WO2021129676A1 - Uri construction method and apparatus, and medium and device - Google Patents


Info

Publication number: WO2021129676A1
Authority: WO (WIPO, PCT)
Prior art keywords: uri, character string, serial number, encrypted, key2
Application number: PCT/CN2020/138676
Priority: Chinese application 201911372781.6, filed December 27, 2019 (as stated in the description)
Other languages: French (fr), Chinese (zh)
Inventors: 李逸骏, 蔡少君
Original Assignee: 贵州白山云科技股份有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L2101/00 Indexing scheme associated with group H04L61/00 > H04L2101/30 Types of network names > H04L2101/38 Telephone uniform resource identifier [URI]

Definitions

  • This disclosure relates to Internet technology, and in particular to URI construction methods, devices, media and equipment.
  • In the related art, a client's HTTP access request is usually a plaintext URL.
  • Under man-in-the-middle hijacking, the access intent is completely exposed, which enables further hijacking or exposes records of the client's private activity.
  • If the server uses a scheduling technique such as a 302 redirect, the redirect URL is also plaintext, which readily leaks the scheduling policy.
  • To address this, the disclosure provides a URI construction method, device, medium and equipment.
  • A URI construction method applied to the sending end includes: extracting a key field from the target URI; encrypting the key field and encoding the result to generate a first character string; generating an encrypted URI based on the first character string; and sending the encrypted URI.
  • Encrypting the key field includes deriving a second serial number KEY2 from a predefined first serial number KEY1 by a predetermined algorithm, and encrypting the key field under KEY2.
  • Deriving KEY2 from KEY1 includes either computing KEY2 directly from KEY1, or generating a random value (from a random number generator or a timestamp), concatenating it with KEY1, and computing KEY2 from the concatenation according to the predetermined algorithm.
  • When KEY2 is computed from KEY1 alone, the first character string and the fields of the target URI that remain after the key field is extracted are concatenated according to preset rules, optionally with a specific field inserted after concatenation, to form the encrypted URI.
  • When KEY2 is computed from the random value concatenated with KEY1, the random value is also encoded into a second character string, and the first character string, the second character string and the remaining fields of the target URI are concatenated according to preset rules, optionally with a specific field inserted, to form the encrypted URI.
  • Applied to the receiving end, the method includes: receiving an encrypted URI request; extracting the first character string; decrypting it to obtain the key field; and replacing the first character string in the encrypted URI with the key field to restore the target URI.
  • Decrypting the first character string includes decoding it to obtain the encrypted key field, deriving KEY2 from KEY1 by the same predetermined algorithm, and decrypting the encrypted key field under KEY2.
  • When the request carries a second character string, deriving KEY2 includes decoding the second character string to obtain the random value, concatenating it with KEY1, and computing KEY2 according to the predetermined algorithm.
  • A URI construction device applied to the sending end includes: a key field extraction module for extracting the key field from the target URI; an encryption module for encrypting the key field and encoding the result into a first character string; an encrypted URI generation module for generating an encrypted URI based on the first character string; and a sending module for sending the encrypted URI.
  • The encryption module derives the second serial number KEY2 from the predefined first serial number KEY1 by a predetermined algorithm, either directly from KEY1 or from a random value (from a random number generator or a timestamp) concatenated with KEY1; in the latter case it also encodes the random value into a second character string.
  • The encrypted URI generation module concatenates the first character string (and, when present, the second character string) with the fields of the target URI that remain after the key field is extracted, according to preset rules, optionally inserting a specific field after concatenation, to form the encrypted URI.
  • A URI construction device applied to the receiving end includes: a receiving module for receiving encrypted URI requests; a character string extraction module for extracting the first character string; a decryption module for decrypting the first character string to obtain the key field; and a restoration module for replacing the first character string in the encrypted URI with the key field, restoring the target URI.
  • The decryption module decodes the first character string to obtain the encrypted key field, derives KEY2 from KEY1 by the predetermined algorithm (first decoding the second character string to recover the random value, when one is present), and decrypts the encrypted key field under KEY2.
  • A computer-readable storage medium stores a computer program which, when executed, implements the steps of the URI construction method.
  • A computer device includes a processor, a memory, and a computer program stored in the memory; the processor implements the steps of the URI construction method when it executes the program.
  • With this URI construction method, the sending end encrypts the target URI and sends it to the receiving end; after receiving the encrypted URI request, the receiving end decrypts it and restores the original target URI. This keeps an intermediary that hijacks the request from learning the real access intent and private information. Because a random value is added, requests for the same resource produce different encrypted URIs, which avoids cache pollution by an intermediary.
  • Implementing the URI encryption method requires no complicated transformation of the existing server; only a simple encoding device and/or decryption device is added on the server or client side.
  • Fig. 1 is a flow chart showing a method for constructing a URI according to an exemplary embodiment.
  • Fig. 2 is a flow chart showing a method for constructing a URI according to an exemplary embodiment.
  • Fig. 3 is a block diagram showing a URI construction device according to an exemplary embodiment.
  • Fig. 4 is a block diagram showing a URI construction device according to an exemplary embodiment.
  • Fig. 5 is a block diagram showing a computer device according to an exemplary embodiment.
  • FIG. 1 is a flowchart of the URI construction method applied to the sending end. As shown in Figure 1, it includes:
  • Step S11: extract the key field from the target URI;
  • Step S12: encrypt the key field, and encode the encrypted key field to generate a first character string;
  • Step S13: generate an encrypted URI based on the first character string;
  • Step S14: send the encrypted URI.
  • To prevent hijacking by an intermediary, the sending end encrypts the key field of the target URI to be sent and sends the encrypted URI.
  • The request sent by the client is then no longer a plaintext URI, and the scheduling information sent by the server is no longer a plaintext URI, which effectively prevents hijacking by an intermediary.
  • The key field is chosen according to the actual situation: it can be the name of the target file to be accessed, or the entire path of the file, so as to hide the access intent.
  • In step S12, encrypting the key field and generating the first character string after encoding includes: deriving the second serial number KEY2 from the predefined first serial number KEY1 by a predetermined algorithm; encrypting the key field under KEY2; and encoding the result into the first character string.
  • The sending end derives KEY2 from KEY1 by the predetermined algorithm and uses KEY2 to encrypt the extracted key field.
  • The decrypting end derives KEY2 from KEY1 by the same predetermined algorithm and uses KEY2 to run the inverse operation on the encrypted key field.
  • The predetermined algorithm can be any algorithm, such as computing a hash value or concatenating a specific character string.
  • Its purpose is that the sending end and the receiving end both compute the second serial number KEY2 from the predefined first serial number, so that the same KEY2 is used for encryption and for decryption.
  • The first character string is generated once the sending end has encrypted the key field under the second serial number.
  • For example, the original URI is http://www.baidu.com/doc/2019/readme.txt.
  • The client first determines the key field according to the access intent.
  • Here the key field is determined to be /doc/2019/readme.txt.
  • The predefined first serial number KEY1 is "text", and the second serial number KEY2 is obtained from it by the predetermined algorithm.
  • The path /doc/2019/readme.txt is the key field in this embodiment. After the key field is encrypted, its hexadecimal encoding is:
  • Deriving KEY2 from KEY1 alone has a drawback: encrypting the original URI http://www.baidu.com/doc/2019/readme.txt this way makes identical URI requests from different clients identical after encryption. The method therefore also provides the following variant: generate a random value by a random number generator or from a timestamp, concatenate the random value with the first serial number KEY1, and compute the second serial number KEY2 from the concatenation by the predetermined algorithm.
  • The KEY2 used for encryption and decryption is then derived from the sender's random value and KEY1. Different senders obtain different KEY2 values, so the encrypted requests of different senders are unique, which further reduces the possibility of hijacking and tampering by an intermediary.
  • In this variant the method also encodes the random value into a second character string.
  • When KEY2 is computed from KEY1 alone, the first character string and the fields of the target URI that remain after extracting the key field are concatenated according to preset rules, optionally with a specific field inserted after concatenation, to form the encrypted URI.
  • When KEY2 is computed from the random value concatenated with KEY1, the first character string, the second character string and the remaining fields of the target URI are concatenated according to preset rules, optionally with a specific field inserted, to form the encrypted URI. Because KEY2 is now derived from KEY1 and the random value, the second character string must also be sent, so that the receiving end can decode it, recover the random value, and recompute the same KEY2.
  • Each encrypted request is then different.
  • The client sends the encrypted URI request.
  • The first string {new_path}, the second string {new_nonce} (if any) and the fields remaining after the key field is extracted from the target URI can be concatenated according to preset rules, for example https://domain/{new_nonce}{new_path}.
  • A specific field can also be inserted, for example https://domain/diaodu/{new_nonce}{new_path}: after the second string is concatenated with the domain, the specific field diaodu is inserted.
  • From that field the receiving end can tell that the received URI is a scheduled (dispatched) URI.
  • FIG. 2 is a flowchart of the URI construction method applied to the receiving end. As shown in Figure 2, it includes:
  • Step S21: receive an encrypted URI request;
  • Step S22: extract the first character string from the encrypted URI request;
  • Step S23: decrypt the first character string to obtain the key field;
  • Step S24: replace the first character string in the encrypted URI with the key field, restoring the encrypted URI to the target URI.
  • After receiving the encrypted URI request, the receiving end extracts the first string, decrypts it with the inverse of the encryption algorithm, restores the encrypted URI to the original target URI, and responds according to the original target URI.
  • In step S23, decrypting the first character string to obtain the key field includes: decoding the first character string to obtain the encrypted key field; deriving the second serial number KEY2 from the predefined first serial number KEY1 by the predetermined algorithm; and decrypting the encrypted key field under KEY2.
  • When KEY2 was derived from KEY1 alone, the receiving end computes KEY2 by applying the predetermined algorithm to KEY1.
  • When the sending end derived KEY2 from KEY1 and a random value, the receiving end must first decode the second character string to obtain the random value, concatenate it with KEY1, and apply the predetermined algorithm to obtain the same KEY2.
  • Since the receiving end derives KEY2 from the predefined KEY1 by the same operation as the sending end, the KEY2 used for decryption is exactly the one used for encryption, and the encrypted key field can be decrypted.
  • In a further example: the strategy for extracting the key field is to take the whole string after the URI's domain name; the random value, denoted nonce, is generated by a random number generator and is the byte sequence [0x04, 0x08, 0x06, 0x07]; the predefined first serial number KEY1 is "test"; binary sequences are converted to strings in hexadecimal notation; and the predetermined algorithm is to compute the MD5 hash of KEY1 concatenated with the nonce. The original URI is:
  • The sending end can be a client or a server. Before sending the above URI, it first generates the encrypted URI.
  • The key field extracted by the sender is /doc/2019/readme.txt.
  • new_path, the hex-encoded encrypted key field, is 7a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088 (72 hex characters, i.e. 36 bytes: the 20-byte ciphertext of /doc/2019/readme.txt followed by the 16-byte GCM authentication tag).
  • The encrypted URI is:
  • Decrypting with AES-128-GCM recovers the key field /doc/2019/readme.txt.
  • Both the client and the server can encrypt the URIs they send, to prevent hijacking by an intermediary, protect privacy, and secure the system.
  • After the dispatch server receives the client's original URI request or encrypted URI request, it generates a 302 response according to the dispatch policy.
  • The original redirect URI is:
  • new_nonce is the encoding of the random number.
  • new_path is the encryption of the key field.
  • When the dispatch server constructs the encrypted URI, it can also insert a specific field (diaodu) into it according to its own settings:
  • The dispatch server can thus encrypt the URI of the target business server and hide the business server's real address, so that the address is not exposed if the response is hijacked, which protects the dispatch policy and improves the security of the business server.
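As an added worked example (not code from the patent or its assignee), the following Go program implements the sender and receiver steps described in the examples above for the embodiment with a random value: KEY2 = MD5(KEY1 || nonce), AES-128-GCM encryption of the key field, hexadecimal encoding of both the nonce (new_nonce) and the ciphertext (new_path), and the splice https://domain/diaodu/{new_nonce}{new_path}; the receiver parses the same layout, recomputes KEY2 and decrypts. It uses the patent's parameters (KEY1 "test", nonce [0x04, 0x08, 0x06, 0x07], key field /doc/2019/readme.txt, marker diaodu) and serves the dispatch-server 302 case as well, since the Location header of the redirect would carry the same Encrypt output. Several things the patent leaves open are assumptions here: the GCM IV (derived from the nonce with SHA-256, because the patent names no IV), the fixed byte length of the nonce (the receiver needs it to split new_nonce from new_path), the absence of associated data, and the Go type and function names (URICodec, Encrypt, Decrypt).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// URICodec holds the scheme parameters. Field names are this example's own.
type URICodec struct {
	Key1     string // pre-shared first serial number KEY1, e.g. "test"
	Marker   string // optional specific field inserted after the host, e.g. "diaodu"
	NonceLen int    // byte length of the random value; fixed so the receiver can split the path
}

// key2 derives the second serial number KEY2 = MD5(KEY1 || nonce), as in the
// patent's worked example. MD5 is used here only as a 16-byte derivation
// step that yields an AES-128 key; HKDF would be the modern choice.
func (c URICodec) key2(nonce []byte) []byte {
	h := md5.New()
	h.Write([]byte(c.Key1))
	h.Write(nonce)
	return h.Sum(nil)
}

// gcmIV is an assumption of this example: the patent does not say which IV
// AES-128-GCM uses. Deriving it from the nonce means (key, IV) repeat exactly
// when the nonce repeats, so the nonce must never repeat.
func gcmIV(nonce []byte) []byte {
	s := sha256.Sum256(nonce)
	return s[:12]
}

func (c URICodec) aead(nonce []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key2(nonce))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt builds scheme://host/[marker/]{new_nonce}{new_path} from the key
// field (everything after the host, e.g. "/doc/2019/readme.txt").
func (c URICodec) Encrypt(scheme, host, keyField string, nonce []byte) (string, error) {
	if len(nonce) != c.NonceLen {
		return "", errors.New("nonce length does not match NonceLen")
	}
	g, err := c.aead(nonce)
	if err != nil {
		return "", err
	}
	ct := g.Seal(nil, gcmIV(nonce), []byte(keyField), nil) // ciphertext || 16-byte tag
	var b strings.Builder
	fmt.Fprintf(&b, "%s://%s/", scheme, host)
	if c.Marker != "" {
		b.WriteString(c.Marker + "/")
	}
	b.WriteString(hex.EncodeToString(nonce)) // new_nonce
	b.WriteString(hex.EncodeToString(ct))    // new_path
	return b.String(), nil
}

// Decrypt restores the target URI, failing if the marker is missing, the
// encoding is malformed, or the GCM tag does not verify (tampering/wrong KEY1).
func (c URICodec) Decrypt(encURI string) (string, error) {
	i := strings.Index(encURI, "://")
	if i < 0 {
		return "", errors.New("no scheme")
	}
	rest := encURI[i+3:]
	slash := strings.Index(rest, "/")
	if slash < 0 {
		return "", errors.New("no path")
	}
	host, path := rest[:slash], rest[slash+1:]
	if c.Marker != "" {
		if !strings.HasPrefix(path, c.Marker+"/") {
			return "", errors.New("marker segment missing")
		}
		path = path[len(c.Marker)+1:]
	}
	nonceHex := 2 * c.NonceLen
	if len(path) < nonceHex {
		return "", errors.New("path too short for new_nonce")
	}
	nonce, err := hex.DecodeString(path[:nonceHex])
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(path[nonceHex:])
	if err != nil {
		return "", err
	}
	g, err := c.aead(nonce)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, gcmIV(nonce), ct, nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (tampered or wrong KEY1): %w", err)
	}
	return encURI[:i] + "://" + host + string(pt), nil
}

func main() {
	c := URICodec{Key1: "test", Marker: "diaodu", NonceLen: 4}
	enc, _ := c.Encrypt("https", "www.baidu.com", "/doc/2019/readme.txt", []byte{0x04, 0x08, 0x06, 0x07})
	fmt.Println(enc)
	dec, err := c.Decrypt(enc)
	fmt.Println(dec, err)
}
```

Running it shows two things worth checking. new_path is always 72 hex characters for this key field (20 bytes of ciphertext plus the 16-byte GCM tag), matching the length of the value in the patent's example, and flipping any hex digit makes Decrypt fail on the tag check instead of returning a garbled path. The random value is also the only thing that varies between requests: KEY2 and (in this example) the IV are both functions of KEY1 and the nonce, so a repeated nonce reuses the same key and IV under GCM, which is unsafe; a 4-byte nonce as in the patent's example is expected to repeat within about 2^16 requests by the birthday bound, so at least 12 bytes from crypto/rand are advisable. Nothing in the encrypted URI binds it to a particular client or time, so an intermediary that captures it can replay it unchanged, and any party holding KEY1 (a symmetric secret shared by every sender and receiver) can decrypt it.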
  • The URI construction method provided here is a method of encrypting and decrypting URIs.
  • The sending end encrypts the target URI and sends it to the receiving end.
  • After receiving the encrypted URI request, the receiving end decrypts the encrypted URI and restores the original target URI. This effectively prevents an intermediary that hijacks the request from obtaining the real access intent and private information.
  • Because a random value is added, even requests for the same resource produce different encrypted URIs, avoiding cache pollution by an intermediary.
  • Implementing the URI encryption method requires no complicated transformation of the existing server; only a simple encoding device and/or decryption device is added on the server or client side.
  • FIG. 3 is a block diagram of a URI construction device.
  • the URI construction device is applied to the sending end and includes: a key field extraction module 301, an encryption module 302, an encrypted URI generation module 303, and a sending module 304.
  • the key field extraction module 301 is configured to extract key fields in the target URI;
  • the encryption module 302 is configured to encrypt the key field, and the encrypted key field is encoded to generate a first character string;
  • the encrypted URI generating module 303 is configured to generate an encrypted URI based on the first character string
  • the sending module 304 is used to send the encrypted URI.
  • The first character string generated by the encryption module 302 is produced by: deriving the second serial number KEY2 from the predefined first serial number KEY1 by a predetermined algorithm; encrypting the key field under KEY2; and encoding the result.
  • Deriving KEY2 includes either computing it from KEY1 alone, or generating a random value by a random number generator or from a timestamp, concatenating it with KEY1, and computing KEY2 from the concatenation by the predetermined algorithm.
  • The encryption module 302 is also used to encode the random value into a second character string.
  • Generating the encrypted URI includes:
  • when KEY2 is computed from KEY1 alone, concatenating the first character string with the fields of the target URI that remain after the key field is extracted, according to preset rules, optionally inserting a specific field after concatenation, to form the encrypted URI;
  • when KEY2 is computed from the random value concatenated with KEY1, concatenating the first character string, the second character string and the remaining fields of the target URI according to preset rules, optionally inserting a specific field, to form the encrypted URI.
  • FIG. 4 is a block diagram of a URI construction device.
  • the URI construction device applied to the receiving end includes: a receiving module 401, a character string extraction module 402, a decryption module 403, and a restoration module 404.
  • the receiving module 401 is configured to receive encrypted URI requests
  • the character string extraction module 402 is configured to extract the first character string
  • the decryption module 403 is configured to decrypt the first character string to obtain key fields
  • the restoration module 404 is configured to replace the first encrypted character string in the encrypted URI with the key field, and restore the encrypted URI to the target URI.
  • The decryption module 403 decodes the first character string to obtain the encrypted key field, derives the second serial number KEY2 from the predefined first serial number KEY1 by the predetermined algorithm, and decrypts the encrypted key field under KEY2 to obtain the key field.
  • When KEY2 was derived from KEY1 alone, the decryption module computes KEY2 by applying the predetermined algorithm to KEY1.
  • When the request carries a second character string, the decryption module decodes it to obtain the random value, concatenates the random value with KEY1, and applies the predetermined algorithm to obtain KEY2.
  • Fig. 5 is a block diagram showing a computer device 500 for URI construction according to an exemplary embodiment.
  • The computer device 500 may be provided as a server.
  • the computer device 500 includes a processor 501, and the number of processors can be set to one or more as required.
  • the computer device 500 further includes a memory 502 for storing instructions executable by the processor 501, such as application programs.
  • the number of memories can be set to one or more as required.
  • the stored application programs can be one or more.
  • the processor 501 is configured to execute instructions to execute the URI construction method.
  • Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data, including but not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridge, magnetic tape, magnetic disk storage or other magnetic storage device, or any other medium that can store the desired information and be accessed by a computer.
  • Communication media usually carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • These computer program instructions can also be stored in a computer-readable memory that directs a computer or other programmable data processing equipment to operate in a specific manner, so that the instructions stored in that memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps is executed on it to produce computer-implemented processing; the instructions executed on the computer or other programmable equipment then provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • When the sending end sends a URI request, it encrypts the target URI and sends it to the receiving end. After receiving the encrypted URI request, the receiving end decrypts it and restores the original target URI. This effectively prevents an intermediary that hijacks the request from obtaining the real access intent and private information. Because a random value is added, requests for the same resource produce different encrypted URIs, avoiding cache pollution by an intermediary.

Abstract

The present disclosure relates to a URI construction method and apparatus, and a medium and a device. The URI construction method comprises: extracting a key field from a target URI; encrypting the key field, encoding the encrypted key field, and generating a first character string; generating an encrypted URI on the basis of the first character string; and sending the encrypted URI. The method can effectively prevent an intermediary from hijacking the request and exposing the access intent, thereby protecting the user's privacy; when used for scheduling, it can also hide the scheduling policy, thereby protecting the security of the scheduling system and the service server.

Description

一种URI构造方法、装置、介质及设备A URI construction method, device, medium and equipment
本申请要求在2019年12月27日提交中国专利局、申请号为201911372781.6、发明名称为“URI构造方法、装置、介质及设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office, the application number is 201911372781.6, and the title of the invention is "URI construction method, device, medium and equipment" on December 27, 2019, the entire content of which is incorporated herein by reference. Applying.
技术领域Technical field
本文涉及互联网技术,尤其涉及URI构造方法、装置、介质及设备。This article relates to Internet technology, especially to URI construction methods, devices, media and equipment.
背景技术Background technique
相关技术中,客户端HTTP访问请求,通常是明文的URL。在中间人劫持下,会完全暴露访问意图,从而导致进一步劫持或者暴露客户端隐私的记录。进一步地,如果服务端使用302等调度技术,重定向URL也是明文的,极易泄露调度策略。In related technologies, the client HTTP access request is usually a plain text URL. Under the hijacking of the middleman, the access intention will be completely exposed, leading to further hijacking or exposing the client's privacy records. Furthermore, if the server uses scheduling technology such as 302, the redirect URL is also in plain text, which can easily reveal the scheduling strategy.
发明内容Summary of the invention
以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this article. This summary is not intended to limit the scope of protection of the claims.
为克服相关技术中存在的问题,本文提供一种URI构造方法、装置、介质及设备。In order to overcome the problems in related technologies, this article provides a URI construction method, device, medium and equipment.
根据本文的第一方面,提供一种URI构造方法,应用于发送端,包括:According to the first aspect of this article, a URI construction method is provided, which is applied to the sender, including:
提取目标URI中的关键字段;Extract the key fields in the target URI;
对所述关键字段进行加密,加密的关键字段编码后生成第一字符串;Encrypt the key field, and encode the encrypted key field to generate a first character string;
基于所述第一字符串,生成加密URI;Generating an encrypted URI based on the first character string;
发送所述加密URI。Send the encrypted URI.
所述对所述关键字段进行加密,编码后生成第一字符串包括:The encrypting the key field and generating a first character string after encoding includes:
基于预先定义的第一序列号KEY1,按预定算法运算后得到第二序列号KEY2;Based on the pre-defined first serial number KEY1, the second serial number KEY2 is obtained after calculation according to a predetermined algorithm;
基于所述第二序列号KEY2,对所述关键字段进行加密运算,编码后生成第一字符串。Based on the second serial number KEY2, an encryption operation is performed on the key field, and a first character string is generated after encoding.
所述基于预先定义的第一序列号KEY1,按预定算法运算后得到第二序列号KEY2包括:The second sequence number KEY2 obtained after the operation according to a predetermined algorithm based on the pre-defined first sequence number KEY1 includes:
对所述第一序列号KEY1按预定算法计算,得到所述第二序列号KEY2;Calculate the first serial number KEY1 according to a predetermined algorithm to obtain the second serial number KEY2;
或者,通过随机数生成器或者时间戳生成随机数值,将所述随机数值与所述第一序列号KEY1拼接后,按预定算法计算,得到所述第二序列号KEY2。Alternatively, a random value is generated by a random number generator or a timestamp, and after the random value is spliced with the first serial number KEY1, it is calculated according to a predetermined algorithm to obtain the second serial number KEY2.
还包括:Also includes:
对所述随机数值编码后生成第二字符串;Generate a second character string after encoding the random value;
所述基于所述第一字符串,生成加密URI包括:The generating an encrypted URI based on the first character string includes:
当对所述第一序列号KEY1按预定算法运算,得到所述第二序列号KEY2时,将所述第一字符串与所述目标URI提取关键字段后剩余字段,按预设规则拼接或者按预设规则拼接后再插入特定字段,组成加密URI。When the first serial number KEY1 is calculated according to a predetermined algorithm to obtain the second serial number KEY2, the remaining fields after extracting the key fields from the first character string and the target URI are spliced according to preset rules or After splicing according to preset rules, specific fields are inserted to form an encrypted URI.
当将所述随机数值与所述第一序列号KEY1拼接后,按预定算法运算,得到所述第二序列号KEY2时,将所述第一字符串、所述第二字符串、所述目标URI提取关键字段后剩余字段,按预设规则拼接或者按预设规则拼接后再插入特定字段,组成加密URI。When the random value is spliced with the first serial number KEY1, and the second serial number KEY2 is obtained according to a predetermined algorithm, the first character string, the second character string, and the target After the URI extracts the key fields, the remaining fields are spliced according to preset rules or specific fields are inserted after splicing according to preset rules to form an encrypted URI.
Applied at the receiving end, the method includes:
receiving an encrypted URI request;
extracting the first character string from the encrypted URI request;
decrypting the first character string to obtain the key field;
replacing the first character string in the encrypted URI with the key field, thereby restoring the encrypted URI to the target URI.
Decrypting the first character string to obtain the key field includes:
decoding the first character string to obtain the encrypted key field;
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
decrypting the encrypted key field with the second serial number KEY2 to obtain the key field.
When the encrypted URI request includes both a first character string and a second character string, computing the second serial number KEY2 from the predefined first serial number KEY1 includes: decoding the second character string to obtain the random value, concatenating the random value with the first serial number KEY1, and computing the second serial number KEY2 from the result with the predetermined algorithm.
According to another aspect of this document, a URI construction apparatus applied at the sending end is provided, including:
a key field extraction module, configured to extract the key field from the target URI;
an encryption module, configured to encrypt the key field and encode the encrypted key field to generate a first character string;
an encrypted URI generation module, configured to generate an encrypted URI based on the first character string;
a sending module, configured to send the encrypted URI.
The encryption module generating the first character string includes:
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
encrypting the key field with the second serial number KEY2 and encoding the result to generate the first character string.
Computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes:
computing the second serial number KEY2 from the first serial number KEY1 with the predetermined algorithm;
or generating a random value with a random number generator or from a timestamp, concatenating the random value with the first serial number KEY1, and computing the second serial number KEY2 from the result with the predetermined algorithm.
The encryption module is further configured to encode the random value to generate a second character string;
Generating the encrypted URI based on the first character string includes:
when the second serial number KEY2 was computed from the first serial number KEY1 alone, concatenating the first character string with the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI;
when the second serial number KEY2 was computed from the random value concatenated with the first serial number KEY1, concatenating the first character string, the second character string and the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI.
A URI construction apparatus applied at the receiving end includes:
a receiving module, configured to receive an encrypted URI request;
a character string extraction module, configured to extract the first character string;
a decryption module, configured to decrypt the first character string to obtain the key field;
a restoration module, configured to replace the first encrypted character string in the encrypted URI with the key field, thereby restoring the encrypted URI to the target URI.
Decrypting the first character string to obtain the original key field includes:
decoding the first character string to obtain the encrypted key field;
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
decrypting the encrypted key field with the second serial number KEY2 to obtain the key field.
When the encrypted URI request includes only a first character string, computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes: computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
when the encrypted URI request includes both a first character string and a second character string, computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes: decoding the second character string to obtain the random value, concatenating the random value with the first serial number KEY1, and computing the second serial number KEY2 from the result with the predetermined algorithm.
According to another aspect of this document, a computer-readable storage medium is provided on which a computer program is stored; when the computer program is executed, the steps of the URI construction method are carried out.
According to another aspect of this document, a computer device is provided, including a processor, a memory and a computer program stored in the memory; when the processor executes the computer program, the steps of the URI construction method are carried out.
With the URI construction method of this document, the sending end encrypts the target URI and sends it to the receiving end; after receiving the encrypted URI request, the receiving end decrypts the encrypted URI and restores the original target URI. This effectively prevents an intermediary that hijacks the traffic from learning the real access intent and private information. At the same time, because a random value is added, different encrypted URIs are produced even when the same resource is fetched, which avoids cache pollution by an intermediary hijacker. Implementing the URI encryption method of this document requires no complex modification of existing servers: it is enough to deploy a simple encoding apparatus and/or decryption apparatus on the server side or the client side.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit this document.
Description of the drawings
The drawings described here provide a further understanding of the embodiments of the present invention and form part of this application; the schematic embodiments of the present invention and their descriptions serve to explain the embodiments and do not constitute an improper limitation of them. In the drawings:
Fig. 1 is a flowchart of a URI construction method according to an exemplary embodiment.
Fig. 2 is a flowchart of a URI construction method according to an exemplary embodiment.
Fig. 3 is a block diagram of a URI construction apparatus according to an exemplary embodiment.
Fig. 4 is a block diagram of a URI construction apparatus according to an exemplary embodiment.
Fig. 5 is a block diagram of a computer device according to an exemplary embodiment.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of this document clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are only some, not all, of the embodiments of this document. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments herein without creative effort fall within the scope of protection of this document. It should be noted that, where there is no conflict, the embodiments in this application and the features within them may be combined with one another arbitrarily.
Fig. 1 is a flowchart of the URI construction method. As shown in Fig. 1, the URI construction method is applied at the sending end and includes:
Step S11: extract the key field from the target URI;
Step S12: encrypt the key field and encode the encrypted key field to generate a first character string;
Step S13: generate an encrypted URI based on the first character string;
Step S14: send the encrypted URI.
To prevent hijacking by an intermediary, the sending end encrypts the key field of the target URI to be sent and sends the encrypted URI. The request sent by the client is then no longer a plaintext URI, and neither is the scheduling information sent by the server, which effectively prevents hijacking in transit. The key field is chosen according to the actual situation; it may be the name of the target file to be accessed or the entire path of the file, so that the access intent is hidden.
In an embodiment, in step S12, encrypting the key field and encoding it to generate the first character string includes:
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
encrypting the key field with the second serial number KEY2 and encoding the result to generate the first character string.
In the URI construction method of this document, so that the encrypted URI sent by the sending end can be parsed, the first serial number must be defined in advance and the predetermined algorithm agreed upon. The sender computes the second serial number KEY2 from the first serial number KEY1 with the predetermined algorithm and uses KEY2 to encrypt the extracted key field. The decrypting side likewise computes the second serial number KEY2 from the first serial number KEY1 with the same predetermined algorithm and uses KEY2 to apply the inverse operation to the encrypted key field, decrypting it. The predetermined algorithm in this document may be any algorithm, for example computing a hash value or concatenating a specific character string; its purpose is that the sending end and the receiving end each derive the second serial number KEY2 from the predefined first serial number and use the same KEY2 for encryption or decryption.
After the sending end encrypts the key field with the second serial number, the first character string is generated.
For example, the original URI is http://www.baidu.com/doc/2019/readme.txt
The client first determines the key field according to its access intent; in this embodiment, the key field is /doc/2019/readme.txt;
the predefined first serial number KEY1 is test;
applying the predetermined algorithm to ['t','e','s','t'] yields the second serial number key2.
The key field is encrypted with the preset encryption algorithm fn(key2, path), where path is the key field, in this embodiment /doc/2019/readme.txt; the encrypted key field is then hex-encoded as:
7a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088
Following the sequential concatenation rule, a new URI is formed:
http://www.baidu.com/7a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088
In this way, even if the access request is hijacked, the hijacker cannot learn the specific content of the request, and the client's private information is protected.
In an embodiment, computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes:
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
In the encryption process above for the original URI http://www.baidu.com/doc/2019/readme.txt, encrypting in this manner may cause identical URI requests from different clients to be identical after encryption as well. Therefore the URI construction method of this document also provides the following: a random value is generated with a random number generator or from a timestamp, concatenated with the first serial number KEY1, and the second serial number KEY2 is computed from the result with the predetermined algorithm. The second serial number KEY2 used for encryption and decryption is thus generated from the sending end's random value and the first serial number KEY1; different sending ends generate different KEY2 values, so the encrypted requests sent by different sending ends are all unique, which further reduces the possibility of hijacking and tampering in transit.
The URI construction method of this document further includes encoding the random value to generate a second character string;
when the second serial number KEY2 was computed from the first serial number KEY1 by the predefined rule, the first character string and the fields of the target URI that remain after the key field is extracted are concatenated according to a preset rule, or concatenated according to the preset rule and then a specific field is inserted, to form the encrypted URI;
when the second serial number KEY2 was computed by the predefined rule from the random value concatenated with the first serial number KEY1, the first character string, the second character string and the fields of the target URI that remain after the key field is extracted are concatenated according to a preset rule, or concatenated according to the preset rule and then a specific field is inserted, to form the encrypted URI. If the second serial number KEY2 used to encrypt the key field was computed from the first serial number KEY1 and a random value, then, so that the receiving end can compute KEY2 from KEY1, the second character string must also be sent to the receiving end; the receiving end recovers the random value from the second character string by the inverse of the preset algorithm.
Because the second character string is generated from a machine random number or a timestamp, the encrypted request differs even when the same user accesses the same content.
At the same time, different usage scenarios lead to different ways of constructing the encrypted URI. For example, when the client sends an encrypted URI request, the first character string {new_path}, the second character string {new_nonce} (if any) and the fields of the target URI remaining after key field extraction are simply concatenated according to the preset rule, for example https://domain{new_nonce}{new_path}. In some special scenarios, such as scheduling, a specific field is also inserted in addition to concatenation by the preset rule, for example https://domain/diaodu/{new_nonce}{new_path}: after the first character string and the second character string are concatenated with domain, the specific field diaodu is inserted, so that the receiving end knows it has received a scheduled URI.
Fig. 2 is a flowchart of the URI construction method. As shown in Fig. 2, the URI construction method is applied at the receiving end and includes:
Step S21: receive an encrypted URI request;
Step S22: extract the first character string from the encrypted URI request;
Step S23: decrypt the first character string to obtain the key field;
Step S24: replace the first encrypted character string in the encrypted URI with the key field, restoring the encrypted URI to the target URI.
After receiving the encrypted URI request, the receiver extracts the first character string and decrypts it with the inverse of the encryption algorithm, thereby restoring the encrypted URI to the original target URI, and then responds according to the original target URI.
In an embodiment, decrypting the first character string to obtain the key field in step S23 includes:
decoding the first character string to obtain the encrypted key field;
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
decrypting the encrypted key field with the second serial number KEY2 to obtain the key field.
When the encrypted URI request includes only a first character string, computing the second serial number KEY2 from the predefined first serial number KEY1 includes: computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm. In this case the receiving end only needs to apply the predetermined algorithm to the preset first serial number KEY1 to compute the second serial number KEY2.
When the encrypted URI request includes both a first character string and a second character string, computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes: decoding the second character string to obtain the random value, concatenating the random value with the first serial number KEY1, and computing the second serial number KEY2 from the result with the predetermined algorithm. If the sending end computed the second serial number KEY2 from the first serial number and the random value, then the receiving end, in order to obtain the same KEY2, must first decode the second character string to obtain the corresponding random value and then compute from the first serial number and the random value, obtaining the same second serial number KEY2.
Thus, during decryption the receiver likewise derives the second serial number KEY2 from the predefined first serial number KEY1 by the same operation, which guarantees that it is identical to the second serial number KEY2 the sender used for encryption, so that the encrypted key field can be decrypted.
For a better understanding of the URI construction method in this document, examples follow:
Specific embodiment one:
Assume that the key field extraction strategy is to extract the whole string following the URI's domain name; that a random value, denoted nonce, is generated with a random number generator as the byte sequence [0x4,0x8,0x6,0x7]; that the predefined first serial number KEY1 is "test"; that byte sequences are converted to character strings in hexadecimal notation; that the predetermined algorithm is to concatenate the first serial number KEY1 with nonce and compute the MD5 hash; and that the original URI is:
http://www.baidu.com/doc/2019/readme.txt.
The sending end may be a client or a server; before sending the above URI it first generates the encrypted URI. The key field extracted by the sending end is /doc/2019/readme.txt.
First the random value nonce is concatenated with the first serial number KEY1, giving ['t','e','s','t',0x4,0x8,0x6,0x7]; the MD5 of this is computed, yielding the second serial number KEY2:
[0x94,0xa4,0x8b,0x86,0x99,'w',0xbe,0x88,0x17,0xff,0xc9,0x96,'E',0xe1,0xaa,0x1a]
Using, for example, the AES128_GCM encryption algorithm with the second serial number KEY2, the key field /doc/2019/readme.txt is encrypted; the result is [0x7a,0x0a,0x07,0x16,0x22,0xde,0xc2,0x11,0x8e,0xcc,0xc5,0xa4,0xb6,0xb1,0x11,0x0e,0x85,0xa3,0x98,0x9a,0xaf,0xd6,0x7e,0x59,0x4b,0x87,0xc4,0x6d,0x28,0xdd,0xe2,0xc8,0x90,0xb4,0xf0,0x88]
After hexadecimal encoding, the encrypted key field, denoted new_path, is 7a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088
The random value nonce, [0x4,0x8,0x6,0x7], is hex-encoded and denoted new_nonce; new_nonce is 04080607.
Following the sequential concatenation rule, the encrypted URI is formed:
the first character string and the second character string are concatenated and, together with the fields of the target URI remaining after key field extraction, form the encrypted URI http://www.baidu.com/[new_nonce][new_path].
That is, the encrypted URI is:
http://www.baidu.com/040806077a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088.
After the server receives the encrypted URI,
it extracts new_nonce as 04080607 and new_path as:
7a0a071622dec2118eccc5a4b6b1110e85a3989aafd67e594b87c46d28dde2c890b4f088
It hex-decodes new_nonce to [0x4,0x8,0x6,0x7] and hex-decodes new_path to:
[0x7a,0x0a,0x07,0x16,0x22,0xde,0xc2,0x11,0x8e,0xcc,0xc5,0xa4,0xb6,0xb1,0x11,0x0e,0x85,0xa3,0x98,0x9a,0xaf,0xd6,0x7e,0x59,0x4b,0x87,0xc4,0x6d,0x28,0xdd,0xe2,0xc8,0x90,0xb4,0xf0,0x88]
The random value nonce is concatenated with the first serial number KEY1, giving ['t','e','s','t',0x4,0x8,0x6,0x7]; the MD5 of this is computed, yielding the second serial number KEY2:
[0x94,0xa4,0x8b,0x86,0x99,'w',0xbe,0x88,0x17,0xff,0xc9,0x96,'E',0xe1,0xaa,0x1a]
Decrypting with AES128_GCM yields the key field /doc/2019/readme.txt.
The first encrypted character string in the encrypted URI is replaced with the key field and the second character string is removed, restoring the encrypted URI to the target URI http://www.baidu.com/doc/2019/readme.txt.
With the above method, both the client and the server can encrypt the URIs they send, preventing hijacking in transit, protecting privacy and keeping the system secure.
Specific embodiment two:
In the scheduling scenario, after the scheduling server receives the client's original URI request or encrypted URI request, it generates a 302 response according to the scheduling policy and must construct a redirect URI. For example, the original redirect response is:
HTTP/1.1 302 Found
Location: https://www.baidu.com/xxx
After encryption, the URI is reconstructed as an encrypted URI:
HTTP/1.1 302 Found
Location: https://www.baidu.com/{new_nonce}{new_path}
Here new_nonce is the result of encoding the random number and new_path is the result of encrypting the key field.
When constructing the encrypted URI, the scheduling server may also, according to its own configuration, insert a specific field (diaodu) into the encrypted URI above:
HTTP/1.1 302 Found
Location: https://www.baidu.com/diaodu/{new_nonce}{new_path}
The scheduling server can thus encrypt the URI of the target service server, hiding the service server's real address so that it is not exposed if the response is hijacked, thereby protecting the scheduling policy and improving the security of the service server.
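As an added worked example, not code from the patent or its applicant, the following Go program carries embodiment one and the inserted-field variant of embodiment two end to end: KEY2 = MD5(KEY1 || nonce), AES-128-GCM over the key field, hex encoding and concatenation at the sending end, and the inverse at the receiving end. Assumptions the page does not state: the GCM IV (fixed here at twelve zero bytes, which is acceptable only because every KEY2 is bound to a fresh nonce and used for one message), that the nonce length is agreed in advance (4 bytes as in the example), and that the receiving end treats any path segments in front of the final hex blob as inserted fields; the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DeriveKey2 is the page's predetermined algorithm: KEY2 = MD5(KEY1 || nonce).
// MD5 is used here because the page specifies it; it only mixes KEY1 and the
// nonce into a fixed 16-byte AES-128 key, so all secrecy rests on KEY1.
func DeriveKey2(key1 string, nonce []byte) []byte {
	sum := md5.Sum(append([]byte(key1), nonce...))
	return sum[:]
}

// gcmIV is an assumption (the page does not state the AES-GCM IV). A fixed IV is
// acceptable only because each KEY2 is bound to a fresh nonce and used for one
// message; the nonce-free variant KEY2 = f(KEY1) would reuse key and IV together.
var gcmIV = make([]byte, 12)

func newGCM(key2 []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key2)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptURI is the sending end (steps S11 to S14). The key field is everything
// after the host; it is encrypted with AES-128-GCM under KEY2, hex encoded and
// concatenated as scheme://host/[inserted/]hex(nonce)hex(ciphertext||tag).
// inserted is an optional marker segment such as "diaodu"; "" means none.
func EncryptURI(target, key1 string, nonce []byte, inserted string) (string, error) {
	u, err := url.Parse(target)
	if err != nil || u.Scheme == "" || u.Host == "" || u.Path == "" {
		return "", errors.New("target URI must be absolute and have a path")
	}
	keyField := u.RequestURI() // path plus query, e.g. /doc/2019/readme.txt
	aead, err := newGCM(DeriveKey2(key1, nonce))
	if err != nil {
		return "", err
	}
	ct := aead.Seal(nil, gcmIV, []byte(keyField), nil) // ciphertext || 16-byte tag
	prefix := u.Scheme + "://" + u.Host + "/"
	if inserted != "" {
		prefix += inserted + "/"
	}
	return prefix + hex.EncodeToString(nonce) + hex.EncodeToString(ct), nil
}

// DecryptURI is the receiving end (steps S21 to S24). nonceLen must be agreed in
// advance because hex(nonce) and hex(ciphertext) share one alphabet. Segments in
// front of the final blob are returned as the inserted fields, which is how the
// receiver recognises a scheduled URI. A wrong KEY1 or any change to the blob
// fails the GCM tag check, so the request is rejected instead of misrouted.
func DecryptURI(encrypted, key1 string, nonceLen int) (string, []string, error) {
	u, err := url.Parse(encrypted)
	if err != nil || u.Host == "" {
		return "", nil, errors.New("encrypted URI must be absolute")
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	blob, inserted := segs[len(segs)-1], segs[:len(segs)-1]
	raw, err := hex.DecodeString(blob)
	if err != nil {
		return "", nil, err
	}
	if len(raw) < nonceLen {
		return "", nil, errors.New("encrypted path shorter than the nonce")
	}
	nonce, ct := raw[:nonceLen], raw[nonceLen:]
	aead, err := newGCM(DeriveKey2(key1, nonce))
	if err != nil {
		return "", nil, err
	}
	keyField, err := aead.Open(nil, gcmIV, ct, nil)
	if err != nil {
		return "", nil, fmt.Errorf("key field rejected (wrong KEY1 or tampering): %w", err)
	}
	return u.Scheme + "://" + u.Host + string(keyField), inserted, nil
}

func main() {
	// Constructed inputs taken from the page's embodiment one: KEY1 "test", nonce 04080607.
	enc, err := EncryptURI("http://www.baidu.com/doc/2019/readme.txt", "test", []byte{4, 8, 6, 7}, "")
	if err != nil {
		panic(err)
	}
	dec, inserted, err := DecryptURI(enc, "test", 4)
	fmt.Println(enc, "\n->", dec, inserted, err)
}
```

The 36-byte output (20 bytes of ciphertext plus the 16-byte GCM tag) matches the length of the page's new_path; the exact bytes depend on the unstated IV, so they are not reproduced here.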
As the embodiments above show, the URI construction method of this document provides a way to encrypt and decrypt URIs: the sending end encrypts the target URI and sends it to the receiving end, and after receiving the encrypted URI request, the receiving end decrypts the encrypted URI and restores the original target URI. This effectively prevents an intermediary that hijacks the traffic from learning the real access intent and private information. At the same time, because a random value is added, different encrypted URIs are produced even for requests for the same resource, which avoids cache pollution by an intermediary hijacker. Implementing the URI encryption method of this document requires no complex modification of existing servers: it is enough to deploy a simple encoding apparatus and/or decryption apparatus on the server side or the client side.
Fig. 3 is a block diagram of a URI construction apparatus. Referring to Fig. 3, the URI construction apparatus is applied at the sending end and includes a key field extraction module 301, an encryption module 302, an encrypted URI generation module 303 and a sending module 304.
The key field extraction module 301 is configured to extract the key field from the target URI;
the encryption module 302 is configured to encrypt the key field and encode the encrypted key field to generate a first character string;
the encrypted URI generation module 303 is configured to generate an encrypted URI based on the first character string;
the sending module 304 is configured to send the encrypted URI.
The encryption module 302 generating the first character string includes:
computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm;
encrypting the key field with the second serial number KEY2 and encoding the result to generate the first character string.
Computing the second serial number KEY2 from the predefined first serial number KEY1 with the predetermined algorithm includes:
computing the second serial number KEY2 from the first serial number KEY1 with the predetermined algorithm;
or generating a random value with a random number generator or from a timestamp, concatenating the random value with the first serial number KEY1, and computing the second serial number KEY2 from the result with the predetermined algorithm.
The encryption module 302 is further configured to encode the random value to generate a second character string;
Generating the encrypted URI based on the first character string includes:
when the second serial number KEY2 was computed from the first serial number KEY1 alone, concatenating the first character string with the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI;
when the second serial number KEY2 was computed from the random value concatenated with the first serial number KEY1, concatenating the first character string, the second character string and the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI.
图4是一种URI构造装置的框图,参考图4,URI构造装置应用于接收端包括:接收模块401,字符串提取模块402,解密模块403,还原模块404。FIG. 4 is a block diagram of a URI construction device. Referring to FIG. 4, the URI construction device applied to the receiving end includes: a receiving module 401, a character string extraction module 402, a decryption module 403, and a restoration module 404.
该接收模块401被配置为用于接收加密URI请求;The receiving module 401 is configured to receive encrypted URI requests;
该字符串提取模块402被配置为用于提取所述第一字符串;The character string extraction module 402 is configured to extract the first character string;
该解密模块403被配置为用于对第一字符串解密获取关键字段;The decryption module 403 is configured to decrypt the first character string to obtain key fields;
该还原模块404被配置为用于使用关键字段替换加密URI中的第一加密字 符串,将加密URI还原为目标URI。The restoration module 404 is configured to replace the first encrypted character string in the encrypted URI with the key field, and restore the encrypted URI to the target URI.
对第一字符串解密,获取原始关键字段包括:Decrypt the first string to obtain the original key fields including:
对第一字符串解码,获得加密的关键字段;Decode the first character string to obtain the encrypted key field;
基于预先定义的第一序列号KEY1,按预定算法运算后得到第二序列号KEY2;Based on the pre-defined first serial number KEY1, the second serial number KEY2 is obtained after calculation according to a predetermined algorithm;
基于第二序列号KEY2,对加密的关键字段进行解密运算,获取关键字段。Based on the second serial number KEY2, the encrypted key field is decrypted to obtain the key field.
当加密URI请求只包括第一字符串时,基于预先定义的第一序列号KEY1,按预定算法运算后得到第二序列号KEY2包括:对预先定义的第一序列号KEY1按预定算法运算,得到第二序列号KEY2;When the encrypted URI request only includes the first character string, based on the pre-defined first serial number KEY1, the second serial number KEY2 is calculated according to the predetermined algorithm, including: the pre-defined first serial number KEY1 is calculated according to the predetermined algorithm to obtain The second serial number KEY2;
当加密URI请求包括第一字符串和第二字符串时,基于预先定义的第一序列号KEY1,按预定算法运算后得到第二序列号KEY2包括:对第二字符串解码后获得随机数值,将随机数值与第一序列号KEY1拼接后,按预定算法运算,得到所述第二序列号KEY2。When the encrypted URI request includes the first character string and the second character string, based on the pre-defined first serial number KEY1, the second serial number KEY2 obtained after calculation according to a predetermined algorithm includes: obtaining a random value after decoding the second character string, After the random value is spliced with the first serial number KEY1, it is calculated according to a predetermined algorithm to obtain the second serial number KEY2.
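The sending-end and receiving-end procedures above, worked through end to end in Python as an added example; this is constructed here and is not code from the patent or its assignee. The patent leaves the "predetermined algorithm", the encryption operation, the encoding and the "preset rule" open, so the choices below (KEY2 = SHA-256(random value || KEY1), an HMAC-SHA256 counter keystream as the cipher, URL-safe base64 as the encoding, a `/_enc/` path segment as the inserted specific field, and the placeholder KEY1) are this example's assumptions, and the integrity tag that lets the receiver reject a modified URI is an addition the patent does not describe.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Pre-defined first serial number KEY1 shared by both ends (constructed placeholder).
KEY1 = b"constructed-shared-secret-KEY1"
MARKER = "_enc"   # the "specific field" inserted into the encrypted URI (assumption)
TAG_LEN = 16      # truncated HMAC tag appended to the ciphertext (this example's addition)


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the string is safe inside a path segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key2(key1: bytes, random_value: bytes = b"") -> bytes:
    """KEY2 = SHA-256(random_value || KEY1). An empty random_value gives the
    KEY1-only variant; a nonce gives the concatenated variant of the patent."""
    return hashlib.sha256(random_value + key1).digest()


def _keystream(key2: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode serves as the "encryption operation" keyed by KEY2.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key2, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_key_field(key_field: str, key2: bytes) -> bytes:
    """Encrypt the key field under KEY2 and append a tag over the ciphertext."""
    plain = key_field.encode("utf-8")
    cipher = _xor(plain, _keystream(key2, len(plain)))
    tag = hmac.new(key2, cipher, hashlib.sha256).digest()[:TAG_LEN]
    return cipher + tag


def decrypt_key_field(blob: bytes, key2: bytes) -> str:
    """Verify the tag first; a modified first string or a wrong KEY2 is rejected."""
    cipher, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key2, cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted URI failed integrity check")
    return _xor(cipher, _keystream(key2, len(cipher))).decode("utf-8")


def build_encrypted_uri(target_uri: str, key1: bytes, use_random: bool = True) -> str:
    """Sending end. The key field is the path plus query of the target URI; the
    remaining fields (scheme and host) stay in the clear (assumption)."""
    parts = urlsplit(target_uri)
    key_field = parts.path + ("?" + parts.query if parts.query else "")
    random_value = secrets.token_bytes(8) if use_random else b""
    key2 = derive_key2(key1, random_value)
    first_string = _b64e(encrypt_key_field(key_field, key2))
    segments = [MARKER, first_string]
    if use_random:
        segments.append(_b64e(random_value))   # second character string
    return f"{parts.scheme}://{parts.netloc}/" + "/".join(segments)


def restore_target_uri(encrypted_uri: str, key1: bytes) -> str:
    """Receiving end: extract the first (and optional second) string, rebuild
    KEY2, decrypt, and put the key field back in place of the encrypted strings."""
    parts = urlsplit(encrypted_uri)
    segments = parts.path.strip("/").split("/")
    if len(segments) not in (2, 3) or segments[0] != MARKER:
        raise ValueError("not an encrypted URI")
    random_value = _b64d(segments[2]) if len(segments) == 3 else b""
    key2 = derive_key2(key1, random_value)
    key_field = decrypt_key_field(_b64d(segments[1]), key2)
    return f"{parts.scheme}://{parts.netloc}{key_field}"


if __name__ == "__main__":
    target = "https://cdn.example.test/video/1234/seg-07.ts?token=abc"  # constructed
    enc_a = build_encrypted_uri(target, KEY1)
    enc_b = build_encrypted_uri(target, KEY1)   # differs from enc_a: fresh random value
    print(enc_a)
    print(enc_b)
    print(restore_target_uri(enc_a, KEY1) == target)
```

Two requests for the same resource yield different encrypted URIs because the second string carries a fresh random value, which is the property the text relies on against cache pollution; with `use_random=False` the KEY1-only variant is deterministic.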
Regarding the devices in the foregoing embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and will not be elaborated here.
FIG. 5 is a block diagram of a computer device 500 for URI construction according to an exemplary embodiment. For example, the computer device 500 may be provided as a server. Referring to FIG. 5, the computer device 500 includes a processor 501; the number of processors may be set to one or more as required. The computer device 500 further includes a memory 502 for storing instructions executable by the processor 501, such as application programs. The number of memories may be set to one or more as required, and the stored application programs may be one or more. The processor 501 is configured to execute the instructions to perform the URI construction method.
Those skilled in the art should understand that the embodiments herein may be provided as a method, a device (apparatus), or a computer program product. Therefore, this document may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this document may take the form of a computer program product implemented on one or more computer-usable storage media containing computer-usable program code. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data, including but not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
This document is described with reference to flowcharts and/or block diagrams of methods, devices (apparatus) and computer program products according to the embodiments herein. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In this document, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that an article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such an article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of additional identical elements in the article or device that includes the element.
Although preferred embodiments herein have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of this document.
Obviously, those skilled in the art can make various changes and variations to this document without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims herein and their technical equivalents, this document is intended to include them as well.
Industrial applicability
When the sender sends a URI request, it encrypts the target URI and sends it to the receiver; after receiving the encrypted URI request, the receiver decrypts the encrypted URI and restores it to the original target URI. This effectively prevents a hijacker in the middle from learning the real access intent and private information. At the same time, because a random value is added, even fetches of the same resource produce different encrypted URIs, which avoids cache pollution by a hijacker in the middle.

Claims (16)

  1. A URI construction method, applied at a sending end, characterized in that it includes:
    extracting a key field from a target URI;
    encrypting the key field and encoding the encrypted key field to generate a first character string;
    generating an encrypted URI based on the first character string;
    sending the encrypted URI.
  2. The URI construction method according to claim 1, characterized in that encrypting the key field and encoding it to generate the first character string includes:
    based on a pre-defined first serial number KEY1, computing a second serial number KEY2 according to a predetermined algorithm;
    based on the second serial number KEY2, performing an encryption operation on the key field and encoding the result to generate the first character string.
  3. The URI construction method according to claim 2, characterized in that computing the second serial number KEY2 from the pre-defined first serial number KEY1 according to the predetermined algorithm includes:
    computing the first serial number KEY1 according to the predetermined algorithm to obtain the second serial number KEY2;
    or, generating a random value by a random number generator or a timestamp, concatenating the random value with the first serial number KEY1, and computing the result according to the predetermined algorithm to obtain the second serial number KEY2.
  4. The URI construction method according to claim 3, characterized in that it further includes:
    encoding the random value to generate a second character string;
    generating the encrypted URI based on the first character string includes:
    when the second serial number KEY2 is obtained by computing the first serial number KEY1 according to the predetermined algorithm, concatenating the first character string with the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI;
    when the second serial number KEY2 is obtained by concatenating the random value with the first serial number KEY1 and computing the result according to the predetermined algorithm, concatenating the first character string, the second character string and the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI.
  5. A URI construction method, applied at a receiving end, characterized in that it includes:
    receiving an encrypted URI request;
    extracting a first character string from the encrypted URI request;
    decrypting the first character string to obtain a key field;
    replacing the first character string in the encrypted URI with the key field to restore the encrypted URI to a target URI.
  6. The URI construction method according to claim 5, characterized in that decrypting the first character string to obtain the key field includes:
    decoding the first character string to obtain an encrypted key field;
    based on a pre-defined first serial number KEY1, computing a second serial number KEY2 according to a predetermined algorithm;
    based on the second serial number KEY2, performing a decryption operation on the encrypted key field to obtain the key field.
  7. The URI construction method according to claim 6, characterized in that
    when the encrypted URI request includes the first character string and a second character string, computing the second serial number KEY2 from the pre-defined first serial number KEY1 includes: decoding the second character string to obtain a random value, concatenating the random value with the first serial number KEY1, and computing the result according to the predetermined algorithm to obtain the second serial number KEY2.
  8. A URI construction device, applied at a sending end, characterized in that it includes:
    a key field extraction module, configured to extract a key field from a target URI;
    an encryption module, configured to encrypt the key field and encode the encrypted key field to generate a first character string;
    an encrypted URI generation module, configured to generate an encrypted URI based on the first character string;
    a sending module, configured to send the encrypted URI.
  9. The URI construction device according to claim 8, characterized in that the encryption module generating the first character string includes:
    based on a pre-defined first serial number KEY1, computing a second serial number KEY2 according to a predetermined algorithm;
    based on the second serial number KEY2, performing an encryption operation on the key field and encoding the result to generate the first character string.
  10. The URI construction device according to claim 9, characterized in that computing the second serial number KEY2 from the pre-defined first serial number KEY1 according to the predetermined algorithm includes:
    computing the first serial number KEY1 according to the predetermined algorithm to obtain the second serial number KEY2;
    or, generating a random value by a random number generator or a timestamp, concatenating the random value with the first serial number KEY1, and computing the result according to the predetermined algorithm to obtain the second serial number KEY2.
  11. The URI construction device according to claim 9, characterized in that:
    the encryption module is further configured to encode the random value to generate a second character string;
    generating the encrypted URI based on the first character string includes:
    when the second serial number KEY2 is obtained by computing the first serial number KEY1 according to the predetermined algorithm, concatenating the first character string with the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI;
    when the second serial number KEY2 is obtained by concatenating the random value with the first serial number KEY1 and computing the result according to the predetermined algorithm, concatenating the first character string, the second character string and the fields of the target URI that remain after the key field is extracted, according to a preset rule, or concatenating them according to the preset rule and then inserting a specific field, to form the encrypted URI.
  12. A URI construction device, applied at a receiving end, characterized in that it includes:
    a receiving module, configured to receive an encrypted URI request;
    a character string extraction module, configured to extract the first character string;
    a decryption module, configured to decrypt the first character string to obtain a key field;
    a restoration module, configured to replace the first encrypted character string in the encrypted URI with the key field to restore the encrypted URI to a target URI.
  13. The URI construction device according to claim 12, characterized in that decrypting the first character string to obtain the original key field includes:
    decoding the first character string to obtain an encrypted key field;
    based on a pre-defined first serial number KEY1, computing a second serial number KEY2 according to a predetermined algorithm;
    based on the second serial number KEY2, performing a decryption operation on the encrypted key field to obtain the key field.
  14. The URI construction device according to claim 13, characterized in that when the encrypted URI request includes only the first character string, computing the second serial number KEY2 from the pre-defined first serial number KEY1 according to the predetermined algorithm includes: computing the pre-defined first serial number KEY1 according to the predetermined algorithm to obtain the second serial number KEY2;
    when the encrypted URI request includes the first character string and a second character string, computing the second serial number KEY2 from the pre-defined first serial number KEY1 according to the predetermined algorithm includes: decoding the second character string to obtain a random value, concatenating the random value with the first serial number KEY1, and computing the result according to the predetermined algorithm to obtain the second serial number KEY2.
  15. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed, the steps of the method according to any one of claims 1 to 7 are implemented.
  16. A computer device, including a processor, a memory, and a computer program stored in the memory, characterized in that, when the processor executes the computer program, the steps of the method according to any one of claims 1 to 7 are implemented.
PCT/CN2020/138676 2019-12-27 2020-12-23 Uri construction method and apparatus, and medium and device WO2021129676A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911372781.6A CN113055343B (en) 2019-12-27 2019-12-27 URI construction method, device, medium and equipment
CN201911372781.6 2019-12-27

Publications (1)

Publication Number Publication Date
WO2021129676A1 true WO2021129676A1 (en) 2021-07-01

Family

ID=76506042

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/138676 WO2021129676A1 (en) 2019-12-27 2020-12-23 Uri construction method and apparatus, and medium and device

Country Status (2)

Country Link
CN (1) CN113055343B (en)
WO (1) WO2021129676A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785505A (en) * 2022-06-22 2022-07-22 中科雨辰科技有限公司 Data processing system for acquiring abnormal equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777090A (en) * 2004-11-18 2006-05-24 国际商业机器公司 Stateless methods for resource hiding and access control support
JP2006216002A (en) * 2005-02-02 2006-08-17 Foward Network:Kk Url security system
CN103701761A (en) * 2012-09-28 2014-04-02 中国电信股份有限公司 Authentication method for invoking open interface and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104009989B (en) * 2014-05-22 2018-02-16 Tcl集团股份有限公司 A kind of anti-stealing link method of media file, system and server
CN108737442B (en) * 2018-06-12 2019-05-10 北京多采多宜网络科技有限公司 A kind of cryptographic check processing method
CN109547201B (en) * 2018-12-14 2023-04-14 平安科技(深圳)有限公司 Encryption method of root key, computer readable storage medium and terminal equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785505A (en) * 2022-06-22 2022-07-22 中科雨辰科技有限公司 Data processing system for acquiring abnormal equipment
CN114785505B (en) * 2022-06-22 2022-08-23 中科雨辰科技有限公司 Data processing system for acquiring abnormal equipment

Also Published As

Publication number Publication date
CN113055343B (en) 2023-04-28
CN113055343A (en) 2021-06-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20907303

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20907303

Country of ref document: EP

Kind code of ref document: A1