
CN116094786A - Data processing method, system, device and storage medium based on double-factor protection - Google Patents


Info

Publication number: CN116094786A
Application number: CN202211708701.1A
Authority: CN (China)
Prior art keywords: request, request information, check value, factor, server
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 于翔, 钱长杰, 丁霞, 朱明�
Current assignee: Tianyi IoT Technology Co Ltd
Original assignee: Tianyi IoT Technology Co Ltd
Events: application filed by Tianyi IoT Technology Co Ltd; priority to CN202211708701.1A; publication of CN116094786A; current legal status pending

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication) and H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/0428: providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04)
    • H04L63/083: authentication of entities using passwords (under H04L63/08)
    • H04L63/12: applying verification of the received information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a data processing method, system, device and storage medium based on two-factor protection. The method comprises: generating a check value from the request protocol packet, taken as the request parameters, according to a preset algorithm; sorting the request parameters according to a preset rule to generate a parameter string; generating an encrypted digest from the parameter string and the check value using an encryption function, and generating a dynamic check factor from the check value and the encrypted digest, the encryption function being an irreversible encryption function; and generating request information from the dynamic check factor and sending the request information to the server, so that the server verifies the request information using the check value and the encrypted digest and determines whether the request information is a replay attack. Embodiments of the invention improve the effectiveness of replay-attack prevention and can be widely applied in the field of computer technology.

Description

Data processing method, system, device and storage medium based on two-factor protection

Technical field

The present invention relates to the field of computer technology, and in particular to a data processing method, system, device and storage medium based on two-factor protection.

Background

A replay attack, also known as a playback attack or freshness attack, is an attack in which an attacker captures messages or message fragments from a previous or the current run of a protocol and uses them to deceive the current protocol run, thereby undermining the security of the network protocol, obstructing normal communication and consuming network resources. Replay attacks can occur in any network communication, so defending against them is essential. Replay attacks are usually prevented by giving the request message a freshness property that lets the receiver identify whether a message is a replay. The common ways of establishing the freshness of a request message are timestamp-based and sequence-number-based. However, each of these freshness methods has gaps, and the effectiveness of replay-attack prevention needs to be improved.

Summary of the invention

In view of this, the embodiments of the present invention aim to provide a data processing method, system, device and storage medium based on two-factor protection that improve the effectiveness of replay-attack prevention.

In a first aspect, an embodiment of the present invention provides a data processing method based on two-factor protection, applied at the client, comprising:

generating a check value from the request protocol packet, taken as the request parameters, according to a preset algorithm;

sorting the request parameters according to a preset rule to generate a parameter string;

generating an encrypted digest from the parameter string and the check value using an encryption function, and generating a dynamic check factor from the check value and the encrypted digest, the encryption function being an irreversible encryption function;

generating request information from the dynamic check factor and sending the request information to the server, so that the server verifies the request information using the check value and the encrypted digest and determines whether the request information is a replay attack; wherein, once the request succeeds, the check value is saved in a cache.

Optionally, generating the check value from the request protocol packet, taken as the request parameters, according to the preset algorithm specifically comprises:

generating a hash value from the request protocol packet, taken as the request parameters, according to a hash algorithm.

Optionally, sorting the request parameters according to the preset rule specifically comprises:

sorting the request parameters in alphabetical order or in ASCII code order.

In a second aspect, an embodiment of the present invention provides a data processing method based on two-factor protection, applied at the server, comprising:

receiving request information sent by the client and determining a dynamic check factor from the request information, the dynamic check factor comprising a check value and an encrypted digest;

querying whether the check value exists in a cache;

if the check value exists in the cache, the request information is a replay attack;

if the check value does not exist in the cache, verifying the encrypted digest and determining from the verification result whether the request information is a replay attack.

Optionally, verifying the encrypted digest and determining from the verification result whether the request information is a replay attack specifically comprises:

determining a parameter string and a check value from the request information, and generating a verification digest from the parameter string and the check value according to the encryption algorithm;

comparing the verification digest with the encrypted digest;

if the verification digest matches the encrypted digest, the request information is not a replay attack;

if the verification digest does not match the encrypted digest, the request information is a replay attack.

In a third aspect, an embodiment of the present invention provides a data processing system based on two-factor protection, applied at the client, comprising:

a first module for generating a check value from the request protocol packet, taken as the request parameters, according to a preset algorithm;

a second module for sorting the request parameters according to a preset rule to generate a parameter string;

a third module for generating an encrypted digest from the parameter string and the check value using an encryption function, and generating a dynamic check factor from the check value and the encrypted digest, the encryption function being an irreversible encryption function;

a fourth module for generating request information from the dynamic check factor and sending the request information to the server, so that the server verifies the request information using the check value and the encrypted digest and determines whether the request information is a replay attack; wherein, once the request succeeds, the check value is saved in a cache.

In a fourth aspect, an embodiment of the present invention provides a data processing system based on two-factor protection, applied at the server, comprising:

a fifth module for receiving request information sent by the client and determining a dynamic check factor from the request information, the dynamic check factor comprising a check value and an encrypted digest;

a sixth module for querying whether the check value exists in a cache;

a seventh module for determining that the request information is a replay attack if the check value exists in the cache;

an eighth module for verifying the encrypted digest if the check value does not exist in the cache, and determining from the verification result whether the request information is a replay attack.

In a fifth aspect, an embodiment of the present invention provides a data processing device based on two-factor protection, comprising:

at least one processor;

at least one memory for storing at least one program;

wherein, when the at least one program is executed by the at least one processor, the at least one processor implements the method of the first-aspect embodiment or the second-aspect embodiment.

In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a processor-executable program which, when executed by a processor, performs the method of the first-aspect embodiment or the second-aspect embodiment.

In a seventh aspect, an embodiment of the present invention provides a data processing system based on two-factor protection, comprising a client and a server communicatively connected to each other, wherein

the client is configured to implement the method of the first-aspect embodiment;

the server is configured to implement the method of the second-aspect embodiment.

Implementing the embodiments of the present invention has the following beneficial effects. In this embodiment the client first generates a check value from the request parameters according to a preset algorithm and generates a parameter string from the request parameters; it then generates an encrypted digest from the parameter string and the check value using the encryption function, generates a dynamic check factor from the check value and the encrypted digest, adds the dynamic check factor to the request information and sends it to the server. After receiving the request information, the server parses the dynamic check factor out of it and verifies the check value and the encrypted digest in the dynamic check factor separately to determine whether the request information is a replay attack. The check value and the encrypted digest thus form a two-factor interface verification method between the client and the server, building a defence mechanism against replay attacks that effectively prevents replays, improves the security of interface communication and greatly raises the level of intelligence of application security protection.

Brief description of the drawings

Fig. 1 is a structural block diagram of a data processing system based on two-factor protection provided by an embodiment of the present invention;

Fig. 2 is a schematic flowchart of the steps of a data processing method applied at the client, provided by an embodiment of the present invention;

Fig. 3 is a structural block diagram of a data processing system applied at the client, provided by an embodiment of the present invention;

Fig. 4 is a schematic flowchart of the steps of a data processing method applied at the server, provided by an embodiment of the present invention;

Fig. 5 is a structural block diagram of a data processing system applied at the server, provided by an embodiment of the present invention;

Fig. 6 is a structural block diagram of a data processing device based on two-factor protection provided by an embodiment of the present invention;

Fig. 7 is a flowchart of another data processing method based on two-factor protection provided by an embodiment of the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings and specific embodiments. The step numbers in the following embodiments are given only for convenience of description and impose no restriction on the order of the steps; the execution order of the steps in the embodiments may be adapted according to the understanding of those skilled in the art.

In the following description, references to "some embodiments" describe a subset of all possible embodiments; it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and that they may be combined with one another where there is no conflict.

In the following description, the terms "first\second\third" merely distinguish similar objects and do not denote any particular ordering of those objects; it is understood that, where permitted, the specific order or sequence may be interchanged so that the embodiments of the invention described here can be practised in an order other than that illustrated or described.

Unless otherwise defined, all technical and scientific terms used in the embodiments of the present invention have the meaning commonly understood by those skilled in the technical field of the present invention. The terms used in the embodiments serve only to describe the embodiments and are not intended to limit the present invention.

Before the embodiments of the present invention are described in further detail, the nouns and terms involved in the embodiments are explained; the nouns and terms used in the embodiments are to be understood as follows.

Referring to Fig. 1, in an embodiment of the present invention the client and the server communicate through an interface, over either a wired or a wireless link. The client sends request information to the server, and the server determines from the request information whether it is a replay attack, thereby determining the validity of the request information.

As shown in Fig. 2, an embodiment of the present invention provides a data processing method based on two-factor protection, applied at the client, comprising steps S100 to S400.

S100: generate a check value from the request protocol packet, taken as the request parameters, according to a preset algorithm.

Note that the preset algorithm is chosen according to the actual application and is not specifically limited in this embodiment. The check value is determined by the request parameters and the chosen preset algorithm; different preset algorithms yield different check values. For example, the check value corresponding to a hash algorithm is a hash value.

Optionally, generating the check value from the request protocol packet, taken as the request parameters, according to the preset algorithm specifically comprises:

S110: generate a hash value from the request protocol packet, taken as the request parameters, according to a hash algorithm.

Specifically, when a hash algorithm is chosen as the preset algorithm, the client computes the hash value of the protocol packet of each request with that hash algorithm.

S200: sort the request parameters according to a preset rule to generate a parameter string.

Note that the preset rule is an agreed sorting rule; it is chosen according to the actual application and is not specifically limited in this embodiment.

Optionally, sorting the request parameters according to the preset rule specifically comprises:

S210: sort the request parameters in alphabetical order or in ASCII code order.

Specifically, the request parameters are sorted in alphabetical order, in ASCII code order, or in an agreed specific order.

S300: generate an encrypted digest from the parameter string and the check value using the encryption function, and generate a dynamic check factor from the check value and the encrypted digest; the encryption function is an irreversible encryption function.

Note that the encryption function is an irreversible encryption function agreed between the client and the server, including but not limited to the commonly used MD5 function.

Specifically, on every request the client uses the encryption function to encrypt the string formed by the sorted client request parameters + the hash value, producing the encrypted digest, and generates the dynamic check factor from the check value and the encrypted digest.

S400: generate request information from the dynamic check factor and send the request information to the server, so that the server verifies the request information using the check value and the encrypted digest and determines whether the request information is a replay attack; wherein, once the request succeeds, the check value is saved in a cache.

Specifically, the dynamic check factor may be placed in the request message header, the request message body or another position. The client adds the dynamic check factor to the original request message to obtain the request information and sends the request information to the server; after receiving the request information, the server verifies the check value and the encrypted digest from the dynamic check factor in the request information to determine whether the request information is a replay attack.

Note that after each successful request the server saves the hash value to the Redis cache. The Redis cache stores the hash values from the dynamic check factors of request information that has passed verification.

Implementing the embodiments of the present invention has the following beneficial effects. In this embodiment the client first generates a check value from the request parameters according to a preset algorithm and generates a parameter string from the request parameters; it then generates an encrypted digest from the parameter string and the check value using the encryption function, generates a dynamic check factor from the check value and the encrypted digest, adds the dynamic check factor to the request information and sends it to the server, so that the server verifies the dynamic check factor in the request information to determine whether the request information is a replay attack. The check value and the encrypted digest thus form a two-factor interface verification method between the client and the server, building a defence mechanism against replay attacks that effectively prevents replays, improves the security of interface communication and greatly raises the level of intelligence of application security protection.

Referring to Fig. 3, an embodiment of the present invention provides a data processing system based on two-factor protection, applied at the client, comprising:

a first module for generating a check value from the request protocol packet, taken as the request parameters, according to a preset algorithm;

a second module for sorting the request parameters according to a preset rule to generate a parameter string;

a third module for generating an encrypted digest from the parameter string and the check value using an encryption function, and generating a dynamic check factor from the check value and the encrypted digest, the encryption function being an irreversible encryption function;

a fourth module for generating request information from the dynamic check factor and sending the request information to the server, so that the server verifies the request information using the check value and the encrypted digest and determines whether the request information is a replay attack; wherein, once the request succeeds, the check value is saved in a cache.

It can be seen that everything in the client-side method embodiment above applies to this system embodiment; the functions implemented by this system embodiment are the same as those of the client-side method embodiment, and the beneficial effects achieved are the same as those of the client-side method embodiment.

参阅图4,本发明实施例提供了一种基于双因子防护的数据处理方法,应用于服务端,包括步骤S500至步骤S800。Referring to FIG. 4 , an embodiment of the present invention provides a data processing method based on two-factor protection, which is applied to a server, including steps S500 to S800.

S500、接收客户端发送的请求信息,根据所述请求信息确定动态校验因子;动态校验因子包括校验数值及加密摘要。S500. Receive request information sent by the client, and determine a dynamic check factor according to the request information; the dynamic check factor includes a check value and an encrypted digest.

具体地,服务端接收客户端发送的请求信息后,从请求信息中提取动态校验因子,动态校验因子包括校验数值及加密摘要。Specifically, after receiving the request information sent by the client, the server extracts a dynamic verification factor from the request information, and the dynamic verification factor includes a verification value and an encrypted digest.

S600、查询缓存中是否存在所述校验数值。S600. Query whether the check value exists in the cache.

具体地,服务端在Redis缓存中查询校验数值是否存在,根据校验数值在Redis缓存中的存在情况判断本次请求是否为重放攻击,查询方式可以通过匹配验证。Specifically, the server queries whether the check value exists in the Redis cache, and judges whether the request is a replay attack based on the presence of the check value in the Redis cache. The query method can pass the matching verification.

S700、若所述缓存中存在所述校验数值,所述请求信息为重放攻击。S700. If the check value exists in the cache, the request information is a replay attack.

具体地,如果Redis缓存中存在上述的校验数值,则本次请求信息为重放攻击,本次请求信息无效;如果Redis缓存中不存在上述的校验数值,则本次请求信息为非重放攻击,说明本次请求信息有效,需要再对加密摘要进行进一步验证。Specifically, if the above check value exists in the Redis cache, the request information is a replay attack, and the request information is invalid; if the above check value does not exist in the Redis cache, the request information is non-replay attack. If the attack is released, it means that the requested information is valid, and further verification of the encrypted digest is required.

S800、若所述缓存中不存在所述校验数值,对所述加密摘要进行验证,并根据验证结果确定所述请求信息是否为重放攻击。S800. If the check value does not exist in the cache, verify the encrypted digest, and determine whether the request information is a replay attack according to a verification result.

具体地,当根据校验数值无法确定请求信息是否为重放攻击,服务端按照客户端的加密摘要生成规则生成服务端的加密摘要,然后与客户端发送的加密摘要进行对比,根据对比结果确定请求信息是否为重放攻击。Specifically, when it is not possible to determine whether the request information is a replay attack based on the check value, the server generates the encryption digest of the server according to the encryption digest generation rules of the client, and then compares it with the encryption digest sent by the client, and determines the request information according to the comparison result Whether it is a replay attack.

可选地,所述对所述加密摘要进行验证,并根据验证结果确定所述请求信息是否为重放攻击,具体包括:Optionally, the verifying the encrypted digest, and determining whether the request information is a replay attack according to the verification result, specifically includes:

S810、根据所述请求信息确定参数字符串及校验值,根据加密算法将所述参数字符串及所述校验值生成验证摘要;S810. Determine a parameter character string and a verification value according to the request information, and generate a verification digest from the parameter character string and the verification value according to an encryption algorithm;

S820、将所述验证摘要与所述加密摘要进行对比;S820. Compare the verification digest with the encryption digest;

S830、若所述验证摘要与所述加密摘要一致,所述请求信息不是重放攻击;S830. If the verification digest is consistent with the encryption digest, the request information is not a replay attack;

S840、若所述验证摘要与所述加密摘要不一致,所述请求信息为重放攻击。S840. If the verification digest is inconsistent with the encryption digest, the request information is a replay attack.

具体地,服务端接收动态校验因子中的Hash值及请求参数;然后服务端根据排序规则,将客户端请求中参数进行排序得到排序后的参数字符串,随后服务端根据加密函数将参数字符串、时间戳以及随机数Hash值按照加密算法生成服务端的加密摘要,并和动态校验因子中的加密摘要进行对比,若不一致,则说明本次请求已被篡改,判断本次请求为信息篡改攻击,若一致,则说明本次请求有效,防重放校验通过,服务端可进行业务处理。Specifically, the server receives the Hash value and request parameters in the dynamic verification factor; then the server sorts the parameters in the client request according to the sorting rules to obtain the sorted parameter strings, and then the server sorts the parameter strings according to the encryption function String, timestamp, and random number Hash value generate an encrypted digest on the server according to the encryption algorithm, and compare it with the encrypted digest in the dynamic check factor. If they are inconsistent, it means that this request has been tampered with, and it is judged that this request is information tampered Attack, if they match, it means that the request is valid, the anti-replay check passes, and the server can process business.

It should be noted that once the request has passed both the Hash value check and the encryption digest check described above, the server stores the Hash value from the dynamic check factor in the Redis cache. Hash value check: the server looks up the Hash value in the cache; if no identical value is found, the check passes. Encryption digest check: the server generates its own encryption digest according to the client's digest generation rule and compares it with the client's encryption digest; if they match, the check passes.

Implementing the embodiment of the present invention has the following beneficial effects. In this embodiment, the client first generates a check value from the request parameters according to a preset algorithm and generates a parameter string from the request parameters, then generates an encryption digest from the parameter string and the check value using the encryption function, generates a dynamic check factor from the check value and the encryption digest, adds the dynamic check factor to the request information and sends it to the server. After receiving the request information, the server parses the dynamic check factor in the request information and verifies the check value and the encryption digest in it separately to determine whether the request information is a replay attack. The check value and the encryption digest thus form a two-factor interface verification method between client and server that builds a defense mechanism against replay attacks, effectively prevents replay attacks, improves the security of interface communication, and greatly raises the level of intelligence of application security protection.

Referring to FIG. 5, an embodiment of the present invention provides a data processing system based on two-factor protection, applied to the server, which includes:

a fifth module, configured to receive the request information sent by the client and determine the dynamic check factor from the request information, the dynamic check factor including a check value and an encryption digest;

a sixth module, configured to query whether the check value exists in the cache;

a seventh module, configured to determine that the request information is a replay attack if the check value exists in the cache;

an eighth module, configured to verify the encryption digest if the check value does not exist in the cache, and to determine from the verification result whether the request information is a replay attack.

It can be seen that the content of the above method embodiment applied to the server is applicable to this system embodiment; the functions implemented by this system embodiment are the same as those of the above method embodiment applied to the server, and the beneficial effects achieved are also the same.

In a fifth aspect, an embodiment of the present invention provides a data processing device based on two-factor protection, including:

at least one processor;

at least one memory for storing at least one program;

wherein, when the at least one program is executed by the at least one processor, the at least one processor implements the above method applied to the client or the above method applied to the server.

The memory, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs and non-transitory computer-executable programs. The memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include remote memory located remotely from the processor, connected to the processor through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.

It can be seen that the content of the above method embodiment is applicable to this device embodiment; the functions implemented by this device embodiment are the same as those of the above method embodiment, and the beneficial effects achieved are also the same.

In addition, the embodiment of the present application also discloses a computer program product or computer program, which is stored in a computer-readable storage medium. The processor of a computer device can read the computer program from the computer-readable storage medium and execute it, so that the computer device performs the above method. Likewise, the content of the above method embodiment is applicable to this storage medium embodiment; the functions implemented by this storage medium embodiment are the same as those of the above method embodiment, and the beneficial effects achieved are also the same.

An embodiment of the present invention also provides a computer-readable storage medium that stores a processor-executable program, the processor-executable program being used to implement the above method when executed by a processor.

It can be understood that all or some of the steps and systems of the methods disclosed above can be implemented as software, firmware, hardware, or an appropriate combination thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embodies computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Referring to FIG. 1, an embodiment of the present invention provides a data processing system based on two-factor protection, including a client and a server, the client and the server being communicatively connected, wherein:

the client is configured to implement the method described with reference to FIG. 2;

the server is configured to implement the method described with reference to FIG. 4.

The above data processing method based on two-factor protection is described below with a specific embodiment. Referring to FIG. 7, the specific data processing flow is as follows:

Step 1: The client uses a hash algorithm to generate a Hash value, taking the request protocol packet as the input;

Step 2: The client sorts the request parameters of the current request in ASCII code order to generate a parameter string;

Step 3: The client applies the encryption function MD5(parameter string + Hash value) to generate the encryption digest sign;

Step 4: Before initiating the request, the client places the dynamic check factors, namely the Hash value and sign, in the header of the request and sends the request to the server;

Step 5: After receiving the client's request, the server takes the dynamic check factors out of the request header one by one. It first checks the Hash value by querying the received Hash value in the Redis cache: if no result is found, the request is valid so far and the encryption digest check must still be performed; if a result is found, the request is a replay attack and is invalid;

Step 6: The server sorts the received request parameters in ASCII code order; for example, if the request parameters are c=3&b=2&a=1, the sorted parameter string is a=1&b=2&c=3;

Step 7: The server uses the encryption function to generate the encryption digest sign_server: sign_server = MD5('a=1&b=2&c=3' + Hash value), and compares the server's encryption digest sign_server with the client's encryption digest sign. If they match, the request is valid, the anti-replay check passes and the server can proceed with business processing; if they do not match, the request has been tampered with and is invalid;

Step 8: Once the anti-replay check has passed, the server stores the Hash value in the Redis cache.
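The following Python script is an added illustration of the flow above and of the server-side checks S810 to S840; it is not code from the patent or from the applicant. It implements both ends of the exchange: the client builds the Hash value and sign, and the server performs the cache lookup, recomputes sign_server and records the Hash value only after both checks pass. The header names X-Hash and X-Sign, the use of SHA-256 for the "hash algorithm" of step 1, the packet layout (sorted parameters plus a timestamp and a random nonce), and the in-memory set standing in for the Redis cache are all assumptions of this example; the digest MD5(parameter string + Hash value) follows the embodiment exactly.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl


def canonical_param_string(params: dict) -> str:
    """Steps 2 and 6: sort parameters by ASCII order of key and join as k=v&k=v."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def parse_params(query: str) -> dict:
    """Turn a raw query such as 'c=3&b=2&a=1' into a dict (assumed wire format)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def request_hash(packet: bytes) -> str:
    """Step 1: hash the request protocol packet.
    The page only says 'hash algorithm'; SHA-256 is an assumption of this example."""
    return hashlib.sha256(packet).hexdigest()


def make_sign(param_string: str, hash_value: str) -> str:
    """Steps 3 and 7: MD5(parameter string + Hash value), exactly as in the embodiment."""
    return hashlib.md5((param_string + hash_value).encode("utf-8")).hexdigest()


def client_build_request(params: dict, nonce: str = None, ts: int = None) -> dict:
    """Client side, steps 1 to 4. The packet layout (sorted params + timestamp + nonce)
    is an assumption; the nonce is what gives two otherwise identical requests
    different Hash values, so a legitimate resend is not mistaken for a replay."""
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    ts = ts if ts is not None else int(time.time())
    packet = f"{canonical_param_string(params)}&ts={ts}&nonce={nonce}".encode("utf-8")
    hash_value = request_hash(packet)
    sign = make_sign(canonical_param_string(params), hash_value)
    # Assumed header names for the dynamic check factors.
    return {"headers": {"X-Hash": hash_value, "X-Sign": sign}, "params": dict(params)}


class ReplayGuard:
    """Server side, steps 5 to 8. A set stands in for the Redis cache of seen Hash values."""

    def __init__(self):
        self.seen_hashes = set()

    def verify(self, request: dict) -> str:
        headers = request.get("headers", {})
        hash_value = headers.get("X-Hash")
        sign = headers.get("X-Sign")
        if not hash_value or not sign:
            return "rejected: missing dynamic check factor"
        # Step 5: a Hash value already in the cache means this request was seen before.
        if hash_value in self.seen_hashes:
            return "rejected: replay"
        # Steps 6 and 7: recompute sign_server from the sorted parameters and compare
        # in constant time so the comparison itself leaks nothing about the digest.
        expected = make_sign(canonical_param_string(request["params"]), hash_value)
        if not hmac.compare_digest(expected, sign):
            return "rejected: tampered"
        # Step 8: only a request that passed both checks is recorded.
        self.seen_hashes.add(hash_value)
        return "accepted"


def demo() -> list:
    """Constructed scenario: a fresh request, its replay, a modified copy of a
    second request, and the untouched second request. Fixed nonces/timestamps
    keep the run deterministic."""
    guard = ReplayGuard()
    req1 = client_build_request(parse_params("c=3&b=2&a=1"), nonce="deadbeef", ts=1700000000)
    results = [guard.verify(req1), guard.verify(req1)]          # accepted, then replay
    req2 = client_build_request(parse_params("c=3&b=2&a=1"), nonce="cafef00d", ts=1700000001)
    tampered = {"headers": dict(req2["headers"]), "params": {**req2["params"], "a": "9"}}
    results.append(guard.verify(tampered))                      # digest mismatch
    results.append(guard.verify(req2))                          # original still accepted
    return results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from running this. First, the order of the checks matters: the Hash value is stored only in step 8, so a request whose digest check fails leaves nothing in the cache, and the genuine request carrying that Hash value can still be accepted afterwards. Second, MD5(parameter string + Hash value) contains no secret, so the digest check as written detects a request whose parameters were altered without its header being rewritten; it does not by itself stop a party who can rewrite both, which is why a deployment would normally replace make_sign with an HMAC over the same input using a key shared between client and server. The cache also needs an expiry: the timestamp mentioned in the variant that digests parameter string, timestamp and random-number Hash value is what bounds how long a Hash value must be kept in Redis.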

The embodiment of the present invention has the following beneficial effects: 1. The interface security defense mechanism based on two-factor protection can effectively defend against many kinds of Web application-layer attacks, such as replay attacks, information tampering attacks and man-in-the-middle attacks, and effectively guarantees the stable operation of the system; 2. It reduces the storage overhead of the server-side database, since only the server's memory needs to be accessed rather than its database, which effectively improves verification efficiency. The verification methods used, namely hash algorithms and encryption digests, suit most communication scenarios in the field of network security technology and greatly improve the system's anti-replay defense capability.

The above is a specific description of preferred implementations of the present invention, but the invention is not limited to the described embodiments; those skilled in the art can make various equivalent modifications or replacements without departing from the spirit of the present invention, and all such equivalent modifications or replacements fall within the scope defined by the claims of the present application.

Claims (10)

1. A data processing method based on two-factor protection, characterized in that it is applied to a client and includes:
generating a check value from a request protocol packet taken as the request parameters according to a preset algorithm;
sorting the request parameters according to a preset rule to generate a parameter string;
generating an encryption digest from the parameter string and the check value according to an encryption function, and generating a dynamic check factor from the check value and the encryption digest, the encryption function being an irreversible encryption function;
generating request information from the dynamic check factor and sending the request information to a server, so that the server verifies the request information according to the check value and the encryption digest and determines whether the request information is a replay attack; wherein, when the request succeeds, the check value is saved in a cache.

2. The method according to claim 1, characterized in that generating the check value from the request protocol packet taken as the request parameters according to the preset algorithm specifically includes:
generating a Hash value from the request protocol packet taken as the request parameters according to a hash algorithm.

3. The method according to claim 1, characterized in that sorting the request parameters according to the preset rule specifically includes:
sorting the request parameters in alphabetical order or ASCII code order.

4. A data processing method based on two-factor protection, characterized in that it is applied to a server and includes:
receiving request information sent by a client, and determining a dynamic check factor from the request information, the dynamic check factor including a check value and an encryption digest;
querying whether the check value exists in a cache;
if the check value exists in the cache, determining that the request information is a replay attack;
if the check value does not exist in the cache, verifying the encryption digest, and determining from the verification result whether the request information is a replay attack.

5. The method according to claim 4, characterized in that verifying the encryption digest and determining from the verification result whether the request information is a replay attack specifically includes:
determining a parameter string and a check value from the request information, and generating a verification digest from the parameter string and the check value according to an encryption algorithm;
comparing the verification digest with the encryption digest;
if the verification digest matches the encryption digest, determining that the request information is not a replay attack;
if the verification digest does not match the encryption digest, determining that the request information is a replay attack.

6. A data processing system based on two-factor protection, characterized in that it is applied to a client and includes:
a first module, configured to generate a check value from a request protocol packet taken as the request parameters according to a preset algorithm;
a second module, configured to sort the request parameters according to a preset rule to generate a parameter string;
a third module, configured to generate an encryption digest from the parameter string and the check value according to an encryption function, and to generate a dynamic check factor from the check value and the encryption digest, the encryption function being an irreversible encryption function;
a fourth module, configured to generate request information from the dynamic check factor and send the request information to a server, so that the server verifies the request information according to the check value and the encryption digest and determines whether the request information is a replay attack; wherein, when the request succeeds, the check value is saved in a cache.

7. A data processing system based on two-factor protection, characterized in that it is applied to a server and includes:
a fifth module, configured to receive request information sent by a client and determine a dynamic check factor from the request information, the dynamic check factor including a check value and an encryption digest;
a sixth module, configured to query whether the check value exists in a cache;
a seventh module, configured to determine that the request information is a replay attack if the check value exists in the cache;
an eighth module, configured to verify the encryption digest if the check value does not exist in the cache, and to determine from the verification result whether the request information is a replay attack.

8. A data processing device based on two-factor protection, characterized in that it includes:
at least one processor;
at least one memory for storing at least one program;
wherein, when the at least one program is executed by the at least one processor, the at least one processor implements the method according to any one of claims 1-3 or 4-5.

9. A computer-readable storage medium storing a processor-executable program, characterized in that the processor-executable program, when executed by a processor, is used to perform the method according to any one of claims 1-3 or 4-5.

10. A data processing system based on two-factor protection, characterized in that it includes a client and a server, the client and the server being communicatively connected, wherein:
the client is configured to implement the method according to any one of claims 1-3;
the server is configured to implement the method according to any one of claims 4-5.
CN202211708701.1A 2022-12-29 2022-12-29 Data processing method, system, device and storage medium based on double-factor protection Pending CN116094786A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211708701.1A CN116094786A (en) 2022-12-29 2022-12-29 Data processing method, system, device and storage medium based on double-factor protection

Publications (1)

Publication Number Publication Date
CN116094786A true CN116094786A (en) 2023-05-09

Family

ID=86213116

Country Status (1)

Country Link
CN (1) CN116094786A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106571923A (en) * 2016-10-21 2017-04-19 天津海量信息技术股份有限公司 User data signature verification method with time effectiveness
CN108400979A (en) * 2018-02-06 2018-08-14 武汉斗鱼网络科技有限公司 Communication means and electronic equipment applied to client and server
CN110958249A (en) * 2019-12-03 2020-04-03 望海康信(北京)科技股份公司 Information processing method, information processing device, electronic equipment and storage medium
CN111066046A (en) * 2019-04-26 2020-04-24 阿里巴巴集团控股有限公司 Replay attack resistant authentication protocol
CN111291393A (en) * 2020-01-21 2020-06-16 上海悦易网络信息技术有限公司 Request checking method and device
CN111447195A (en) * 2020-03-23 2020-07-24 杭州趣维科技有限公司 Web interface design method for preventing request message from being tampered, attacked and replayed
CN111917557A (en) * 2020-07-28 2020-11-10 中国平安财产保险股份有限公司 Security verification method, security verification system and storage medium for network service request
CN114860712A (en) * 2022-05-27 2022-08-05 平安普惠企业管理有限公司 Data request duplication prevention method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李彦广;: "基于HTTP平台的网络安全性研究", 商洛学院学报, no. 04, 20 August 2013 (2013-08-20) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668193A (en) * 2023-07-27 2023-08-29 高新兴智联科技股份有限公司 Communication method of terminal equipment and server of Internet of things and computer readable storage medium
CN116668193B (en) * 2023-07-27 2023-10-03 高新兴智联科技股份有限公司 Communication method of terminal equipment and server of Internet of things and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination