CN112968910A - Replay attack prevention method and device - Google Patents
Replay attack prevention method and device Download PDFInfo
- Publication number
- CN112968910A CN112968910A CN202110340953.2A CN202110340953A CN112968910A CN 112968910 A CN112968910 A CN 112968910A CN 202110340953 A CN202110340953 A CN 202110340953A CN 112968910 A CN112968910 A CN 112968910A
- Authority
- CN
- China
- Prior art keywords
- access request
- request
- check code
- mac check
- parameter
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/121—Timestamp
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and a device for preventing replay attack, and relates to the field of data security. One embodiment of the method comprises: the rear end receives an access request and a first mac check code parameter transmitted by the front end; acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter; and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request. On the basis of the existing timeframe and nonce anti-replay control, the implementation mode is additionally provided with a mac checking mechanism to further ensure the authenticity of the timeframe and nonce in the request parameters, and the existing codes are not greatly modified, are light in weight and are not easy to be tampered.
Description
Technical Field
The present invention relates to the field of data security, and in particular, to a method and an apparatus for preventing replay attack.
Background
Existing anti-replay attack schemes are generally based on a timeframe + nonce check: the front-end needs to add a timestamp parameter each time it initiates an HTTP request. Because a normal HTTP request is sent to the server, the time period from the sending to the server generally does not exceed 60s, after the back end receives the HTTP request, it is first determined whether the timestamp parameter exceeds 60s compared to the current timestamp parameter, and if so, it is considered as an illegal request.
However, the attacker still has 60s time attack as further optimization, and a nonce random number is added to prevent repeated requests within 60 s. The nonce is a random number valid only once in 60s, requiring that the parameter is guaranteed to be different for each request in 60s, and the parameter received in 60s is buffered to check whether there is a duplicate nonce in 60 s.
In the process of implementing the invention, the inventor finds that the scheme of timeframe + nonce, although simple and easy to understand, is easy to forge: after an attacker intercepts the message, the timestamp is modified into a timestamp in 60s when the attacker replays the request, the nonce is modified into another random number, and due to the characteristics of the random number, the random number only has a very small probability of being repeated with the nonce existing in 60s, so that the replay attack prevention fails.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for preventing replay attack, which can at least solve the problem that the existing timestamp + nonce scheme is easy to forge and fail to prevent replay attack, although it is simple and easy to understand.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a replay attack preventing method including:
the rear end receives an access request and a first mac check code parameter transmitted by the front end;
acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request.
Optionally, before the back end receives the access request and the first mac check code parameter transmitted by the front end, the method further includes:
the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
and sending the access request and the first mac check code parameter to a back end together for anti-replay check.
Optionally, the sending together to the back end for performing anti-replay verification further includes: processing the first mac check code parameter to obtain a message verification code in the process of transmitting the access request and the first mac check code parameter from the front end to the back end;
the receiving, by the back end, the access request and the first mac check code parameter transmitted by the front end includes: and the back end receives the access request and the message verification code and restores the access request and the message verification code to the first mac check code parameter.
Optionally, the processing the first mac check code parameter to obtain a message verification code includes:
and processing the first mac check code parameter by using a symmetric encryption or asymmetric encryption mode to obtain a message verification code.
Optionally, the request parameter includes a request service parameter, a request timestamp, and a random number;
if so, processing the access request, further comprising:
if so, calculating a difference value between the request timestamp and the current timestamp, and judging whether the difference value exceeds a preset time difference;
if the random number exceeds the preset time period, judging that the random number is a replay request, refusing to process the access request, and otherwise, acquiring all random numbers counted in the preset time period from the current timestamp;
and judging whether all the random numbers contain the random numbers or not, if so, judging that the random numbers are replay requests, refusing to process the access requests, and otherwise, processing the access requests.
Optionally, after the denying of the processing of the access request, the method further includes:
and determining an object initiating the access request, and performing current limiting operation on the object.
To achieve the above object, according to another aspect of embodiments of the present invention, there is provided a replay attack preventing apparatus including:
the receiving module is used for receiving the access request and the first mac check code parameter transmitted by the front end at the rear end;
the processing module is used for acquiring a preset secret salt value, processing the preset secret salt value and the request parameter in the access request and obtaining a second mac check code parameter;
and the comparison module is used for comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, the access request is processed, otherwise, the access request is judged to be a replay request, and the access request is refused to be processed.
Optionally, the system further includes a front-end processing module, configured to:
the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
and sending the access request and the first mac check code parameter to a back end together for anti-replay check.
Optionally, the system further includes a transmission encryption module, configured to: processing the first mac check code parameter to obtain a message verification code in the process of transmitting the access request and the first mac check code parameter from the front end to the back end;
the receiving module is configured to: and the back end receives the access request and the message verification code and restores the access request and the message verification code to the first mac check code parameter.
Optionally, the transmission encryption module is configured to: and processing the first mac check code parameter by using a symmetric encryption or asymmetric encryption mode to obtain a message verification code.
Optionally, the request parameter includes a request service parameter, a request timestamp, and a random number;
the comparison module is further configured to:
if so, calculating a difference value between the request timestamp and the current timestamp, and judging whether the difference value exceeds a preset time difference;
if the random number exceeds the preset time period, judging that the random number is a replay request, refusing to process the access request, and otherwise, acquiring all random numbers counted in the preset time period from the current timestamp;
and judging whether all the random numbers contain the random numbers or not, if so, judging that the random numbers are replay requests, refusing to process the access requests, and otherwise, processing the access requests.
Optionally, the apparatus further comprises a current limiting module, configured to:
and determining an object initiating the access request, and performing current limiting operation on the object.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic device for preventing replay attack.
The electronic device of the embodiment of the invention comprises: one or more processors; and the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors realize any one of the above-mentioned replay attack prevention methods.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable medium on which a computer program is stored, the program implementing any of the above-described replay attack prevention methods when executed by a processor.
According to the scheme provided by the invention, one embodiment of the invention has the following advantages or beneficial effects: while preventing replay attack, adding a request message tamper-proof mechanism, and carrying out hash calculation according to the user request service parameters, the timestamp, the nonce and the salt to verify the mac, thereby avoiding the condition of forging the timestamp + nonce value.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic flow chart of a method for preventing replay attack according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for specifically preventing replay attacks according to an embodiment of the present invention;
FIG. 3 is a schematic illustration of a timeframe + nonce anti-replay flow;
FIG. 4 is a flow chart illustrating an alternative method for preventing replay attacks according to an embodiment of the present invention;
fig. 5 is a schematic diagram of main blocks of a replay attack prevention apparatus according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 7 is a schematic block diagram of a computer system suitable for use with a mobile device or server implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The replay attack is one of attack modes commonly used by hackers in the computer field, and the replay attack is that an attacker sends a packet which is received by a target host to achieve the purpose of deceiving a system, and is mainly used for bypassing the identity authentication process, destroying the correctness of authentication and sending a request again once or for many times without change; or malicious repeated read-write operation of the database is performed on the system, so that the performance of the system is influenced. The main hazards are as follows:
1. the authentication request may be acquired by an attacker and retransmitted to the authentication server, thereby achieving the purpose of passing authentication. Although the information leakage can be prevented through encryption and signature, and the session is hijacked and modified, the replay attack cannot be prevented through the method.
2. If the normal request is an insert database operation, multiple duplicate data may occur once the statements inserted into the database write poorly. Once a relatively slow query operation occurs, it may cause database blocking and the like.
Replay attacks are a type of attack that repeats an effective data transmission, either continuously maliciously or fraudulently, either by the originator or by an adversary that intercepts and retransmits the data. The attacker steals the authentication credentials by using network monitoring or other methods, and then retransmits the authentication credentials to the authentication server. It is understood from this explanation that encryption can effectively prevent session hijacking, but does not prevent replay attacks. Replay attacks may occur during any network communication.
Referring to fig. 1, a main flowchart of a method for preventing replay attack according to an embodiment of the present invention is shown, including the following steps:
s101: the rear end receives an access request and a first mac check code parameter transmitted by the front end;
s102: acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
s103: and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request.
In the above embodiment, regarding steps S101 to S103, the front end in the present embodiment generally refers to all systems using front-end and back-end message format interaction, such as a browser, a PC, an App, and a Web application.
The front end responds to an access request initiated by a user, and adds a mac check code parameter after a request parameter (including a request service parameter, a request timestamp, and a random number), where the specific calculation mode is mac-hash (request parameter, salt), for example:
the request service parameters are article id: articleId 1
Request timestamp 20210208091703345
12333494859 random number nonce
salt 43edf4hf, which is a secret salt value predetermined for the front and back ends
Using HmacSHA256 as the hash algorithm:
mac1=HmacSHA256(“articleId=1×tamp=20210208091703345&nonce=12333494859”,“43edf4hf”)=19def6d19512987cf4e72bf4c52a356e6e1c3935a79faad15689cd35565689af
in addition to the above-mentioned method, the mac check code parameter may be calculated in other manners, as long as it is ensured that only the front end and the back end of the system can calculate the check code, and an attacker who intercepts the message cannot calculate the check code.
In applications where security concerns and data privacy are a concern, encryption algorithms are used, sometimes to make the results of encryption more "funeral" and often to add "salt" to the encrypted data. Commonly used encryption algorithms are roughly divided into two types: reversible and irreversible, such as MD5() irreversible, RijnDael reversible. In irreversible encryption algorithms, the salt value is typically "more and more" as represented by md5(' VoyageMobile:. $ this- > getSalt ($ extraKey)), thus, the emphasis is on using the salt value in reversible algorithms.
Salt is usually created in order to ensure the uniqueness of the salt value, so that the encrypted character strings seen by different users are also different. The timeliness of the salt value is guaranteed, the salt value is changed frequently due to the safety consideration, and therefore the encrypted character string is changed and the rule is not easy to find.
After the front end calculates the mac1 check code parameter, the front end sends the mac1 check code parameter and the access request one to the back end for anti-replay check processing, which is specifically shown in fig. 2.
After receiving the access request and the mac1 check code parameters sent by the front end, the back end continues to perform hash calculation on the mac2 check code parameters (mac2 is hash) according to the user request parameters and salt, judges whether mac1 and mac2 are equal, if the mac2 is equal, the current request parameters are not tampered, the request is a normal request, and the normal service processing logic returns a result; but if the two requests are not equal, the request is determined to be a replay request, and an error is returned.
Further, if mac1 is equal to mac2, the anti-replay check of the timemap and nonce parameters is continued. Referring to fig. 3, first, it is calculated whether the difference between the timestamp and the current timestamp exceeds a preset time difference (for example, 60s), if so, it is determined to be a replay request, otherwise, it continues to determine the nonce. Usually, all random numbers (which may be character strings or other digital forms) within a preset time difference from the current timestamp are stored in the system cache, and whether the random numbers have a random number nonce in the access request of this time or not is directly judged, if yes, the access request is judged to be a replay request and processing is refused, otherwise, the access request is normally processed.
For replay requests, an alarm reminder may be triggered, an object (e.g., a user) that initiated the access request may be determined, and the user name, IP address, etc. of the object may be added to a blacklist to perform a current limiting operation on the object.
In the method provided by the embodiment, when the back-end processes the browser request, hash calculation is performed according to the user request service parameter, the timestamp, the nonce, and the salt to verify mac. The whole realization is simple, the calculation cost of generating a mac check code parameter for each access request is low, and the parameters input by calculating the mac comprise the timestamp and the nonce used for preventing replay attack, so the mac is not easy to be tampered.
Referring to fig. 4, a main flowchart of an alternative method for preventing replay attack according to an embodiment of the present invention is shown, which includes the following steps:
s401: the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
s402: processing the first mac check code parameter to obtain a message verification code in the process of transmitting the access request and the first mac check code parameter from the front end to the back end;
s403: the back end receives the access request and the message verification code, and restores the access request and the message verification code to the first mac check code parameter from the message verification code;
s404: acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
s405: and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request.
In the above embodiment, reference may be made to the description shown in fig. 1 for steps S401, S404, and S405, which are not described herein again.
In the above embodiment, for steps S402 and S403, the message authentication code (keyed Hash function): in cryptography, a verification mechanism used by both communicating entities is a tool to ensure the integrity of message data. The construction method is proposed by m.bellare, and the security depends on the Hash function, so the construction method is also called the Hash function with the key. The message authentication code is a value obtained based on the key and the message digest, and can be used for data origination authentication and integrity check.
In the process that the front end generates mac1 and sends the mac1 to the back end, the mac1 is encrypted in a symmetric encryption or asymmetric encryption mode (specifically set according to actual requirements), a message verification code is obtained, and the message verification code and the access request are sent to the back end in a message mode.
After receiving the message, the back end firstly recovers the mac1 from the message authentication code by using a symmetric encryption or asymmetric encryption mode, simultaneously obtains the mac2 by combining with the preset salt value and locally processing the request parameter in the access request, compares the two macs, if the two macs are equal, the message passes the authentication, continues to perform anti-replay verification on the timestamp and nonce parameters, and otherwise, judges that the message is a replay request and refuses to process the access request.
In the method provided by the embodiment, the mac check code parameter is a main judgment standard for authenticating the authenticity of the message, and the message authentication code is only used for encapsulating the mac according to a certain format, so that the secure transmission is realized, and the anti-replay attack effect is further improved.
The method provided by the embodiment of the invention is characterized in that on the basis of the existing timemap and nonce anti-replay control, a mac check mechanism is additionally arranged to further ensure the authenticity of the timemap and nonce in the request parameters, and the existing codes are not greatly modified, are light in weight and are not easy to be tampered.
Referring to fig. 5, a schematic diagram of main modules of an apparatus 500 for preventing replay attack according to an embodiment of the present invention is shown, including:
a receiving module 501, configured to receive, at the back end, an access request and a first mac check code parameter transmitted by the front end;
a processing module 502, configured to obtain a preset secret salt value, and process the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
a comparing module 503, configured to compare whether the first mac check code parameter and the second mac check code parameter are equal, if so, process the access request, otherwise, determine that the access request is a replay request, and refuse to process the access request.
The apparatus of the embodiment of the present invention further includes a front-end processing module 504 (not shown in the figure), configured to:
the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
and sending the access request and the first mac check code parameter to a back end together for anti-replay check.
The apparatus of the embodiment of the present invention further includes a transmission encryption module 505 (not shown in the figure), configured to: processing the first mac check code parameter to obtain a message verification code in the process of transmitting the access request and the first mac check code parameter from the front end to the back end;
the receiving module 501 is configured to: and the back end receives the access request and the message verification code and restores the access request and the message verification code to the first mac check code parameter.
In the apparatus of the embodiment of the present invention, the transmission encryption module 505 is configured to:
and processing the first mac check code parameter by using a symmetric encryption or asymmetric encryption mode to obtain a message verification code.
In the device of the embodiment of the invention, the request parameters comprise request service parameters, request time stamps and random numbers;
the alignment module 503 is further configured to:
if so, calculating a difference value between the request timestamp and the current timestamp, and judging whether the difference value exceeds a preset time difference;
if the random number exceeds the preset time period, judging that the random number is a replay request, refusing to process the access request, and otherwise, acquiring all random numbers counted in the preset time period from the current timestamp;
and judging whether all the random numbers contain the random numbers or not, if so, judging that the random numbers are replay requests, refusing to process the access requests, and otherwise, processing the access requests.
The apparatus of the embodiment of the present invention further includes a current limiting module 506 (not shown in the figure) configured to:
and determining an object initiating the access request, and performing current limiting operation on the object.
In addition, the detailed implementation of the device in the embodiment of the present invention has been described in detail in the above method, so that the repeated description is not repeated here.
FIG. 6 illustrates an exemplary system architecture 600 to which embodiments of the invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605 (by way of example only). The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. Various communication client applications can be installed on the terminal devices 601, 602, 603.
The terminal devices 601, 602, 603 may be various electronic devices having display screens and supporting web browsing, and the server 605 may be a server providing various services.
It should be noted that the method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the apparatus is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprises a receiving module, a processing module and a comparison module. The names of these modules do not in some cases form a limitation on the module itself, and for example, an alignment module may also be described as a "check code alignment module".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise:
the rear end receives an access request and a first mac check code parameter transmitted by the front end;
acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request.
According to the technical scheme of the embodiment of the invention, hash calculation is carried out according to the user request service parameters, the timestamp, the nonce and the salt to verify the mac, the whole realization is simple, the calculation cost is lower, and the parameters input by calculating the mac comprise the timestamp and the nonce used for preventing replay attack, so the mac is not easy to be tampered, and the safety is higher.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method of preventing replay attacks, comprising:
the rear end receives an access request and a first mac check code parameter transmitted by the front end;
acquiring a preset secret salt value, and processing the preset secret salt value and the request parameter in the access request to obtain a second mac check code parameter;
and comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, processing the access request, otherwise, judging that the access request is a replay request, and refusing to process the access request.
2. The method of claim 1, further comprising, before the back-end receives the access request and the first mac check code parameter transmitted by the front-end:
the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
and sending the access request and the first mac check code parameter to a back end together for anti-replay check.
3. The method of claim 2, wherein the sending together to a back-end for anti-replay verification further comprises: processing the first mac check code parameter to obtain a message verification code in the process of transmitting the access request and the first mac check code parameter from the front end to the back end;
the receiving, by the back end, the access request and the first mac check code parameter transmitted by the front end includes: and the back end receives the access request and the message verification code and restores the access request and the message verification code to the first mac check code parameter.
4. The method of claim 3, wherein the processing the first mac check code parameter to obtain a message authentication code comprises:
and processing the first mac check code parameter by using a symmetric encryption or asymmetric encryption mode to obtain a message verification code.
5. The method according to any of claims 1-4, wherein the request parameters include a request traffic parameter, a request timestamp, and a random number;
if so, processing the access request, further comprising:
if so, calculating a difference value between the request timestamp and the current timestamp, and judging whether the difference value exceeds a preset time difference;
if the random number exceeds the preset time period, judging that the random number is a replay request, refusing to process the access request, and otherwise, acquiring all random numbers counted in the preset time period from the current timestamp;
and judging whether all the random numbers contain the random numbers or not, if so, judging that the random numbers are replay requests, refusing to process the access requests, and otherwise, processing the access requests.
6. The method of claim 5, further comprising, after said denying processing the access request:
and determining an object initiating the access request, and performing current limiting operation on the object.
7. An apparatus for preventing replay attack, comprising:
the receiving module is used for receiving the access request and the first mac check code parameter transmitted by the front end at the rear end;
the processing module is used for acquiring a preset secret salt value, processing the preset secret salt value and the request parameter in the access request and obtaining a second mac check code parameter;
and the comparison module is used for comparing whether the first mac check code parameter and the second mac check code parameter are equal, if so, the access request is processed, otherwise, the access request is judged to be a replay request, and the access request is refused to be processed.
8. The apparatus of claim 7, further comprising a front-end processing module to:
the front end receives an access request, encrypts the preset secret salt value and a request parameter in the access request and generates a first mac check code parameter;
and sending the access request and the first mac check code parameter to a back end together for anti-replay check.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110340953.2A CN112968910B (en) | 2021-03-30 | 2021-03-30 | Replay attack prevention method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110340953.2A CN112968910B (en) | 2021-03-30 | 2021-03-30 | Replay attack prevention method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112968910A true CN112968910A (en) | 2021-06-15 |
CN112968910B CN112968910B (en) | 2022-12-27 |
Family
ID=76279708
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110340953.2A Active CN112968910B (en) | 2021-03-30 | 2021-03-30 | Replay attack prevention method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112968910B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113612795A (en) * | 2021-08-18 | 2021-11-05 | 广州科语机器人有限公司 | Replay attack judgment method, Internet of things equipment, electronic equipment and storage medium |
CN114301623A (en) * | 2021-11-24 | 2022-04-08 | 岚图汽车科技有限公司 | Message encryption method and related equipment |
CN115065503A (en) * | 2022-05-11 | 2022-09-16 | 浪潮云信息技术股份公司 | Method for preventing replay attack of API gateway |
CN118713940A (en) * | 2024-08-30 | 2024-09-27 | 浙江中控研究院有限公司 | Anti-replay method, equipment and storage medium for time-free industrial control network communication |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150318992A1 (en) * | 2012-12-10 | 2015-11-05 | Gemalto Sa | Method for server assisted keystore protection |
CN106549963A (en) * | 2016-11-05 | 2017-03-29 | 北京工业大学 | Safe storage system based on HDFS |
CN106789997A (en) * | 2016-12-12 | 2017-05-31 | 中国传媒大学 | A kind of encryption method of anti-replay-attack |
CN107135073A (en) * | 2016-02-26 | 2017-09-05 | 北京京东尚科信息技术有限公司 | Interface interchange method and apparatus |
CN108494775A (en) * | 2018-03-26 | 2018-09-04 | 四川长虹电器股份有限公司 | It prevents from utilizing valid data or the method for distorting valid data progress network attack |
US20180343251A1 (en) * | 2017-11-16 | 2018-11-29 | Qingdao Hisense Electronics Co., Ltd. | Processing method and apparatus for remote assistance |
CN110611564A (en) * | 2019-07-30 | 2019-12-24 | 云南昆钢电子信息科技有限公司 | System and method for defending API replay attack based on timestamp |
-
2021
- 2021-03-30 CN CN202110340953.2A patent/CN112968910B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150318992A1 (en) * | 2012-12-10 | 2015-11-05 | Gemalto Sa | Method for server assisted keystore protection |
CN107135073A (en) * | 2016-02-26 | 2017-09-05 | 北京京东尚科信息技术有限公司 | Interface interchange method and apparatus |
CN106549963A (en) * | 2016-11-05 | 2017-03-29 | 北京工业大学 | Safe storage system based on HDFS |
CN106789997A (en) * | 2016-12-12 | 2017-05-31 | 中国传媒大学 | A kind of encryption method of anti-replay-attack |
US20180343251A1 (en) * | 2017-11-16 | 2018-11-29 | Qingdao Hisense Electronics Co., Ltd. | Processing method and apparatus for remote assistance |
CN108494775A (en) * | 2018-03-26 | 2018-09-04 | 四川长虹电器股份有限公司 | It prevents from utilizing valid data or the method for distorting valid data progress network attack |
CN110611564A (en) * | 2019-07-30 | 2019-12-24 | 云南昆钢电子信息科技有限公司 | System and method for defending API replay attack based on timestamp |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113612795A (en) * | 2021-08-18 | 2021-11-05 | 广州科语机器人有限公司 | Replay attack judgment method, Internet of things equipment, electronic equipment and storage medium |
CN114301623A (en) * | 2021-11-24 | 2022-04-08 | 岚图汽车科技有限公司 | Message encryption method and related equipment |
CN115065503A (en) * | 2022-05-11 | 2022-09-16 | 浪潮云信息技术股份公司 | Method for preventing replay attack of API gateway |
CN115065503B (en) * | 2022-05-11 | 2024-05-31 | 浪潮云信息技术股份公司 | Method for preventing replay attack of API gateway |
CN118713940A (en) * | 2024-08-30 | 2024-09-27 | 浙江中控研究院有限公司 | Anti-replay method, equipment and storage medium for time-free industrial control network communication |
Also Published As
Publication number | Publication date |
---|---|
CN112968910B (en) | 2022-12-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210344512A1 (en) | Methods and systems for pki-based authentication | |
US10999272B2 (en) | Authenticating and authorizing users with JWT and tokenization | |
CN112968910B (en) | Replay attack prevention method and device | |
US9985994B2 (en) | Enforcing compliance with a policy on a client | |
US20220394026A1 (en) | Network identity protection method and device, and electronic equipment and storage medium | |
CN110198297B (en) | Flow data monitoring method and device, electronic equipment and computer readable medium | |
US10277576B1 (en) | Diameter end-to-end security with a multiway handshake | |
CN104243419A (en) | Data processing method, device and system based on secure shell protocol | |
US8099602B2 (en) | Methods for integrating security in network communications and systems thereof | |
CN110545285A (en) | Internet of things terminal security authentication method based on security chip | |
US10122755B2 (en) | Method and apparatus for detecting that an attacker has sent one or more messages to a receiver node | |
CN112566121B (en) | Method for preventing attack, server and storage medium | |
CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
CN107566393A (en) | A kind of dynamic rights checking system and method based on trust certificate | |
CN111901124B (en) | Communication safety protection method and device and electronic equipment | |
CN110943840A (en) | Signature verification method and system | |
JP5186648B2 (en) | System and method for facilitating secure online transactions | |
CN108900595B (en) | Method, device and equipment for accessing data of cloud storage server and computing medium | |
CN110572392A (en) | Identity authentication method based on HyperLegger network | |
CN113225348B (en) | Request anti-replay verification method and device | |
CN116094786A (en) | Data processing method, system, device and storage medium based on double-factor protection | |
CN116074028A (en) | Access control method, device and system for encrypted traffic | |
CN110830465A (en) | Security protection method for accessing UKey, server and client | |
EP3087714B1 (en) | A method and apparatus for detecting that an attacker has sent one or more messages to a receiver node | |
KR101737925B1 (en) | Method and system for authenticating user based on challenge-response |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |