client verification request. Therefore, it can be understood that the message sent by the client to the server includes the unique identifier and the change identifier of the client, and the specific implementation manner is not limited.
  • the service related to the local security storage of the client is sent to the server.
  • the service data may include a unique identification code and a change identification code sent by the server of the client local secure storage to the client.
  • S2 The server parses and obtains a unique identifier and a change identifier in the service data sent by the client, and compares the obtained unique identifier and the change identifier with the unique identifier and the change identifier of the client recorded by the server. the same.
  • the server may parse the service data, and obtain a unique identifier and a change identifier in the service data uploaded by the client. Since the server pre-stores the unique identification code assigned to the client and the last change identification code, the server can compare and parse the obtained unique identification code and the change identification code with the unique identification code and the change of the client stored by the server. Whether the identification codes are all the same. Of course, as described above, if the unique identification code and the change identification code uploaded by the client are encrypted, the server side obtains the unique identification code and the change after decrypting the corresponding decryption method corresponding to the domain encryption process. Identifier.
  • the server receives the service data sent by the client, obtains the unique identifier and the change identifier of the client, and compares and obtains the obtained unique identifier and the change identifier with whether the unique identifier and the change identifier of the client recorded by the server are all the same. .
  • the server compares the unique identifier and the change identification code obtained by the parsing with the unique identifier and the change identifier of the client recorded by the server. If the comparison result is that at least one of the differences is different, the server may send the service data. There is no abnormality at the end, especially the change identification code. If the random number in this embodiment is different, it indicates that the corresponding soft security storage of the client application is likely to be a copy attack and run the application, triggering the soft secure storage. Phase Close business.
  • the server can determine that the local secure storage of the client is subjected to a copy attack based on whether the unique identifier and the change identifier obtained by the parsing are compared with the unique identifier and the change identifier of the client recorded by the server. Further, a pre-set response action can be made, and the specific response action can be set in advance according to actual conditions, such as forcing offline, prohibiting user account fund operation, secret security verification, and the like.
  • the client that sends the service request may be considered as the real client of the user, and may The service is allowed to access, and further operations are performed. Then, the server can generate a new change identification code for the client, and then send the new change identification code to the client.
  • the server determines that the unique ID and the random number uploaded by the client are consistent with the unique ID of the client that stores the record and the random number sent last time, and then the identity authentication of the client passes, and the server generates a new one at this time. The random number is sent to the client.
  • the server when the server determines that the unique identifier and the change identification code uploaded by the client are all the same as the unique identifier and the change identifier of the client recorded by the server, the server sends a new change identifier to the client, the client.
  • the new change identification code can be updated to the client's local secure storage for use in the next delivery of business data.
  • the processing party for preventing copy attacks can prevent the attacker from copying and attacking the conventional device binding, and also uses the remote server to determine whether the local secure storage of the application in the verification client is copied.
  • attack In a real-world use environment, an attacker generally attacks the device data and deploys the environment, and the attacker usually lags behind the user's reuse of the terminal application.
  • the implementation provided by the present application sets the timeliness of the stored data. It is easy for the attacker to copy the data of the attack and steal the information. It is easy for the server to judge whether to perform the copy attack.
  • the storage and calculation security of the data on the server side is larger than that of the client. It is difficult for the attacker to bypass the server-side verification. This layer of protection. In this way, the difficulty of the copy attack can be increased, the harm of the copy attack implementation is reduced as a whole, the security of the application data storage in the terminal device is improved, the user property loss is reduced, and the user property security is protected.
  • the server obtains at least one of the unique identification code and the change identification code obtained by the analysis and the unique identification code and the change identification code of the client recorded by the server.
  • the client's local secure storage is subject to a copy attack, and further responses can be made.
  • the specific response actions of the present application can be set according to actual conditions, such as forcing offline, prohibiting user account funds operation, secret security verification, and the like.
  • the method of the present application provides a processing method for determining that the local security storage of the client is a copy attack. Specifically, in another embodiment of the method for preventing a copy attack, the pre-preparation Let the response action include:
  • S301 The server sends a message requesting the user corresponding to the service data to perform identity verification, and sends the re-assigned unique identifier and the change identifier to the client of the user after the identity verification is passed.
  • the client of the user performs identity verification based on the received identity verification message, such as password login, fingerprint login, face login, and the like.
  • the local secure storage can be initialized according to the unique identifier and the change identifier re-allocated by the received server for the client of the user.
  • the change identification code described in this application may take one or more combinations of data, letters, matches, and the like.
  • the timeliness of the variable identification code (such as a random integer) may be implemented by using an integer always accumulated. Therefore, in an embodiment of the method of the present application, the change identification code is set to be integer-by-incrementally Added way to generate.
  • the client C1 change identification code is initialized with a random 6-bit integer 013579, and each time the securely stored service triggers the update of the change identification code, it will accumulate 1 on the last change identification code value, as in Initialization Change ID 013579
  • the next generation of the change ID to be sent to the client C1 by the server is 013580, the next time is 013581, and so on.
  • the server can randomly generate different initialized random 6-bit integers for different clients.
  • the above-mentioned processing method for preventing copy attacks can be applied to the server side of the secure authentication.
  • the present application further provides a processing method for preventing a copy attack on the server side based on the foregoing.
  • the method may include:
  • S201 Receive service data sent by the client, where the service data includes a unique identifier and a change identifier sent by the server to the client by the server.
  • S202 Parse and obtain a unique identifier and a change identifier in the service data sent by the client, and compare and parse the obtained unique identifier and the change identifier with whether the recorded unique identifier and the change identifier of the client are all the same;
  • FIG. 3 is a flowchart of a method for preventing a copy attack according to an embodiment of the present disclosure.
  • the client sends the unique id and random number encryption in the soft secure storage together with the service data to the server, and the server decrypts the unique id and the random number. , and the unique id and random saved by the server If the number is consistent, it indicates that the soft secure storage has not been copied, then a new random number is updated to the soft secure storage, and the soft secure storage updates the local random number.
  • the server finds that the random number uploaded by the client is different from the server record, it may indicate that the soft secure storage is a copy attack and has been run. This allows the server to re-authenticate and initialize the user of the account. Therefore, in another embodiment of the method, when the server determines that the local security storage of the client is a copy attack, the preset response action may include:
  • the change identification code may also be set to be generated by using integer incrementing, and in other embodiments, the information of the unique identification and the change identification code between the client and the server is asymmetrically encrypted and symmetric. Any encryption method implemented in encryption. For specific data setting, generation, and interaction modes, refer to other embodiments of the present application, and details are not described herein.
  • the present invention provides a processing method for preventing a copy attack on the server side, which can be implemented on the server side to verify whether the client has undergone a copy attack, and the corresponding thing is executed according to the judgment result, and the user data stolen by the hacker is maximized.
  • Obsolete which in turn improves the security of the data storage of the client, and provides a way to prevent copy attacks and reduce the loss of the copy attack to the user.
  • the foregoing method for preventing copy attacks in the present application may be applied to a client side, a unique identifier configured by the client local secure storage server for the client, and a change identifier that is updated each time the service operation is updated.
  • the client interacts with the server, the client sends the local identification code and the change identification code to the server, and then performs local operations according to the judgment result of the server, such as account authentication, soft security storage initialization, and update random number. Wait.
  • the present application provides a processing method for preventing a copy attack on the client side, and the method may include:
  • S301 Store a unique identifier and a change identifier sent by the server when the local secure storage is initialized;
  • S302 Send service data to the server, where the service data includes a unique identifier and a change identifier of the local secure storage;
  • S303 Receive a new change identification code sent by the server, where the new change identification code is a server that compares the unique identifier and the change identification code uploaded by the client with the unique identifier and the change identifier of the client recorded by the server. a change identification code sent at the same time;
  • FIG. 4 is a flowchart of a method for another method for preventing a copy attack provided by the present application.
  • the foregoing method for processing a copy-protection attack on the client side may further include:
  • the authentication is performed based on the received authentication message; and after the authentication is passed, the local secure storage is initialized according to the received unique identifier and the change identification code re-allocated by the server.
  • the client, the server, and the method for processing the anti-copy attack can prevent the attacker from copying and attacking the conventional device binding, and also adopt the remote server to perform the judgment, and identify and verify the client.
  • an attacker usually attacks the device by using the device data and deploying the environment.
  • the application provided by the present application guarantees the attacker's copy by setting the timeliness of the stored data.
  • the information data that the attack steals is easy to be outdated, and the server side judges whether to perform a copy attack.
  • the storage and calculation security of the data on the server side is larger than that on the client side. It is difficult for an attacker to bypass the server side to verify this layer of protection. . In this way, the difficulty of the copy attack can be increased, and the overall implementation of the copy attack is reduced. Harmful, improve the security of application data storage in terminal equipment, reduce user property losses, and protect user property security.
  • FIG. 5 is a schematic structural diagram of a module of a server for preventing copy attacks provided by the present application.
  • the server may include:
  • the data receiving module 101 may be configured to receive service data sent by the client, where the service data includes a unique identifier and a change identifier sent by the server to the client by the server.
  • the comparison module 102 can be configured to parse the unique identifier and the change identifier in the service data sent by the client, and compare and analyze the obtained unique identifier and the change identifier with the recorded unique identifier and the change identifier of the client. All the same;
  • the processing module 103 may be configured to: if the comparison result of the comparison module 102 is negative, determine that the local security storage of the client is a copy attack, and perform a preset response action; otherwise, send a new change to the client. Identifier.
  • FIG. 6 is a schematic structural diagram of another embodiment of a processing server for preventing a copy attack provided by the present application.
  • the processing module 103 may include:
  • the first processing module 1031 may be configured to send a message requesting authentication of the user corresponding to the service data when the local security storage of the client is a copy attack, and send a re-allocation to the client of the user after the identity verification is passed.
  • Unique identification code and change identification code
  • the second processing module 1032 can be configured to determine that the local security storage of the client is not received.
  • the server sends a new change identification code to the client when copying the attack.
  • the change identification code is set to be generated by successively accumulating integers.
  • the information interaction between the client and the server for the unique identification and the change identifier is implemented by using any one of asymmetric encryption and symmetric encryption.
  • the processing server for preventing copy attacks described above can identify whether the local secure storage of the application in the verification client is subjected to a copy attack.
  • an attacker usually attacks the device by using the device data and deploying the environment.
  • the application provided by the present application guarantees the attacker's copy by setting the timeliness of the stored data.
  • the information data that the attack steals is easy to be outdated, and the server side judges whether to perform a copy attack.
  • the storage and calculation security of the data on the server side is larger than that on the client side. It is difficult for an attacker to bypass the server side to verify this layer of protection. . In this way, the difficulty of the copy attack can be increased, the harm of the copy attack implementation is reduced as a whole, the security of the application data storage in the terminal device is improved, the user property loss is reduced, and the user property security is protected.
  • the application further provides a client for preventing a copy attack, which can verify whether the local secure storage of the failed client is subjected to a copy attack in the process of interacting with the server based on the unique identifier and the change identifier assigned by the server, by changing the random number, etc.
  • the method makes the data of the hacker copy attack stolen easily obsolete, and implements verification on the server side to determine whether the client copies the attack, thereby effectively protecting the data of the client's local secure storage, improving the security of the data storage, and increasing the difficulty of the copy attack.
  • FIG. 7 is a schematic structural diagram of a module of a client for preventing a copy attack provided by the present application. As shown in FIG. 7, the client may include:
  • the secure storage module 201 can be configured to store a unique identifier and a change identifier sent by the server when the local secure storage is initialized;
  • the data sending module 202 may be configured to send service data to the server, where the service data includes a unique identifier and a change identifier stored by the secure storage module 201;
  • the first receiving module 203 may be configured to receive a new change identification code sent by the server, where the new change identification code is a server that compares the unique identifier and the change identifier of the client and the unique identifier of the client recorded by the server. a change identification code sent when the change identification code is all the same;
  • the update module 204 can be configured to update the received new change identification code into the local secure storage.
  • FIG. 8 is a schematic structural diagram of another embodiment of a client for preventing a copy attack provided by the present application. As shown in FIG. 8 , the client may further include:
  • the second receiving module 2051 may be configured to receive an identity verification message sent by the server, and a re-assigned unique identifier and a change identifier sent by the server after the identity verification is passed;
  • the verification processing module 2052 may be configured to perform identity verification based on the received identity verification message; and after the identity verification is passed, initialize the local secure storage according to the received unique identifier and the change identification code re-allocated by the server.
  • the client for preventing copy attacks provided by the present application can verify whether the local secure storage of the failed client is subjected to a copy attack during the process of interacting with the server based on the unique identifier and the change identifier assigned by the server, by changing the random number, etc.
  • the hacker copy attack data is easily obsolete, and the copy attack authentication is implemented on the server side to effectively protect the data of the client's local secure storage and improve the security of data storage.
  • the method or the server and the client described in the foregoing embodiments can achieve secure storage in a TEE (Trusted Execution Environment), and the effect is good.
  • TEE Trusted Execution Environment
  • the unit, device or module illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function.
  • the above devices are described as being separately divided into various modules by function.
  • the functions of the modules may be implemented in the same software or software and/or hardware when implementing the present application, or the modules implementing the same functions may be implemented by multiple sub-modules or a combination of sub-units.
  • the controller can be logically programmed by means of logic gates, switches, ASICs, programmable logic controllers, and embedding.
  • program modules include routines, programs, objects, components, data structures, classes, and the like that perform particular tasks or implement particular abstract data types.
  • the present application can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected through a communication network.
  • program modules can be located in both local and remote computer storage media including storage devices.
  • the present application can be implemented by means of software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product in essence or in the form of a software product, which may be stored in a storage medium such as a ROM/RAM or a disk. , an optical disk, etc., includes instructions for causing a computer device (which may be a personal computer, mobile terminal, server, or network device, etc.) to perform the methods described in various embodiments of the present application or portions of the embodiments.
  • a computer device which may be a personal computer, mobile terminal, server, or network device, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
PCT/CN2017/080006 2016-05-13 2017-04-11 一种防止拷贝攻击的处理方法、服务器及客户端 Ceased WO2017193750A1 (zh)

Priority Applications (8)

Application Number Priority Date Filing Date Title
EP17795368.4A EP3457309B1 (en) 2016-05-13 2017-04-11 Processing method for presenting copy attack, and server and client
KR1020187036283A KR102218572B1 (ko) 2016-05-13 2017-04-11 복제 공격을 방지하기 위한 처리 방법, 및 서버 및 클라이언트
PH1/2018/502397A PH12018502397B1 (en) 2016-05-13 2017-04-11 Processing method for presenting copy attack, and server and client
MYPI2018001905A MY193643A (en) 2016-05-13 2017-04-11 Processing method for preventing copy attack, and server and client
JP2018559753A JP6880071B2 (ja) 2016-05-13 2017-04-11 コピー攻撃を防ぐための処理方法並びにサーバ及びクライアント
SG11201809981QA SG11201809981QA (en) 2016-05-13 2017-04-11 Processing method for preventing copy attack, and server and client
US16/186,197 US10999321B2 (en) 2016-05-13 2018-11-09 Processing method for preventing copy attack, and server and client
US16/722,832 US10887343B2 (en) 2016-05-13 2019-12-20 Processing method for preventing copy attack, and server and client

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610318168.6A CN107368737A (zh) 2016-05-13 2016-05-13 一种防止拷贝攻击的处理方法、服务器及客户端
CN201610318168.6 2016-05-13

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/186,197 Continuation US10999321B2 (en) 2016-05-13 2018-11-09 Processing method for preventing copy attack, and server and client

Publications (1)

Publication Number Publication Date
WO2017193750A1 true WO2017193750A1 (zh) 2017-11-16

Family

ID=60267507

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/080006 Ceased WO2017193750A1 (zh) 2016-05-13 2017-04-11 一种防止拷贝攻击的处理方法、服务器及客户端

Country Status (10)

Country Link
US (2) US10999321B2 (cg-RX-API-DMAC7.html)
EP (1) EP3457309B1 (cg-RX-API-DMAC7.html)
JP (1) JP6880071B2 (cg-RX-API-DMAC7.html)
KR (1) KR102218572B1 (cg-RX-API-DMAC7.html)
CN (1) CN107368737A (cg-RX-API-DMAC7.html)
MY (1) MY193643A (cg-RX-API-DMAC7.html)
PH (1) PH12018502397B1 (cg-RX-API-DMAC7.html)
SG (1) SG11201809981QA (cg-RX-API-DMAC7.html)
TW (1) TWI669626B (cg-RX-API-DMAC7.html)
WO (1) WO2017193750A1 (cg-RX-API-DMAC7.html)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110247925A (zh) * 2019-06-26 2019-09-17 国网山东省电力公司临朐县供电公司 配电自动化信息交互方法、系统、终端及存储介质
CN110297651A (zh) * 2019-06-18 2019-10-01 广州华多网络科技有限公司 协议接口的常用变量的更新方法和装置

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107368737A (zh) * 2016-05-13 2017-11-21 阿里巴巴集团控股有限公司 一种防止拷贝攻击的处理方法、服务器及客户端
WO2019136407A1 (en) * 2018-01-08 2019-07-11 Equifax Inc. Facilitating entity resolution, keying, and search match without transmitting personally identifiable information in the clear
CN110445841B (zh) * 2019-07-12 2022-04-22 苏州浪潮智能科技有限公司 一种云物理机挂载云盘的方法、设备以及存储介质
CN111726334A (zh) * 2020-05-08 2020-09-29 深圳知路科技有限公司 防止网络攻击的方法、客户端、服务器及系统
CN112667151B (zh) * 2020-12-11 2022-09-20 苏州浪潮智能科技有限公司 一种存储设备的拷贝系统、方法及介质
CN113098880A (zh) * 2021-04-06 2021-07-09 杭州和利时自动化有限公司 一种重放攻击识别的方法、系统、设备及可读存储介质
CN115292697B (zh) * 2022-10-10 2022-12-16 北京安帝科技有限公司 一种基于入侵行为分析的内存保护方法及装置
CN115527243B (zh) * 2022-10-13 2025-08-19 东南大学 基于双任务学习的生物指纹识别方法及产品

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101166091A (zh) * 2006-10-19 2008-04-23 阿里巴巴公司 一种动态密码认证的方法及服务端系统
US20130204935A1 (en) * 2012-02-07 2013-08-08 Soaric Ab Dynamic sharing of a webservice
CN104301288A (zh) * 2013-07-16 2015-01-21 中钞信用卡产业发展有限公司 在线身份认证、在线交易验证、在线验证保护的方法与系统
CN104331801A (zh) * 2014-10-29 2015-02-04 重庆智韬信息技术中心 通过动态码授权实现安全支付的方法
CN104579694A (zh) * 2015-02-09 2015-04-29 浙江大学 一种身份认证方法及系统
CN105491077A (zh) * 2016-02-26 2016-04-13 浙江维尔科技股份有限公司 一种身份认证的系统

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH05336109A (ja) * 1992-05-29 1993-12-17 Toshiba Corp 無線通信システム
JPH06164493A (ja) * 1992-11-26 1994-06-10 N T T Idou Tsuushinmou Kk 移動通信方式
JP3278550B2 (ja) * 1995-06-08 2002-04-30 日本電気株式会社 移動無線通信システムにおけるクローン端末の通信拒否方式
JPH0984124A (ja) * 1995-09-19 1997-03-28 Fujitsu Ltd パーソナル通信端末の不正使用防止方法
JP2001308850A (ja) * 2000-03-31 2001-11-02 Internatl Business Mach Corp <Ibm> 通信端末装置によるネットワークへの接続方法および装置
US20030065919A1 (en) * 2001-04-18 2003-04-03 Albert Roy David Method and system for identifying a replay attack by an access device to a computer system
WO2005069295A1 (en) * 2004-01-16 2005-07-28 Matsushita Electric Industrial Co., Ltd. Authentication server, method and system for detecting unauthorized terminal
CN100470573C (zh) * 2004-12-13 2009-03-18 松下电器产业株式会社 非授权设备检测设备、非授权设备检测系统及其非授权设备检测方法
KR100764153B1 (ko) * 2006-03-15 2007-10-12 포스데이타 주식회사 휴대 인터넷 시스템에서의 단말 복제 검출 방법 및 장치
US20070245010A1 (en) 2006-03-24 2007-10-18 Robert Arn Systems and methods for multi-perspective optimization of data transfers in heterogeneous networks such as the internet
JP4928364B2 (ja) * 2007-06-25 2012-05-09 日本電信電話株式会社 認証方法、登録値生成方法、サーバ装置、クライアント装置及びプログラム
CN100531365C (zh) * 2007-07-09 2009-08-19 中国联合网络通信集团有限公司 Iptv认证鉴权方法、服务器及系统
KR101261678B1 (ko) * 2009-09-21 2013-05-09 한국전자통신연구원 분산된 신뢰기관을 이용하는 다운로더블 제한수신 시스템 및 상기 시스템의 동작 방법
JP5903190B2 (ja) * 2012-04-01 2016-04-13 オーセンティファイ・インクAuthentify Inc. マルチパーティシステムにおける安全な認証
EP2962485B1 (en) * 2013-03-01 2019-08-21 Intel IP Corporation Wireless local area network (wlan) traffic offloading
SG2014011308A (en) * 2014-02-11 2015-09-29 Smart Communications Inc Authentication system and method
CN105024813B (zh) * 2014-04-15 2018-06-22 中国银联股份有限公司 一种服务器、用户设备以及用户设备与服务器的交互方法
CN107368737A (zh) * 2016-05-13 2017-11-21 阿里巴巴集团控股有限公司 一种防止拷贝攻击的处理方法、服务器及客户端

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101166091A (zh) * 2006-10-19 2008-04-23 阿里巴巴公司 一种动态密码认证的方法及服务端系统
US20130204935A1 (en) * 2012-02-07 2013-08-08 Soaric Ab Dynamic sharing of a webservice
CN104301288A (zh) * 2013-07-16 2015-01-21 中钞信用卡产业发展有限公司 在线身份认证、在线交易验证、在线验证保护的方法与系统
CN104331801A (zh) * 2014-10-29 2015-02-04 重庆智韬信息技术中心 通过动态码授权实现安全支付的方法
CN104579694A (zh) * 2015-02-09 2015-04-29 浙江大学 一种身份认证方法及系统
CN105491077A (zh) * 2016-02-26 2016-04-13 浙江维尔科技股份有限公司 一种身份认证的系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3457309A4 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110297651A (zh) * 2019-06-18 2019-10-01 广州华多网络科技有限公司 协议接口的常用变量的更新方法和装置
CN110247925A (zh) * 2019-06-26 2019-09-17 国网山东省电力公司临朐县供电公司 配电自动化信息交互方法、系统、终端及存储介质

Also Published As

Publication number Publication date
PH12018502397B1 (en) 2023-08-18
JP2019517067A (ja) 2019-06-20
CN107368737A (zh) 2017-11-21
SG11201809981QA (en) 2018-12-28
EP3457309A1 (en) 2019-03-20
US10887343B2 (en) 2021-01-05
JP6880071B2 (ja) 2021-06-02
TW201810109A (zh) 2018-03-16
KR102218572B1 (ko) 2021-02-23
PH12018502397A1 (en) 2019-07-15
MY193643A (en) 2022-10-21
US20200128045A1 (en) 2020-04-23
US10999321B2 (en) 2021-05-04
TWI669626B (zh) 2019-08-21
EP3457309A4 (en) 2019-04-17
KR20190008333A (ko) 2019-01-23
US20190081979A1 (en) 2019-03-14
EP3457309B1 (en) 2021-08-25

Similar Documents

Publication Publication Date Title
TWI669626B (zh) 防止拷貝攻擊的處理方法、伺服器及用戶端
CN105260663B (zh) 一种基于TrustZone技术的安全存储服务系统及方法
CN101350723B (zh) 一种USB Key设备及其实现验证的方法
US20090150678A1 (en) Computer and method for sending security information for authentication
CN109412812B (zh) 数据安全处理系统、方法、装置和存储介质
JP5613596B2 (ja) 認証システム、端末装置、認証サーバ、およびプログラム
CN109831311B (zh) 一种服务器验证方法、系统、用户终端及可读存储介质
JP2019057167A (ja) コンピュータプログラム、デバイス及び判定方法
CN116362747A (zh) 一种区块链数字签名系统
CN110069241B (zh) 伪随机数的获取方法、装置、客户端设备和服务器
CN107204985A (zh) 基于加密密钥的权限认证方法、装置及系统
CN107277017A (zh) 基于加密密钥和设备指纹的权限认证方法、装置及系统
US20170201528A1 (en) Method for providing trusted service based on secure area and apparatus using the same
CN107835185A (zh) 一种基于ARM TrustZone的移动终端安全服务方法及装置
CN106992978B (zh) 网络安全管理方法及服务器
CN111901312A (zh) 一种网络访问控制的方法、系统、设备及可读存储介质
CN104955043B (zh) 一种智能终端安全防护系统
CN108900595B (zh) 访问云存储服务器数据的方法、装置、设备及计算介质
CN110971609A (zh) Drm客户端证书的防克隆方法、存储介质及电子设备
US9977907B2 (en) Encryption processing method and device for application, and terminal
CN112422292B (zh) 一种网络安全防护方法、系统、设备及存储介质
CN104866761B (zh) 一种高安全性安卓智能终端
Kim et al. Secure IoT Device Authentication Scheme using Key Hiding Technology
CN108848051B (zh) 应用数据的获取方法和装置
CN119203171B (zh) 一种数据安全存储和访问系统

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2018559753

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17795368

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 20187036283

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2017795368

Country of ref document: EP

Effective date: 20181213