CN104980449A - Network request security certification method and system - Google Patents

Info

Publication number
CN104980449A
Authority
CN
China
Prior art keywords
security
user
token
service end
user side
Legal status
Granted
Application number
CN201510481542.XA
Other languages
Chinese (zh)
Other versions
CN104980449B (en)
Inventor
吴鹏越
张晓媛
杨琪
Current Assignee
Ctrip Travel Network Technology Shanghai Co Ltd
Original Assignee
Ctrip Computer Technology Shanghai Co Ltd
Application filed by Ctrip Computer Technology Shanghai Co Ltd
Priority to CN201510481542.XA
Publication of CN104980449A
Application granted
Publication of CN104980449B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Abstract

The invention discloses a network request security authentication method and system. The method comprises the following steps: the client sends a formal request; a security token is generated with a security algorithm from the uid, the password and a random token generated by the server; the uid and the security token are sent to the server; the server retrieves the user's record, and if no record exists, authentication fails; the server judges whether the expiration time has passed and/or whether the remaining number of uses is less than or equal to zero, and if either judgement is positive, it deletes the user information it recorded and authentication fails, otherwise it continues; the server computes a reference token with the same security algorithm, compares it with the security token, and authentication succeeds if they match. With this method and system, a user's request can be answered while an attacker's request is rejected; a security level can be set according to the security situation, and security can be balanced against execution speed and efficiency.

Description

Network request security authentication method and system
Technical field
The present invention relates to the security authentication of network requests, and in particular to a security authentication method and system for network requests.
Background technology
The mainstream security authentication mechanisms used in current networks fall into two classes: symmetric encryption, in which both parties agree on an encryption algorithm and a shared key; and asymmetric encryption, in which the public key and the algorithm are public while the private key stays private. Both of these mainstream mechanisms have shortcomings. When the client code may be cracked (exposing the encryption algorithm) and client communications may be monitored, symmetric encryption is not secure enough and its key is hard to change, so its security risk is hard to eliminate. Asymmetric encryption is more secure than symmetric encryption but still has deficiencies, and its execution speed is slow.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of prior-art security authentication mechanisms for network requests, namely insufficient security, susceptibility to attack, slow execution and low efficiency, by providing a security authentication method and system for network requests.
The present invention solves the above technical problem by the following technical solution:
A security authentication method for network requests, characterized by comprising the following steps:
Step 1: the client judges whether the logged-in user is logging in for the first time; if so, go to step 3, otherwise go to step 2;
Step 2: the client judges whether it holds a security token (secure token) satisfying a first condition; if so, go to step 6, otherwise go to step 3. The first condition is that the security token is within its timeout, within the preset number of uses, or both within its timeout and within the preset number of uses;
Step 3: the client sends the logged-in user's identity credential (uid) to the server;
Step 4: the server generates a random token and records the uid as a first record value (usually also called the key), the preset number of uses as the remaining number of uses, the time the uid was sent plus a first preset duration as the expiry time, and the random token; it then returns the random token and prompts the client to send the formal request;
Step 5: the client uses a preset security algorithm to generate a security token from the uid, the user's password and the random token;
Step 6: the client sends the uid and the security token to the server;
Step 7: the server retrieves the random token recorded for this user together with the remaining number of uses and/or the expiry time; if there is no record, it returns an authentication failure and the process returns to step 3;
Step 8: the server judges whether the current time has exceeded the expiry time and/or whether the remaining number of uses is less than or equal to zero; if either judgement is positive, it deletes the information recorded for this user, returns an authentication failure to the client and stops the security authentication process; otherwise go to step 9;
Step 9: the server uses the same security algorithm to compute a reference token from the recorded first record value (the uid), the user's password and the random token, and judges whether the reference token is identical to the security token sent by the client; if so, the verification succeeds, otherwise go to step 10;
Step 10: the server blocks the client's MAC address (physical address) for a preset blocking duration.
The computation used in the security verification of the present invention is irreversible: even if an attacker intercepts or steals the cryptographic algorithm and the security token, the user's password cannot be recovered from them. Moreover, the server only needs to run the security algorithm once, for example the Secure Hash Algorithm of the preferred scheme below, so the whole security verification has a low computational load and very high efficiency.
Preferably, the preset security algorithm is a Secure Hash Algorithm, commonly called an SHA algorithm.
A Secure Hash Algorithm digests input information (such as a message). The digest procedure has the following properties: different inputs do not have the same fingerprint; inputs that are close to each other produce digests that differ greatly; and it is computationally very hard to produce an input having the same fingerprint as a given input. This means the algorithm is irreversible, which effectively prevents the security algorithm from being reversed and cracked.
Preferably, the preset security algorithm also includes encrypting the user's password. It is easy to see that encrypting the user's password is only a small part of the security algorithm; the encrypted password together with the other information is then used as input to the complete computation of the security algorithm as a whole.
Preferably, the user's password is encrypted (hashed) with the MD5 algorithm within the preset security algorithm.
Preferably, after the server verifies successfully, it responds to the formal request sent by the client.
Those of ordinary skill in the art will readily recognize that the response depends on the application environment and on the type and purpose of the request.
Preferably, step 10 further includes the server adding the client's MAC address to a blacklist and issuing a network attack warning, so that the operator or owner of the server (for example an Internet service provider) can respond to network attacks more proactively and effectively.
The present invention also provides a security authentication system for network requests, comprising a server and a client, where the client and the server carry out the security verification of network requests by performing the security verification method described above.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain preferred embodiments of the present invention.
The positive effects of the present invention are:
The security authentication method and system for network requests of the present invention can respond to a user's requests while rejecting an attacker's requests, can set a security level according to the security situation, execute very efficiently, and strike a balance between security and execution speed and efficiency.
Brief description of the drawings
Fig. 1 is a flowchart of the security authentication method for network requests of Embodiment 1 of the present invention.
Detailed description
The present invention is further illustrated below by embodiments, which do not limit the present invention to the scope of the described embodiments.
Embodiment 1
As shown in Fig. 1, the security authentication method for network requests of this embodiment comprises the following steps:
Step 1: the client judges whether the logged-in user is logging in for the first time; if so, go to step 3, otherwise go to step 2;
Step 2: the client judges whether it holds a security token (secure token) satisfying a first condition; if so, go to step 6, otherwise go to step 3. The first condition is that the security token is within its timeout, within the preset number of uses, or both within its timeout and within the preset number of uses;
Step 3: the client sends the logged-in user's identity credential (uid) to the server;
Step 4: the server generates a random token and records the uid as a first record value (usually also called the key), the preset number of uses as the remaining number of uses, the time the uid was sent plus a first preset duration as the expiry time, and the random token; it then returns the random token and prompts the client to send the formal request;
Step 5: the client uses a preset security algorithm to generate a security token from the uid, the user's password and the random token;
Step 6: the client sends the uid and the security token to the server;
Step 7: the server retrieves the random token recorded for this user together with the remaining number of uses and/or the expiry time; if there is no record, it returns an authentication failure and the process returns to step 3;
Step 8: the server judges whether the current time has exceeded the expiry time and/or whether the remaining number of uses is less than or equal to zero; if either judgement is positive, it deletes the information recorded for this user, returns an authentication failure to the client and stops the security authentication process; otherwise go to step 9;
Step 9: the server uses the same security algorithm to compute a reference token from the recorded first record value (the uid), the user's password and the random token, and judges whether the reference token is identical to the security token sent by the client; if so, the verification succeeds, otherwise go to step 10;
Step 10: the server blocks the client's MAC address (physical address) for a preset blocking duration, adds the client's MAC address to a blacklist, and issues a network attack warning.
Here the security algorithm is a Secure Hash Algorithm (SHA), and within it the user's password is encrypted (hashed) with the MD5 algorithm. After the server verifies successfully, it responds to the formal request sent by the client.
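As an added worked example (not code from the patent or from Ctrip), the following Python sketch runs the ten steps of Embodiment 1 end to end, with client and server in one process. The digest layout (SHA-256 over the uid, the MD5 of the password and the random token), the field names, the timing constants, the sample user and the MAC addresses are all assumptions; the patent names only SHA and MD5. A manual clock stands in for wall time so that the expiry branch of step 8 can be exercised deterministically.

```python
"""Added example of the patent's 10-step flow; constants and layout are assumptions."""
import hashlib
import hmac
import secrets

PRESET_ACCESS_COUNT = 3   # "preset number of uses" (assumed value)
TOKEN_LIFETIME = 300      # "first preset duration", seconds (assumed value)
BLOCK_DURATION = 600      # "blocking duration", seconds (assumed value)


class Clock:
    """Manual clock so expiry can be driven from the scenario."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def now(self):
        return self.t


def security_algorithm(uid, password, random_token):
    """Preset security algorithm: SHA over (uid, MD5(password), random token).
    The patent does not fix the digest width or field layout; SHA-256 and
    ':'-separated fields are this example's choice."""
    pw = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256(f"{uid}:{pw}:{random_token}".encode()).hexdigest()


class Server:
    def __init__(self, passwords, clock):
        self.passwords = passwords   # uid -> password known to the server (constructed)
        self.records = {}            # uid -> {key, remaining, expires_at, random_token}
        self.blocked = {}            # client MAC -> time the block lifts
        self.blacklist = set()
        self.alerts = []
        self.clock = clock

    def issue_random_token(self, uid):
        """Step 4: record key, remaining uses, expiry and a fresh random token."""
        random_token = secrets.token_hex(16)
        self.records[uid] = {"key": uid, "remaining": PRESET_ACCESS_COUNT,
                             "expires_at": self.clock.now() + TOKEN_LIFETIME,
                             "random_token": random_token}
        return random_token

    def verify(self, uid, security_token, mac):
        """Steps 7 to 10; returns a short status string."""
        if self.blocked.get(mac, 0) > self.clock.now():
            return "blocked"
        rec = self.records.get(uid)
        if rec is None:                                                  # step 7
            return "no_record"
        if self.clock.now() > rec["expires_at"] or rec["remaining"] <= 0:  # step 8
            del self.records[uid]
            return "expired"
        rec["remaining"] -= 1        # one use consumed per check (assumption)
        reference = security_algorithm(rec["key"], self.passwords.get(uid, ""),
                                       rec["random_token"])              # step 9
        if hmac.compare_digest(reference, security_token):
            return "ok"
        self.blocked[mac] = self.clock.now() + BLOCK_DURATION            # step 10
        self.blacklist.add(mac)
        self.alerts.append(f"network attack warning: uid={uid} mac={mac}")
        return "rejected"


class Client:
    def __init__(self, uid, password, mac, clock):
        self.uid, self.password, self.mac, self.clock = uid, password, mac, clock
        self.cached = None   # locally cached security token with its own expiry/uses

    def request(self, server, first_login=False):
        """Steps 1 to 6, then hand the formal request to the server."""
        c = self.cached
        if (not first_login and c is not None
                and self.clock.now() <= c["expires_at"] and c["uses_left"] > 0):
            token = c["token"]                                   # step 2 -> step 6
        else:
            random_token = server.issue_random_token(self.uid)   # steps 3 and 4
            token = security_algorithm(self.uid, self.password, random_token)  # step 5
            self.cached = {"token": token, "uses_left": PRESET_ACCESS_COUNT,
                           "expires_at": self.clock.now() + TOKEN_LIFETIME}
        self.cached["uses_left"] -= 1
        return server.verify(self.uid, token, self.mac)          # step 6


def run_scenario():
    """Legitimate user succeeds and reuses the cached token, a wrong-password
    client is rejected then blocked, and a stale record fails at step 8."""
    clock = Clock()
    server = Server({"alice": "correct horse"}, clock)          # constructed user
    alice = Client("alice", "correct horse", "aa:bb:cc:00:00:01", clock)
    results = [alice.request(server, first_login=True)]
    results += [alice.request(server) for _ in range(3)]       # cache, then refresh
    mallory = Client("alice", "guess", "aa:bb:cc:00:00:02", clock)
    results.append(mallory.request(server))                    # step 9 mismatch
    results.append(mallory.request(server))                    # step 10 block
    clock.t += TOKEN_LIFETIME + 1                              # let the record expire
    results.append(server.verify("alice", alice.cached["token"], alice.mac))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The comparison in step 9 uses a constant-time compare so that timing does not leak how many leading characters of the reference token matched. Decrementing the remaining-use counter on every verification is an assumption: the patent records a preset count and checks it against zero in step 8 but does not say where it is decremented. Note also that the patent's MD5 step is a hash rather than encryption; it only preprocesses the password before the SHA step, and the irreversibility the text relies on comes from the outer SHA computation over the three fields.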
Embodiment 2
The security authentication system for network requests of this embodiment comprises a server and a client, where the client and the server carry out the security verification of network requests by performing the security verification method of Embodiment 1.
Although specific embodiments of the present invention have been described above, those skilled in the art will understand that these are only illustrative, and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art can make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and such changes and modifications all fall within the scope of protection of the present invention.

Claims (7)

1. A security authentication method for network requests, characterized by comprising the following steps:
Step 1: the client judges whether the logged-in user is logging in for the first time; if so, go to step 3, otherwise go to step 2;
Step 2: the client judges whether it holds a security token satisfying a first condition; if so, go to step 6, otherwise go to step 3. The first condition is that the security token is within its timeout, within the preset number of uses, or both within its timeout and within the preset number of uses;
Step 3: the client sends the logged-in user's identity credential to the server;
Step 4: the server generates a random token and records the identity credential as a first record value, the preset number of uses as the remaining number of uses, the time the identity credential was sent plus a first preset duration as the expiry time, and the random token; it then returns the random token and prompts the client to send the formal request;
Step 5: the client uses a preset security algorithm to generate a security token from the identity credential, the user's password and the random token;
Step 6: the client sends the identity credential and the security token to the server;
Step 7: the server retrieves the random token recorded for this user together with the remaining number of uses and/or the expiry time; if there is no record, it returns an authentication failure and the process returns to step 3;
Step 8: the server judges whether the current time has exceeded the expiry time and/or whether the remaining number of uses is less than or equal to zero; if either judgement is positive, it deletes the information recorded for this user, returns an authentication failure to the client and stops the security authentication process; otherwise go to step 9;
Step 9: the server uses the same security algorithm to compute a reference token from the recorded first record value (the identity credential), the user's password and the random token, and judges whether the reference token is identical to the security token sent by the client; if so, the verification succeeds, otherwise go to step 10;
Step 10: the server blocks the client's MAC address for a preset blocking duration.
2. The security verification method of claim 1, characterized in that the preset security algorithm is a Secure Hash Algorithm.
3. The security verification method of claim 1, characterized in that the preset security algorithm further includes encrypting the user's password.
4. The security verification method of claim 3, characterized in that, within the preset security algorithm, the user's password is encrypted with the MD5 algorithm.
5. The security verification method of claim 1, characterized in that, after the server verifies successfully, the server responds to the formal request sent by the client.
6. The security verification method of any one of claims 1 to 5, characterized in that step 10 further includes the server adding the client's MAC address to a blacklist and issuing a network attack warning.
7. A security authentication system for network requests, comprising a server and a client, characterized in that the client and the server in the security authentication system perform the security verification method of any one of claims 1 to 6 to complete the security verification of network requests.
CN201510481542.XA, priority date 2015-08-03, filing date 2015-08-03: Network request security authentication method and system. Status: Active. Granted as CN104980449B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510481542.XA CN104980449B (en) 2015-08-03 2015-08-03 The safety certifying method and system of network request

Publications (2)

Publication Number Publication Date
CN104980449A true CN104980449A (en) 2015-10-14
CN104980449B CN104980449B (en) 2018-05-08

Family

ID=54276552


Country Status (1)

Country Link
CN (1) CN104980449B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027469A (en) * 2016-01-21 2016-10-12 李明 Identity card authentication information processing request processing method and identity card cloud authentication device
CN106302539A (en) * 2016-10-12 2017-01-04 广州市芯德电子技术有限公司 A kind of embedded type WEB safety certifying method
CN106850592A (en) * 2017-01-13 2017-06-13 咪咕视讯科技有限公司 A kind of information processing method, server and terminal
CN106980687A (en) * 2017-03-31 2017-07-25 北京奇艺世纪科技有限公司 A kind of resource downloading system, method and reptile download system
CN109948333A (en) * 2019-03-08 2019-06-28 北京顺丰同城科技有限公司 A kind of safety defense method and device of account attack
CN110351333A (en) * 2019-05-30 2019-10-18 中国地质大学(武汉) A kind of request queue method and system having authentication mechanism

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5943423A (en) * 1995-12-15 1999-08-24 Entegrity Solutions Corporation Smart token system for secure electronic transactions and identification
US20090235349A1 (en) * 2008-03-12 2009-09-17 Intuit Inc. Method and apparatus for securely invoking a rest api
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
CN103647777A (en) * 2013-12-13 2014-03-19 华为技术有限公司 Safety certificate method and bidirectional forwarding detection BFD equipment
CN103888470A (en) * 2014-04-02 2014-06-25 飞天诚信科技股份有限公司 Dynamic token synchronizing method and system

Also Published As

Publication number Publication date
CN104980449B (en) 2018-05-08

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
    Effective date of registration: 20160204
    Address after: 200335 Shanghai city Changning District Admiralty Road No. 968 Building No. 16 10 floor
    Applicant after: SHANGHAI XIECHENG BUSINESS CO., LTD.
    Address before: 200335 Shanghai City, Changning District Fuquan Road No. 99, Ctrip network technology building
    Applicant before: Ctrip computer technology (Shanghai) Co., Ltd.
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20181221
    Address after: No. 99 Fuquan Road, Changning District, Shanghai, 2003
    Patentee after: Ctrip Travel Network Technology (Shanghai) Co., Ltd.
    Address before: 10th Floor, Building 16, 968 Jinzhong Road, Changning District, Shanghai, 2003
    Patentee before: SHANGHAI XIECHENG BUSINESS CO., LTD.