Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of the prior art, in which the security authentication mechanism for network requests is not secure enough, is easily attacked, executes slowly, and is inefficient, and to provide a security authentication method and system for network requests.
The present invention solves the above technical problem by the following technical solutions:
A security authentication method for a network request, characterized in that it comprises the following steps:
Step 1: the client determines whether the logged-in user is logging in for the first time; if so, step 3 is performed, otherwise step 2 is performed;
Step 2: the client determines whether it holds a security token (i.e. a secure token) satisfying a first condition; if so, step 6 is performed, otherwise step 3 is performed. The first condition is that the security token has not timed out, has not exceeded the preset number of accesses, or has neither timed out nor exceeded the preset number of accesses;
Step 3: the client sends the user identity credential (i.e. uid) of the logged-in user to the server;
Step 4: the server generates a random token and records, under the user identity credential serving as the first record value (usually also called the key), the preset number of accesses as the accessible count, the time at which the user identity credential was sent plus a first preset duration as the expiry time, and the random token; the server then returns the random token (i.e. random token) and prompts the client to send the formal request;
Step 5: the client uses the preset security algorithm to generate a security token from the user identity credential, the user's password, and the random token;
Step 6: the client sends the user identity credential and the security token to the server;
Step 7: the server retrieves the random token recorded for this user together with its accessible count and/or expiry time; if no record exists, the server returns an authentication failure and step 3 is performed;
Step 8: the server determines whether the current time has exceeded the expiry time and/or whether the accessible count is less than or equal to zero; if either determination is yes, the server deletes the information recorded for this user, outputs an authentication failure to the client, and terminates the security authentication process; otherwise step 9 is performed;
Step 9: the server uses the security algorithm to compute a reference token from the first record value, the recorded user identity credential, the user's password, and the random token, and determines whether the reference token is identical to the security token sent by the client; if so, authentication succeeds, otherwise step 10 is performed;
Step 10: the server blocks the MAC address (i.e. physical address) of the client for a time period of a preset blocking duration.
The computation involved in the security authentication of the present invention is irreversible: even if an attacker intercepts or steals the cryptographic algorithm and the security token, the attacker cannot reverse them to recover the user's password. Furthermore, the server only needs to execute the security algorithm once (for example, the Secure Hash Algorithm of the preferred version below), which makes the whole security authentication process low in computational load and highly efficient.
Preferably, the preset security algorithm is a Secure Hash Algorithm. The Secure Hash Algorithm is commonly referred to as the SHA algorithm.
A Secure Hash Algorithm is an algorithm that produces a digest of input information (such as a message). The digest process has the following features: different inputs never have the same fingerprint; the digests of similar inputs differ greatly; and it is computationally very difficult to produce an input that has the same fingerprint as a given input. This also means that the algorithmic process is irreversible, which effectively prevents the security algorithm from being reversed and cracked.
Preferably, the preset security algorithm also comprises encrypting the user's password. It is readily understood that encrypting the user password is only a small part of the security algorithm; the encrypted user password, together with the other information, is used as input to the complete computation of the security algorithm as a whole.
Preferably, the preset security algorithm uses the MD5 encryption algorithm to encrypt the user's password.
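The following is an added illustration of the server side of steps 4 and 7 to 9 in the preferred version (SHA over the uid, the MD5-processed password and the random token); it is not code from the patent. SHA-256, the joining layout of the hash input, the constants, the moment at which the accessible count is decremented, and the server holding only MD5(password) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_LIMIT = 3      # preset number of accesses (assumed value)
TOKEN_TTL = 300.0     # first preset duration, in seconds (assumed value)

def password_digest(password: str) -> str:
    """Preferred version: the user's password is put through MD5 first."""
    return hashlib.md5(password.encode()).hexdigest()

def derive_security_token(uid: str, pw_digest: str, random_token: str) -> str:
    """Steps 5 and 9: SHA over uid, MD5(password) and the random token.
    SHA-256 and the ':'-joined layout are assumptions; the page fixes neither."""
    material = f"{uid}:{pw_digest}:{random_token}".encode()
    return hashlib.sha256(material).hexdigest()

class Server:
    """Server side of steps 4 and 7 to 9; stores only MD5(password) per uid."""

    def __init__(self, pw_digests: dict, now=time.time):
        self.pw_digests = pw_digests   # uid -> MD5(password)
        self.records = {}              # key (uid) -> random token, remaining count, expiry
        self.now = now                 # injectable clock so expiry can be tested

    def issue_random_token(self, uid: str) -> str:
        """Step 4: record random token, accessible count and expiry under the uid."""
        token = secrets.token_hex(16)
        self.records[uid] = {"token": token, "remaining": ACCESS_LIMIT,
                             "expires": self.now() + TOKEN_TTL}
        return token

    def verify(self, uid: str, security_token: str) -> str:
        """Steps 7 to 9; the returned string names the outcome."""
        rec = self.records.get(uid)
        if rec is None:
            return "no_record"            # step 7: client must repeat step 3
        if self.now() > rec["expires"] or rec["remaining"] <= 0:
            del self.records[uid]         # step 8: drop the record, report failure
            return "expired"
        rec["remaining"] -= 1             # one access consumed (assumed placement)
        reference = derive_security_token(uid, self.pw_digests[uid], rec["token"])
        if hmac.compare_digest(reference, security_token):
            return "ok"                   # step 9: authenticated
        return "blocked"                  # mismatch: step 10 (block client) applies
```

The comparison in step 9 uses a constant-time compare so that a mismatching token is not distinguishable by timing; the "blocked" outcome is where the step 10 MAC-address blocking would be triggered.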
Preferably, after the server authenticates successfully, the server responds to the formal request sent by the client.
One of ordinary skill in the art will readily recognize that the type, object, etc. of the request and of its response depend on the application environment.
Preferably, step 10 further comprises the server adding the client's MAC address to a blacklist and issuing a network attack warning. Thus, the operator or owner of the server (such as an Internet service provider) is able to respond to network attacks more proactively and more effectively.
The present invention also provides a security authentication system for a network request, comprising a server and a client, wherein the client and the server perform the security authentication of the network request by executing the security authentication method described above.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
The positive effects of the present invention are:
The security authentication method and system for network requests of the present invention can respond to requests from users while rejecting requests from attackers, can set the security level according to the security situation, execute very efficiently, and achieve a balance between security and execution speed and efficiency.
Embodiment
The present invention is further illustrated below by way of embodiments, but the present invention is not thereby limited to the scope of the described embodiments.
Embodiment 1
As shown in Figure 1, the security authentication method for a network request of this embodiment comprises the following steps:
Step 1: the client determines whether the logged-in user is logging in for the first time; if so, step 3 is performed, otherwise step 2 is performed;
Step 2: the client determines whether it holds a security token (i.e. a secure token) satisfying a first condition; if so, step 6 is performed, otherwise step 3 is performed. The first condition is that the security token has not timed out, has not exceeded the preset number of accesses, or has neither timed out nor exceeded the preset number of accesses;
Step 3: the client sends the user identity credential (i.e. uid) of the logged-in user to the server;
Step 4: the server generates a random token and records, under the user identity credential serving as the first record value (usually also called the key), the preset number of accesses as the accessible count, the time at which the user identity credential was sent plus a first preset duration as the expiry time, and the random token; the server then returns the random token (i.e. random token) and prompts the client to send the formal request;
Step 5: the client uses the preset security algorithm to generate a security token from the user identity credential, the user's password, and the random token;
Step 6: the client sends the user identity credential and the security token to the server;
Step 7: the server retrieves the random token recorded for this user together with its accessible count and/or expiry time; if no record exists, the server returns an authentication failure and step 3 is performed;
Step 8: the server determines whether the current time has exceeded the expiry time and/or whether the accessible count is less than or equal to zero; if either determination is yes, the server deletes the information recorded for this user, outputs an authentication failure to the client, and terminates the security authentication process; otherwise step 9 is performed;
Step 9: the server uses the security algorithm to compute a reference token from the first record value, the recorded user identity credential, the user's password, and the random token, and determines whether the reference token is identical to the security token sent by the client; if so, authentication succeeds, otherwise step 10 is performed;
Step 10: the server blocks the MAC address (i.e. physical address) of the client for a time period of a preset blocking duration, adds the client's MAC address to a blacklist, and issues a network attack warning.
Here, the security algorithm is a Secure Hash Algorithm, i.e. the SHA algorithm. The Secure Hash Algorithm also comprises encrypting the user's password with the MD5 encryption algorithm. After the server authenticates successfully, the server responds to the formal request sent by the client.
Embodiment 2
The security authentication system for a network request of this embodiment comprises a server and a client, wherein the client and the server perform the security authentication of the network request by executing the security authentication method of Embodiment 1.
Although specific embodiments of the present invention have been described above, those skilled in the art will understand that these are merely illustrative and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, but all such changes and modifications fall within the scope of protection of the present invention.