
CN103944900B - An encryption-based cross-site request attack prevention method and device therefor - Google Patents

Info

Publication number: CN103944900B
Application number: CN201410158128.0A
Authority: CN (China)
Prior art keywords: request, client, random number, user, server
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103944900A (en)
Inventors: 崔肖君, 蒋东辰, 孙毓忠
Current assignee: Beijing Zhongke Flux Technology Co ltd
Original assignee: Institute of Computing Technology of CAS

Events:

  • Application filed by Institute of Computing Technology of CAS
  • Priority to CN201410158128.0A
  • Publication of CN103944900A
  • Application granted
  • Publication of CN103944900B
  • Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses an encryption-based cross-site request attack prevention method, applied to a system comprising a client and a server. The method includes an authentication step, a client-side attack prevention step and a server-side attack prevention step. In the authentication step the server authenticates the client. In the client-side attack prevention step, a client verified as a legitimate user by the authentication step receives a random-number token sent by the server and uses that token to encrypt its subsequent requests into encrypted requests. In the server-side attack prevention step, when the server receives a subsequent encrypted request from the legitimate user's client, it decrypts and verifies the request with the same random-number token, thereby preventing cross-site request attacks. The invention also discloses an encryption-based cross-site request attack prevention device.

Description

An encryption-based cross-site request attack prevention method and device therefor

Technical field

The invention relates to network security, mainly browser security and web application security. More specifically, it relates to a method and system for defending against cross-site request forgery attacks that hijack a user's privileges.

Background

A Cross-Site Request Forgery (CSRF) attack coerces an end user's browser into performing, on a web application the user is logged in to, an action the user did not intend. The attack targets the user rather than the web application, and it needs no browser vulnerability: it abuses an already authenticated session, i.e. it exploits the implicit authentication that the browser performs on the user's behalf.

CSRF is a relatively covert attack. A victim who carelessly clicks a malicious link can be exploited without noticing. In essence the attacker borrows the victim's identity and sends malicious requests in the victim's name; what can be done this way includes sending mail or messages, taking over accounts, even purchasing goods or transferring virtual currency. The resulting problems include leakage of personal privacy and loss of property. The consequences depend on the vulnerability exploited and on the privileges of the victim.

In the prior art, because the Hypertext Transfer Protocol (HTTP) is itself stateless, i.e. the protocol alone cannot correlate two consecutive requests, state is recorded through authentication information such as cookies and sessions so that consecutive requests from the same user can be associated. For example, once a user has authenticated successfully the browser receives a cookie identifying that user; as long as the browser is not closed and the user does not log out, every request to that site carries the cookie "automatically", without user intervention, regardless of whether the request originates from a link the application itself provided, from a Uniform Resource Locator (URL) received elsewhere, or from any other source. The site server identifies the user by the cookie: if it receives a request carrying the victim's cookie it treats the request as coming from the logged-in victim, regards it as a confirmed valid request and performs the "trusted action", which gives the attacker an opening. This authentication mechanism can assure the target site that a request comes from a particular user's browser, but it cannot assure the site that the request was actually issued or approved by that user. The root cause of CSRF is that the web site authenticates the web browser rather than the user.

Figure 1 is a flowchart of a CSRF attack. In step 1 the user requests a protected page of the protected site; in step 2 the site server prompts the user for authentication information; in step 3 the user submits a user name and password; in step 4 the site server verifies the user information, establishes a valid session and issues the user a cookie identifying that user; in steps 5-8 the user sends normal requests to the site server, which processes them and sends responses. Steps 9-11 are the attacker's attack process: in step 9 the victim (the user) visits a malicious site; in step 10 the malicious site returns the content the user requested, which contains a malicious request aimed at the protected site; in step 11 the user inadvertently clicks the malicious link, or the malicious request embedded in the page fires automatically, so that a request is issued to the protected site. The browser automatically attaches the user's cookie for that site to the request; because the request carries the cookie, the site server takes it for a legitimate request from the logged-in user, processes it, and performs the attacker's malicious action.

At present there are three main approaches to defending against cross-site request forgery:

The first is to accept only POST requests for important write operations, so that an attack cannot be mounted with a simple GET request. The drawback is that anything expressible as a GET request can also be sent as a POST by constructing a form (for example an auto-submitting form in an attacker-controlled page), so this only raises the attacker's effort and does not prevent CSRF.

The second is to validate a token: a randomly generated token is added to the HTTP request as a parameter, and an interceptor on the server side validates it; if the request carries no token or the token is wrong, the request is treated as a possible CSRF attack and rejected. This "validation token" must not be easily guessable by an unauthenticated user. Developers often forget to implement this defence, and it has the further drawback that the token itself is hard to protect: it can leak to other sites through the URL or the HTTP Referer header. The method is disclosed in Nenad Jovanovic, Engin Kirda and Christopher Kruegel, "Preventing cross site request forgery attacks", IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.

The third is to validate the HTTP Referer header. (Referer is a request header; when a browser sends a request to a web server it usually includes the Referer to tell the server which page the request was linked from, and the server can use this information in processing.) Only requests whose Referer names a trusted source are accepted. However, because the Referer reveals private information such as the user's browsing history, it is frequently suppressed by browsers, privacy settings or proxies, so a large share of requests arrive without it, and a Referer check must either reject those requests or let them through unchecked. The method is disclosed in A. Barth, C. Jackson and J. C. Mitchell, "Robust Defenses for Cross-Site Request Forgery", Proc. 15th ACM Conf. Computer and Communications Security, ACM Press, 2008, pp. 75-87.

It can be seen that, for existing servers, the solutions in the prior art do not defend well against cross-site request forgery, so a method that defends against it effectively is needed.

Summary of the invention

The technical problem addressed by the invention is to provide an encryption-based cross-site request attack prevention method and device, so as to overcome the inability of the prior art to defend well against cross-site request attacks.

To this end, the invention provides an encryption-based cross-site request attack prevention method, applied to a system comprising a client and a server, characterized in that the method includes:

an authentication step: authenticating the client by the server;

a client-side attack prevention step: a client verified as a legitimate user by the authentication step receives a random-number token sent by the server and uses the token to encrypt its subsequent requests into encrypted requests;

a server-side attack prevention step: when the server receives a subsequent encrypted request from the legitimate user's client, it decrypts and verifies the request using the random-number token, thereby preventing cross-site request attacks.

In the above method, the server-side prevention step includes:

a page judgment step: determining whether the page the client is accessing is a protected page or a publicly accessible page;

a random-number token generation step: generating the random-number token for the client of the legitimate user who passed verification and sending it to that client, the token being associated with the legitimate user's session id.

In the above method, the client-side prevention step includes:

a token extraction step: the legitimate user's client receives the random-number token sent by the server and extracts it;

a request judgment step: determining whether a request was issued by this client application by comparing the domain name of the originating site (the page issuing the request) with the domain name of the destination site; if the request is from this client application it is encrypted with the random-number token, otherwise it is sent as-is;

a request encryption step: encrypting the content of the request the legitimate user's client sends to the server with the random-number token;

a request sending step: sending the encrypted request to the server.

In the above method, the server-side prevention step further includes:

a decryption step: decrypting the encrypted request sent by the client with the token as key, in order to verify the legitimacy of the encrypted request;

a business processing step: performing the corresponding business processing according to the decrypted request.

In the above method, the random-number token generation step further includes:

a user-not-logged-in step: if the lookup of the user's session id finds none, the user is judged not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of a user who passes authentication;

a user-logged-in step: if the lookup finds the user's session id, the user is judged logged in and the client is that of a legitimate user.

In the above method, the decryption step further includes:

a token lookup step: using the legitimate user's session id to look up the random-number token associated with that session id;

an original request decryption step: decrypting the request sent by the client with the random-number token obtained in the token lookup step, to recover the client's original request.

In the above method, the business processing step further includes:

a decryption-succeeded step: if the original request decryption step decrypts the request successfully, business processing is performed according to the request;

a decryption-failed step: if the original request decryption step fails to decrypt the request, no business processing is performed and a warning is issued to the legitimate user.

The invention also provides an encryption-based cross-site request attack prevention device that uses the above method, the method being applied to a system comprising a client and a server, characterized in that the device includes:

an authentication module: for authenticating the client by the server;

a client-side attack prevention module: a client verified as a legitimate user by the authentication step receives the random-number token sent by the server and uses the token to encrypt its subsequent requests into encrypted requests;

a server-side attack prevention module: when the server receives a subsequent encrypted request from the legitimate user's client, it decrypts and verifies the request using the random-number token, thereby preventing cross-site request attacks.

In the above device, the server-side prevention module includes:

a page judgment module: determining whether the page the client is accessing is a protected page or a publicly accessible page;

a random-number token generation module: generating the random-number token for the client of the legitimate user who passed verification and sending it to that client, the token being associated with the legitimate user's session id.

In the above device, the client-side prevention module includes:

a token extraction module: the legitimate user's client receives the random-number token sent by the server and extracts it;

a request judgment module: determining whether a request was issued by this client application by comparing the domain name of the originating site with the domain name of the destination site; if the request is from this client application it is encrypted with the random-number token, otherwise it is sent as-is;

a request encryption module: encrypting the content of the request the legitimate user's client sends to the server with the random-number token;

a request sending module: sending the encrypted request to the server.

In the above device, the server-side prevention module further includes:

a decryption module: decrypting the encrypted request sent by the client with the token as key, in order to verify the legitimacy of the encrypted request;

a business processing module: performing the corresponding business processing according to the decrypted request.

In the above device, the random-number token generation module further includes:

a user-not-logged-in module: if the lookup of the user's session id finds none, the user is judged not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of a user who passes authentication;

a user-logged-in module: if the lookup finds the user's session id, the user is judged logged in and the client is that of a legitimate user.

In the above device, the decryption module further includes:

a token lookup module: using the legitimate user's session id to look up the random-number token associated with that session id;

an original request decryption module: decrypting the request sent by the client with the random-number token obtained by the token lookup module, to recover the client's original request.

In the above device, the business processing module further includes:

a decryption-succeeded module: if the original request decryption module decrypts the request successfully, business processing is performed according to the request;

a decryption-failed module: if the original request decryption module fails to decrypt the request, no business processing is performed and a warning is issued to the legitimate user.

Compared with existing cross-site request attack prevention techniques, the invention has the following beneficial effects:

1. No modification of existing site server code is needed: cross-site request forgery can be prevented by simple configuration. Some existing defences require changes to the site server code, and for many mature applications that means redeveloping or modifying the application, which consumes substantial resources and degrades performance; defences that require modifying the site server have therefore spread slowly.

2. Broad applicability: no special requirements are placed on the application being protected and no particular development technology is required; applications developed with Java, PHP, ASP and so on can all use the method.

3. Simple to use: no user interaction and no user-defined whitelist are needed, and users of the application need no security knowledge, which lowers the barrier to use.

4. Because the URL request is encrypted, the attacker cannot learn the exact format of the request (page invoked, parameters, etc.), which makes the target application harder to understand and therefore harder to attack.

Description of drawings

Figure 1 is a flowchart of a CSRF attack;

Figure 2 is a flowchart of the steps of the method of the invention;

Figure 3 is a detailed flowchart of the steps of the method of the invention;

Figure 4 is a flowchart of the server side of the CSRF defence provided by the invention;

Figure 5 is a flowchart of the client side of the cross-site attack prevention method of the invention;

Figure 6 is a schematic diagram of the structure of the cross-site request attack prevention device of the invention;

Figure 7 is a detailed schematic diagram of the structure of the cross-site request attack prevention device of the invention.

Reference signs:

100 authentication module; 200 client-side attack prevention module;

300 server-side attack prevention module;

201 token extraction module; 202 request judgment module;

203 request encryption module; 204 request sending module;

301 page judgment module; 302 random-number token generation module;

303 decryption module; 304 business processing module;

S1-S3, S21-S24, S31-S34, S321-S322, S331-S332, S341-S342: steps performed in the embodiments of the invention.

Detailed description

Specific embodiments of the invention are given below; the invention is described in detail with reference to the drawings and examples.

The invention proposes a method that uses a random number (token) as a key to encrypt URLs, thereby preventing cross-site request forgery. To this end the site server generates a random number that an attacker cannot feasibly guess, and the client uses it to encrypt the URL. Provided the attacker cannot obtain the random number, for instance by sniffing the traffic (which presumes the token is delivered over a channel such as TLS that the attacker cannot read), he cannot forge a correct request. Even though the browser will automatically attach the logged-in user's cookie to a forged request, the request is not one the site server recognises, so the server does not process it, and the cross-site request forgery is defeated.

The invention involves two kinds of entity: the client (the user accessing the application site through a browser) and the server (the server deployed by the application site).

The encryption-based cross-site request attack prevention method provided by the invention is applied to a system comprising a client and a server. Figure 2 is a flowchart of the steps of the method; as shown in Figure 2, the method includes:

authentication step S1: authenticating the client by the server;

client-side attack prevention step S2: a client verified as a legitimate user by the authentication step receives the random-number token sent by the server and uses the token to encrypt its subsequent requests into encrypted requests;

server-side attack prevention step S3: when the server receives a subsequent encrypted request from the legitimate user's client, it decrypts and verifies the request using the random-number token, thereby preventing cross-site request attacks.

The client-side attack prevention step S2 includes:

token extraction step S21: the legitimate user's client receives the random-number token sent by the server and extracts it;

request judgment step S22: determining whether a request was issued by this client application by comparing the domain name of the originating site (the page issuing the request) with the domain name of the destination site; if the request is from this client application it is encrypted with the random-number token, otherwise it is sent as-is;

request encryption step S23: encrypting the content of the request the legitimate user's client sends to the server with the random-number token;

request sending step S24: sending the encrypted request to the server.

The server-side attack prevention step S3 includes:

page judgment step S31: determining whether the page the client is accessing is a protected page or a publicly accessible page;

random-number token generation step S32: generating the random-number token for the client of the legitimate user who passed verification and sending it to that client, the token being associated with the legitimate user's session id;

decryption step S33: decrypting the encrypted request sent by the client with the token as key, in order to verify the legitimacy of the encrypted request;

business processing step S34: performing the corresponding business processing according to the decrypted request.

Figure 3 is a detailed flowchart of the steps of the method. As shown in Figure 3, the random-number token generation step S32 further includes:

user-not-logged-in step S321: if the lookup of the user's session id finds none, the user is judged not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of a user who passes authentication;

user-logged-in step S322: if the lookup finds the user's session id, the user is judged logged in and the client is that of a legitimate user.

The decryption step S33 further includes:

token lookup step S331: using the legitimate user's session id to look up the random-number token associated with that session id;

original request decryption step S332: decrypting the request sent by the client with the random-number token obtained in the token lookup step, to recover the client's original request.

The business processing step S34 further includes:

decryption-succeeded step S341: if the original request decryption step decrypts the request successfully, business processing is performed according to the request;

decryption-failed step S342: if the original request decryption step fails to decrypt the request, no business processing is performed and a warning is issued to the legitimate user.

To better explain the principle of the technical solution of the present invention, a concrete example of a cross-site request forgery attack is given first.

Suppose user A has logged into his bank account, and the site server has returned the corresponding session id authentication information to A. A has a deposit at the bank. Sending the HTTP request http://bank.example/withdraw?account=A&amount=10000&for=B to the bank's website lets A transfer 10000 of that deposit to B's account. When this request reaches the bank's website, the site server first verifies whether it comes from a valid session and whether that session's user is logged in; if the request carries A's session id authentication information, the site server treats the operation as having been issued by the logged-in user A.

Suppose an attacker B also has an account at the bank and, from studying the bank's website, knows that a transfer can be performed through the URL above. B can send a request to the bank himself: http://bank.example/withdraw?account=A&amount=10000&for=B. But since this request comes from B rather than from A, it carries none of A's authentication information, cannot pass the security check, and has no effect.

B then turns to a CSRF attack. On a website under his control he places the code src="http://bank.example/withdraw?account=A&amount=10000&for=B" and lures A to visit it through advertisements, prize notifications and the like. If A is already logged into the bank's website and opens the malicious site in a new tab, the URL above causes A's browser to send an HTTP GET request to the bank. Because A is logged in, the browser attaches A's session id to that request. If the session between A's browser and the bank has not expired, then, since the site server identifies users by session id, the bank's website takes this to be a request from A, and the tragedy follows: the bank's website processes it as a legitimate request and the money is transferred from A's account to B's without A's knowledge. When A later notices the missing money and asks the bank to check its logs, all he finds is a legitimate request from himself that moved the funds, with no trace of an attack.

The above briefly explains the principle of a cross-site request forgery attack. In the present invention, the site server determines whether the requested content is protected content; if so, it prompts the user for verification information such as user name and password, generates a session id and a random-number token for the session, and sends them to the client. In the user's subsequent requests, the client encrypts the content of the URL request with the random-number token before sending it. The site server finds the token corresponding to the session id and decrypts the URL request. A request that decrypts successfully was encrypted with the random-number token, which is known only to the server and to the client of that session, and is therefore a legitimate request; the site server then carries out the relevant business processing according to its content. Since the attacker cannot obtain the random number, he cannot correctly encrypt a forged request; even though the browser automatically attaches the logged-in user's session id to the forged request, decryption fails, so the site server not only carries out no business processing but also warns the user. In this way cross-site request forgery attacks are prevented.

The steps of the embodiment of the present invention are described in detail below with reference to the above example and the accompanying drawings.

Fig. 4 is a schematic diagram of the server-side flow for defending against CSRF attacks provided by the present invention. As shown in Fig. 4, the main server-side steps are:

10. Determine whether the page is a protected page;

20. Determine whether the user is logged in;

30. Decrypt the encrypted request;

40. Business processing.

One specific implementation is as follows:

10. Determine whether the page is a protected page. Applications generally divide their pages into protected pages and public pages.

1) Public pages, such as login.html and index.html, can be accessed without logging in. They involve no important operations and cause no harm, so the site server can carry out the corresponding business processing directly according to the request.

2) Protected pages require the user to log in, i.e. to be authenticated, before they can be accessed; examples are changing the user's password or personal information and transferring money. The site server therefore has to determine whether the user is logged in and whether the current session is valid.

20. Determine whether the user is logged in. Whether the user is logged in, i.e. whether a valid session exists, is decided by whether the session id is valid.

1) If there is no session id, the user has not logged in or the session has expired, and login authentication must be performed again. This mainly involves the following steps:

11) Redirect to the login page and prompt the user for authentication information (usually user name and password).

12) The site server verifies the user name and password entered by the user. If they are incorrect, it redirects to the login page again and asks the user to re-enter the authentication information.

13) After verification succeeds, the site server creates a valid session, generates a session id and a random-number token associated with that session, returns the page the user requested, and returns the session id and random-number token to the client.

2) If a session id exists, the user has logged in successfully and the client holds the random-number token sent by the site server. Any subsequent request that is legitimate, i.e. issued by the application, should therefore have been encrypted with the random-number token.

30. Decrypt the encrypted request. A logged-in user holds the random-number token the site server sent back, so every subsequent request this application issues should have been encrypted with the token as the key. Since an attacker has no token, a request that cannot be decrypted correctly may have been forged by the attacker.

1) In the table of session id to token associations kept on the site server, find the token corresponding to the session id carried in the request.

2) Decrypt the encrypted part of the request (the page being called, parameters, etc.) with the token to recover the original request sent by the client.

40. Business processing.

1) If decryption with the token succeeds, the request was encrypted with the token the site server sent and is a legitimate request issued by the application, so the site server carries out the corresponding business processing according to the request.

2) If decryption fails, the encryption key used for the request was wrong: possibly an attacker guessed a token and encrypted a forged request with it, or the request was not encrypted at all. No business processing is carried out for such a request, and a corresponding warning message is issued to the user.

Fig. 5 is a schematic diagram of the client-side flow of the cross-site attack prevention method of the present invention. As shown in Fig. 5, the main client-side steps are:

50. Extract the token;

60. Determine whether the request was issued by this application;

70. Encrypt the request;

80. Send the request.

One specific implementation is as follows:

50. Extract the token. The client extracts the token the server sent to it from the site server's response. The token may be carried back in the site server's response page or transmitted separately.

60. Determine whether the request was issued by this application. Check whether the source site server issuing the request matches the full domain name of the destination site. If it matches, the request is taken to have been issued by this application; otherwise it is taken not to have been.

1) If the request was issued by this application, encrypt it with the token.

2) If the request was not issued by this application, send it as-is without further processing.

70. Encrypt the request. Part of the URL request (the page being called, parameters, etc.) is encrypted, while the application's server address in the URL request is still sent in plaintext so that the request can be routed correctly to the server. The encryption can be performed by a plug-in issued by the application.

For instance, for http://bank.example/withdraw?account=A&amount=10000&for=B from the example above, the "withdraw?account=A&amount=10000&for=B" part is encrypted with the token sent by the server. It should be understood that the present invention may encrypt in other ways; the specific embodiment described here only serves to explain the invention and does not limit it.

80. Send the request. The encrypted request is sent to the server.

The present invention also provides an encryption-based cross-site request attack prevention device that uses the encryption-based cross-site request attack prevention method described above, applied to a system comprising a client and a server. Fig. 6 is a schematic diagram of the structure of the cross-site request attack prevention device of the present invention. As shown in Fig. 6, the device comprises:

Authentication module 100: authenticates the client via the server;

Client-side attack prevention module 200: the client of a user verified as legitimate by the authentication step receives the random-number token sent by the server and uses it to encrypt subsequent requests into encrypted requests;

Server-side attack prevention module 300: when the server receives a subsequent encrypted request from the legitimate user's client, it decrypts and verifies the request with the random-number token, thereby preventing cross-site request attacks.

The client-side attack prevention module 200 comprises:

Token extracting module 201: the legitimate user's client receives the random-number token sent by the server and extracts it;

Request judging module 202: determines, from whether the domain name of the source site server matches the domain name of the destination site server, whether the request was issued by this client application; if it was, encrypts it with the random-number token; if it was not, sends it as-is;

Request encrypting module 203: encrypts, with the random-number token, the content of the request that the legitimate user's client sends to the server;

Request sending module 204: sends the encrypted request to the server.

The server-side attack prevention module 300 comprises:

Page judging module 301: determines whether the page the client is accessing is a protected page or a publicly accessible page;

Random-number token generating module 302: generates a random-number token for the client of a legitimate user who has passed authentication and sends it to that client; the random-number token is associated with the legitimate user's session id;

Decryption module 303: decrypts the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;

Business processing module 304: carries out the corresponding business processing according to the decrypted request.

Fig. 7 is a detailed schematic diagram of the structure of the cross-site request attack prevention device of the present invention. As shown in Fig. 7, the random-number token generating module 302 further comprises:

User-not-logged-in module 3021: if a query for the user's session id finds none, the user is judged not to be logged in; login authentication is performed again, and the random-number token and session id are generated for the client of the legitimate user who passes authentication;

User-logged-in module 3022: if the user's session id is found, the user is judged to be logged in and the client is treated as a legitimate user's client.

The decryption module 303 further comprises:

Token lookup module 3031: using the session id of the legitimate user, looks up the random-number token associated with that session id;

Original request decrypting module 3032: decrypts the request sent by the client with the random-number token obtained in the token lookup step, to recover the client's original request.

The business processing module 304 further comprises:

Decryption-succeeded module 3041: if the original request decrypting step decrypts the request successfully, carries out business processing according to the request;

Decryption-failed module 3042: if the original request decrypting step fails to decrypt the request, carries out no business processing and issues a warning message to the legitimate user.

In summary, the encryption-based cross-site request attack prevention method and device provided by the present invention can defend well against cross-site request attacks without modifying the existing site server.

Of course, the present invention may have many other embodiments. Those skilled in the art can make various corresponding changes and variations according to the present invention without departing from its spirit and essence, and all such changes and variations fall within the scope of protection of the appended claims of the present invention.

Claims (14)

1. An encryption-based cross-site request attack prevention method, applied to a system comprising a client and a server, characterized in that the method comprises:
an authentication step: authenticating the client via the server;
a client-side attack prevention step: the client of a user verified as legitimate by the authentication step receives a random-number token sent by the server and uses the random-number token to encrypt subsequent URL requests into encrypted requests;
a server-side attack prevention step: when the server receives a subsequent encrypted request from the legitimate user's client, decrypting and verifying it with the random-number token, thereby preventing cross-site request attacks.

2. The encryption-based cross-site request attack prevention method according to claim 1, characterized in that the server-side attack prevention step comprises:
a page judging step: determining whether the page the client is accessing is a protected page or a publicly accessible page;
a random-number token generating step: generating the random-number token for the client of the legitimate user who has passed authentication and sending the random-number token to that client, the random-number token being associated with the legitimate user's session id.

3. The encryption-based cross-site request attack prevention method according to claim 1, characterized in that the client-side attack prevention step comprises:
a token extracting step: the legitimate user's client receives the random-number token sent by the server and extracts the random-number token;
a request judging step: determining, from whether the domain name of the source site server matches the domain name of the destination site server, whether the request was issued by this client application; if it was, encrypting it with the random-number token; if it was not, sending it as-is;
a request encrypting step: encrypting, with the random-number token, the content of the request that the legitimate user's client sends to the server;
a request sending step: sending the encrypted request to the server.

4. The encryption-based cross-site request attack prevention method according to claim 1, characterized in that the server-side attack prevention step further comprises:
a decrypting step: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing step: carrying out the corresponding business processing according to the decrypted request.

5. The encryption-based cross-site request attack prevention method according to claim 2, characterized in that the random-number token generating step further comprises:
a user-not-logged-in step: if a query for the user's session id finds none, judging that the user is not logged in, performing login authentication again, and generating the random-number token and session id for the client of the legitimate user who passes authentication;
a user-logged-in step: if the user's session id is found, judging that the user is logged in and treating the client as the legitimate user's client.

6. The encryption-based cross-site request attack prevention method according to claim 4, characterized in that the decrypting step further comprises:
a token lookup step: using the session id of the legitimate user, looking up the random-number token associated with that session id;
an original request decrypting step: decrypting the request sent by the client with the random-number token obtained in the token lookup step, to recover the client's original request.

7. The encryption-based cross-site request attack prevention method according to claim 6, characterized in that the business processing step further comprises:
a decryption-succeeded step: if the original request decrypting step decrypts the request successfully, carrying out business processing according to the request;
a decryption-failed step: if the original request decrypting step fails to decrypt the request, carrying out no business processing and issuing a warning message to the legitimate user.

8. An encryption-based cross-site request attack prevention device using the encryption-based cross-site request attack prevention method according to any one of claims 1 to 7, the method being applied to a system comprising a client and a server, characterized in that the device comprises:
an authentication module: for authenticating the client via the server;
a client-side attack prevention module: the client of a user verified as legitimate by the authentication step receives the random-number token sent by the server and uses the random-number token to encrypt subsequent URL requests into encrypted requests;
a server-side attack prevention module: when the server receives a subsequent encrypted request from the legitimate user's client, decrypting and verifying it with the random-number token, thereby preventing cross-site request attacks.

9. The encryption-based cross-site request attack prevention device according to claim 8, characterized in that the server-side attack prevention module comprises:
a page judging module: determining whether the page the client is accessing is a protected page or a publicly accessible page;
a random-number token generating module: generating the random-number token for the client of the legitimate user who has passed authentication and sending the random-number token to that client, the random-number token being associated with the legitimate user's session id.

10. The encryption-based cross-site request attack prevention device according to claim 8, characterized in that the client-side attack prevention module comprises:
a token extracting module: the legitimate user's client receives the random-number token sent by the server and extracts the random-number token;
a request judging module: determining, from whether the domain name of the source site server matches the domain name of the destination site server, whether the request was issued by this client application; if it was, encrypting it with the random-number token; if it was not, sending it as-is;
a request encrypting module: encrypting, with the random-number token, the content of the request that the legitimate user's client sends to the server;
a request sending module: sending the encrypted request to the server.

11. The encryption-based cross-site request attack prevention device according to claim 9, characterized in that the server-side attack prevention module further comprises:
a decryption module: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing module: carrying out the corresponding business processing according to the decrypted request.

12. The encryption-based cross-site request attack prevention device according to claim 11, characterized in that the random-number token generating module further comprises:
a user-not-logged-in module: if a query for the user's session id finds none, judging that the user is not logged in, performing login authentication again, and generating the random-number token and session id for the client of the legitimate user who passes authentication;
a user-logged-in module: if the user's session id is found, judging that the user is logged in and treating the client as the legitimate user's client.

13. The encryption-based cross-site request attack prevention device according to claim 12, characterized in that the decryption module further comprises:
a token lookup module: using the session id of the legitimate user, looking up the random-number token associated with that session id;
an original request decrypting module: decrypting the request sent by the client with the random-number token obtained in the token lookup step, to recover the client's original request.

14. The encryption-based cross-site request attack prevention device according to claim 12, characterized in that the business processing module further comprises:
a decryption-succeeded module: if the original request decrypting step decrypts the request successfully, carrying out business processing according to the request;
a decryption-failed module: if the original request decrypting step fails to decrypt the request, carrying out no business processing and issuing a warning message to the legitimate user.
CN201410158128.0A 2014-04-18 2014-04-18 An encryption-based cross-site request attack prevention method and device Active CN103944900B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410158128.0A CN103944900B (en) 2014-04-18 2014-04-18 An encryption-based cross-site request attack prevention method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410158128.0A CN103944900B (en) 2014-04-18 2014-04-18 An encryption-based cross-site request attack prevention method and device

Publications (2)

Publication Number Publication Date
CN103944900A CN103944900A (en) 2014-07-23
CN103944900B true CN103944900B (en) 2017-11-24

Family

ID=51192384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410158128.0A Active CN103944900B (en) 2014-04-18 2014-04-18 An encryption-based cross-site request attack prevention method and device

Country Status (1)

Country Link
CN (1) CN103944900B (en)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105354451B (en) * 2014-08-20 2020-10-16 腾讯科技(深圳)有限公司 Access authentication method and system
CN104852907B (en) * 2015-04-17 2018-08-24 新华三技术有限公司 A kind of cross-site forged request CSRF attack recognition method and apparatus
US10454949B2 (en) 2015-11-20 2019-10-22 International Business Machines Corporation Guarding against cross-site request forgery (CSRF) attacks
CN105516264B (en) * 2015-11-30 2018-12-04 努比亚技术有限公司 Session sharing method under distributed cluster system, apparatus and system
CN105407102B (en) * 2015-12-10 2019-05-17 四川长虹电器股份有限公司 Http request data reliability verifying method
CN107294921A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 The processing method and processing device that a kind of web terminal is accessed
CN105915537A (en) * 2016-05-27 2016-08-31 努比亚技术有限公司 Token generation method, token calibration method and token authentication server
CN106302414B (en) * 2016-08-04 2019-05-31 北京百度网讯科技有限公司 The anti-grasping means of web site contents and device
CN106302481A (en) * 2016-08-19 2017-01-04 中国银联股份有限公司 The method and apparatus that detection WebSocket forges leak across station request
CN106453352B (en) * 2016-10-25 2020-04-17 电子科技大学 Single-system multi-platform identity authentication method
CN107196950B (en) * 2017-06-12 2020-06-16 武汉斗鱼网络科技有限公司 Verification method, verification device and server
CN107634942B (en) * 2017-09-08 2020-07-31 北京京东尚科信息技术有限公司 Method and device for identifying malicious request
CN107612926B (en) * 2017-10-12 2020-09-29 成都知道创宇信息技术有限公司 One-sentence speech WebShell interception method based on client recognition
CN107682346B (en) * 2017-10-19 2021-06-25 南京大学 A fast positioning and identification system and method for CSRF attack
CN107809483A (en) * 2017-10-27 2018-03-16 大猫网络科技(北京)股份有限公司 A kind of transaction voucher store method and device
CN107819579B (en) * 2017-12-13 2021-08-24 西安Tcl软件开发有限公司 A user request processing method, server and computer-readable storage medium
CN110875903B (en) * 2018-08-31 2022-10-14 阿里巴巴集团控股有限公司 Security defense method and device
CN109788477A (en) * 2018-12-28 2019-05-21 天翼电子商务有限公司 It is a kind of to prevent the method, system and server-side that key message is ravesdropping in webpage
CN109873818B (en) * 2019-02-01 2021-07-09 湖南快乐阳光互动娱乐传媒有限公司 Method and system for preventing illegal access to server
CN110061967B (en) * 2019-03-15 2022-02-22 平安科技(深圳)有限公司 Service data providing method, device, equipment and computer readable storage medium
CN110176988B (en) * 2019-04-25 2022-04-08 中国人民解放军战略支援部队信息工程大学 Apparatus and method for ensuring consistent encryption behavior of redundant executive bodies
CN113055344B (en) * 2019-12-27 2023-07-28 贵州白山云科技股份有限公司 Scheduling method, device, medium and equipment
CN111371743A (en) * 2020-02-21 2020-07-03 上海红神信息技术有限公司 Security defense method, device and system
CN111417122B (en) * 2020-03-25 2024-03-01 杭州迪普科技股份有限公司 Attack prevention method and device
CN113783824B (en) * 2020-06-10 2022-08-30 中国电信股份有限公司 Method, apparatus, client, system and medium for preventing cross-site request forgery
CN114884736B (en) * 2022-05-11 2024-04-09 山东鲁软数字科技有限公司 Safety protection method and device for explosion attack prevention
CN115065537B (en) * 2022-06-16 2023-07-07 公安部第三研究所 Defending system and dynamic defending method aiming at WEB application automatic attack behaviors
CN115567297A (en) * 2022-09-26 2023-01-03 中国银行股份有限公司 Cross-site request data processing method and device
CN115550047A (en) * 2022-10-12 2022-12-30 中国航空结算有限责任公司 Configuration-free interface authority verification method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860540A (en) * 2010-05-26 2010-10-13 吴晓军 Method and device for identifying legality of website service
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method and device for preventing CSRF attack
CN102571846A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Method and device for forwarding hyper text transport protocol (HTTP) request
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
CN103679018A (en) * 2012-09-06 2014-03-26 百度在线网络技术(北京)有限公司 Method and device for detecting CSRF loophole

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8181246B2 (en) * 2007-06-20 2012-05-15 Imperva, Inc. System and method for preventing web frauds committed using client-scripting attacks
US8020193B2 (en) * 2008-10-20 2011-09-13 International Business Machines Corporation Systems and methods for protecting web based applications from cross site request forgery attacks
US8924553B2 (en) * 2009-08-31 2014-12-30 Red Hat, Inc. Multifactor validation of requests to thwart cross-site attacks
US8850219B2 (en) * 2010-05-13 2014-09-30 Salesforce.Com, Inc. Secure communications
CN102857479B (en) * 2011-06-30 2015-07-29 北京新媒传信科技有限公司 The encryption method of network communication and system
CN102387152A (en) * 2011-11-03 2012-03-21 北京锐安科技有限公司 Preset-key-based symmetric encryption communication method
CN103312666B (en) * 2012-03-09 2016-03-16 腾讯科技(深圳)有限公司 A kind of defence forges the mthods, systems and devices of CSRF attack across station request
CN103117998B (en) * 2012-11-28 2016-01-20 北京用友政务软件有限公司 A kind of safety encryption based on JavaEE application system
CN103634307A (en) * 2013-11-19 2014-03-12 北京奇虎科技有限公司 Method for certificating webpage content and browser

Also Published As

Publication number Publication date
CN103944900A (en) 2014-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China