
CN113225348B - Request anti-replay verification method and device - Google Patents


Info

Publication number
CN113225348B
Authority
CN
China
Prior art keywords
access request
preset
message
request
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110548344.6A
Other languages
Chinese (zh)
Other versions
CN113225348A (en)
Inventor
王曦
冯晓峰
林明
单晟
袁正东
林威
黄坤
单颖菲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp
Priority to CN202110548344.6A
Publication of CN113225348A
Application granted
Publication of CN113225348B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a request anti-replay verification method and device, and relates to the technical field of big data. One embodiment of the method comprises: receiving an access request; verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule; and if the verification is passed, processing the access request. The implementation mode greatly reduces the influence of the replay check request on the performance of the server under the high-flow and high-concurrency request state, can ensure the communication safety between services, improves the anti-attack capability of the system, and provides powerful guarantee and technical guidance for meeting the safety management of an enterprise-level system.

Description

Request anti-replay verification method and device
Technical Field
The invention relates to the technical field of big data, in particular to a request anti-replay verification method and a request anti-replay verification device.
Background
In general, in network communication, an API interface needs to serve calls from other services, so the API interface must be exposed to an external network and provide a specific request address and request parameters, which brings the risk that a request message is tampered with and replayed. Request tampering means that an attacker intercepts a communication request and tampers with the request parameter content in order to steal information and attack the target system. Request replay means that an attacker re-sends a request that the system has already received in order to spoof the system. Replay is mainly used against the identity authentication process and undermines the correctness of authentication. Replay attacks may be performed by the original initiator or by an adversary who intercepts and retransmits the data. At present, a commonly used method for preventing replay attacks needs to store an authentication credential, a sequence window size and the sequence number reached for each request of a client, and when the number of clients is large, a large amount of storage space is consumed. Moreover, when a client sends many requests at the same time, there is a probability that requests exceed the preset window range even under normal conditions, so that normal requests are misjudged.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for request anti-replay verification, which greatly reduce the impact of a replay verification request on the performance of a server in a high-traffic and high-concurrency request state, provide strong guarantees and technical guidance for satisfying security management of an enterprise-level system, ensure communication security between services, and improve the anti-attack capability of the system.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a request anti-replay verification method including: receiving an access request; verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule; and if the verification is passed, processing the access request.
Optionally, the verifying the access request according to a preset timestamp verification rule includes:
analyzing the access request, and acquiring a first time stamp from the access request, wherein the first time stamp is the time stamp when the sender sends the access request;
determining a second timestamp when the access request is received;
determining a time difference according to the first time stamp and the second time stamp;
determining a dynamic time error range;
determining whether the time difference is within the dynamic time error range;
and if so, determining that the access request passes the timestamp check rule.
Optionally, determining the dynamic time error range comprises: and determining a dynamic time error range according to the request flow characteristic, the CPU performance characteristic and a preset time stamp coefficient.
Optionally, determining the dynamic time error range according to the requested traffic characteristic and the CPU performance characteristic includes: and determining a dynamic time error range according to the number of requests processed by the server per second, the current number of requests processed by the server, the CPU utilization rate, the maximum CPU utilization rate and a preset timestamp coefficient.
Optionally, the method determines the dynamic time error range according to the following equation (1):
Figure BDA0003074451770000021
wherein nT represents the number of requests that can be processed by the server per second, cT represents the number of requests currently processed by the server, S represents the CPU utilization, maxS represents the maximum CPU utilization, and P represents a preset timestamp coefficient; req(t) represents a request parameter coefficient, and CPU(t) represents a CPU utilization coefficient.
Optionally, the verifying the access request according to a preset message verification rule includes:
analyzing the access request, and acquiring a first message value from the access request, wherein the first message value is a result obtained by a sender through calculation on the message content of the access request according to a preset rule;
calculating the message content of the access request according to the preset rule to obtain a second message value;
comparing the first message value with the second message value;
and if the first message value is the same as the second message value, determining that the access request passes the message check rule.
Optionally, according to the preset rule, calculating the message content of the access request, and obtaining a second message value includes: determining the message content to be calculated of the access request; and carrying out Hash calculation on the message content to be calculated to obtain a second message value.
Optionally, performing hash calculation on the message content to be calculated to obtain a second message value includes: performing SHA1 calculation on the message content to be calculated to obtain an intermediate value; and performing MD5 calculation on the intermediate value to obtain a second message value.
Optionally, the message content to be calculated at least includes one or more of the following: the uniform resource identifier of the access request, the request parameter and the request message body.
Optionally, the content of the message to be calculated further includes a preset salt value.
Optionally, the checking the access request according to a preset random number check rule includes: analyzing the access request, and acquiring a random number to be checked from the access request; determining whether the random number to be checked exists in a preset storage unit; and if the random number does not exist, determining that the access request passes the random number check rule.
Optionally, after determining that the access request passes the random number check rule, the method further comprises: and writing the random number to be verified into the storage unit, and setting the failure time of the random number to be verified.
Optionally, the verifying the access request according to a preset timestamp check rule, a preset message check rule and a preset random number check rule includes: performing basic check on the access request; and if the access request passes the verification, verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule.
Optionally, the performing the basic check on the access request includes: acquiring a uniform resource identifier of the access request; determining whether the uniform resource identifier is in a preset black and white list; and if not, determining that the access request passes the basic check.
To achieve the above object, according to another aspect of embodiments of the present invention, there is provided a request anti-replay verification apparatus including:
a receiving module, configured to receive an access request;
the verification module is used for verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule;
and the processing module is used for processing the access request under the condition that the access request passes the verification.
Optionally, the verification module is further configured to: analyzing the access request, and acquiring a first time stamp from the access request, wherein the first time stamp is the time stamp when the sender sends the access request; determining a second timestamp when the access request is received; determining a time difference according to the first time stamp and the second time stamp; determining a dynamic time error range; determining whether the time difference is within the dynamic time error range; and if so, determining that the access request passes the timestamp check rule.
Optionally, the verification module is further configured to: and determining a dynamic time error range according to the request flow characteristic, the CPU performance characteristic and a preset time stamp coefficient.
Optionally, the verification module is further configured to: and determining a dynamic time error range according to the number of requests which can be processed by the server per second, the number of requests which can be processed by the server currently, the CPU utilization rate, the maximum CPU utilization rate and a preset timestamp coefficient.
Optionally, the check module is further configured to determine a dynamic time error range according to the following equation (1):
Figure BDA0003074451770000051
wherein nT represents the number of requests that can be processed by the server per second, cT represents the number of requests currently processed by the server, S represents the CPU utilization, maxS represents the maximum CPU utilization, and P represents a preset timestamp coefficient; req(t) represents a request parameter coefficient, and CPU(t) represents a CPU utilization coefficient.
Optionally, the verification module is further configured to: analyzing the access request, and acquiring a first message value from the access request, wherein the first message value is a result obtained by a sender through calculation on the message content of the access request according to a preset rule; calculating the message content of the access request according to the preset rule to obtain a second message value; comparing the first message value with the second message value; and if the first message value is the same as the second message value, determining that the access request passes the message check rule.
Optionally, the verification module is further configured to: determining the message content to be calculated of the access request; and carrying out Hash calculation on the content of the message to be calculated to obtain a second message value.
Optionally, the verification module is further configured to: performing SHA1 calculation on the message content to be calculated to obtain an intermediate value; and performing MD5 calculation on the intermediate value to obtain a second message value.
Optionally, the message content to be calculated at least includes one or more of the following: the uniform resource identifier of the access request, the request parameter and the request message body.
Optionally, the content of the message to be calculated further includes a preset salt value.
Optionally, the verification module is further configured to: analyzing the access request, and acquiring a random number to be checked from the access request; determining whether the random number to be checked exists in a preset storage unit or not; and if not, determining that the access request passes the random number check rule.
Optionally, the verification module is further configured to: and writing the random number to be verified into the storage unit, and setting the failure time of the random number to be verified.
Optionally, the verification module is further configured to: performing basic check on the access request; and if the access request passes the verification, verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule.
Optionally, the verification module is further configured to: acquiring a uniform resource identifier of the access request; determining whether the uniform resource identifier is in a preset black and white list; and if not, determining that the access request passes the basic check.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic apparatus including: one or more processors; a storage device, configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the request anti-replay verification method of an embodiment of the present invention.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided a computer-readable medium on which a computer program is stored, the program implementing the request anti-replay verification method of an embodiment of the present invention when executed by a processor.
One embodiment of the above invention has the following advantages or benefits: the technical means of verifying the access request through the preset timestamp verification rule, the preset message verification rule and the preset random number verification rule greatly reduces the influence of the replay verification request on the performance of the server under the high-flow and high-concurrency request state, provides powerful guarantee and technical guidance for meeting the safety management of an enterprise-level system, can ensure the communication safety between services, and improves the anti-attack capability of the system.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a request anti-replay verification method of an embodiment of the present invention;
FIG. 2 is a schematic diagram of a sub-flow of a request anti-replay verification method of an embodiment of the present invention;
FIG. 3 is a schematic diagram of a sub-flow of a request anti-replay verification method of an embodiment of the present invention;
FIG. 4 is a schematic diagram of a sub-flow of a request anti-replay verification method of an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main blocks of a request anti-replay verification apparatus of an embodiment of the present invention;
FIG. 6 is a schematic diagram of the main blocks of a request anti-replay verification apparatus of an embodiment of the present invention;
FIG. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 8 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic flow chart of a method for requesting anti-replay verification according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
step S101: receiving an access request;
step S102: verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule;
step S103: and if the verification is passed, processing the access request.
The request anti-replay verification method provided by this embodiment provides a triple message verification method fusing multiple features for Internet-facing interface services based on HTTP, so that the correctness of the request message is ensured, the communication security between services is ensured, and the anti-attack capability of the system is improved. Specifically, the triple message verification method fusing multiple features provided in this embodiment verifies the access request according to a preset timestamp verification rule, a preset message verification rule, and a preset random number verification rule. The order of the three check rules can be set flexibly, and the invention is not limited in this respect. For example, the access request may first be checked according to the message check rule, then, if that check passes, according to the timestamp check rule, and then, if that check passes, according to the random number check rule. Preferably, the access request is checked according to the timestamp check rule first: when the timestamp check is placed first in the sequence, some invalid requests can be filtered out and the calculation cost of the subsequent checks is reduced. Each of the check rules is explained in detail below.
As shown in fig. 2, the process of verifying the access request according to the preset timestamp verification rule includes:
step S201: analyzing the access request, and acquiring a first time stamp from the access request, wherein the first time stamp is the time stamp when the sender sends the access request;
step S202: determining a second timestamp when the access request is received;
step S203: determining a time difference according to the first time stamp and the second time stamp;
step S204: determining a dynamic time error range;
step S205: determining whether the time difference is within the dynamic time error range;
step S206: and if so, determining that the access request passes the timestamp check rule.
For step S201, the first timestamp may be obtained from some parameter of the access request. As an example, assuming that the access request is initiated to the server through the web application, the access request is named a request, and an example of a request message is shown below. Then the present embodiment may write the first timestamp in the X-TS parameter of the URI.
Method: POST
URI: http://ip:port/XXX/listByPage?X-TS=1612439444941&X-Random=4335974381
Request Headers:
Signature: 6e682d3gsdgf934t6f4s43845
Request Body:
{
"requestEntity": {},
……
}
For step S203, the second timestamp is subtracted from the first timestamp to obtain a time difference.
For step S204, specifically, the dynamic time error range may be determined according to the following process: and determining a dynamic time error range according to the request flow characteristic, the CPU performance characteristic and a preset time stamp coefficient. In the embodiment, the request flow characteristic and the CPU performance characteristic are weighted, and a weighted probability model is provided, so that the dynamic time error range of the current access request is adjusted according to the probability model. The algorithm effectively excavates the computer performance characteristics related to the current access request, and performs weighting processing and multi-characteristic fusion on the influence factors in a weighting mode to achieve the purposes of dynamically adjusting the time stamp check range (namely the dynamic time error range), reducing the invalid check times of illegal requests and achieving the capability of dynamically adjusting the load and performance of the server; the method greatly reduces the influence of the replay check request on the performance of the server under the conditions of high flow and high concurrent request, and provides powerful guarantee and technical guidance for meeting the safety management of an enterprise-level system. Specifically, the request traffic characteristics include the number of requests per second that the server can process and the number of requests currently processed by the server, and the CPU performance characteristics include the CPU utilization and the CPU maximum utilization. More specifically, the dynamic time error range obtained by fusing the request traffic characteristic and the CPU performance characteristic in the present embodiment is shown in the following formula (1):
Figure BDA0003074451770000091
wherein nT represents the number of requests that can be processed by the server per second (i.e., the capacity of requests processed by the server), cT represents the number of requests currently processed by the server, S represents the CPU utilization, maxS represents the maximum CPU utilization, and P represents a preset timestamp coefficient; req (t) represents a request parameter coefficient, and CPU (t) represents a CPU utilization coefficient.
As can be seen from equation (1), the closer the current access request load is to the server's capacity to process requests, the closer req(t) is to 1; when the current access request load exceeds the server's capacity to process requests by a factor of 5, the coefficient approaches 0.5. When the difference between the CPU utilization and the maximum CPU utilization reaches 10 points (10%) or more, CPU(t) approaches 1; as the CPU utilization approaches the maximum CPU utilization, the coefficient approaches 0.5.
The preset message check rule is used to check whether the message of the access request has been tampered with. Specifically, the process of verifying the access request according to the message check rule includes:
step S301: analyzing the access request, and acquiring a first message value from the access request, wherein the first message value is a result obtained by a sender through calculation on the message content of the access request according to a preset rule;
step S302: calculating the message content of the access request according to the preset rule to obtain a second message value;
step S303: comparing the first message value with the second message value;
step S304: and if the first message value is the same as the second message value, determining that the access request passes the message check rule.
In this embodiment, a range of the message to be calculated may be preset, for example, the range may include one or more of the following: uniform resource identifier URI, request parameters and request body of the access request. Preferably, the scope is the uniform resource identifier URI, request parameters and request body of the access request.
The sender of the access request calculates a first message value of the access request according to a preset rule and then writes the first message value into the access request. For example, the first message value may be written into the Signature field. After receiving the access request, the receiver obtains the message content to be calculated according to the pre-configured parameters, namely the uniform resource identifier, the request parameters and the request message body of the access request. It then calculates the message content to be calculated according to the preset rule to obtain a second message value. The first message value and the second message value are then compared to judge whether they are consistent; if so, the check passes and the access request can be determined to be a legal request. If they are not consistent, the check fails, indicating that the access request has been tampered with; the access request can be determined to be an illegal request and rejected.
Further, in this embodiment, the message content of the access request may be calculated with a hash algorithm. A hash algorithm converts an input of arbitrary length into an output of fixed length, and the output is the hash value. Common hash algorithms include MD4, MD5, SHA1, and the like. In this embodiment, MD5 and SHA1 are selected to calculate the message content of the access request: SHA1 calculation is first performed on the message content to be calculated to obtain an intermediate value, and MD5 calculation is then performed on the intermediate value to obtain the second message value. The formula is shown in the following formula (2):
EncodeMD5(EncodeSha1(request.getURI+request.getQueryString+request.getBody))
where request.getURI represents obtaining the Uniform Resource Identifier (URI) of the access request, request.getQueryString represents obtaining the request parameters of the access request, and request.getBody represents obtaining the message body of the access request.
In an optional embodiment, in order to enhance the accuracy and reliability of the verification and enhance the security of the one-way hash calculation, a salt (salt) is added to the hash algorithm, and the salt is equivalent to an encrypted key, so that the difficulty of cracking is increased. Therefore, the salt value can be set when the message of the access request is checked according to the message check rule. The salt value is an additional value added in the hash process and can comprise random upper and lower case letters, numbers and characters, and the number of digits can be different according to requirements. Therefore, equation (2) for calculating the message value becomes equation (3):
EncodeMD5(EncodeSha1(salt + request.getURI + request.getQueryString + request.getBody))
For the preset random number check rule, considering that a hacker can quickly intercept an access request by using a technical method and perform massive replay attack on a message in a short time, the present embodiment sets the random number check rule as a replay-proof supplementary check.
Specifically, as shown in fig. 4, the process of verifying the access request according to the preset random number verification rule includes:
step S401: analyzing the access request, and acquiring a random number to be checked from the access request;
step S402: determining whether the random number to be checked exists in a preset storage unit or not;
step S403: if not, determining that the access request passes the random number check rule;
step S404: and writing the random number to be verified into the storage unit, and setting the failure time of the random number to be verified.
The front end (namely the sender of the access request) generates a random number to be checked according to the agreed, pre-configured random number generation rule and number of digits, and writes the random number to be checked into the X-Random parameter of the access request message. After receiving the access request, the receiver obtains the X-Random parameter value and uses it as a key to look up the currently stored valid random numbers in a preset storage unit. If the value is found, the random number already exists, meaning the access request has already requested the service of the back-end system; the access request is deemed an illegal replay request and rejected. If the random number does not exist, the access request is determined to be a legal request, the X-Random parameter value of the request is stored in the preset storage unit as a key, and its failure time is set to P, which guarantees that the same access request cannot be repeated within the valid range of the timestamp check. Thus, the embodiment of the invention completes the triple verification of the access request. If the access request passes the triple check, processing of the service content of the access request begins.
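The triple check described above (timestamp window, message value per equation (3), random number with a failure time), as an added Python example that is not code from the patent or its assignee. The Request model, the salt, nonce and timestamp values are constructed; the dynamic time error range of equation (1) is taken as a plain parameter because its formula is not reproduced on the page; and hex-encoding of the SHA1 and MD5 steps is an assumption.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample salt (not a value from the patent).
SALT = "example-salt-value"


@dataclass
class Request:
    """Minimal model of the access request in the patent's example message."""
    uri: str                       # e.g. "http://ip:port/XXX/listByPage"
    query: Dict[str, str]          # carries X-TS (sender timestamp, ms) and X-Random (nonce)
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

    def query_string(self) -> str:
        return "&".join(f"{k}={v}" for k, v in self.query.items())


def message_value(salt: str, uri: str, query_string: str, body: str) -> str:
    """Equation (3): EncodeMD5(EncodeSha1(salt + URI + query string + body)).
    Assumption: each Encode step yields a lowercase hex digest and MD5 runs over
    the hex text of the SHA1 result. (HMAC is the usual keyed construction.)"""
    inner = hashlib.sha1((salt + uri + query_string + body).encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def sign_request(req: Request, salt: str, ts_ms: int, nonce: str) -> Request:
    """Sender side: put X-TS and X-Random into the query string, then write the
    first message value into the Signature header. Since the query string is
    part of the hashed content, timestamp and nonce are covered by the value."""
    req.query["X-TS"] = str(ts_ms)
    req.query["X-Random"] = nonce
    req.headers["Signature"] = message_value(salt, req.uri, req.query_string(), req.body)
    return req


class ReplayVerifier:
    """Receiver side: the triple check, in the patent's preferred order."""
    def __init__(self, salt: str, window_ms: int,
                 now_ms: Callable[[], int] = lambda: int(time.time() * 1000)):
        self.salt = salt
        # The patent derives this range from equation (1); it is a parameter here.
        self.window_ms = window_ms
        # The "preset storage unit": nonce -> failure time (ms).
        self.nonce_store: Dict[str, int] = {}
        self.now_ms = now_ms

    def check_timestamp(self, req: Request) -> bool:  # steps S201-S206
        try:
            first_ts = int(req.query["X-TS"])
        except (KeyError, ValueError):
            return False
        return abs(self.now_ms() - first_ts) <= self.window_ms

    def check_message(self, req: Request) -> bool:  # steps S301-S304
        first = req.headers.get("Signature", "")
        second = message_value(self.salt, req.uri, req.query_string(), req.body)
        return hmac.compare_digest(first.encode(), second.encode())  # constant-time

    def check_nonce(self, req: Request) -> bool:  # steps S401-S403
        now = self.now_ms()
        # purge nonces past their failure time, then reject any that is still stored
        self.nonce_store = {n: t for n, t in self.nonce_store.items() if t > now}
        nonce = req.query.get("X-Random")
        return bool(nonce) and nonce not in self.nonce_store

    def verify(self, req: Request) -> Tuple[bool, str]:
        """Returns (passed, reason); reason names the first failing rule."""
        for name, check in (("timestamp", self.check_timestamp),
                            ("message", self.check_message),
                            ("nonce", self.check_nonce)):
            if not check(req):
                return False, name
        # step S404: store the nonce with a failure time. The patent sets it to P;
        # using the time window (assumption) keeps it alive for the whole window.
        self.nonce_store[req.query["X-Random"]] = self.now_ms() + self.window_ms
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a fresh request, its replay, a tampered copy, a stale one."""
    clock = [1612439444941]  # constructed receiver time in ms (fixed clock for the demo)
    verifier = ReplayVerifier(SALT, window_ms=5000, now_ms=lambda: clock[0])
    uri, body = "http://ip:port/XXX/listByPage", '{"requestEntity":{}}'
    fresh = sign_request(Request(uri, {}, body), SALT, ts_ms=clock[0], nonce="4335974381")
    results = {"fresh": verifier.verify(fresh)}
    results["replayed"] = verifier.verify(fresh)  # same nonce again -> rejected
    # body edited in transit; the salted message value cannot be recomputed without the salt
    tampered = Request(uri, dict(fresh.query), '{"requestEntity":{"page":99}}', dict(fresh.headers))
    results["tampered"] = verifier.verify(tampered)
    # correctly signed, but sent with a timestamp far outside the error range
    stale = sign_request(Request(uri, {}, body), SALT, ts_ms=clock[0] - 60_000, nonce="n2")
    results["stale"] = verifier.verify(stale)
    return results
```

Running demo() shows the timestamp check rejecting the stale request before any hashing is done, which is the cost saving the patent claims for placing it first.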
In an optional embodiment, a basic check is performed on the access request before the triple check; a request that passes the basic check proceeds to the triple check, and a request that fails it is rejected. Specifically, this step compares the URI of the access request with a preset black-and-white list to determine whether the access request needs the triple check: if the URI matches an entry in the black-and-white list, the triple check is skipped. The steps are:
acquiring a uniform resource identifier of the access request;
determining whether the uniform resource identifier is in the preset black and white list;
and if not, determining that the access request passes the basic check.
The request anti-replay verification method of the embodiment of the invention greatly reduces the influence of the anti-replay verification request on the performance of the server under the high-flow and high-concurrency request state, and provides powerful guarantee and technical guidance for meeting the safety management of an enterprise-level system. Specifically, according to the timestamp verification rule of the request anti-replay verification method, the request flow characteristics and the CPU performance characteristics are weighted, a weighted probability model is provided, and the dynamic time error range of the current access request is adjusted according to the probability model. The algorithm effectively mines the performance characteristics of the computer related to the current access request, and performs weighting processing and multi-characteristic fusion on the influence factors in a weighting mode, so that the time stamp check range (namely the dynamic time error range) is dynamically adjusted, the invalid check times of illegal requests are reduced, and the capability of dynamically adjusting the load and the performance of the server is achieved. When the timestamp range check is taken as the first check sequence, certain invalid requests can be filtered out, and the calculation cost of subsequent check is reduced. Whether the message of the access request is tampered is checked through a message checking rule, and the calculation cost is linearly related to the data volume of the request. By using the random number check rule as a supplementary check for the message check rule and the timestamp check rule, the problem that a hacker quickly intercepts an access request by using a technical method and performs massive replay attack on the message in a short time is solved.
Fig. 5 is a flow chart illustrating the main steps of a request anti-replay verification method according to another embodiment of the present invention, as shown in fig. 5, the method includes:
step S501: configuring the parameters required by the checks. Specifically, the check parameter values may be pre-configured according to the actual usage of the system, and the parameters include but are not limited to: the allowed request methods, the request URI black-and-white list to monitor, the fields to check, the message range included in the message value calculation, the salt value for the message value calculation, the number of digits of the random number, and the failure time of the random number.
Step S502: receiving the access request sent by the front end. Suppose the front end initiates an access request to the server from a web page; call it Request. An example of the request message:
Method: POST
URI: http://ip:port/XXX/listByPage?X-TS=1612439444941&X-Random=4335974381
Request Headers:
Signature: 6e682d3gsdgf934t6f4s43845
Request Body:
{
"requestEntity": {},
……
}
step S503: after receiving the access request, the basic check is performed on it. Specifically: acquiring the uniform resource identifier of the access request; determining whether the uniform resource identifier is in the preset black-and-white list; and if not, determining that the access request passes the basic check. If it is, the triple check is skipped: in this example, if "/XXX/listByPage" matched a URI entry configured in the black-and-white list, the triple check would be skipped. The request method of the request is also checked against the basic requirement (the allowed request methods), and the request is rejected if it does not meet it.
Step S504: the request has passed the basic check and requires the triple check; first, whether the message has been tampered with is checked. Specifically, the process comprises: analyzing the access request and acquiring a first message value from it, the first message value being the result the sender computed over the message content of the access request according to a preset rule; computing the message content of the access request according to the same preset rule to obtain a second message value; comparing the first message value with the second message value; and if they are the same, determining that the access request passes the message check rule. The message content to be computed comprises the uniform resource identifier of the access request, the request parameters, the request message body and the preset salt value. More specifically, the message is parsed and, with the configured salt value, the SHA1 hash and then the MD5 value are computed in sequence over the message content in the configured range, giving the server-side message value:
EncodeMD5(EncodeSha1(salt + request.getURI + request.getQueryString + request.getBody))
The Signature field value in the request message is the message value obtained by the front end with the same calculation strategy. The server-side message value is compared with the Signature taken from the request message to judge whether they are consistent. If they are consistent, the request is determined to be legal at this stage and proceeds to the second check; if they are inconsistent, the request has been tampered with, it is determined to be illegal, and the service rejects it.
Step S504: after the integrity of the message content has been confirmed in the previous step, the Request enters the second of the triple checks, the timestamp check. The process: analyzing the access request and acquiring a first timestamp from it, the first timestamp being the time at which the sender sent the access request; determining a second timestamp at which the access request was received; determining the time difference between the first and second timestamps; determining a dynamic time error range; determining whether the time difference is within the dynamic time error range; and if so, determining that the access request passes the timestamp check rule.
If the Request is a normal HTTP request, then allowing for normal network delay the time from the page sending the request to the system server receiving it is usually no more than 1 minute, whereas the time an attacker needs to capture the request packet and replay it is far longer; the time error between the sending and the receipt of the request can therefore be used as one metric of whether the message is a replay.
The front end places the timestamp at which the request is issued into the X-TS parameter of the URI. After receiving the request, the server obtains the X-TS parameter value and records the timestamp tm at which it (in the same time zone) received the request message; the time error range is then computed by the server from a fused multi-feature function with the following parameters:
Designed timestamp range: P = 60 s
Server processing capacity: nT (designed number of concurrent requests processed per second) = 500
Current number of requests on the server: cT
CPU usage: S (%)
Maximum CPU usage: maxS = 75%
Request parameter coefficient Req(t): [defined by an equation image in the original, not reproduced on this page]
CPU usage coefficient CPU(t): [defined by an equation image in the original, not reproduced on this page]
The dynamic time error of the server is then obtained as: F(t) = P(t) × cpu(t)
If tm − X-TS ≤ F(t), the time error is within the allowable range computed by the server from the fused multi-feature function, the request passes this check as legal and proceeds to the third check; if the error exceeds F(t), the time parameter in the request is judged invalid, the request is determined to be illegal, and it is rejected.
Step S505: and after the request timestamp is successfully checked, entering the last random number check. Specifically, the process comprises the following steps: analyzing the access request, and acquiring a random number to be checked from the access request; determining whether the random number to be checked exists in a preset storage unit; and if not, determining that the access request passes the random number check rule.
In this embodiment, because an attacker can quickly intercept a message and replay it in large volume within a short time to attack the system, the Request message enters the last of the triple checks, the random number check, after the timestamp check, as a supplementary anti-replay check. Based on the request rate the system normally receives, a system administrator configures the random number failure time and the random number generation rule and digit count so that random numbers generated within the failure time window are, with high probability, not repeated; this serves as the supplement to the timestamp check, and the random number failure time range is usually kept equal to the allowable timestamp error range. Before sending a request message, the front end generates a random number according to the agreed generation rule and digit count and places it in the X-Random parameter of the request message. The server-side module obtains the X-Random parameter value from the request and uses it as a key to look up the currently stored valid random numbers in the system: if it is found, the random number already exists, the request has already requested the service of the back-end system, and it is determined to be an illegal replay request and rejected. If it does not exist, the request is determined to be legal, its X-Random parameter value is stored in the system as a key with failure time P, the same request cannot be repeated within the valid range of the timestamp check, and all steps of the triple check are complete.
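As an added example that is not part of the patent text, the following Python models the whole flow of steps S501 to S505 above, and thereby also the random number rule of steps S401 to S404: a front end that signs a request carrying X-TS and X-Random in the URI, and a server that runs the basic check, the message check (MD5 over SHA1 over salt + URI + query string + body), the timestamp check against a dynamic window, and the random number check against an expiring store. The configuration values, the salt, the helper names, the linear forms chosen for Req(t) and CPU(t) (the page gives them only as images), treating request.getURI as the URI path, and feeding the hex SHA1 digest into MD5 are all assumptions of this example; the request and load values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# S501: check configuration. The page lists the parameter kinds; the values
# below (and the salt) are assumptions for this example.
CONFIG = {
    "allowed_methods": {"POST"},
    "listed_uris": {"/XXX/health"},  # URI black/white list: a matching URI skips the triple check
    "salt": "assumed-shared-salt",   # agreed secret known to front end and server
    "P": 60.0,                       # preset timestamp coefficient (base window), seconds
    "nT": 500,                       # requests per second the server is designed to process
    "maxS": 75.0,                    # maximum CPU usage, percent
    "nonce_ttl": 60.0,               # random number failure time, kept equal to P as the page advises
}


def message_value(salt, uri, query, body):
    """MD5(SHA1(salt + URI + query string + body)), the page's message value.
    Hashing the hex SHA1 digest with MD5 is an assumption; the page does not say."""
    sha1_hex = hashlib.sha1((salt + uri + query + body).encode()).hexdigest()
    return hashlib.md5(sha1_hex.encode()).hexdigest()


def dynamic_window(P, nT, cT, S, maxS):
    """Dynamic time error range read as F(t) = P * Req(t) * CPU(t). The page gives
    Req(t) and CPU(t) only as images; the linear forms here are an assumption that
    narrows the window as load and CPU usage rise."""
    req = max(0.0, 1.0 - cT / nT)   # assumed Req(t): share of design capacity still free
    cpu = max(0.0, 1.0 - S / maxS)  # assumed CPU(t): share of the CPU budget still free
    return P * req * cpu


class NonceStore:
    """The 'preset storage unit': random number -> expiry time. In a cluster this
    must be shared by all instances (a cache with TTL), or a replay sent to a
    different node never finds the nonce."""

    def __init__(self):
        self._seen = {}

    def check_and_record(self, nonce, now, ttl):
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}  # purge expired
        if nonce in self._seen:
            return False  # already used inside its failure time: replay
        self._seen[nonce] = now + ttl
        return True


def sign_request(method, path, x_ts_ms, nonce, body, salt):
    """Front end: put X-TS and X-Random in the URI and compute Signature the same
    way the server recomputes it. Returns the request as a dict."""
    query = f"X-TS={x_ts_ms}&X-Random={nonce}"
    return {"method": method, "uri": f"http://ip:port{path}?{query}", "body": body,
            "headers": {"Signature": message_value(salt, path, query, body)}}


def verify(req, cfg, store, now, load):
    """S503 basic check, then the triple check in the S504/S505 order: message
    value, timestamp, random number. Returns (passed, reason)."""
    parts = urlsplit(req["uri"])
    if req["method"] not in cfg["allowed_methods"]:
        return False, "request method not allowed"
    if parts.path in cfg["listed_uris"]:
        return True, "listed URI, triple check skipped"
    # 1. message check; the URI part is the path, as a servlet getRequestURI returns (assumption)
    expected = message_value(cfg["salt"], parts.path, parts.query, req["body"])
    if not hmac.compare_digest(expected, req["headers"].get("Signature", "")):
        return False, "message value mismatch"
    # 2. timestamp check against the dynamic window
    q = parse_qs(parts.query)
    try:
        x_ts = int(q["X-TS"][0]) / 1000.0  # X-TS in the sample request is in milliseconds
        nonce = q["X-Random"][0]
    except (KeyError, ValueError):
        return False, "missing X-TS or X-Random"
    window = dynamic_window(cfg["P"], cfg["nT"], load["cT"], load["S"], cfg["maxS"])
    # abs() also rejects future-dated timestamps, which the page's tm - X-TS <= F(t) form lets through
    if abs(now - x_ts) > window:
        return False, "timestamp outside dynamic window"
    # 3. random number check; the nonce is covered by Signature, so it cannot be swapped unnoticed
    if not store.check_and_record(nonce, now, cfg["nonce_ttl"]):
        return False, "random number already seen: replay"
    return True, "passed triple check"


def demo():
    """Constructed scenario: a fresh request, its exact replay, a tampered copy and a stale one."""
    store, cfg = NonceStore(), CONFIG
    load = {"cT": 100, "S": 30.0}  # assumed current load: 100 in-flight requests, 30% CPU
    t0 = 1612439444.941            # the X-TS of the page's sample request, in seconds
    body = '{"requestEntity":{}}'
    req = sign_request("POST", "/XXX/listByPage", 1612439444941, "4335974381", body, cfg["salt"])
    fresh = verify(req, cfg, store, t0 + 2, load)
    replay = verify(req, cfg, store, t0 + 5, load)  # same bytes, 3 s later
    tampered = verify(dict(req, body='{"requestEntity":{"admin":true}}'), cfg, store, t0 + 2, load)
    late = sign_request("POST", "/XXX/listByPage", 1612439444941, "9999999999", body, cfg["salt"])
    stale = verify(late, cfg, store, t0 + 120, load)  # fresh nonce, but two minutes old
    return fresh, replay, tampered, stale


if __name__ == "__main__":
    for name, result in zip(("fresh", "replay", "tampered", "stale"), demo()):
        print(f"{name:9}-> {result}")
```

The demo shows the exact replay being stopped by the random number check, a body edit by the message check, and a two-minute-old request by the window, which under the assumed load of 100 in-flight requests and 30% CPU is 28.8 s rather than the full 60 s. Two points the description above leaves implicit: the nonce store must be shared across all server instances, and the nonce failure time must not be shorter than the timestamp window, otherwise a replay that arrives after the nonce has expired but still inside the window passes both checks.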
The request anti-replay verification method of the embodiment of the invention greatly reduces the influence of the anti-replay verification request on the performance of the server under the high-flow and high-concurrency request state, provides powerful guarantee and technical guidance for meeting the security management of an enterprise-level system, can ensure the communication security between services, and improves the anti-attack capability of the system.
Fig. 6 is a schematic diagram of main blocks of a request anti-replay verification apparatus 600 according to an embodiment of the present invention, and as shown in fig. 6, the apparatus 600 includes:
a receiving module 601, configured to receive an access request;
a verification module 602, configured to verify the access request according to a preset timestamp verification rule, a preset message verification rule, and a preset random number verification rule;
a processing module 603, configured to process the access request when the access request passes the verification.
Optionally, the verification module 602 is further configured to: analyze the access request and acquire a first timestamp from it, the first timestamp being the time at which the sender sent the access request; determine a second timestamp at which the access request was received; determine a time difference from the first and second timestamps; determine a dynamic time error range; determine whether the time difference is within the dynamic time error range; and if so, determine that the access request passes the timestamp check rule.
Optionally, the verification module 602 is further configured to: determine the dynamic time error range according to the request flow characteristic, the CPU performance characteristic and a preset timestamp coefficient.
Optionally, the verification module 602 is further configured to: determine the dynamic time error range according to the number of requests the server can process per second, the number of requests currently being processed by the server, the CPU utilization, the maximum CPU utilization and a preset timestamp coefficient.
Optionally, the verification module 602 is further configured to determine the dynamic time error range according to the following equation (1):
[equation (1) is given as an image in the original and is not reproduced on this page]
where nT represents the number of requests the server can process per second, cT the number of requests currently being processed by the server, S the CPU utilization, maxS the maximum CPU utilization, P the preset timestamp coefficient, Req(t) the request parameter coefficient and CPU(t) the CPU utilization coefficient.
Optionally, the verification module 602 is further configured to: analyze the access request and acquire a first message value from it, the first message value being the result the sender computed over the message content of the access request according to a preset rule; compute the message content of the access request according to the same preset rule to obtain a second message value; compare the first message value with the second message value; and if they are the same, determine that the access request passes the message check rule.
Optionally, the verification module 602 is further configured to: determine the message content to be computed for the access request; and perform a hash calculation on that message content to obtain the second message value.
Optionally, the verification module 602 is further configured to: perform a SHA1 calculation on the message content to be computed to obtain an intermediate value; and perform an MD5 calculation on the intermediate value to obtain the second message value.
Optionally, the message content to be computed includes at least one or more of: the uniform resource identifier of the access request, the request parameters and the request message body.
Optionally, the message content to be computed further includes a preset salt value.
Optionally, the verification module 602 is further configured to: analyze the access request and acquire a random number to be checked from it; determine whether the random number to be checked exists in a preset storage unit; and if not, determine that the access request passes the random number check rule.
Optionally, the verification module 602 is further configured to: write the random number to be checked into the storage unit and set its failure time.
Optionally, the verification module 602 is further configured to: perform a basic check on the access request; and if the access request passes it, verify the access request according to the preset timestamp check rule, the preset message check rule and the preset random number check rule.
Optionally, the verification module 602 is further configured to: acquire the uniform resource identifier of the access request; determine whether the uniform resource identifier is in a preset black and white list; and if not, determine that the access request passes the basic check.
The request anti-replay verification device of the embodiment of the invention greatly reduces the influence of the anti-replay verification request on the performance of the server under the high-flow and high-concurrency request state, and provides powerful guarantee and technical guidance for meeting the safety management of an enterprise-level system. Specifically, according to the timestamp verification rule of the request anti-replay verification method, the request flow characteristics and the CPU performance characteristics are weighted, a weighted probability model is provided, and the dynamic time error range of the current access request is adjusted according to the probability model. The algorithm effectively mines the performance characteristics of the computer related to the current access request, and performs weighting processing and multi-characteristic fusion on the influence factors in a weighting mode, so that the time stamp check range (namely the dynamic time error range) is dynamically adjusted, the invalid check times of illegal requests are reduced, and the capability of dynamically adjusting the load and the performance of the server is achieved. When the timestamp range check is taken as the first check sequence, certain invalid requests can be filtered out, and the calculation cost of subsequent check is reduced. Whether the message of the access request is tampered is checked through a message checking rule, and the calculation cost is linearly related to the data volume of the request. By using the random number check rule as a supplementary check for the message check rule and the timestamp check rule, the problem that a hacker quickly intercepts an access request by using a technical method and performs massive replay attack on the message in a short time is solved.
The device can execute the method provided by the embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the method provided in the embodiment of the present invention.
Fig. 7 illustrates an exemplary system architecture 700 to which the request anti-replay verification method or the request anti-replay verification apparatus of an embodiment of the present invention may be applied.
As shown in fig. 7, the system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 serves to provide a medium for communication links between the terminal devices 701, 702, 703 and the server 705. Network 704 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 701, 702, 703 to interact with a server 705 over a network 704, to receive or send messages or the like. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like, may be installed on the terminal devices 701, 702, and 703.
The terminal devices 701, 702, 703 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 705 may be a server that provides various services, such as a background management server that supports shopping websites browsed by users using the terminal devices 701, 702, and 703. The background management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (e.g., target push information and product information) to the terminal device.
It should be noted that the request anti-replay verification method provided by the embodiment of the present invention is generally executed by the server 705, and accordingly, the request anti-replay verification apparatus is generally disposed in the server 705.
It should be understood that the number of terminal devices, networks, and servers in fig. 7 are merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 8, a computer system 800 includes a Central Processing Unit (CPU) 801 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that the computer program read out therefrom is mounted on the storage section 808 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a sending module, an obtaining module, a determining module, and a first processing module. The names of these modules do not constitute a limitation to the unit itself in some cases, and for example, the sending module may also be described as a "module that sends a picture acquisition request to a connected server".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving an access request; verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule; and if the verification is passed, processing the access request.
The technical scheme of the embodiment of the invention greatly reduces the influence of the replay check request on the performance of the server under the high-flow and high-concurrency request state, provides powerful guarantee and technical guidance for meeting the security management of an enterprise-level system, can ensure the communication security between services and improves the anti-attack capability of the system.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (15)

1. A request anti-replay verification method, comprising:
receiving an access request;
verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule;
if the verification is passed, processing the access request;
wherein the verifying the access request according to a preset timestamp verification rule comprises: analyzing the access request, and acquiring a first time stamp from the access request, wherein the first time stamp is the time stamp when the sender sends the access request; determining a second timestamp when the access request is received; determining a time difference according to the first time stamp and the second time stamp; determining a dynamic time error range; determining whether the time difference is within the dynamic time error range; if so, determining that the access request passes the timestamp verification rule;
determining a dynamic time error range according to the following formula (1):
[formula (1) is given as an image in the original and is not reproduced on this page]
where nT represents the number of requests the server can process per second, cT the number of requests currently being processed by the server, S the CPU utilization, maxS the maximum CPU utilization, P a preset timestamp coefficient, Req(t) a request parameter coefficient and CPU(t) a CPU utilization coefficient.
2. The method of claim 1, wherein determining a dynamic time error range comprises: and determining a dynamic time error range according to the request flow characteristic, the CPU performance characteristic and a preset time stamp coefficient.
3. The method of claim 2, wherein determining a dynamic time error range according to the request flow characteristic and the CPU performance characteristic comprises:
and determining a dynamic time error range according to the number of requests which can be processed by the server per second, the number of requests which can be processed by the server currently, the CPU utilization rate, the maximum CPU utilization rate and a preset timestamp coefficient.
4. The method of claim 1, wherein verifying the access request according to a predetermined message verification rule comprises: analyzing the access request, and acquiring a first message value from the access request, wherein the first message value is a result obtained by a sender through calculation on the message content of the access request according to a preset rule; calculating the message content of the access request according to the preset rule to obtain a second message value; comparing the first message value with the second message value; and if the first message value is the same as the second message value, determining that the access request passes the message check rule.
5. The method according to claim 4, wherein calculating the message content of the access request according to the preset rule to obtain a second message value comprises:
determining the message content to be calculated of the access request;
and carrying out Hash calculation on the content of the message to be calculated to obtain a second message value.
6. The method according to claim 5, wherein performing a hash calculation on the message content to be calculated to obtain a second message value comprises:
performing SHA1 calculation on the message content to be calculated to obtain an intermediate value;
and performing MD5 calculation on the intermediate value to obtain a second message value.
7. The method of claim 6, wherein the message content to be computed comprises one or more of: the uniform resource identifier of the access request, the request parameters and the request message body.
8. The method of claim 7, wherein the message content to be computed further comprises a preset salt value.
9. The method of claim 1, wherein verifying the access request according to a preset random number verification rule comprises:
analyzing the access request, and acquiring a random number to be checked from the access request;
determining whether the random number to be checked exists in a preset storage unit;
and if the random number does not exist, determining that the access request passes the random number check rule.
10. The method of claim 9, wherein after determining that the access request passes the nonce check rule, the method further comprises:
and writing the random number to be verified into the storage unit, and setting the failure time of the random number to be verified.
11. The method of claim 1, wherein verifying the access request according to a preset timestamp check rule, a preset message check rule, and a preset random number check rule comprises:
performing basic check on the access request;
and if the access request passes the verification, verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule.
12. The method of claim 11, wherein performing a basic check on the access request comprises:
acquiring a uniform resource identifier of the access request;
determining whether the uniform resource identifier is in a preset black and white list;
and if not, determining that the access request passes the basic check.
13. A request anti-replay verification apparatus, comprising:
a receiving module, configured to receive an access request;
the verification module is used for verifying the access request according to a preset timestamp verification rule, a preset message verification rule and a preset random number verification rule;
the processing module is used for processing the access request under the condition that the access request passes the verification;
wherein verifying the access request according to a preset timestamp verification rule comprises:
analyzing the access request, and acquiring a first timestamp from the access request, wherein the first timestamp is the timestamp at which the sender sent the access request;
determining a second timestamp at which the access request is received;
determining a time difference according to the first timestamp and the second timestamp;
determining a dynamic time error range;
determining whether the time difference is within the dynamic time error range;
and if so, determining that the access request passes the timestamp check rule;
determining the dynamic time error range according to the following formula (1):
[Formula (1) appears on the original page only as an image (FDA0003978332840000041) and is not reproduced here]
wherein nT represents the number of requests the server can process per second, cT represents the number of requests the server can currently process, S represents the CPU utilization, max S represents the maximum CPU utilization, and P represents a preset timestamp coefficient; Req(t) represents the request parameter coefficient, and CPU(t) represents the CPU utilization coefficient.
14. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-12.
15. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-12.
CN202110548344.6A 2021-05-19 2021-05-19 Request anti-replay verification method and device Active CN113225348B (en)

Publications (2)

Publication Number Publication Date
CN113225348A CN113225348A (en) 2021-08-06
CN113225348B true CN113225348B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant