CN102647461B - HTTP-based communication method, server and terminal - Google Patents

Info

Publication number: CN102647461B
Application number: CN201210089712.6A
Authority: CN (China)
Prior art keywords: timestamp, ciphertext, time stamp, terminal, algorithm
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102647461A (en)
Inventors: 李超, 杭程, 吴浩, 任寰
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Events

  • Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
  • Priority to CN201210089712.6A (CN102647461B)
  • Priority to CN201610169962.9A (CN105681470B)
  • Publication of CN102647461A
  • Application granted
  • Publication of CN102647461B
  • Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an HTTP-based network communication method and system, server and terminal for resisting replay attacks in HTTP network communication. In response to a terminal request, a first timestamp is sent to the terminal; the network request information sent by the terminal is received, and this network request information comprises the first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor that comprises the first timestamp; the preset encryption algorithm is used to verify whether the timestamp ciphertext is valid, and if it is invalid the network request information is an invalid request. By verifying the legitimacy and validity of the timestamp ciphertext, which carries the timestamp information, the possibility of the timestamp information in a network request being tampered with is removed, and network replay attacks are avoided.

Description

HTTP-based communication method, server and terminal
Technical field
The application relates to the field of network security technology, and in particular to an HTTP-based communication method, server and terminal.
Background art
As the Internet affects people's daily work and life ever more deeply, the security of Internet-based data communication is becoming particularly important.
Among the many factors that affect network communication security, the replay attack is one of the most common attack patterns. A replay attack (also called a playback attack or a freshness attack) is one in which an attacker uses network monitoring or other means to steal authentication credentials and later re-sends the disguised packet to the server, thereby deceiving the system. It is mainly used against the authentication process, to undermine the correctness of authentication. The attack maliciously or fraudulently repeats the transmission of valid data; it may be carried out by the originator, or by an adversary who intercepts and retransmits the data. From this explanation it can be seen that although data encryption can effectively prevent network request information from being hijacked or tampered with, a replay attack intercepts valid information and resends it, so even encrypted data cannot prevent a replay attack.
In the current network communication technology framework, the Transmission Control Protocol/Internet Protocol (TCP/IP) is the basis of all Internet communication. TCP/IP adopts a four-layer hierarchical structure: the network interface layer, the Internet layer, the transport layer and the application layer; each layer calls on the network services provided by the layer below it to fulfil its own needs. At the application layer, data communication based on the Hypertext Transfer Protocol (HTTP) is the main communication mode of many current network applications, such as most websites and forums. However, because HTTP is a connectionless, stateless protocol, the server usually disconnects after handling a terminal request and receiving the reply, and the protocol has no memory of transaction processing; consequently the HTTP network requests that a terminal sends to the server are not associated with one another.
The statelessness and connectionlessness of HTTP were determined at the very beginning of the protocol's design. Because the purpose of HTTP is to support the transfer of hypertext data, in the process in which a terminal browser sends a request to an HTTP server and the server sends the corresponding resource back to the terminal, neither the terminal nor the server needs to record the process, because each request and response is relatively independent. Generally speaking, a Uniform Resource Locator (URL) corresponds to a unique hypertext, and for any terminal request the HTTP server returns the same hypertext according to the URL it receives. It is precisely this uniqueness that makes recording user behaviour state meaningless, so HTTP was designed as a stateless connection protocol.
For these reasons, once the request information between terminal and server is intercepted during data transfer, the server, which records no state information about the request, cannot know whether the request has been intercepted and replayed, and thus cannot avoid a replay attack.
In short, an urgent technical problem for those skilled in the art is how to prevent replay attacks against HTTP communication in existing network communication technology.
Summary of the invention
The technical problem to be solved by this application is to provide an HTTP-based network communication method, server and terminal, so as to effectively prevent replay attacks caused by HTTP network requests being intercepted and to improve the security of HTTP network communication.
To solve the above problem, the application discloses an HTTP-based network communication method, comprising: sending a first timestamp to a terminal in response to the terminal's request;
receiving the network request information sent by the terminal; the network request information comprises the first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor comprising the first timestamp;
verifying, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
Preferably, the method further comprises:
verifying whether the interval between the first timestamp in the network request information and the current time is within the validity period; if it exceeds the validity period, the network request information is invalid.
Preferably, the preset encryption algorithm is a signature algorithm,
the terminal encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
the terminal encrypting the algorithm factor comprising the first timestamp according to the signature algorithm to generate a first digital signature, which forms the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
encrypting the algorithm factor comprising the first timestamp by the signature algorithm to generate a second digital signature;
verifying whether the second digital signature is consistent with the first digital signature corresponding to the timestamp ciphertext; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the preset encryption algorithm is a symmetric encryption algorithm,
the terminal encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
the terminal using the corresponding key to encrypt the algorithm factor comprising the first timestamp according to the symmetric encryption algorithm, generating the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
decrypting the timestamp ciphertext with the key corresponding to the symmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,
the terminal encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
the terminal using the corresponding public key to encrypt the algorithm factor comprising the first timestamp according to the asymmetric encryption algorithm, generating the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
the server decrypting the timestamp ciphertext with the private key corresponding to the asymmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the network request information sent by the terminal also comprises a credential identifier generated by the terminal; and
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably, before receiving the network request information sent by the terminal, the method also comprises:
receiving credential request information from the terminal;
generating a credential identifier corresponding to the credential request information;
sending the credential identifier to the terminal.
Preferably,
the received network request information also comprises the credential identifier;
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably, the credential identifier is dynamically valid, and the method also comprises:
if the network request information sent by the terminal comprises a credential identifier, the server verifies whether that credential identifier is valid; if it is invalid, the network request is an invalid request.
To solve the above problem, the application also discloses an HTTP-based network communication method, comprising:
obtaining a first timestamp from a server;
sending network request information to the server; the network request information comprises the first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor comprising the first timestamp.
Preferably, the preset encryption algorithm is a signature algorithm,
and encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
encrypting the algorithm factor comprising the first timestamp according to the signature algorithm to generate a first digital signature, which forms the timestamp ciphertext.
Preferably, the preset encryption algorithm is a symmetric encryption algorithm,
and encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
using the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor comprising the first timestamp, generating the timestamp ciphertext.
Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,
and encrypting the algorithm factor comprising the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:
using the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor comprising the first timestamp, generating the timestamp ciphertext.
Preferably, the network request information also comprises a credential identifier; and
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably, before sending the network request information to the server, the method also comprises:
sending credential request information to the server;
receiving the credential identifier sent by the server.
To solve the above problem, the application also discloses an HTTP-based server, comprising:
a receiving module, a sending module, a timestamp generation module and a ciphertext verification module;
wherein the receiving module comprises:
a first receiving unit for receiving timestamp request information;
a second receiving unit for receiving network request information; the network request information comprises a first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor comprising the first timestamp;
wherein the timestamp generation module is for generating the first timestamp in response to the timestamp request information;
wherein the sending module comprises:
a first sending unit for sending the first timestamp generated by the timestamp generation module;
wherein the ciphertext verification module is for verifying, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
Preferably,
the server also comprises:
a timestamp verification module for verifying whether the interval between the first timestamp in the network request information received by the second receiving unit and the current time is within the validity period; if it exceeds the validity period, the network request information is invalid.
Preferably, the preset encryption algorithm is a signature algorithm,
and the ciphertext verification module also comprises:
a signature generation unit for encrypting the algorithm factor comprising the first timestamp by the signature algorithm to generate a second signature;
a first verification unit for verifying whether the second digital signature generated by the signature generation unit is consistent with the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the preset encryption algorithm is a symmetric encryption algorithm,
and the ciphertext verification module also comprises:
a second verification unit for decrypting, with the key corresponding to the symmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,
and the ciphertext verification module also comprises:
a third verification unit for decrypting, with the private key corresponding to the asymmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
Preferably, the receiving module also comprises:
a third receiving unit for receiving a credential request from the terminal;
the server also comprises:
a credential identifier generation unit for generating a credential identifier according to the credential request received by the third receiving unit;
the sending module also comprises:
a second sending unit for sending the credential identifier generated by the credential identifier generation unit.
Preferably, the network request information received by the second receiving unit also comprises a credential identifier;
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably, the credential identifier is dynamically valid;
the server also comprises:
a credential verification module for verifying whether the network request information received by the second receiving unit comprises a credential identifier; if it does and that credential identifier is invalid, the network request information is invalid.
To solve the above problem, the application also discloses an HTTP-based terminal, comprising:
a sending module, a receiving module and a ciphertext module;
wherein the sending module comprises:
a first sending unit for sending a first-timestamp acquisition request;
a second sending unit for sending network request information; the network request information comprises the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;
wherein the receiving module comprises:
a first receiving unit for receiving the first timestamp;
wherein the ciphertext module is for encrypting, according to a preset encryption algorithm, an algorithm factor comprising the received first timestamp to generate the timestamp ciphertext.
Preferably, the preset encryption algorithm is a signature algorithm;
the ciphertext module also comprises:
a first encryption unit for encrypting the algorithm factor comprising the first timestamp to generate a first digital signature, which forms the timestamp ciphertext.
Preferably, the preset encryption algorithm is a symmetric encryption algorithm;
the ciphertext module also comprises:
a second encryption unit for using the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor comprising the first timestamp, generating the timestamp ciphertext.
Preferably, the preset encryption algorithm is an asymmetric encryption algorithm;
the ciphertext module also comprises:
a third encryption unit for using the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor comprising the first timestamp, generating the timestamp ciphertext.
Preferably, the terminal also comprises:
a credential identifier generation module for generating a credential identifier;
the algorithm factor comprising the first timestamp also comprises the credential identifier generated by the credential identifier generation module;
the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably,
the sending module also comprises:
a third sending unit for sending credential request information;
the receiving module also comprises:
a second receiving unit for receiving the credential identifier;
the network request information sent by the second sending unit also comprises the credential identifier received by the third receiving unit;
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Compared with the prior art, the application has the following advantages:
Considering that existing HTTP-based network communication is connectionless and stateless, so that the server cannot recognise request information that has been intercepted and replayed, we propose adding a timestamp to the request information the terminal sends to the server. The server verifies whether the time interval between the timestamp in the network request information and the current time is within its validity period; if the interval exceeds the validity period, the current network request is considered to have been intercepted and replayed and is an invalid request. This effectively prevents replay attacks on HTTP communication.
Further, in the scheme provided in this application, the terminal obtains the timestamp from the server, generates a digital signature over the character string containing the timestamp by the agreed signature algorithm rule, and places the digital signature in the network request information sent to the server. The server generates a digital signature according to the same signature algorithm rule and verifies whether the signature it generated is consistent with the signature carried in the network request information; if they are inconsistent, the character string containing the timestamp in the current network request information is considered to have been tampered with and the network request is considered invalid. This removes the possibility of deceiving the server by tampering with the timestamp in the network request information to disguise it as valid information, and so further prevents replay attacks.
Brief description of the drawings
Fig. 1 is a flow chart of an HTTP-based network communication method according to embodiment one of the application;
Fig. 2 is a flow chart of an HTTP-based network communication method according to embodiment two of the application;
Fig. 3 is a flow chart of an HTTP-based network communication method according to embodiment three of the application;
Fig. 4 is a schematic structural diagram of an HTTP server according to an embodiment of the application;
Fig. 5 is a schematic structural diagram of an HTTP terminal according to an embodiment of the application;
Fig. 6 is a schematic structural diagram of an HTTP network communication system according to an embodiment of the application.
Detailed description of the embodiments
To make the above objects, features and advantages of the application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, which shows a flow chart of embodiment one of the HTTP-based communication method provided by the application, the method of this embodiment comprises the following steps:
Step 101: the terminal sends a timestamp request to the server.
Step 102: the server generates a first timestamp.
The server may generate the first timestamp from the current time according to an international standard format.
Step 103: the server sends the first timestamp to the terminal.
Step 104: the server receives the network request information sent by the terminal; the network request information comprises the first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor comprising the first timestamp.
Step 105: the server verifies, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
Step 106: the server verifies whether the interval between the first timestamp in the network request information and the current time is within the validity period; if it exceeds the validity period, the network request information is invalid. This step is optional.
The terminal encrypts the algorithm factor comprising the first timestamp to generate the timestamp ciphertext, and the server verifies that ciphertext by the encryption algorithm agreed with the terminal; if it is invalid, the timestamp ciphertext may have been intercepted or tampered with in transit, so the first timestamp and the corresponding network request can be judged invalid.
For ease of description, the timestamp generated by the server in response to the terminal's request and included directly in the network request information is called the first timestamp here, and the timestamp in the algorithm factor from which the timestamp ciphertext is generated is called the second timestamp.
Because the timestamp is generated uniformly by the server, its strict accuracy can be guaranteed. The server can set the validity period of the timestamp for a terminal according to the network application environment the terminal is in. The timestamp validity period is usually a time span, for example 0.5 seconds, meaning that the process from the terminal obtaining the timestamp from the server to the network request containing that timestamp arriving at the server should take no more than 0.5 seconds; if it takes longer, the network request is considered to have been delayed in transit, possibly intercepted or replayed, and is an invalid request.
Those of ordinary skill in the art will readily recognise that the timestamp validity period for a type of terminal can be set according to the region the terminal is in and the complexity of the application.
Step 107: the server returns the response information for the network request to the terminal.
If the network request information is verified valid, the response the server returns to the terminal should contain the valid information corresponding to the network request, such as web page resources; otherwise the response contains a notification that the network request failed.
Referring to Fig. 2, which shows a flow chart of embodiment two of the HTTP-based communication method provided by the application, the method of this embodiment comprises the following steps:
Step 201: the terminal generates a credential identifier.
The terminal can choose the form of the credential identifier according to the application, for example composing it from the terminal's IP address and port number, network card identifier and current time, as long as the credential identifiers used by the network requests of different terminals, or by multiple rounds of requests from the same terminal, are unique.
Step 202: the terminal sends a timestamp request to the server; the timestamp request information comprises the terminal's credential identifier.
Because existing HTTP-based network communication is connectionless and stateless, there is no connection between the multiple requests a terminal sends to the server. By adding a unified credential identifier to the multiple network requests the terminal sends to the server, network requests whose contents are related can be linked through this credential identifier, which makes it easier for terminal and server to manage multiple related network requests.
Step 203: the server generates a first timestamp and stores configuration information recording the credential identifier corresponding to the current network request, the first timestamp and the validity period of that first timestamp.
Each time the server receives a timestamp request from the terminal, it stores the new timestamp and validity period for the current credential identifier, and may at the same time clear the earlier timestamp validity record for that credential identifier.
Step 204: the server sends the first timestamp to the terminal.
Step 205: the server receives the network request information sent by the terminal; the network request information comprises the first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by the terminal by encrypting, according to the preset encryption algorithm, an algorithm factor comprising the first timestamp and the credential identifier.
Step 206: the server verifies whether the timestamp ciphertext is valid; if it is invalid, the network request information is invalid.
Step 207: the server verifies whether the first timestamp in the network request is valid; if it is invalid, the network request information is invalid.
Using the credential identifier and the first timestamp in the current network request, the server obtains the validity period corresponding to that first timestamp from the stored configuration information, then judges whether the interval between the timestamp in the current network request and the server's current time is within that validity period; if it exceeds the validity period, the timestamp of the current network request is considered expired and the network request is an illegitimate request.
Preferably, the credential identifier is dynamically valid. The server can judge whether a credential identifier is valid according to certain conditions, for example whether the corresponding terminal is offline, disconnected or unresponsive for a long time, or whether the validity period has been exceeded. If an invalidating condition is met, the server can set the credential identifier to the invalid state, interrupt the subsequent processing of the current network request and return a request-failed response to the terminal. Thus, even if the credential identifier is stolen or exploited by someone else, it cannot be used for legitimate communication, which effectively improves the security of the communication process.
Step 208: the server returns response information to the terminal.
In embodiment one the server can only use a fixed validity period to judge whether the timestamp of a network request from a certain type of terminal is valid, whereas in embodiment two the server stores, in configuration information, the timestamp corresponding to the terminal's credential identifier together with that timestamp's validity period. Because the credential identifier is unique to each terminal, or to each user of a terminal, the configuration and judgement of the timestamp validity period can be specific to each terminal and each user of that terminal, which improves the granularity with which the server verifies timestamp validity.
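As an added example, not code from the patent or its assignee: a Python sketch of the exchange in embodiments one and two (steps 101-107 and 201-208), using the signature embodiment of the timestamp ciphertext. It assumes HMAC-SHA256 as the agreed signature algorithm, a `|`-joined preset rule for the algorithm factor and constructed key and clock values; the single-use check on accepted timestamps is an addition the page does not describe.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Tuple

# Key for the agreed signature algorithm. Constructed demo value; the patent leaves
# the algorithm and its key material to whatever terminal and server agreed.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def algorithm_factor(timestamp: str, credential_id: str) -> bytes:
    """Algorithm factor: first timestamp and credential identifier composed by a
    preset rule. The '|' rule is an assumption; the page leaves the rule open."""
    return f"{timestamp}|{credential_id}".encode()


def timestamp_ciphertext(timestamp: str, credential_id: str, key: bytes = SHARED_KEY) -> str:
    """Signature embodiment: HMAC-SHA256 over the factor stands in for the agreed
    signature algorithm (assumption). Terminal and server both compute it."""
    return hmac.new(key, algorithm_factor(timestamp, credential_id), hashlib.sha256).hexdigest()


class Server:
    """Server side of steps 102-107 (embodiment one) and 203-208 (embodiment two)."""

    def __init__(self, validity_seconds: float = 0.5, clock: Callable[[], float] = time.time):
        self.validity = validity_seconds                 # timestamp validity period, e.g. 0.5 s
        self.clock = clock
        self.config: Dict[str, Tuple[str, float]] = {}  # credential id -> (first timestamp, validity)
        self.invalid_credentials: set = set()            # credential ids the server has set invalid
        self.used: set = set()                           # (credential id, timestamp) already accepted; addition

    def issue_timestamp(self, credential_id: str) -> str:
        """Step 203: generate the first timestamp and store it with its validity
        period under the credential identifier, replacing any earlier record."""
        first_timestamp = f"{self.clock():.6f}"
        self.config[credential_id] = (first_timestamp, self.validity)
        return first_timestamp

    def handle(self, request: dict) -> Tuple[bool, str]:
        """Steps 206-207 plus the credential validity check; returns (accepted, reason)."""
        cid, ts = request["credential_id"], request["timestamp"]
        if cid in self.invalid_credentials:              # dynamically valid credential identifier
            return False, "credential identifier invalid"
        # Step 206: regenerate the signature over the factor and compare with the one received.
        expected = timestamp_ciphertext(ts, cid)
        if not hmac.compare_digest(expected, request["ciphertext"]):
            return False, "timestamp ciphertext invalid"
        # Step 207: look up the stored record for this credential and check the window.
        record = self.config.get(cid)
        if record is None or record[0] != ts:
            return False, "no timestamp issued for this credential"
        issued, validity = record
        if self.clock() - float(issued) > validity:
            return False, "timestamp expired"
        # Addition beyond the page: an identical resend inside the window is refused too.
        if (cid, ts) in self.used:
            return False, "timestamp already used"
        self.used.add((cid, ts))
        return True, "ok"


def build_request(server: Server, credential_id: str, body: str) -> dict:
    """Terminal side: obtain the first timestamp (steps 201-204), then build the request
    carrying timestamp, credential identifier and timestamp ciphertext (step 205)."""
    ts = server.issue_timestamp(credential_id)
    return {"credential_id": credential_id, "timestamp": ts,
            "ciphertext": timestamp_ciphertext(ts, credential_id), "body": body}


class FakeClock:
    """Deterministic clock so the scenarios below are reproducible."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenarios() -> Dict[str, str]:
    """Run the cases the patent discusses and return the server's verdict for each."""
    clock = FakeClock()
    server = Server(validity_seconds=0.5, clock=clock)
    results: Dict[str, str] = {}
    req = build_request(server, "term-A", "GET /index")       # honest request, inside the window
    results["fresh"] = server.handle(req)[1]
    results["replay_in_window"] = server.handle(req)[1]       # identical resend, straight away
    clock.advance(0.1)
    req2 = build_request(server, "term-A", "GET /index")
    clock.advance(1.0)                                        # now past the 0.5 s window
    forged = dict(req2, timestamp=f"{clock():.6f}")           # timestamp edited to look fresh
    results["tampered_timestamp"] = server.handle(forged)[1]
    results["late"] = server.handle(req2)[1]                  # untampered but delayed
    req3 = build_request(server, "term-B", "GET /index")
    server.invalid_credentials.add("term-B")                  # terminal offline, disconnected etc.
    results["invalid_credential"] = server.handle(req3)[1]
    return results
```

`scenarios()` exercises the honest, replayed, timestamp-tampered, delayed and invalid-credential cases and returns the server's verdict for each; note that the page's own mechanism relies on the validity window alone, so an identical resend inside 0.5 s is only refused here because of the added single-use set.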
With reference to Fig. 3, which shows a schematic flow chart of embodiment three of the communication method based on the HTTP protocol provided by the application, the communication method based on the HTTP protocol of this embodiment comprises the following steps:
Step 301: the terminal sends a credential request to the server.
Step 302: the server responds to the credential request, generates a credential identifier according to a rule, and sends the credential identifier to the terminal.
Although a credential identifier could be produced by the terminal itself, when the number of terminals or of concurrent requests is too large, the credential identifiers generated that way cannot be guaranteed to be absolutely unique. Having the server generate the credential identifiers uniformly according to a preset rule, in response to each terminal's credential request, effectively avoids this problem. For example, the IP address, port number and time contained in the terminal's request information can be used to generate a sequence number that is currently unique to that terminal, to serve as the credential identifier.
Step 303: the terminal sends a timestamp request to the server.
Step 304: the server generates a first timestamp.
Step 305: the server sends the first timestamp to the terminal.
Step 306: the terminal encrypts an algorithm factor containing the first timestamp with the preset encryption algorithm, generating a timestamp ciphertext.
Step 307: the server receives the network request information sent by the terminal; the network request information contains the first timestamp, the credential identifier and the corresponding timestamp ciphertext.
The timestamp ciphertext is generated by encrypting, with the preset encryption algorithm, an algorithm factor that contains the first timestamp and the credential identifier.
Preferably, the server verifies whether the credential identifier in the current network request information is valid; if it is invalid, the request is treated as invalid, otherwise step 308 is executed.
If the current terminal is offline, disconnected or has been inactive for a long time, the credential identifier corresponding to that terminal can be set to invalid by the server.
Step 308: the server verifies, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, step 310 is executed.
The preset encryption algorithm is an encryption algorithm rule agreed in advance between the terminal and the server.
Optionally, the encryption algorithm is a signature encryption algorithm. The terminal encrypts the algorithm factor containing the first timestamp according to the signature encryption algorithm, generating a first digital signature that forms the timestamp ciphertext. The server encrypts the algorithm factor containing the first timestamp with the same signature encryption algorithm, generating a second digital signature, and verifies whether the second digital signature is consistent with the first digital signature corresponding to the timestamp ciphertext; if they are inconsistent, the timestamp ciphertext is invalid.
The rule of the signature encryption algorithm can comprise the following steps: first, the algorithm factor is composed according to a preset rule; then a digital signature is computed over the algorithm factor with a signature algorithm. For example, in this example the composition rule of the algorithm factor can be "timestamp + credential identifier + other", and even the whole request message can serve as the algorithm factor; the signature algorithm used can be Message Digest Algorithm 5 (MD5) or another signature algorithm.
MD5 is a hash function widely used in the computer security field to provide integrity protection for information. The algorithm generates a unique MD5 message digest, referred to here as a digital signature, for any file or piece of information; if anyone makes any change to the file or information, its MD5 value changes. Strictly speaking, a bare digest is a hash rather than a signature: it involves no secret key, so its protective value in this scheme depends on the composition rule of the algorithm factor remaining undisclosed (see below), and MD5's collision resistance is known to be broken.
Optionally, the preset encryption algorithm is a symmetric encryption algorithm. The terminal uses the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp, generating the timestamp ciphertext. The server uses the key corresponding to the symmetric encryption algorithm to decrypt the timestamp ciphertext and obtain the timestamp information in it as a second timestamp, then judges whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
Unlike a signature algorithm, which condenses the algorithm factor into a message digest to obtain the signature, a symmetric encryption algorithm encrypts the whole algorithm factor string to obtain the timestamp ciphertext; the server decrypts the timestamp ciphertext with the same key, or with the corresponding decryption routine, to recover the original algorithm factor. A commonly used algorithm is the Advanced Encryption Standard (AES).
Optionally, the preset encryption algorithm is an asymmetric encryption algorithm. The terminal uses the corresponding public key to encrypt the algorithm factor containing the first timestamp according to the asymmetric encryption algorithm, generating the timestamp ciphertext. The server uses the private key corresponding to the asymmetric encryption algorithm to decrypt the timestamp ciphertext and obtain the timestamp information in it as a second timestamp, then judges whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid. A commonly used asymmetric encryption algorithm is the RSA encryption algorithm.
If verification shows that the timestamp ciphertext is invalid, the string corresponding to the algorithm factor in the network request information has been tampered with; the current network request is no longer trusted and is an illegal request.
Preferably, the application uses a string composed, according to a preset rule, of the timestamp and the credential identifier as the algorithm factor of the encryption algorithm. Because the credential identifier is allocated to the terminal by the server and is unique, the algorithm factor composed from it is also unique and unrepeated. Although the timestamp in an HTTP request message is mostly carried in plain text, the credential identifier is generated by the server according to a preset rule, so unless the generation rule of the credential identifier leaks, the likelihood of the credential identifier being tampered with is very low. Moreover, the composition rule of the algorithm factor is agreed between terminal and server and not disclosed externally: even if it is known that the algorithm factor uses the timestamp and the credential identifier, it is difficult to know how many times each appears and in what arrangement. Therefore, if the timestamp ciphertext in the terminal's network request information is invalid, the timestamp in that string can be regarded as tampered with and the request as an illegal request.
Those skilled in the art should understand that when implementing the application, the preset rule by which the timestamp and the credential identifier are composed into the algorithm factor, and the order and number of times in which the timestamp and the credential identifier appear in the algorithm factor, can be determined according to the specific situation; for example, the rule can be "timestamp + credential identifier", or "credential identifier + timestamp + timestamp + credential identifier", and so on.
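As an added example (not code from the patent or its assignee), the signature-algorithm variant of steps 306 to 308 written out in Python: the terminal composes the algorithm factor from the first timestamp and the credential identifier under a preset rule and takes its MD5 digest as the timestamp ciphertext; the server recomputes the digest from the plaintext fields of the request and compares the two. The rule-template syntax, the hex encoding of the digest, and the sample timestamp and credential values are assumptions of this example, not part of the patent.

```python
"""Signature-algorithm variant of the timestamp ciphertext (added example).

Assumptions not in the patent: the composition rule is written as a template
of the tokens "timestamp" and "credential" joined with "+"; the digest is
hex-encoded MD5; the timestamp and credential values below are constructed.
"""
import hashlib
import hmac

# Preset rule agreed between terminal and server and not disclosed outside;
# this arrangement is one of those the patent lists.
DEFAULT_RULE = "credential+timestamp+timestamp+credential"


def compose_factor(first_timestamp: str, credential_id: str, rule: str = DEFAULT_RULE) -> str:
    """Build the algorithm factor string by expanding the rule template."""
    parts = []
    for token in rule.split("+"):
        if token == "timestamp":
            parts.append(first_timestamp)
        elif token == "credential":
            parts.append(credential_id)
        else:
            raise ValueError(f"unknown token in rule: {token!r}")
    return "".join(parts)


def timestamp_ciphertext(first_timestamp: str, credential_id: str, rule: str = DEFAULT_RULE) -> str:
    """Terminal side: the 'first digital signature' that forms the timestamp ciphertext."""
    factor = compose_factor(first_timestamp, credential_id, rule)
    return hashlib.md5(factor.encode("utf-8")).hexdigest()


def build_request(first_timestamp: str, credential_id: str, rule: str = DEFAULT_RULE) -> dict:
    """The three fields of the network request information of step 307."""
    return {
        "timestamp": first_timestamp,
        "credential": credential_id,
        "ciphertext": timestamp_ciphertext(first_timestamp, credential_id, rule),
    }


def ciphertext_is_valid(request: dict, rule: str = DEFAULT_RULE) -> bool:
    """Server side (step 308): recompute the 'second digital signature' from the
    plaintext fields carried in the request and compare it with the carried one."""
    expected = timestamp_ciphertext(request["timestamp"], request["credential"], rule)
    # Constant-time comparison: never leak how many leading hex digits matched.
    return hmac.compare_digest(expected, request["ciphertext"])


if __name__ == "__main__":
    ts = "1332921600"                       # constructed first timestamp
    cred = "10.0.0.7:51234:1332921590"      # constructed credential identifier
    req = build_request(ts, cred)
    assert ciphertext_is_valid(req)
    # Re-dating a captured request without recomputing the digest fails.
    assert not ciphertext_is_valid(dict(req, timestamp="1332925200"))
    # A server configured with a different rule rejects the same request.
    assert not ciphertext_is_valid(req, rule="timestamp+credential")
    print("ok")
```

Two points the passage does not spell out. The digest is unkeyed, so nothing here stops a party who knows the composition rule from re-dating a request and recomputing a matching ciphertext; the tamper resistance rests entirely on the rule staying undisclosed, and the space of arrangements of two tokens is small. MD5 is shown because the patent names it; in practice a keyed MAC over a stronger hash with a per-credential secret would remove the dependence on rule secrecy.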
Step 309: the server verifies whether the interval between the first timestamp in the network request and the current time lies within its validity period; if the validity period is exceeded, the current network request is an invalid request.
Step 310: the server returns a response message to the terminal.
In the above embodiment, the network request information sent by the terminal to the server contains a credential identifier allocated uniformly by the server. For network request information containing such a credential identifier, the server can first verify whether the credential identifier is valid; if the credential identifier is in an invalid state, the server can interrupt subsequent operations and directly return an invalid-request response to the terminal, which saves part of the server's processing and therefore, to a certain degree, saves server resources and reduces server load. Secondly, adding a digital signature to the network request information effectively prevents the network request information from being tampered with and avoids replay attacks. In particular, the application uses the credential identifier allocated uniformly by the server together with the timestamp as the factor of the signature algorithm, which guarantees the uniqueness of the signature algorithm factor, avoids the possibility of different terminals producing the same signature and of the timestamp being tampered with, and effectively prevents network replay attacks. Note that these checks bound the replay window rather than eliminate it: an unmodified request captured on the wire is still accepted until its first timestamp ages past the validity period, which is why the length of the validity period matters.
The communication method based on the HTTP protocol provided by the application has been described above in conjunction with several embodiments. The method is further described below in conjunction with a concrete application environment:
In the following embodiment, suppose that a user logs in to a website through a terminal using their own username and password; if the server verifies the login request successfully, it returns a dynamic password key to the terminal for use. The website's server comprises a login server and an encryption server.
Step S01: the user logs in and obtains a credential identifier.
At the terminal, the user enters a username and password and sends a login request to the login server. If the login succeeds, the login server returns a credential identifier to the terminal. This credential identifier is a unique authentication string that the login server generates from the user's username and other relevant information.
Step S02: the terminal obtains a timestamp from the encryption server.
The terminal calls the PostDownloadTimeStamp method to send a timestamp request to the encryption server and obtains the latest timestamp from it; the timestamp is the current standard time that the encryption server obtains from a global time synchronization server.
Step S03: the terminal generates the first signature that forms the timestamp ciphertext, and assembles the verification request packet.
If the timestamp is obtained successfully, the terminal calls the RequestHeader_Stamp method to generate the signature and assemble the verification request packet.
The terminal computes, from the timestamp and the credential identifier, the signature that forms the timestamp ciphertext. The specific algorithm is: first, the algorithm factor string is composed as timestamp + timestamp + credential identifier + timestamp; then MD5 is computed over this algorithm factor string, producing a signature string that forms the timestamp ciphertext.
Step S04: the terminal sends the verification request to the encryption server over HTTPS.
The terminal uses the PostDownloadTimeStamp method to send the verification request to the encryption server.
Step S05: the encryption server uses the same rule as the terminal to generate a second signature from the timestamp and the credential identifier, and uses it to verify the verification request sent by the terminal; if the second signature is consistent with the first signature corresponding to the timestamp ciphertext, the timestamp ciphertext is legitimate and valid.
Step S06: verify whether the interval between the first timestamp in the network request information and the current time lies within the corresponding validity period; if it is exceeded, the network request is invalid.
Step S07: the encryption server returns a response message to the terminal.
If verification passes, the encryption server returns the correct dynamic password key to the terminal; otherwise it returns a request-failed notification to the terminal.
The dynamic password key obtained by the terminal can be used for the user's subsequent operations, such as dynamic password entry.
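The flow of steps S01 to S07 as one runnable offline simulation, added here as an example and not the patent's or the assignee's code. It keeps the rule of step S03 (timestamp + timestamp + credential identifier + timestamp, MD5) and the three server checks (credential state, ciphertext, validity period), and adds two things the text does not describe, labelled as such in the code: per-credential validity periods held in a table, and an optional single-use check on the ciphertext. Assumptions: the login server composes the credential identifier from the username, a counter and the login time; the clock is passed in as epoch seconds so that expiry and idle revocation can be exercised without waiting; usernames, passwords and times are constructed sample values.

```python
"""Steps S01 to S07 as an offline simulation (added example; see lead-in)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Composition rule of step S03: timestamp + timestamp + credential + timestamp.
RULE = ("timestamp", "timestamp", "credential", "timestamp")


def sign(timestamp: str, credential: str) -> str:
    """MD5 over the algorithm factor string; the 'signature' of steps S03/S05."""
    factor = "".join(timestamp if tok == "timestamp" else credential for tok in RULE)
    return hashlib.md5(factor.encode("utf-8")).hexdigest()


@dataclass
class LoginServer:
    users: Dict[str, str]                                   # username -> password (constructed)
    issued: Dict[str, dict] = field(default_factory=dict)   # credential -> state
    counter: int = 0

    def login(self, username: str, password: str, now: int) -> Optional[str]:
        """S01: on success, hand out a credential identifier (its format is an assumption)."""
        if self.users.get(username) != password:
            return None
        self.counter += 1
        cred = f"{username}:{self.counter}:{now}"
        # Embodiment two: the validity period is configured per credential (60 s here).
        self.issued[cred] = {"valid": True, "validity_period": 60, "last_seen": now}
        return cred

    def revoke_idle(self, now: int, idle_limit: int) -> None:
        """Credential identifiers are dynamically valid: long inactivity invalidates them."""
        for state in self.issued.values():
            if now - state["last_seen"] > idle_limit:
                state["valid"] = False


@dataclass
class EncryptionServer:
    login: LoginServer
    seen: Set[str] = field(default_factory=set)     # for the optional single-use check

    def post_download_timestamp(self, now: int) -> str:
        """S02: the first timestamp, taken from the server's (injected) clock."""
        return str(now)

    def verify(self, request: dict, now: int, single_use: bool = False) -> Tuple[bool, str]:
        """S05 to S07: credential state, ciphertext, validity period, then the key."""
        state = self.login.issued.get(request["credential"])
        if state is None or not state["valid"]:
            return False, "credential invalid"
        expected = sign(request["timestamp"], request["credential"])     # second signature
        if not hmac.compare_digest(expected, request["ciphertext"]):
            return False, "timestamp ciphertext invalid"
        if now - int(request["timestamp"]) > state["validity_period"]:
            return False, "timestamp expired"
        if single_use:      # hardening not in the patent: each ciphertext accepted once
            if request["ciphertext"] in self.seen:
                return False, "replayed"
            self.seen.add(request["ciphertext"])
        state["last_seen"] = now
        return True, "dynamic-key-" + request["ciphertext"][:8]   # stand-in for the real key


def terminal_request(credential: str, timestamp: str) -> dict:
    """S03/S04: the verification request packet (sent over HTTPS in the patent)."""
    return {"credential": credential, "timestamp": timestamp,
            "ciphertext": sign(timestamp, credential)}


def run_scenario() -> Dict[str, object]:
    """Legitimate flow plus the attacker moves the checks do and do not stop."""
    login = LoginServer(users={"alice": "correct horse"})
    enc = EncryptionServer(login)
    t0 = 1_332_921_600                                      # constructed epoch time
    cred = login.login("alice", "correct horse", t0)
    req = terminal_request(cred, enc.post_download_timestamp(t0 + 1))
    legit, _ = enc.verify(req, now=t0 + 2)
    # Same packet resent 30 s later: still inside the validity period.
    replay_in_window, _ = enc.verify(req, now=t0 + 30)
    # Re-dated packet with the old ciphertext: the second signature will not match.
    tampered, _ = enc.verify(dict(req, timestamp=str(t0 + 3600)), now=t0 + 3601)
    # Same packet resent after the validity period.
    expired, expired_reason = enc.verify(req, now=t0 + 120)
    # With the single-use check, the second presentation is refused.
    enc.verify(req, now=t0 + 40, single_use=True)
    replay_single_use, _ = enc.verify(req, now=t0 + 41, single_use=True)
    # The credential goes idle for longer than the limit and is invalidated.
    login.revoke_idle(now=t0 + 10_000, idle_limit=3600)
    fresh = terminal_request(cred, enc.post_download_timestamp(t0 + 10_000))
    revoked, _ = enc.verify(fresh, now=t0 + 10_000)
    return {"legit": legit, "replay_in_window": replay_in_window, "tampered": tampered,
            "expired": expired, "expired_reason": expired_reason,
            "replay_single_use": replay_single_use, "revoked": revoked}


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() returns the outcome of each attempt. The entry worth noticing is replay_in_window: with only the checks of S05 and S06, an unmodified captured packet is accepted again until its first timestamp ages past the validity period; the single_use flag is what closes that gap.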
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those skilled in the art should know, however, that the application is not limited by the described order of actions, since according to the application some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
With reference to Fig. 4, a schematic structural diagram of an HTTP server according to an embodiment of the application is shown.
The HTTP server specifically comprises:
a receiving module 410, a sending module 420, a timestamp generation module 460 and a ciphertext verification module 430;
wherein the receiving module 410 comprises:
a first receiving unit 411, for receiving timestamp request information;
a second receiving unit 412, for receiving network request information; the network request information contains a first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor that contains the first timestamp;
wherein the timestamp generation module 460 is for generating a first timestamp in response to the timestamp request information;
wherein the sending module 420 comprises:
a first sending unit 421, for sending the first timestamp generated by the timestamp generation module;
wherein the ciphertext verification module 430 is for verifying, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
Preferably,
the server further comprises:
a timestamp verification module 470, for verifying whether the interval between the first timestamp in the network request information received by the second receiving unit 412 and the current time lies within the validity period; if it is exceeded, the network request information is invalid.
Optionally, the preset encryption algorithm is a signature encryption algorithm,
and the ciphertext verification module 430 further comprises:
a signature generation unit 431, for encrypting, by the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a second signature;
a first verification unit 432, for verifying whether the second digital signature generated by the signature generation unit 431 is consistent with the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit 412; if they are inconsistent, the timestamp ciphertext is invalid.
Optionally, the preset encryption algorithm is a symmetric encryption algorithm,
and the ciphertext verification module 430 further comprises:
a second verification unit 433, for decrypting, with the key corresponding to the symmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit 412 to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.
Optionally, the preset encryption algorithm is an asymmetric encryption algorithm,
and the ciphertext verification module 430 further comprises:
a third verification unit 434, for decrypting, with the private key corresponding to the asymmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit 412 to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
Further, the receiving module 410 also comprises:
a third receiving unit 413, for receiving a credential request from the terminal;
and the server further comprises:
a credential identifier generation unit 440, for generating a credential identifier according to the credential request received by the third receiving unit 413;
and the sending module 420 further comprises:
a second sending unit 422, for sending the credential identifier generated by the credential identifier generation unit 440.
Preferably, the network request information received by the second receiving unit 412 also contains a credential identifier;
the algorithm factor containing the first timestamp also contains the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably, the credential identifier is dynamically valid;
and the server further comprises:
a credential verification module 450, for verifying whether the network request information received by the second receiving unit 412 contains a credential identifier; if it does and the credential identifier is invalid, the network request information is invalid.
With reference to Fig. 5, a schematic structural diagram of an HTTP terminal according to an embodiment of the application is shown.
The HTTP terminal comprises:
a sending module 510, a receiving module 520 and a ciphertext module 530;
wherein the sending module 510 comprises:
a first sending unit 511, for sending a first-timestamp acquisition request;
a second sending unit 512, for sending network request information; the network request information contains the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;
wherein the receiving module 520 comprises:
a first receiving unit 521, for receiving the first timestamp;
wherein the ciphertext module 530 is for encrypting, according to a preset encryption algorithm, an algorithm factor that contains the received first timestamp, generating a timestamp ciphertext.
Optionally, the preset encryption algorithm is a signature encryption algorithm;
and the ciphertext module 530 further comprises:
a first encryption unit 531, for encrypting the algorithm factor containing the first timestamp to generate a first digital signature that forms the timestamp ciphertext.
Optionally, the preset encryption algorithm is a symmetric encryption algorithm;
and the ciphertext module 530 further comprises:
a second encryption unit 532, for encrypting, with the key corresponding to the symmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext.
Optionally, the preset encryption algorithm is an asymmetric encryption algorithm;
and the ciphertext module 530 further comprises:
a third encryption unit 533, for encrypting, with the public key corresponding to the asymmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext.
Optionally, the terminal further comprises:
a credential identifier generation module 540, for generating a credential identifier;
the algorithm factor containing the first timestamp also contains the credential identifier generated by the credential identifier generation module;
the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
Preferably,
the sending module 510 further comprises:
a third sending unit 513, for sending credential request information;
and the receiving module 520 further comprises:
a second receiving unit 522, for receiving a credential identifier;
the network request information sent by the second sending unit 512 also contains the credential identifier received by the second receiving unit 522;
the algorithm factor containing the first timestamp also contains the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.
With reference to Fig. 6, a schematic structural diagram of an HTTP-based system according to an embodiment of the application is shown.
Specifically, the system comprises an HTTP terminal 6100 and an HTTP server 6200;
the HTTP terminal 6100 comprises:
a terminal sending module 6110, a terminal receiving module 6120 and a ciphertext module 6130;
wherein the terminal sending module 6110 comprises:
a first sending unit 6111, for sending a first-timestamp acquisition request;
a second sending unit 6112, for sending network request information; the network request information contains the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;
wherein the terminal receiving module 6120 comprises:
a first receiving unit 6121, for receiving the first timestamp;
wherein the ciphertext module 6130 is for encrypting, according to a preset encryption algorithm, an algorithm factor containing the received first timestamp, generating a timestamp ciphertext.
The HTTP server 6200 comprises:
a server receiving module 6210, a server sending module 6220, a timestamp generation module 6230 and a ciphertext verification module 6240;
wherein the server receiving module 6210 comprises:
a first receiving unit 6211, for receiving timestamp request information;
a second receiving unit 6212, for receiving network request information; the network request information contains a first timestamp and a corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor that contains the first timestamp;
wherein the timestamp generation module 6230 is for generating a first timestamp in response to the timestamp request information;
wherein the server sending module 6220 comprises:
a first sending unit 6221, for sending the first timestamp generated by the timestamp generation module;
wherein the ciphertext verification module 6240 is for verifying, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
For the detailed structure of the above system, refer to the explanations of the relevant parts of the HTTP terminal, HTTP server and method embodiments above.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments can be referred to one another. The system and/or apparatus embodiments are substantially similar to the method embodiments, so their description is relatively simple; for the relevant parts, refer to the description of the method embodiments.
Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations.
Moreover, "and/or" above denotes both an "and" relationship and an "or" relationship: if option A and option B are in an "and" relationship, an embodiment can comprise both option A and option B at the same time; if option A and option B are in an "or" relationship, an embodiment can comprise option A alone or option B alone.
The network communication method, server and terminal based on HTTP provided by the application have been described in detail above, and the principles and embodiments of the application have been set forth using specific examples; the explanation of the above embodiments is only intended to help in understanding the method of the application and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the application, make changes in the specific embodiments and the scope of application. In summary, the content of this specification should not be interpreted as a limitation on the application.

Claims (25)

1. A network communication method based on HTTP, characterized by comprising:
sending a first timestamp to a terminal in response to a terminal request;
receiving network request information sent by the terminal, the network request information containing the first timestamp and a corresponding timestamp ciphertext, the network request information sent by the terminal further containing a credential identifier generated by the terminal;
the timestamp ciphertext being generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp, the algorithm factor containing the first timestamp also containing the credential identifier; the algorithm factor being composed of the first timestamp and the credential identifier according to a preset rule, wherein the credential identifier is composed of the terminal's IP address, port number, network interface card identifier and the terminal's current time;
verifying, by the preset encryption algorithm, whether the timestamp ciphertext is valid, and if it is invalid, the network request information is an invalid request.
2. The method of claim 1, characterized by further comprising:
verifying whether the interval between the first timestamp in the network request information and the current time lies within a validity period, and if it is exceeded, the network request information is invalid.
3. The method of claim 1, characterized in that the preset encryption algorithm is a signature encryption algorithm,
and the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
the terminal encrypting, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a first digital signature that forms the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
encrypting, by the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a second digital signature;
verifying whether the second digital signature is consistent with the first digital signature corresponding to the timestamp ciphertext, and if they are inconsistent, the timestamp ciphertext is invalid.
4. The method of claim 1, characterized in that the preset encryption algorithm is a symmetric encryption algorithm,
and the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
the terminal encrypting, with the key corresponding to the symmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
decrypting the timestamp ciphertext with the key corresponding to the symmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
5. The method of claim 1, characterized in that the preset encryption algorithm is an asymmetric encryption algorithm,
and the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
the terminal encrypting, with the corresponding public key according to the asymmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext;
and verifying whether the timestamp ciphertext is valid comprises:
the server decrypting the timestamp ciphertext with the private key corresponding to the asymmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
6. The method of claim 1, characterized in that, before receiving the network request information sent by the terminal, the method further comprises:
receiving credential request information from the terminal;
generating a credential identifier corresponding to the credential request information;
sending the credential identifier to the terminal.
7. The method of claim 1, characterized in that the credential identifier is dynamically valid, and the method further comprises:
if the network request information sent by the terminal contains a credential identifier, the server verifying whether the credential identifier is valid, and if it is invalid, the network request is an invalid request.
8. A network communication method based on HTTP, characterized by comprising:
obtaining a first timestamp from a server;
sending network request information to the server, the network request information containing the first timestamp and a corresponding timestamp ciphertext, the network request information sent by the terminal further containing a credential identifier generated by the terminal;
the timestamp ciphertext being generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp, the algorithm factor containing the first timestamp also containing the credential identifier; the algorithm factor being composed of the first timestamp and the credential identifier according to a preset rule, wherein the credential identifier is composed of the terminal's IP address, port number, network interface card identifier and the terminal's current time.
9. The method of claim 8, characterized in that the preset encryption algorithm is a signature encryption algorithm,
and encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
encrypting, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a first digital signature that forms the timestamp ciphertext.
10. The method of claim 8, characterized in that the preset encryption algorithm is a symmetric encryption algorithm,
and encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
encrypting, with the key corresponding to the symmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext.
11. The method of claim 8, characterized in that the preset encryption algorithm is an asymmetric encryption algorithm,
and encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext comprises:
encrypting, with the public key corresponding to the asymmetric encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext.
12. The method of claim 8, characterized in that, before sending the network request information to the server, the method further comprises:
sending credential request information to the server;
receiving the credential identifier sent by the server.
13. A server based on HTTP, comprising: a receiving module, a sending module, a timestamp generation module and a ciphertext verification module;
wherein the receiving module comprises:
a first receiving unit for receiving timestamp request information;
a second receiving unit for receiving network request information; the network request information comprises a first timestamp and a corresponding timestamp ciphertext, and the received network request information also comprises a credential identifier;
the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor that comprises the first timestamp; the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule, wherein the credential identifier is composed of the IP address of the terminal, the port number, the network card identifier and the current time of the terminal;
wherein the timestamp generation module generates the first timestamp in response to the timestamp request information;
wherein the sending module comprises:
a first sending unit for sending the first timestamp generated by the timestamp generation module;
wherein the ciphertext verification module verifies, by the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.
14. The server as claimed in claim 13, wherein
the server further comprises:
a timestamp verification module for verifying whether the interval between the first timestamp in the network request information received by the second receiving unit and the current time is within the validity period; if it exceeds the validity period, the network request information is invalid.
15. The server as claimed in claim 13, wherein the preset encryption algorithm is a signature algorithm,
and the ciphertext verification module further comprises:
a signature generation unit for encrypting, by the signature algorithm, the algorithm factor comprising the first timestamp to generate a second digital signature;
a first verification unit for verifying whether the second digital signature generated by the signature generation unit is consistent with the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.
16. The server as claimed in claim 13, wherein the preset encryption algorithm is a symmetric encryption algorithm,
and the ciphertext verification module further comprises:
a second verification unit for decrypting, with the key corresponding to the symmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit to obtain the timestamp information therein as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.
17. The server as claimed in claim 13, wherein the preset encryption algorithm is an asymmetric encryption algorithm,
and the ciphertext verification module further comprises:
a third verification unit for decrypting, with the private key corresponding to the asymmetric encryption algorithm, the timestamp ciphertext received by the second receiving unit to obtain the timestamp information therein as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.
18. The server as claimed in claim 13, wherein the receiving module further comprises:
a third receiving unit for receiving a credential request from the terminal;
the server further comprises:
a credential identifier generation unit for generating a credential identifier according to the credential request received by the third receiving unit;
the sending module further comprises:
a second sending unit for sending the credential identifier generated by the credential identifier generation unit.
19. The server as claimed in claim 18 or 13, wherein the credential identifier is dynamically valid;
the server further comprises:
a credential verification module for verifying whether the network request information received by the second receiving unit includes a credential identifier; if it does and the credential identifier is invalid, the network request information is invalid.
20. A terminal based on HTTP, comprising:
a sending module, a receiving module and a ciphertext module;
wherein the sending module comprises:
a first sending unit for sending a request to obtain a first timestamp;
a second sending unit for sending network request information; the network request information comprises the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module, and the network request information also comprises a credential identifier generated by the terminal;
wherein the receiving module comprises:
a first receiving unit for receiving the first timestamp;
wherein the ciphertext module encrypts, according to a preset encryption algorithm, an algorithm factor that comprises the received first timestamp to generate the timestamp ciphertext; the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule, wherein the credential identifier is composed of the IP address of the terminal, the port number, the network card identifier of the terminal and the current time.
21. The terminal as claimed in claim 20, wherein the preset encryption algorithm is a signature algorithm;
the ciphertext module further comprises:
a first encryption unit for encrypting the algorithm factor comprising the first timestamp to generate a first digital signature, which constitutes the timestamp ciphertext.
22. The terminal as claimed in claim 20, wherein the preset encryption algorithm is a symmetric encryption algorithm;
the ciphertext module further comprises:
a second encryption unit for encrypting, with the key corresponding to the symmetric encryption algorithm, the algorithm factor comprising the first timestamp to generate the timestamp ciphertext.
23. The terminal as claimed in claim 20, wherein the preset encryption algorithm is an asymmetric encryption algorithm;
the ciphertext module further comprises:
a third encryption unit for encrypting, with the public key corresponding to the asymmetric encryption algorithm, the algorithm factor comprising the first timestamp to generate the timestamp ciphertext.
24. The terminal as claimed in claim 20, further comprising:
a credential identifier generation module for generating the credential identifier;
the algorithm factor comprising the first timestamp also comprises the credential identifier generated by the credential identifier generation module;
the algorithm factor is composed of the first timestamp and the credential identifier according to the preset rule.
25. The terminal as claimed in claim 20, wherein
the sending module further comprises:
a third sending unit for sending credential request information;
the receiving module further comprises:
a second receiving unit for receiving the credential identifier;
the network request information sent by the second sending unit also comprises the credential identifier received by the second receiving unit;
the algorithm factor comprising the first timestamp also comprises the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to the preset rule.
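The exchange described in claims 8 to 25, as an added example that is not part of the patent: the terminal builds the algorithm factor from the first timestamp and its credential identifier and signs it, and the server regenerates the signature, checks the validity period and checks the credential. HMAC-SHA256 stands in for the unspecified signature algorithm; the '|' joining rule, the 30-second validity period, the shared key and the simulated clock are assumptions, and remembering already accepted (credential, timestamp) pairs is added here because the claims leave repeated requests inside the validity period unspecified.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-example-key"   # constructed; stands for the preset algorithm's key
VALIDITY_SECONDS = 30                     # validity period of claim 14 (value assumed)


def credential_id(ip, port, nic_id, now):
    # Claim 8: credential identifier = terminal IP, port, network-card id, current time.
    return f"{ip}:{port}:{nic_id}:{now}"


def timestamp_ciphertext(first_timestamp, cred):
    # Algorithm factor (assumed preset rule: fields joined by '|'), then the first
    # digital signature over it (claim 9). HMAC-SHA256 stands in for the
    # unspecified signature algorithm.
    factor = f"{first_timestamp}|{cred}".encode()
    return hmac.new(SHARED_KEY, factor, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.now = 1_700_000_000          # simulated clock, advanced by the caller
        self.valid_credentials = set()    # dynamically valid credential ids (claim 19)
        self.accepted = set()             # (credential, timestamp) pairs already accepted

    def issue_credential(self, ip, port, nic_id):   # claim 18
        cred = credential_id(ip, port, nic_id, self.now)
        self.valid_credentials.add(cred)
        return cred

    def issue_timestamp(self):                      # claim 13: the first timestamp
        return self.now

    def verify(self, request):
        # Claims 13-19; returns (accepted, reason).
        ts, cred, ct = request["timestamp"], request["credential"], request["ciphertext"]
        if cred not in self.valid_credentials:                 # claim 19
            return False, "invalid credential"
        if abs(self.now - ts) > VALIDITY_SECONDS:              # claim 14
            return False, "timestamp outside validity period"
        second_signature = timestamp_ciphertext(ts, cred)      # claim 15
        if not hmac.compare_digest(second_signature, ct):
            return False, "timestamp ciphertext invalid"
        # Not in the claims: without remembering accepted pairs, an exact copy of a
        # valid request would still pass inside the validity period.
        if (cred, ts) in self.accepted:
            return False, "replayed request"
        self.accepted.add((cred, ts))
        return True, "ok"


def terminal_request(first_timestamp, cred):
    # Claims 20-21: first timestamp, credential id and the generated timestamp ciphertext.
    return {"timestamp": first_timestamp, "credential": cred,
            "ciphertext": timestamp_ciphertext(first_timestamp, cred)}


def run_exchange():
    # Scripted exchange: honest request, verbatim copy, edited timestamp, stale timestamp.
    server = Server()
    cred = server.issue_credential("192.0.2.10", 51000, "00:11:22:33:44:55")
    req = terminal_request(server.issue_timestamp(), cred)
    honest = server.verify(req)
    replay = server.verify(req)
    forged = server.verify(dict(req, timestamp=req["timestamp"] + 5))
    server.now += VALIDITY_SECONDS + 1
    late = server.verify(terminal_request(req["timestamp"], cred))
    return {"honest": honest, "replay": replay, "forged": forged, "late": late}
```

Calling `run_exchange()` returns one verdict per request, so the four rejection paths of claims 14, 15 and 19 can be inspected side by side.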
CN201210089712.6A 2012-03-29 2012-03-29 Communication means based on HTTP, server, terminal Active CN102647461B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210089712.6A CN102647461B (en) 2012-03-29 2012-03-29 Communication means based on HTTP, server, terminal
CN201610169962.9A CN105681470B (en) 2012-03-29 2012-03-29 Communication means, server based on hypertext transfer protocol, terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210089712.6A CN102647461B (en) 2012-03-29 2012-03-29 Communication means based on HTTP, server, terminal

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201610169962.9A Division CN105681470B (en) 2012-03-29 2012-03-29 Communication means, server based on hypertext transfer protocol, terminal

Publications (2)

Publication Number Publication Date
CN102647461A CN102647461A (en) 2012-08-22
CN102647461B true CN102647461B (en) 2016-05-04

Family

ID=46660034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210089712.6A Active CN102647461B (en) 2012-03-29 2012-03-29 Communication means based on HTTP, server, terminal

Country Status (1)

Country Link
CN (1) CN102647461B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453328A (en) * 2007-12-06 2009-06-10 中国移动通信集团公司 Identity management system and identity authentication system
CN101534196A (en) * 2008-03-12 2009-09-16 因特伟特公司 Method and apparatus for securely invoking a rest api
CN101594226A (en) * 2009-06-17 2009-12-02 中兴通讯股份有限公司 The data guard method and the system that are used for file transfer
CN102025748A (en) * 2011-01-04 2011-04-20 深信服网络科技(深圳)有限公司 Method, device and system for acquiring user name of Kerberos authentication mode
CN102073953A (en) * 2009-11-24 2011-05-25 阿里巴巴集团控股有限公司 On-line payment method and system

Also Published As

Publication number Publication date
CN102647461A (en) 2012-08-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121025

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121025

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 CHAOYANG, BEIJING TO: 100088 XICHENG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20121025

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Applicant after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Applicant before: Qizhi software (Beijing) Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220718

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.