[go: up one dir, main page]

CN108650214A - The anti-method and device of going beyond one's commission of dynamic page encryption - Google Patents

The anti-method and device of going beyond one's commission of dynamic page encryption Download PDF

Info

Publication number
CN108650214A
CN108650214A CN201810216827.4A CN201810216827A CN108650214A CN 108650214 A CN108650214 A CN 108650214A CN 201810216827 A CN201810216827 A CN 201810216827A CN 108650214 A CN108650214 A CN 108650214A
Authority
CN
China
Prior art keywords
data
transaction
page
encrypted domain
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810216827.4A
Other languages
Chinese (zh)
Other versions
CN108650214B (en
Inventor
戴凯宇
谢家凯
郑小强
司媛媛
薛志文
梁建威
王涵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of Communications Co Ltd
Original Assignee
Bank of Communications Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bank of Communications Co Ltd filed Critical Bank of Communications Co Ltd
Priority to CN201810216827.4A priority Critical patent/CN108650214B/en
Publication of CN108650214A publication Critical patent/CN108650214A/en
Application granted granted Critical
Publication of CN108650214B publication Critical patent/CN108650214B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0457Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Signal Processing (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of anti-method and device of going beyond one's commission of dynamic page encryption, wherein this method includes:When user is initially opened the page, generates encryption key and deposit in session;The data of back page are encrypted with encryption key, generate encryption numeric field data;It will be in the data of the back page of unencryption and encrypted domain data back to the page;The transaction request that user submits is received, the transaction request carries encryption numeric field data and plaintext transaction data;Numeric field data is encrypted with the secret key decryption preserved in session;According to data control transaction in the encrypted domain decrypted.The present invention can solve the problems, such as that e-bank, e-commerce etc. are distorted using the list of the transaction system of dynamic page technology and go beyond one's commission, ensure that system passes back to when the data of the page are submitted again not to be tampered, with the attack that prevents from going beyond one's commission, and it is not take up more memory overhead, does not influence system performance.

Description

The anti-method and device of going beyond one's commission of dynamic page encryption
Technical field
The present invention relates to technical field of data security more particularly to the anti-method and devices of going beyond one's commission of dynamic page encryption.
Background technology
Bank, e-commerce company generally use dynamic page technology to make business site, such as e-bank, electric business purchase Object website etc..Transaction Information, website backstage is submitted to receive basis after the information that user submits by list on the page of website After the input of user inquires user information or other information in the database, the relevant page is generated.
Fig. 1 is dynamic page business site transaction flow exemplary plot in the prior art, as shown in Figure 1, the friendship of dynamic page Easy flow generally comprises:11, user's input information on the page;12, system is according to user input query data;It 13, will inquiry Data are counter to be shown on the page;14, user's operation related data is traded.
Fig. 2 is that electronic bank accounts inquire transaction flow exemplary plot in the prior art, as shown in Fig. 2, the account of e-bank The flow of family inquiry transaction generally comprises:21, user inputs user name, password login;22, user is inquired after system verification identity The card number held;23, it shows card number is counter on the page;24, user selects card number to submit inquiry transaction;25, it is shown on the page Account inquiries result.
Fig. 3 is e-bank's money transfer transactions flow example figure in the prior art, as shown in figure 3, the friendship of transferring accounts of e-bank Easy flow generally comprises:31, user inputs user name, password login;32, the card number that inquiry user holds after system verification identity And it is shown on the page;33, user selects the information such as card number and typing other side account, the amount of money;34, by one's own side's account, other side's account Number, information are counter shows on the page for the amount of money etc.;35, user authenticates and confirms transaction;36, transfer request, system is submitted to carry out It transfers accounts.
Attacker can attack the websites such as e-bank, e-commerce, distorted in submission form on the page from The data for the data or previous step typing that backstage is looked into back, realization are gone beyond one's commission.
Fig. 4 is that attacker distorts list attack flow exemplary plot in the prior art, as shown in figure 4, attack flow is generally wrapped It includes:41, user's input information on the page;42, system is according to user input query data;43, will inquiry data are counter shows page On face;44, attacker distorts the data of data or preceding step typing that backstage is looked into back and submits.
Fig. 5 attacks electronic bank accounts inquiry transaction flow exemplary plot to distort list in the prior art, as shown in figure 5, The flow of attack electronic bank accounts inquiry transaction generally comprises:51, user inputs user name, password login;52, system is verified The card number that user holds is inquired after identity;53, it shows card number is counter on the page;54, attacker distorts the card number in list, carries out It submits;55, the query result for the account that attacker submits is shown on the page.
Fig. 6 is the flow example figure for distorting list attack e-bank money transfer transactions in the prior art, as shown in fig. 6, attacking The flow for hitting e-bank's money transfer transactions generally comprises:61, user inputs user name, password login;62, after system verification identity It inquires the card number that user holds and is shown on the page;63, user selects the information such as card number and typing other side account, the amount of money;64、 By one's own side's account, other side's account, amount of money etc., information are counter shows on the page;65, user authenticates and confirms transaction;66, it attacks Person distorts the data such as account, the amount of money in list and transfer request, system is submitted to transfer accounts.
Nearly all e-bank, the inquiring of electric business business site, dynamic account class transaction can make to carry out in this way Go beyond one's commission attack, allow attacker inquire it is non-I user information, hold product information, Transaction Information, using it is non-I Account or product be traded.
General e-bank can control trading privilege by the way of back-end data comparison, i.e., by back in process of exchange It the data of rapid user's typing and is preserved from the data looked into back from the background, final step is compared verification and weighs when submitting transaction Limit;Or initiate to inquire again when final step is merchandised, compare the data that user submits.Due to being related to transaction and can distort Form data is too many, and this protection method is almost impossible to guard against, and the previous step of each user is stored in server memory Rapid Transaction Information occupies the memory space of system, influences system performance.
Invention content
The embodiment of the present invention provides a kind of anti-method of going beyond one's commission of dynamic page encryption, in the feelings for not influencing server performance Improve transaction security protection effect under condition, this method includes:
When user is initially opened the page, generates encryption key and deposit in session;
The data of back page are encrypted with encryption key, generate encryption numeric field data;
It will be in the data of the back page of unencryption and encrypted domain data back to the page;
The transaction request that user submits is received, the transaction request carries encryption numeric field data and plaintext transaction data;
Numeric field data is encrypted with the secret key decryption preserved in session;
According to data control transaction in the encrypted domain decrypted.
The embodiment of the present invention also provides a kind of anti-device of going beyond one's commission of dynamic page encryption, not influence server performance In the case of improve transaction security protection effect, which includes:
Key production module, for when user is initially opened the page, generating encryption key and depositing in session;
Encrypted domain generation module generates encryption numeric field data for the data of back page to be encrypted with encryption key;
Data back module, for by the data of the back page of unencryption and encrypted domain data back to the page;
Transaction acceptance module, the transaction request for receiving user's submission, the transaction request carry encryption numeric field data and Plaintext transaction data;
Encrypted domain deciphering module, for encrypting numeric field data with the secret key decryption preserved in session;
Transaction control module, for according to data control transaction in the encrypted domain decrypted.
The embodiment of the present invention also provides a kind of computer equipment, including memory, processor and storage are on a memory simultaneously The computer program that can be run on a processor, the processor realize that above-mentioned dynamic page adds when executing the computer program Tight defense is gone beyond one's commission method.
The embodiment of the present invention also provides a kind of computer readable storage medium, and the computer-readable recording medium storage has Execute the computer program of the above-mentioned anti-method of going beyond one's commission of dynamic page encryption.
The embodiment of the present invention has following advantageous effect:
1, the embodiment of the present invention may insure Dynamic Website System from the data looked into back from the background not by attacker in user terminal It is submitted after distorting to realize attack of going beyond one's commission.
2, the embodiment of the present invention can utilize the data of encrypted domain storage, control transaction flow, prevent the friendship that strides Easily attack.
3, the embodiment of the present invention only need to be that a symmetric key is stored in each session in server end, and server does not have to additional Store data.Since key exists only in server end, and generate every time session all can regenerating key, so attacker It can not be released from the ciphertext of user terminal in plain text.
4, the embodiment of the present invention does not influence arm's length dealing flow, and the workload reinforced to existing system is little.
5, in embodiments of the present invention, it is submitted to user terminal and again due to encrypted domain data transfer, safety inspection relies on In the encryption numeric field data that user submits, even if user operates multiple transaction simultaneously, it can also realize that safety is protected to each transaction Shield.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with Obtain other attached drawings according to these attached drawings.In the accompanying drawings:
Fig. 1 is dynamic page business site transaction flow exemplary plot in the prior art;
Fig. 2 is that electronic bank accounts inquire transaction flow exemplary plot in the prior art;
Fig. 3 is e-bank's money transfer transactions flow example figure in the prior art;
Fig. 4 is that attacker distorts list attack flow exemplary plot in the prior art;
Fig. 5 is to distort list in the prior art to attack electronic bank accounts inquiry transaction flow exemplary plot;
Fig. 6 is the flow example figure for distorting list attack e-bank money transfer transactions in the prior art;
Fig. 7 is the schematic diagram of the anti-method of going beyond one's commission of dynamic page encryption in the embodiment of the present invention;
Fig. 8 is that anti-scheme exemplary plot of going beyond one's commission is encrypted in the embodiment of the present invention;
Fig. 9 is the schematic diagram of the anti-device of going beyond one's commission of dynamic page encryption in the embodiment of the present invention.
Specific implementation mode
Understand in order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with the accompanying drawings to this hair Bright embodiment is described in further details.Here, the illustrative embodiments of the present invention and their descriptions are used to explain the present invention, but simultaneously It is not as a limitation of the invention.
The technical term that the embodiment of the present invention may relate to is briefly described below.
Static page:Page code is fixed, and the information on the same page that all users see is completely the same.
Dynamic page:Opposite with static page, page code is generated with customer transaction, and different user sees the same page Information may different (information for including user individual), electronic trading system such as e-bank etc. is all dynamic page.
It goes beyond one's commission attack:Refer to attacker and distort list submit the total amount evidence in electronic trading system, surmounts account itself to realize The transaction of permission.Such as card number of the attacker in distorting submission form during account inquiries are merchandised, to inquire other users Transaction Information.
Stride attack:Attacker utilizes tool or script, skips preceding several steps of arm's length dealing, directly initiates last One step, to veritify the attack pattern of control around identity.
Session (session):User data in memory, user perform fighting website for the first time, and web station system can be held in memory A data field is warded off, the information of this user is stored.
Symmetric cryptography:It is encrypted and decrypted using the same key, selects algorithm appropriate and ensures that key is not revealed, It can ensure release in plain text from ciphertext.
Encrypted domain:System is encrypted to a field and returns to user terminal after needing to pass back to data combination on the page. This encrypted field is exactly encrypted domain.The embodiment of the present invention using encrypted domain storage previous step user's typing data and The data that backstage is looked into back, user are compared when submitting transaction using the data of encrypted domain, and attack of going beyond one's commission is prevented.
Fig. 7 is the schematic diagram of the anti-method of going beyond one's commission of dynamic page encryption in the embodiment of the present invention, as shown in fig. 7, this method can To include:
Step 71, when user is initially opened the page, generate encryption key simultaneously deposit in session;
Step 72 is encrypted the data of back page with encryption key, generates encryption numeric field data;
Step 73, will be in the data of the back page of unencryption and encrypted domain data back to the page;
Step 74 receives the transaction request that user submits, and the transaction request carries encryption numeric field data and plaintext number of deals According to;
Step 75 encrypts numeric field data with the secret key decryption preserved in session;
Step 76 is merchandised according to data control in the encrypted domain decrypted.
Flow uses dynamic it is known that the embodiment of the present invention can solve e-bank, e-commerce etc. as shown in Figure 7 The list of the transaction system of page technology distorts the problem of going beyond one's commission, that is, ensure system pass back to when the data of the page are submitted again not by Distort, with the attack that prevents from going beyond one's commission, and do not increase back-end data storage (only need for each online user store one it is symmetrical close Key).Using the embodiment of the present invention and corresponding system development specification and system component are formulated, it can be comprehensive, compactly right Anti- reinforcing of going beyond one's commission is realized in each transaction, convenient to do safety inspection to code, it is not easy to omit.
As previously mentioned, currently available technology is generally used for storing the transaction data of back in memory, and in latter step The mode being compared in rapid realizes that transaction is anti-and goes beyond one's commission.Memory stores data and the mode of comparison occupies more memory overhead, appearance Protection is easily omitted, and is difficult to cope with user while operating the scene of several transaction, because can only generally store one in memory Otherwise the data of transaction are just difficult to manage and clean up.
Relative to existing memory Scheme of Strengthening, the embodiment of the present invention does not increase memory overhead substantially, can be with common set The mode of part carries out, and exploitation is simpler, and protection is more comprehensive.User terminal is transmitted to due to encrypted domain and is submitted again, it can It operates multiple transaction simultaneously to a user and all does safeguard protection.
In embodiment, when user is initially opened Website page, an encryption key is generated at random, is stored in session (session) in.It is encrypted using the data of this key pair back page, generates encryption numeric field data.Encrypting numeric field data can be with It is placed in hiding field and passes back on the page.It is the number of the back page of unencryption in plain text while these data are encrypted According to still transferring back on the page, arm's length dealing flow is not influenced.Encrypted domain is merchandised in plain text with normal while user submits transaction Data are submitted together.After transaction is submitted, numeric field data is encrypted using the secret key decryption preserved in session, according to the encrypted domain decrypted Middle data control transaction.
In embodiment, according to data control transaction in the encrypted domain decrypted, may include:With data in encrypted domain to bright Literary transaction data is checked, if the field that user submits in plaintext transaction data is present in encrypted domain, is checked and is handed in plain text The consistency of the field and the field in encrypted domain, shuts the book if inconsistent in easy data.For example, using in encrypted domain Data check plaintext transaction data, if a field was both submitted in plaintext transaction data, are also stored in encrypted domain This field then checking the consistency of the two fields stops this transaction if inconsistent, can prevent user in this way The attack that the data verified are distorted at end or part distorts, and then goes beyond one's commission.
In embodiment, when back page data be one group of enumerated value, the data of back page are carried out with encryption key Encryption generates encryption numeric field data, may include:It is preserved, is generated with encryption keys using this group of enumerated value as a list Encrypt numeric field data;Plaintext transaction data includes the enumerated value that user selects in this group of enumerated value;It checks in plaintext transaction data The consistency of the field in the field and encrypted domain may include:The enumerated value of user's selection is in verification plaintext transaction data It is no to enumerate value list in encrypted domain, if not shutting the book if.For example, being enumerated back to one group on the page for backstage The data of value, user select the transaction sent in wherein a certain value on the page, and for example user inquires account row in e-bank Then table selects the transaction of one of account inquiries details, is protected all enumerated values as a list encryption in encrypted domain It deposits, enumerated value list name is consistent with the field name that transaction is submitted.After transaction is submitted, it can check that user terminal is submitted according to field name Value whether in the field of encrypted domain enumerate value list, be normally carried out transaction if comparing successfully, lost if compared It loses, shuts the book.
Fig. 8 is that anti-scheme exemplary plot of going beyond one's commission is encrypted in the embodiment of the present invention, as shown in fig. 7, implementation process can for example wrap It includes:81, user is initially opened Website page;82, server creates session, and generates encryption key;83, user logs in and enters Transaction;84, server obtains background query data and the data encryption that typing is walked before user, are put into the hiding field of the page In (encrypted domain);85, user typing, confirmation and submits transaction on the page, while submitting encrypted domain field;86, server end The data that user submits are compared to whether there is in encrypted domain, and if so, whether both comparisons are consistent, if it is inconsistent, There is attack of going beyond one's commission in judgement, and blocks this transaction.
It, can be by if the field name of the passback page of original system and the field name submitted again are all consistent in embodiment Above-described embodiment reinforces system, it is only necessary to develop a public encryption and veritify component, so that it may with to all passback pages The field in face is encrypted, and transaction is veritified when submitting, without making modification to particular transactions.Or, or it is each A configuration is write in transaction, is maintained in configuration file, including this transaction will encrypt the field of veritification.
In embodiment, by the way that the transaction number for being related to operation flow is added in encrypted data fields, transaction step is numbered, and It is submitting the when of merchandising to check transaction number and transaction step, can prevent user terminal from arbitrarily calling a certain step of transaction, prevent Stride attack.For example final step of transferring accounts directly is sent to server and completes the attack transferred accounts.
The safety check process of the embodiment of the present invention can also use another embodiment, that is, ignore the data submitted in plain text, And it is subject to the data in encrypted domain and is traded.For enumerating value list, then can select to carry in plain text by user on the page Enumerated value serial number is handed over, enumerated value is then taken out from encrypted domain according to serial number, obtains the data of user's selection.That is, when returning to page When the data in face are one group of enumerated value, plaintext transaction data includes the serial number for the enumerated value that user selects in this group of enumerated value; According to data control transaction in the encrypted domain decrypted, may include:According to the serial number of enumerated value in plaintext transaction data, from adding Corresponding enumerated value is taken out in enumerating for close domain in value list, obtain the enumerated value of user's selection;The enumerated value selected according to user Execute transaction.
The specific example of the anti-method of going beyond one's commission of dynamic page encryption in the embodiment of the present invention is given below.
Example one, the account inquiries transaction for protecting e-bank
In this example, user generates encryption key and stores in a session when entering e-bank, when doing account inquiries transaction, System is shown account list is counter on the page, generates an encrypted domain at this time, the account information and biography of user are included in encrypted domain It is delivered on the page.User submits when inquiry transaction on simultaneously and send plaintext account number field and encrypted domain, and system, which compares plaintext account, is In the no account list for being present in encrypted domain, and if so, normally complete transaction, if there is no then terminating this transaction.
Example two, the money transfer transactions for protecting e-bank
In this example, user generates encryption key and stores in a session when entering e-bank, when doing account inquiries, system It shows account list is counter on the page, generates an encrypted domain at this time, the account information comprising user and be transmitted in encrypted domain On the page.User selects one's own side's account, and typing reciprocal account and the amount of money on the page, then submits transaction and encrypted domain.System One's own side's account that system compares plaintext whether there is in the account list of encrypted domain, and if so, continuing, if there is no then Terminate this transaction.In the case of continuation, system is all deposited after encrypting one's own side's account, the amount of money, other side's account, next step transaction step It is placed in encrypted domain, and show these information are counter on the page, while encrypted domain being also passed in the hiding field of the page, use Family, which confirms, merchandises and inputs trading password and authentication, and transaction, system is then submitted to compare the one's own side's account submitted at this time, gold again Whether volume, other side's account and the data stored in encrypted domain are consistent, and check whether the transaction step in encrypted domain is to transfer accounts Result step, termination of merchandising if inconsistent, if consistent complete to transfer accounts.
By above-described embodiment it is found that the embodiment of the present invention can protect Dynamic Website System from the data looked into back from the background not by Attacker submits after user terminal is distorted to realize attack of going beyond one's commission.In embodiment can utilize encrypted domain storage transaction number, Transaction step, the information such as especially next transaction step, system can judge transaction flow, and the prevention transaction that strides is attacked It hits.Only need to be that a symmetric key is stored in each session in server end when implementation, server does not have to extra storage data.Due to Key exists only in server end, and generate every time session all can regenerating key, so attacker can not be from user terminal Ciphertext in release in plain text.The embodiment of the present invention can be developed in a manner of public safety component, not influence arm's length dealing flow, The workload reinforced to existing system is little.User terminal is transmitted to due to encrypted domain and is submitted again, safety inspection only according to Rely the security configuration of the encrypted domain and transaction submitted in user, it, can also be to each even if user operates multiple transaction simultaneously Safeguard protection is realized in transaction.
Based on same inventive concept, a kind of anti-device of going beyond one's commission of dynamic page encryption is additionally provided in the embodiment of the present invention, such as Described in the following examples.It, should since the principle that the device solves the problems, such as is similar to the anti-method of going beyond one's commission of dynamic page encryption The implementation of device may refer to the implementation of the anti-method of going beyond one's commission of dynamic page encryption, and overlaps will not be repeated.
Fig. 9 is the schematic diagram of the anti-device of going beyond one's commission of dynamic page encryption in the embodiment of the present invention, as shown in figure 9, the device can To include:
Key production module 91, for when user is initially opened the page, generating encryption key and depositing in session;
Encrypted domain generation module 92 generates encrypted domain number for the data of back page to be encrypted with encryption key According to;
Data back module 93, for by the data of the back page of unencryption and encrypted domain data back to the page;
Transaction acceptance module 94, the transaction request for receiving user's submission, the transaction request carry encryption numeric field data With plaintext transaction data;
Encrypted domain deciphering module 95, for encrypting numeric field data with the secret key decryption preserved in session;
Transaction control module 96, for according to data control transaction in the encrypted domain decrypted.
In one embodiment, data back module 93 can be further used for:Encryption numeric field data is placed in hiding field Pass back on the page.
In one embodiment, transaction control module 96 can be further used for:
Plaintext transaction data is checked with data in encrypted domain, if the field that user submits in plaintext transaction data is deposited It is in encrypted domain, then checks the consistency of the field and the field in encrypted domain in plaintext transaction data, stop if inconsistent Only merchandise.
In one embodiment, the data of the back page can be one group of enumerated value;
The encrypted domain generation module 92 can be further used for:Using this group of enumerated value as a list encryption key Encrypting storing generates encryption numeric field data;
The plaintext transaction data may include the enumerated value that user selects in this group of enumerated value;
The transaction control module 96 can be further used for:That checks that user in the plaintext transaction data selects enumerates Whether value in encrypted domain enumerates value list, if not shutting the book if.
In one embodiment, the data of the back page can be one group of enumerated value;
The plaintext transaction data may include the serial number for the enumerated value that user selects in this group of enumerated value;
The transaction control module 96 can be further used for:
According to the serial number of enumerated value in the plaintext transaction data, corresponding piece is taken out in value list from enumerating for encrypted domain Act value obtains the enumerated value of user's selection;The enumerated value selected according to user executes transaction.
The embodiment of the present invention also provides a kind of computer equipment, including memory, processor and storage are on a memory simultaneously The computer program that can be run on a processor, the processor realize that above-mentioned dynamic page adds when executing the computer program Tight defense is gone beyond one's commission method.
The embodiment of the present invention also provides a kind of computer readable storage medium, and the computer-readable recording medium storage has Execute the computer program of the above-mentioned anti-method of going beyond one's commission of dynamic page encryption.
In conclusion the embodiment of the present invention may insure that Dynamic Website System is not existed from the data looked into back from the background by attacker User terminal is submitted after distorting to realize attack of going beyond one's commission.The embodiment of the present invention can utilize the data of encrypted domain storage, to transaction flow Cheng Jinhang is controlled, and prevention strides to merchandise and attack.The embodiment of the present invention only need to be that each session stores one symmetrically in server end Key, server do not have to extra storage data.Since key exists only in server end, and generating session every time all can be again Key is generated, so attacker can not release in plain text from the ciphertext of user terminal.The embodiment of the present invention does not influence arm's length dealing stream Journey, the workload reinforced to existing system are little.In embodiments of the present invention, due to encrypted domain data transfer to user terminal And submit again, safety inspection depends on the encryption numeric field data that user submits, can also even if user operates multiple transaction simultaneously Safeguard protection is realized to each transaction.
It should be understood by those skilled in the art that, the embodiment of the present invention can be provided as method, system or computer program Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the present invention Apply the form of example.Moreover, the present invention can be used in one or more wherein include computer usable program code computer The computer program production implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) The form of product.
The present invention be with reference to according to the method for the embodiment of the present invention, the flow of equipment (system) and computer program product Figure and/or block diagram describe.It should be understood that can be realized by computer program instructions every first-class in flowchart and/or the block diagram The combination of flow and/or box in journey and/or box and flowchart and/or the block diagram.These computer programs can be provided Instruct the processor of all-purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce A raw machine so that the instruction executed by computer or the processor of other programmable data processing devices is generated for real The device for the function of being specified in present one flow of flow chart or one box of multiple flows and/or block diagram or multiple boxes.
These computer program instructions, which may also be stored in, can guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works so that instruction generation stored in the computer readable memory includes referring to Enable the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one box of block diagram or The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device so that count Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, in computer or The instruction executed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one The step of function of being specified in a box or multiple boxes.
Particular embodiments described above has carried out further in detail the purpose of the present invention, technical solution and advantageous effect Describe in detail it is bright, it should be understood that the above is only a specific embodiment of the present invention, the guarantor being not intended to limit the present invention Range is protected, all within the spirits and principles of the present invention, any modification, equivalent substitution, improvement and etc. done should be included in this Within the protection domain of invention.

Claims (10)

1. a kind of anti-method of going beyond one's commission of dynamic page encryption, which is characterized in that including:
When user is initially opened the page, generates encryption key and deposit in session;
The data of back page are encrypted with encryption key, generate encryption numeric field data;
It will be in the data of the back page of unencryption and encrypted domain data back to the page;
The transaction request that user submits is received, the transaction request carries encryption numeric field data and plaintext transaction data;
Numeric field data is encrypted with the secret key decryption preserved in session;
According to data control transaction in the encrypted domain decrypted.
2. the method as described in claim 1, which is characterized in that by encrypted domain data back to the page, including:By encrypted domain Data, which are placed in hiding field, to pass back on the page.
3. the method as described in claim 1, which is characterized in that data control transaction in the encrypted domain that the basis decrypts, Including:
Plaintext transaction data is checked with data in encrypted domain, if the field that user submits in plaintext transaction data is present in In encrypted domain, then the consistency of the field and the field in encrypted domain in plaintext transaction data is checked, stops handing over if inconsistent Easily.
4. method as claimed in claim 3, which is characterized in that the data of the back page are one group of enumerated value;
It is described that the data of back page are encrypted with encryption key, encryption numeric field data is generated, including:This group of enumerated value is made It is preserved with encryption keys for a list, generates encryption numeric field data;
The plaintext transaction data includes the enumerated value that user selects in this group of enumerated value;
The consistency of the field and the field in encrypted domain in the verification plaintext transaction data, including:The plaintext is checked to hand over Whether user selects in easy data enumerated value in encrypted domain enumerates value list, if not shutting the book if.
5. the method as described in claim 1, which is characterized in that the data of the back page are one group of enumerated value;
The plaintext transaction data includes the serial number for the enumerated value that user selects in this group of enumerated value;
Data control transaction in the encrypted domain that the basis decrypts, including:
According to the serial number of enumerated value in the plaintext transaction data, corresponding enumerate is taken out in value list from enumerating for encrypted domain Value obtains the enumerated value of user's selection;The enumerated value selected according to user executes transaction.
6. a kind of anti-device of going beyond one's commission of dynamic page encryption, which is characterized in that including:
Key production module, for when user is initially opened the page, generating encryption key and depositing in session;
Encrypted domain generation module generates encryption numeric field data for the data of back page to be encrypted with encryption key;
Data back module, for by the data of the back page of unencryption and encrypted domain data back to the page;
Transaction acceptance module, the transaction request for receiving user's submission, the transaction request carry encryption numeric field data and plaintext Transaction data;
Encrypted domain deciphering module, for encrypting numeric field data with the secret key decryption preserved in session;
Transaction control module, for according to data control transaction in the encrypted domain decrypted.
7. device as claimed in claim 6, which is characterized in that the transaction control module is further used for:
Plaintext transaction data is checked with data in encrypted domain, if the field that user submits in plaintext transaction data is present in In encrypted domain, then the consistency of the field and the field in encrypted domain in plaintext transaction data is checked, stops handing over if inconsistent Easily.
8. device as claimed in claim 6, which is characterized in that the data of the back page are one group of enumerated value;
The plaintext transaction data includes the serial number for the enumerated value that user selects in this group of enumerated value;
The transaction control module is further used for:
According to the serial number of enumerated value in the plaintext transaction data, corresponding enumerate is taken out in value list from enumerating for encrypted domain Value obtains the enumerated value of user's selection;The enumerated value selected according to user executes transaction.
9. a kind of computer equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, which is characterized in that the processor realizes any side of claim 1 to 5 when executing the computer program Method.
10. a kind of computer readable storage medium, which is characterized in that the computer-readable recording medium storage has perform claim It is required that the computer program of 1 to 5 any the method.
CN201810216827.4A 2018-03-16 2018-03-16 Dynamic page encryption anti-unauthorized method and device Active CN108650214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810216827.4A CN108650214B (en) 2018-03-16 2018-03-16 Dynamic page encryption anti-unauthorized method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810216827.4A CN108650214B (en) 2018-03-16 2018-03-16 Dynamic page encryption anti-unauthorized method and device

Publications (2)

Publication Number Publication Date
CN108650214A true CN108650214A (en) 2018-10-12
CN108650214B CN108650214B (en) 2021-09-17

Family

ID=63744236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810216827.4A Active CN108650214B (en) 2018-03-16 2018-03-16 Dynamic page encryption anti-unauthorized method and device

Country Status (1)

Country Link
CN (1) CN108650214B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600377A (en) * 2018-12-13 2019-04-09 平安科技(深圳)有限公司 Anti- go beyond one's commission method, apparatus, computer equipment and storage medium
CN111709803A (en) * 2020-06-12 2020-09-25 北京思特奇信息技术股份有限公司 Method and system for preventing unauthorized business handling
CN113395269A (en) * 2021-06-04 2021-09-14 上海浦东发展银行股份有限公司 Data interaction method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101067358A (en) * 2007-03-20 2007-11-07 姜君凯 Trick lock mechanism
CN101770619A (en) * 2008-12-31 2010-07-07 中国银联股份有限公司 Multiple-factor authentication method for online payment and authentication system
US20120246080A1 (en) * 2005-06-15 2012-09-27 E. E. System Corporation Method and system for real time online debit transactions
US20120323717A1 (en) * 2011-06-16 2012-12-20 OneID, Inc. Method and system for determining authentication levels in transactions
CN105591746A (en) * 2014-12-11 2016-05-18 中国银联股份有限公司 Processing method and processing system for binding acceptance terminal online
CN105989482A (en) * 2015-02-04 2016-10-05 成都天地网信息科技有限公司 Data encryption method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120246080A1 (en) * 2005-06-15 2012-09-27 E. E. System Corporation Method and system for real time online debit transactions
CN101067358A (en) * 2007-03-20 2007-11-07 姜君凯 Trick lock mechanism
CN101770619A (en) * 2008-12-31 2010-07-07 中国银联股份有限公司 Multiple-factor authentication method for online payment and authentication system
US20120323717A1 (en) * 2011-06-16 2012-12-20 OneID, Inc. Method and system for determining authentication levels in transactions
CN105591746A (en) * 2014-12-11 2016-05-18 中国银联股份有限公司 Processing method and processing system for binding acceptance terminal online
CN105989482A (en) * 2015-02-04 2016-10-05 成都天地网信息科技有限公司 Data encryption method

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600377A (en) * 2018-12-13 2019-04-09 平安科技(深圳)有限公司 Anti- go beyond one's commission method, apparatus, computer equipment and storage medium
CN109600377B (en) * 2018-12-13 2022-11-22 平安科技(深圳)有限公司 Method and device for preventing unauthorized use computer device and storage medium
CN111709803A (en) * 2020-06-12 2020-09-25 北京思特奇信息技术股份有限公司 Method and system for preventing unauthorized business handling
CN111709803B (en) * 2020-06-12 2023-09-05 北京思特奇信息技术股份有限公司 Method and system for preventing unauthorized business handling
CN113395269A (en) * 2021-06-04 2021-09-14 上海浦东发展银行股份有限公司 Data interaction method and device

Also Published As

Publication number Publication date
CN108650214B (en) 2021-09-17

Similar Documents

Publication Publication Date Title
US7333615B1 (en) Encryption between multiple devices
USRE38070E1 (en) Cryptography system and method for providing cryptographic services for a computer application
Smid et al. Data encryption standard: past and future
Ramana et al. A three-level gateway protocol for secure M-commerce transactions using encrypted OTP
EP0995177B1 (en) Symmetrically-secured electronic communication system
CN103390124B (en) Apparatus, system and method for secure entry and processing of passwords
CN107210914A (en) The method supplied for security credence
US20020023054A1 (en) Method and system for protecting credit card transactions
CN109697365A (en) Information processing method and block chain node, electronic equipment
KR20160114749A (en) Dealing method of Crypto-currency base on Blockchain System
EP1984890A2 (en) A point-of-sale terminal transaction using mutating identifiers
JPH09244886A (en) Software using method and software distribution system
CN1921395B (en) Method for improving security of network software
CN108810017A (en) Business processing safe verification method and device
CN112513904B (en) Digital asset transaction control method, device, terminal equipment and storage medium
KR101923943B1 (en) System and method for remitting crypto currency with enhanced security
CN103353973A (en) Banking transaction authentication method based on video verification, and banking transaction authentication system based on video verification
KR20000012391A (en) Method and system for electronic payment via internet
CN111798224A (en) A digital currency payment method based on SGX
WO2019199813A2 (en) Managed high integrity blockchain and blockchain communications that utilize containers
US20240414003A1 (en) Checkout with mac
CN108650214A (en) The anti-method and device of going beyond one's commission of dynamic page encryption
US6424953B1 (en) Encrypting secrets in a file for an electronic micro-commerce system
TW201504964A (en) Secure mobile device shopping system and method
Muftic et al. Overview and analysis of the concept and applications of virtual currencies

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant