CN102647461B - Communication method, server and terminal based on hypertext transfer protocol - Google Patents

Info

Publication number
CN102647461B
Authority
CN
China
Prior art keywords
timestamp
ciphertext
encryption algorithm
terminal
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210089712.6A
Other languages
Chinese (zh)
Other versions
CN102647461A (en
Inventor
李超
杭程
吴浩
任寰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201210089712.6A priority Critical patent/CN102647461B/en
Priority to CN201610169962.9A priority patent/CN105681470B/en
Publication of CN102647461A publication Critical patent/CN102647461A/en
Application granted granted Critical
Publication of CN102647461B publication Critical patent/CN102647461B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a network communication method and system, a server, and a terminal based on the Hypertext Transfer Protocol, to resist replay attacks in HTTP network communication. A first timestamp is sent to a terminal at the terminal's request; network request information sent by the terminal is received, the network request information containing the first timestamp and a corresponding timestamp ciphertext, where the timestamp ciphertext is generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor that contains the first timestamp; whether the timestamp ciphertext is valid is verified according to the preset encryption algorithm, and if it is invalid, the network request information is an invalid request. Verifying the legitimacy and validity of the timestamp ciphertext, which contains the timestamp information, prevents the timestamp information in a network request from being tampered with and so avoids network replay attacks.

Description

Communication method, server and terminal based on hypertext transfer protocol

Technical field

The present application relates to the technical field of network security, and in particular to a communication method, server and terminal based on the Hypertext Transfer Protocol.

Background

As the Internet affects people's daily work and life more and more deeply, the security of Internet-based data communication has become particularly important.

Among the factors that affect the security of network communication, the replay attack is one of the most common attack methods. A replay attack, also called a playback attack or freshness attack, is one in which an attacker steals authentication credentials by network eavesdropping or other means and then resends the disguised data packets to the server in order to deceive the system. It is mostly used against the identity authentication process, undermining the correctness of authentication. The attack maliciously or fraudulently repeats a valid data transmission over and over, and it can be carried out by the initiator or by an adversary who intercepts and resends the data. On this understanding, although data encryption can effectively prevent network request information from being hijacked or tampered with, a replay attack captures valid information and resends it, so even data encryption cannot prevent replay attacks.

In the current network communication architecture, the Transmission Control Protocol/Internet Protocol (TCP/IP) is the foundation of all Internet communication. TCP/IP uses a four-layer hierarchy: the network interface layer, the network layer, the transport layer and the application layer, each of which calls on the network provided by the layer below it to meet its own needs. At the application layer, data communication based on the Hypertext Transfer Protocol (HTTP) is the main communication method of many current network applications, such as most websites and forums. However, HTTP is a connectionless, stateless protocol: the server closes the connection each time it has processed a terminal's request and the response has been received, and the protocol has no memory for transaction processing, so the HTTP network requests that a terminal sends to the server are unrelated to one another.

The statelessness and connectionlessness of HTTP were decided when the protocol was first designed. Because the purpose of HTTP is to support the transfer of hypertext data, in the process where a terminal browser sends a request to an HTTP server and the HTTP server then sends the corresponding resource back to the terminal, neither the terminal nor the server needs to record the process, since each request and response is relatively independent. In general, one uniform resource locator (URL, Universal Resource Locator) corresponds to one unique hypertext, and for a request sent by any terminal the HTTP server returns the same hypertext according to the URL it receives. It is precisely this uniqueness that makes recording the user's behavior state meaningless, so HTTP was designed as a stateless connection protocol.

For these reasons, once the request information is intercepted while data is being transmitted between the terminal and the server, the server, having recorded no information such as the state of the request, cannot tell whether the request has been intercepted and replayed, and so cannot prevent replay attacks.

In short, a technical problem that those skilled in the art urgently need to solve is how to prevent replay attacks against HTTP communication in existing network communication technology.

Summary of the invention

The technical problem to be solved by the present application is to provide a network communication method, server and terminal based on the Hypertext Transfer Protocol, so as to effectively prevent replay attacks caused by the interception of HTTP network requests and to improve the security of HTTP network communication.

To solve the above problem, the present application discloses a network communication method based on the Hypertext Transfer Protocol, comprising: sending a first timestamp to a terminal at the terminal's request;

receiving network request information sent by the terminal, the network request information containing the first timestamp and a corresponding timestamp ciphertext, the timestamp ciphertext being generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp;

verifying, according to the preset encryption algorithm, whether the timestamp ciphertext is valid, and if it is invalid, the network request information is an invalid request.

Preferably, the method further comprises:

verifying whether the interval between the first timestamp in the network request information and the current time is within the validity period, and if it exceeds the validity period, the network request information is invalid.

Preferably, the preset encryption algorithm is a signature encryption algorithm,

and the terminal encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

the terminal encrypting the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a first digital signature, which constitutes the timestamp ciphertext;

and verifying whether the timestamp ciphertext is valid comprises:

encrypting the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a second digital signature;

verifying whether the second digital signature is consistent with the first digital signature corresponding to the timestamp ciphertext, and if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the preset encryption algorithm is a symmetric encryption algorithm,

and the terminal encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

the terminal encrypting the algorithm factor containing the first timestamp according to the symmetric encryption algorithm, using the corresponding key, to generate the timestamp ciphertext;

and verifying whether the timestamp ciphertext is valid comprises:

decrypting the timestamp ciphertext with the key corresponding to the symmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,

and the terminal encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

the terminal encrypting the algorithm factor containing the first timestamp according to the asymmetric encryption algorithm, using the corresponding public key, to generate the timestamp ciphertext;

and verifying whether the timestamp ciphertext is valid comprises:

the server decrypting the timestamp ciphertext with the private key corresponding to the asymmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and judging whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the network request information sent by the terminal further includes a credential identifier generated by the terminal; and

the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably, before receiving the network request information sent by the terminal, the method further comprises:

receiving credential request information from the terminal;

generating a credential identifier corresponding to the credential request information;

sending the credential identifier to the terminal.

Preferably,

the received network request information further includes the credential identifier;

the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably, the credential identifier is dynamically valid, and the method further comprises:

if the network request information sent by the terminal includes a credential identifier, the server verifies whether the credential identifier is valid, and if it is invalid, the network request is an invalid request.

To solve the above problem, the present application further discloses a network communication method based on the Hypertext Transfer Protocol, comprising:

obtaining a first timestamp from a server;

sending network request information to the server, the network request information containing the first timestamp and a corresponding timestamp ciphertext, the timestamp ciphertext being generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp.

Preferably, the preset encryption algorithm is a signature encryption algorithm,

and encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

encrypting the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a first digital signature, which constitutes the timestamp ciphertext.

Preferably, the preset encryption algorithm is a symmetric encryption algorithm,

and encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

encrypting the algorithm factor containing the first timestamp with the key corresponding to the symmetric encryption algorithm to generate the timestamp ciphertext.

Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,

and encrypting the algorithm factor containing the first timestamp according to the preset encryption algorithm to generate the timestamp ciphertext comprises:

encrypting the algorithm factor containing the first timestamp with the public key corresponding to the asymmetric encryption algorithm to generate the timestamp ciphertext.

Preferably, the network request information further includes a credential identifier; and

the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably, before sending the network request information to the server, the method further comprises:

sending credential request information to the server;

receiving the credential identifier sent by the server.

To solve the above problem, the present application further discloses a server based on the Hypertext Transfer Protocol, comprising:

a receiving module, a sending module, a timestamp generating module and a ciphertext verification module;

wherein the receiving module comprises:

a first receiving unit, configured to receive timestamp request information;

a second receiving unit, configured to receive network request information, the network request information containing a first timestamp and a corresponding timestamp ciphertext, the timestamp ciphertext being generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp;

wherein the timestamp generating module is configured to generate the first timestamp in response to the timestamp request information;

wherein the sending module comprises:

a first sending unit, configured to send the first timestamp generated by the timestamp generating module;

wherein the ciphertext verification module is configured to verify, according to the preset encryption algorithm, whether the timestamp ciphertext is valid, and if it is invalid, the network request information is an invalid request.

Preferably,

the server further comprises:

a timestamp verification module, configured to verify whether the interval between the first timestamp in the network request information received by the second receiving unit and the current time is within the validity period, and if it exceeds the validity period, the network request information is invalid.

Preferably, the preset encryption algorithm is a signature encryption algorithm,

and the ciphertext verification module further comprises:

a signature generating unit, configured to encrypt the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a second signature;

a first verification unit, configured to verify whether the second digital signature generated by the signature generating unit is consistent with the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit, and if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the preset encryption algorithm is a symmetric encryption algorithm,

and the ciphertext verification module further comprises:

a second verification unit, configured to decrypt the timestamp ciphertext received by the second receiving unit with the key corresponding to the symmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and to judge whether the second timestamp is consistent with the first timestamp in the network request information received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the preset encryption algorithm is an asymmetric encryption algorithm,

and the ciphertext verification module further comprises:

a third verification unit, configured to decrypt the timestamp ciphertext received by the second receiving unit with the private key corresponding to the asymmetric encryption algorithm to obtain the timestamp information in it as a second timestamp, and to judge whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

Preferably, the receiving module further comprises:

a third receiving unit, configured to receive a credential request from the terminal;

the server further comprises:

a credential identifier generating unit, configured to generate a credential identifier according to the credential request received by the third receiving unit;

the sending module further comprises:

a second sending unit, configured to send the credential identifier generated by the credential identifier generating unit.

Preferably, the network request information received by the second receiving unit further includes a credential identifier;

the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably, the credential identifier is dynamically valid;

the server further comprises:

a credential verification module, configured to verify whether the network request information received by the second receiving unit includes a credential identifier, and if it does and the credential identifier is invalid, the network request information is invalid.

To solve the above problem, the present application further discloses a terminal based on the Hypertext Transfer Protocol, comprising:

a sending module, a receiving module and a ciphertext module;

wherein the sending module comprises:

a first sending unit, configured to send a first timestamp acquisition request;

a second sending unit, configured to send network request information, the network request information containing the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;

wherein the receiving module comprises:

a first receiving unit, configured to receive the first timestamp;

wherein the ciphertext module is configured to encrypt, according to a preset encryption algorithm, an algorithm factor containing the received first timestamp to generate the timestamp ciphertext.

Preferably, the preset encryption algorithm is a signature encryption algorithm;

the ciphertext module further comprises:

a first encryption unit, configured to encrypt the algorithm factor containing the first timestamp to generate a first digital signature, which constitutes the timestamp ciphertext.

Preferably, the preset encryption algorithm is a symmetric encryption algorithm;

the ciphertext module further comprises:

a second encryption unit, configured to encrypt the algorithm factor containing the first timestamp with the key corresponding to the symmetric encryption algorithm to generate the timestamp ciphertext.

Preferably, the preset encryption algorithm is an asymmetric encryption algorithm;

the ciphertext module further comprises:

a third encryption unit, configured to encrypt the algorithm factor containing the first timestamp with the public key corresponding to the asymmetric encryption algorithm to generate the timestamp ciphertext.

Preferably, the terminal further comprises:

a credential identifier generating module, configured to generate a credential identifier;

the algorithm factor containing the first timestamp further includes the credential identifier generated by the credential identifier module;

the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably,

the sending unit further comprises:

a third sending unit, configured to send credential request information;

the receiving module further comprises:

a second receiving unit, configured to receive the credential identifier;

the network request information sent by the second sending unit further includes the credential identifier received by the third receiving unit;

the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Compared with the prior art, the present application has the following advantages:

Existing HTTP-based network communication is connectionless and stateless, so the server cannot recognize request information that has been intercepted and replayed. To address this, we propose adding a timestamp to the request information that the terminal sends to the server. The server verifies whether the interval between the timestamp in the network request information and the current time is within the validity period; if the interval exceeds the validity period, the current network request is considered to have been intercepted and replayed and is an invalid request. Replay attacks against HTTP communication can thus be effectively avoided.

Further, in the solution provided by the present application, the terminal obtains the timestamp from the server, generates a digital signature over the character string containing the timestamp according to the agreed signature algorithm rules, and places the digital signature in the network request information sent to the server. The server generates a digital signature according to the same signature algorithm rules and verifies whether the digital signature it generated is consistent with the digital signature carried in the network request information. If they are inconsistent, the character string containing the timestamp in the current network request information is considered to have been tampered with, and the network request is considered an invalid request. This removes the possibility of deceiving the server by tampering with the timestamp in the network request information to pass it off as valid information, and so further prevents replay attacks.

Description of the drawings

Fig. 1 is a flowchart of a network communication method based on the HTTP protocol according to Embodiment 1 of the present application;

Fig. 2 is a flowchart of a network communication method based on the HTTP protocol according to Embodiment 2 of the present application;

Fig. 3 is a flowchart of a network communication method based on the HTTP protocol according to Embodiment 3 of the present application;

Fig. 4 is a schematic structural diagram of a server based on the Hypertext Transfer Protocol (HTTP) according to an embodiment of the present application;

Fig. 5 is a schematic structural diagram of a terminal based on the Hypertext Transfer Protocol (HTTP) according to an embodiment of the present application;

Fig. 6 is a schematic structural diagram of a network communication system based on the Hypertext Transfer Protocol (HTTP) according to an embodiment of the present application.

具体实施方式 detailed description

为使本申请的上述目的、特征和优点能够更加明显易懂,下面结合附图和具体实施方式对本申请作进一步详细的说明。In order to make the above objects, features and advantages of the present application more obvious and comprehensible, the present application will be further described in detail below in conjunction with the accompanying drawings and specific implementation methods.

参照图1,示出了本申请提供的一种基于HTTP协议的通信方法实施例一的流程示意图,本实施例的基于HTTP协议的通信方法包括以下步骤:Referring to FIG. 1 , it shows a schematic flow diagram of Embodiment 1 of a communication method based on HTTP protocol provided by the present application. The communication method based on HTTP protocol of this embodiment includes the following steps:

步骤101,终端向服务器发送时间戳请求。Step 101, the terminal sends a timestamp request to the server.

步骤102,服务器生成第一时间戳。Step 102, the server generates a first timestamp.

服务器可按照国际标准规则获取当前时间生成第一时间戳。The server may obtain the current time according to international standard rules to generate the first time stamp.

步骤103,服务器将第一时间戳发送至终端。Step 103, the server sends the first timestamp to the terminal.

步骤104,服务器接收终端发送的网络请求信息;所述网络请求信息中包含所述第一时间戳和对应的时间戳密文;所述时间戳密文由终端根据预置加密算法对包含所述第一时间戳的算法因子加密生成。Step 104, the server receives the network request information sent by the terminal; the network request information includes the first timestamp and the corresponding timestamp ciphertext; the timestamp ciphertext is encrypted by the terminal according to a preset encryption algorithm containing the The algorithm factor encryption generation of the first timestamp.

步骤105,服务器按所述预置加密算法验证所述时间戳密文是否有效,若无效,则所述网络请求信息为无效请求。Step 105, the server verifies whether the timestamp ciphertext is valid according to the preset encryption algorithm, and if invalid, the network request information is an invalid request.

步骤106,服务器验证所述网络请求信息中的第一时间戳与当前时间的间隔是否在有效期内,若超出,则所述网络请求信息无效。该步骤为可选步骤。Step 106, the server verifies whether the interval between the first timestamp in the network request information and the current time is within the valid period, and if it exceeds, the network request information is invalid. This step is optional.

The timestamp ciphertext is generated by encrypting the algorithm factor that contains the first timestamp, and the server verifies whether the ciphertext is valid according to the encryption algorithm agreed with the terminal. If it is invalid, the timestamp ciphertext may have been intercepted or tampered with in transit, so the first timestamp and the corresponding network request can further be deemed invalid.

For ease of description, this document calls the timestamp that the server generates at the terminal's request, and the timestamp carried directly in the network request information, the first timestamp; the timestamp inside the algorithm factor from which the timestamp ciphertext is generated is called the second timestamp.

Because the timestamp is generated centrally by the server, its accuracy is strictly guaranteed. The server may set the validity period of a terminal's timestamp according to the network application environment in which that terminal operates. The validity period is usually a length of time, such as 0.5 seconds, meaning that the process of the terminal obtaining the timestamp from the server and sending the network request containing that timestamp to the server should take no more than 0.5 seconds. If it takes longer, the network request is considered to have been delayed in transit, possibly because it was intercepted or a replay attack occurred, and it is an invalid network request.

Those skilled in the art will readily understand that the timestamp validity period for a class of terminals can be set according to the region in which the terminal is located and the complexity of the application.

Step 107: the server returns the response information for the network request to the terminal.

If the network request information is verified as valid, the response information returned by the server to the terminal includes the valid information corresponding to the network request, such as web page resources; otherwise, the response information contains a notification that the network request failed.

Referring to FIG. 2, a schematic flowchart of Embodiment 2 of an HTTP-based communication method provided by the present application is shown. The HTTP-based communication method of this embodiment includes the following steps:

Step 201: the terminal generates a credential identifier.

The terminal may choose how the credential identifier is composed according to the actual application; for example, it may combine the terminal's IP address and port number, its network card identifier and the current time. It is only necessary that the credential identifiers used by the network requests of different terminals, or by multiple rounds of network requests from the same terminal, are unique.

Step 202: the terminal sends a timestamp request to the server; the timestamp request information contains the terminal's credential identifier.

Existing HTTP-based network communication is connectionless and stateless, so the multiple requests a terminal sends to the server are not linked to one another. Adding a common credential identifier to the multiple network requests sent by the terminal links requests whose content is related, which makes it easier for the terminal and the server to manage them.

Step 203: the server generates the first timestamp and stores configuration information, which records the credential identifier corresponding to the current network request information, the first timestamp, and the validity period of the first timestamp.

Each time the server receives a timestamp acquisition request from the terminal, it stores the new second timestamp and validity period for the current credential identifier, and may also clear the previous second-timestamp validity-period record for that credential identifier.

Step 204: the server sends the first timestamp to the terminal.

Step 205: the server receives network request information sent by the terminal. The network request information contains the first timestamp and the corresponding timestamp ciphertext; the timestamp ciphertext is generated by the terminal by encrypting, with a preset encryption algorithm, an algorithm factor that contains the first timestamp and the credential identifier.

Step 206: the server verifies whether the timestamp ciphertext is valid; if it is invalid, the network request information is invalid.

Step 207: the server verifies whether the first timestamp in the network request is valid; if it is invalid, the network request information is invalid.

Using the credential identifier and the first timestamp in the current network request, the server retrieves the validity period corresponding to that first timestamp from the stored configuration information. It then determines whether the interval between the timestamp in the current network request and the server's current time is within that validity period. If the validity period is exceeded, the timestamp of the current network request is considered expired and the network request is an illegal request.

Preferably, the credential identifier is dynamically valid. The server may decide whether the credential identifier is valid according to certain conditions, for example whether the corresponding terminal has gone offline, been disconnected, not responded for a long time, or exceeded its validity period. If an invalidity condition is met, the server may set the credential identifier to the invalid state, stop further processing of the current network request and return a request-failed response to the terminal. In this way, even if the credential identifier is stolen or used by someone else, it cannot be used to communicate legitimately, which effectively improves the security of the communication process.

Step 208: the server returns response information to the terminal.

In Embodiment 1, the server can only use a fixed validity period for a given class of terminals to decide whether the timestamp of a network request is valid. In Embodiment 2 above, the server stores, in the configuration information, the timestamp corresponding to the terminal's credential identifier and the validity period of that timestamp. Because the credential identifier is unique to each terminal or to each user of a terminal, the validity period can be configured and checked per terminal and per user of that terminal, which makes the server's timestamp validation more fine-grained.

Referring to FIG. 3, a schematic flowchart of Embodiment 3 of an HTTP-based communication method provided by the present application is shown. The HTTP-based communication method of this embodiment includes the following steps:

Step 301: the terminal sends a credential request to the server.

Step 302: the server responds to the credential request, generates a credential identifier according to a rule, and sends the credential identifier to the terminal.

Although the credential identifier can be generated by the terminal itself, the generated identifiers cannot be guaranteed to be absolutely unique when there are too many terminals or concurrent requests. Having the server generate credential identifiers centrally, by a preset rule, in response to each terminal's credential request effectively avoids this problem; for example, a serial number currently unique to the terminal can be generated as the credential identifier from the IP address, port number and time contained in the terminal's request information.

Step 303: the terminal sends a timestamp request to the server.

Step 304: the server generates a first timestamp.

Step 305: the server sends the first timestamp to the terminal.

Step 306: the terminal encrypts the algorithm factor containing the first timestamp with the preset encryption algorithm to generate the timestamp ciphertext.

Step 307: the server receives network request information sent by the terminal; the network request information contains the first timestamp, the credential identifier and the corresponding timestamp ciphertext.

The timestamp ciphertext is generated by encrypting, with the preset encryption algorithm, the algorithm factor containing the first timestamp and the credential identifier.

Preferably, the server verifies whether the credential identifier in the current network request information is valid; if it is invalid, step 308 is executed.

If the terminal has gone offline, been disconnected or been inactive for a long time, the credential identifier corresponding to that terminal may be set to invalid by the server.

Step 308: the server verifies, according to the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, step 310 is executed.

The preset encryption algorithm is the encryption algorithm rule agreed between the terminal and the server.

Optionally, the encryption algorithm is a signature encryption algorithm. The terminal encrypts the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a first digital signature, which forms the timestamp ciphertext. The server encrypts the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a second digital signature, and verifies whether the second digital signature matches the first digital signature corresponding to the timestamp ciphertext; if they do not match, the timestamp ciphertext is invalid.

The signature encryption algorithm rule may include the following steps: first, organize the algorithm factor according to a preset rule; then compute a digital signature over the algorithm factor with the signature algorithm. For example, the organization rule of the algorithm factor here may be 'timestamp + credential identifier + other', and the entire request message may even be used as the algorithm factor; the signature algorithm may be the Message Digest Algorithm 5 (MD5) or another signature algorithm.

MD5 is a hash function widely used in the field of computer security to provide message integrity protection. The algorithm can generate a unique MD5 message digest, that is, a digital signature, for any file or piece of information. If anyone makes any change to the file or information, its MD5 value changes.

Optionally, the preset encryption algorithm is a symmetric encryption algorithm. The terminal uses the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp and generate the timestamp ciphertext. The server uses the key corresponding to the symmetric encryption algorithm to decrypt the timestamp ciphertext, takes the timestamp information in it as the second timestamp, and determines whether the second timestamp matches the first timestamp in the network request information; if they do not match, the timestamp ciphertext is invalid.

Unlike the signature algorithm, which encrypts the message digest of the algorithm factor to obtain a signature, the symmetric encryption algorithm encrypts the entire algorithm factor string to obtain the timestamp ciphertext; the server uses the same key or the corresponding decryption routine to decrypt the timestamp ciphertext and recover the original algorithm factor. A commonly used algorithm is the Advanced Encryption Standard (AES).

Optionally, the preset encryption algorithm is an asymmetric encryption algorithm. The terminal uses the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp and generate the timestamp ciphertext. The server uses the private key corresponding to the asymmetric encryption algorithm to decrypt the timestamp ciphertext, takes the timestamp information in it as the second timestamp, and determines whether the second timestamp matches the first timestamp in the network request information; if they do not match, the timestamp ciphertext is invalid. A commonly used asymmetric encryption algorithm is RSA.

If the timestamp ciphertext is verified as invalid, the string corresponding to the algorithm factor in the network request information has been tampered with, and the current network request is no longer trusted and is an illegal request.

Preferably, the present application uses a string containing the timestamp and the credential identifier, composed by a preset rule, as the algorithm factor of the encryption algorithm. Because the credential identifier the server assigns to a terminal is unique, the algorithm factor built from it is also unique and does not repeat. The timestamp in an HTTP request message is mostly in plain text, whereas the credential identifier is generated by the server according to a preset rule, so unless the generation rule leaks, the likelihood of the credential identifier being tampered with is very low. Moreover, the composition rule of the algorithm factor is agreed between the terminal and the server and is not made public; even someone who knows that the algorithm factor uses the timestamp and the credential identifier would find it hard to learn how often they appear and in what arrangement. Therefore, if the timestamp ciphertext in the terminal's network request information is invalid, the timestamp in the string can be considered tampered with and the request is an illegal request.

Those skilled in the art should understand that, when implementing the present application, the preset rule by which the timestamp and the credential identifier form the algorithm factor, and the order and number of times they appear in it, can be decided case by case; for example, it may be timestamp + credential identifier, or credential identifier + timestamp + timestamp + credential identifier, and so on.

Step 309: the server verifies whether the interval between the first timestamp in the network request and the current time is within its validity period; if the validity period is exceeded, the current network request is an invalid request.

Step 310: the server returns response information to the terminal.

In the above embodiment, the network request information sent by the terminal to the server contains a credential identifier assigned centrally by the server. For network request information containing that credential identifier, the server can first verify whether the credential identifier is valid; if it is in the invalid state, the server can stop further processing and directly return an invalid-request response to the terminal. This saves some server operations and therefore, to some extent, saves server resources and reduces server load. Second, adding a digital signature to the network request information effectively prevents it from being tampered with and avoids replay attacks. In particular, the present application uses the credential identifier and timestamp assigned centrally by the server as the signature algorithm factor, which guarantees the uniqueness of the signature algorithm factor, avoids the possibility of different terminals producing the same signature and of the timestamp being tampered with, and effectively prevents network replay attacks.

A communication method based on the HTTP protocol provided by the present application has been described above with reference to several embodiments. The method is described further below in a specific application environment:

In the following embodiment, assume that a user logs in to a website from a terminal with their user name and password; if the server verifies the login request successfully, the server returns a dynamic password Key for the terminal to use. The website's servers include a login server and an encryption server.

Step S01: the user logs in and obtains a credential identifier.

On the terminal, the user enters a user name and password to send a login request to the login server. If the login succeeds, the login server returns a credential identifier to the terminal. The credential identifier is a unique authentication string that the login server generates from the user's user name and other relevant information.

Step S02: the terminal obtains a timestamp from the encryption server.

The terminal calls the PostDownloadTimeStamp method to send a get-timestamp request to the encryption server and obtains the latest timestamp from it. The timestamp is the current precise time that the encryption server obtains from a global time synchronization server.

Step S03: the terminal generates the first signature, which forms the timestamp ciphertext, and assembles the verification request packet.

If the timestamp is obtained successfully, the terminal calls the RequestHeader_Stamp method to generate the signature and assemble the verification request packet.

The terminal computes the signature that forms the timestamp ciphertext from the timestamp and the credential identifier. The algorithm is: first, concatenate timestamp + timestamp + credential identifier + timestamp into the algorithm factor string; then apply MD5 to the algorithm factor string to produce a signature string, which forms the timestamp ciphertext.

Step S04: the terminal sends the verification request to the encryption server over HTTPS.

The terminal uses the PostDownloadTimeStamp method to send the verification request to the encryption server.

Step S05: the encryption server applies the same rule as the terminal to the timestamp and credential identifier to generate a second signature, with which it verifies the verification request sent by the terminal. If the second signature matches the first signature corresponding to the timestamp ciphertext, the timestamp ciphertext is legitimate and valid.

Step S06: verify whether the interval between the first timestamp in the network request information and the current time is within the corresponding validity period; if it is exceeded, the network request is invalid.

Step S07: the encryption server returns response information to the terminal.

If verification passes, the encryption server returns the correct dynamic password Key to the terminal; otherwise, it returns a request-failed notification to the terminal.

The dynamic password Key obtained by the terminal can be used for the user's subsequent operations, such as entering a dynamic password.
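The S01 to S07 exchange above, combined with the per-credential record of Embodiment 2, as an added Python example (not code from the patent or its applicant). `EncryptionServer`, `sign`, the result strings and the random-token credential are assumptions made for illustration; the optional HMAC-SHA-256 path is a substitution made under the page's "other signature algorithms", not the page's MD5 rule.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def algorithm_factor(timestamp: str, credential: str) -> bytes:
    # Composition rule from step S03: timestamp + timestamp + credential + timestamp.
    return (timestamp + timestamp + credential + timestamp).encode("utf-8")


def sign(timestamp: str, credential: str, key: Optional[bytes] = None) -> str:
    """Terminal (S03) and server (S05) run the same computation."""
    factor = algorithm_factor(timestamp, credential)
    if key is None:
        # The page's choice: unkeyed MD5, so the only thing a third party
        # lacks is the composition rule agreed between terminal and server.
        return hashlib.md5(factor).hexdigest()
    # Assumption, under the page's "other signature algorithms": a keyed MAC,
    # so knowing the rule alone is not enough to produce a valid signature.
    return hmac.new(key, factor, hashlib.sha256).hexdigest()


class EncryptionServer:
    """Hypothetical server keeping one (timestamp, issue time, validity)
    record per credential identifier, as in step 203."""

    def __init__(self, validity: float = 0.5, key: Optional[bytes] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.validity = validity
        self.key = key
        self.clock = clock
        self.valid_credentials: set = set()
        self.config: Dict[str, Tuple[str, float, float]] = {}

    def issue_credential(self) -> str:
        # S01 / step 302: server-generated unique credential identifier.
        # A random token stands in for the page's unspecified generation rule.
        credential = secrets.token_hex(16)
        self.valid_credentials.add(credential)
        return credential

    def revoke(self, credential: str) -> None:
        # "Dynamically valid": offline or idle terminals lose their credential.
        self.valid_credentials.discard(credential)
        self.config.pop(credential, None)

    def issue_timestamp(self, credential: str) -> str:
        # S02 / step 203: a new request replaces the previous record.
        issued_at = self.clock()
        timestamp = f"{issued_at:.3f}"
        self.config[credential] = (timestamp, issued_at, self.validity)
        return timestamp

    def verify(self, credential: str, timestamp: str, signature: str) -> str:
        if credential not in self.valid_credentials:
            return "invalid credential"
        expected = sign(timestamp, credential, self.key)
        # S05: constant-time comparison of second and first signature.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "invalid ciphertext"
        record = self.config.get(credential)
        if record is None or record[0] != timestamp:
            return "unknown timestamp"
        _, issued_at, validity = record
        if self.clock() - issued_at > validity:  # S06: validity period
            return "expired timestamp"
        return "ok"


def demo() -> list:
    now = [1_000.0]  # constructed clock value, in seconds
    server = EncryptionServer(validity=0.5, clock=lambda: now[0])
    cred = server.issue_credential()
    ts = server.issue_timestamp(cred)
    sig = sign(ts, cred)
    results = [server.verify(cred, ts, sig)]            # fresh request
    results.append(server.verify(cred, ts, "0" * 32))   # altered signature
    now[0] += 0.6                                       # past the 0.5 s window
    results.append(server.verify(cred, ts, sig))        # same request, too late
    return results


if __name__ == "__main__":
    print(demo())
```

Deleting the stored record after a successful `verify` would make each timestamp single-use; the page does not describe that step, so the example keeps the record until the next timestamp request replaces it.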

It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the order of actions described, because according to the present application some steps may be performed in a different order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the present application.

Referring to FIG. 4, a schematic structural diagram of a server based on the Hypertext Transfer Protocol (HTTP) according to an embodiment of the present application is shown.

The HTTP server specifically includes:

a receiving module 410, a sending module 420, a timestamp generating module 460 and a ciphertext verification module 430;

wherein the receiving module 410 includes:

a first receiving unit 411, configured to receive timestamp request information;

a second receiving unit 412, configured to receive network request information; the network request information contains a first timestamp and the corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp;

wherein the timestamp generating module 460 is configured to generate the first timestamp in response to the timestamp request information;

wherein the sending module 420 includes:

a first sending unit 421, configured to send the first timestamp generated by the timestamp generating module;

wherein the ciphertext verification module 430 is configured to verify, according to the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.

Preferably,

the server further includes:

a timestamp verification module 470, configured to verify whether the interval between the first timestamp in the network request information received by the second receiving unit 412 and the current time is within the validity period; if it is exceeded, the network request information is invalid.

Optionally, the preset encryption algorithm is a signature encryption algorithm,

and the ciphertext verification module 430 further includes:

a signature generating unit 431, configured to encrypt the algorithm factor containing the first timestamp according to the signature encryption algorithm to generate a second signature;

a first verification unit 432, configured to verify whether the second digital signature generated by the signature generating unit 431 matches the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit 412; if they do not match, the timestamp ciphertext is invalid.

Optionally, the preset encryption algorithm is a symmetric encryption algorithm,

and the ciphertext verification module 430 further includes:

a second verification unit 433, configured to use the key corresponding to the symmetric encryption algorithm to decrypt the timestamp ciphertext received by the second receiving unit 412, take the timestamp information in it as the second timestamp, and determine whether the second timestamp matches the first timestamp in the network request information received by the second receiving unit; if they do not match, the timestamp ciphertext is invalid.

Optionally, the preset encryption algorithm is an asymmetric encryption algorithm,

and the ciphertext verification module 430 further includes:

a third verification unit 434, configured to use the private key corresponding to the asymmetric encryption algorithm to decrypt the timestamp ciphertext received by the second receiving unit 412, take the timestamp information in it as the second timestamp, and determine whether the second timestamp matches the first timestamp in the network request information; if they do not match, the timestamp ciphertext is invalid.

Further, the receiving module 410 also includes:

a third receiving unit 413, configured to receive a credential request from the terminal;

the server further includes:

a credential identifier generating unit 440, configured to generate a credential identifier according to the credential request received by the third receiving unit 413;

the sending module 420 further includes:

a second sending unit 422, configured to send the credential identifier generated by the credential identifier generating unit 440.

Preferably, the network request information received by the second receiving unit 412 also includes a credential identifier;

the algorithm factor containing the first timestamp also includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

Preferably, the credential identifier is dynamically valid;

the server further includes:

a credential verification module 450, configured to verify whether the network request information received by the second receiving unit 412 includes a credential identifier; if it does and the credential identifier is invalid, the network request information is invalid.

Referring to FIG. 5, a schematic structural diagram of a terminal based on the Hypertext Transfer Protocol (HTTP) according to an embodiment of the present application is shown.

The HTTP terminal includes:

a sending module 510, a receiving module 520 and a ciphertext module 530;

wherein the sending module 510 includes:

a first sending unit 511, configured to send a first-timestamp acquisition request;

a second sending unit 512, configured to send network request information; the network request information contains the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;

wherein the receiving module 520 includes:

a first receiving unit 521, configured to receive the first timestamp;

wherein the ciphertext module is configured to encrypt, according to a preset encryption algorithm, the algorithm factor containing the received first timestamp to generate the timestamp ciphertext.

Optionally, the preset encryption algorithm is a signature encryption algorithm;

the ciphertext module 530 further includes:

a first encryption unit 531, configured to encrypt the algorithm factor containing the first timestamp to generate a first digital signature, which forms the timestamp ciphertext.

Optionally, the preset encryption algorithm is a symmetric encryption algorithm;

the ciphertext module 530 further includes:

a second encryption unit 532, configured to use the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp and generate the timestamp ciphertext.

Optionally, the preset encryption algorithm is an asymmetric encryption algorithm;

the ciphertext module 530 further includes:

a third encryption unit 533, configured to use the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp and generate the timestamp ciphertext.

Optionally, the terminal further includes:

a credential identifier generating module 540, configured to generate a credential identifier;

the algorithm factor containing the first timestamp also includes the credential identifier generated by the credential identifier module;

the algorithm factor is composed of the first timestamp and the credential identifier according to a preset rule.

优选的,preferred,

所述发送单元510还包括:The sending unit 510 also includes:

第三发送单元513,用于发送凭证请求信息;A third sending unit 513, configured to send credential request information;

所述接收模块520还包括:The receiving module 520 also includes:

第二接收单元522,用于接收凭证标识;The second receiving unit 522 is configured to receive the credential identification;

所述第二发送单元512所发送的网络请求信息中还包括第二接收单元522所接收的凭证标识;The network request information sent by the second sending unit 512 also includes the credential identifier received by the second receiving unit 522;

所述包含第一时间戳的算法因子还包括所述凭证标识;所述算法因子由所述第一时间戳和所述凭证标识按预设规则组成。The algorithm factor including the first time stamp also includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules.

FIG. 6 is a schematic structural diagram of a system based on the hypertext transfer protocol HTTP according to an embodiment of the present application.

Specifically, the system includes an HTTP terminal 6100 and an HTTP server 6200;

The HTTP terminal 6100 includes:

a terminal sending module 6110, a terminal receiving module 6120 and a ciphertext module 6130;

wherein the terminal sending module 6110 includes:

a first sending unit 6111, configured to send a first timestamp acquisition request;

a second sending unit 6112, configured to send network request information; the network request information contains the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module;

wherein the terminal receiving module 6120 includes:

a first receiving unit 6121, configured to receive the first timestamp;

wherein the ciphertext module 6130 is configured to encrypt, according to a preset encryption algorithm, an algorithm factor containing the received first timestamp to generate the timestamp ciphertext.

The HTTP server 6200 includes:

a server receiving module 6210, a server sending module 6220, a timestamp generation module 6230 and a ciphertext verification module 6240;

wherein the server receiving module 6210 includes:

a first receiving unit 6211, configured to receive timestamp request information;

a second receiving unit 6212, configured to receive network request information; the network request information contains the first timestamp and the corresponding timestamp ciphertext; the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp;

wherein the timestamp generation module 6230 is configured to generate the first timestamp in response to the timestamp request information;

wherein the server sending module 6220 includes:

a first sending unit 6221, configured to send the first timestamp generated by the timestamp generation module;

wherein the ciphertext verification module 6240 is configured to verify, according to the preset encryption algorithm, whether the timestamp ciphertext is valid; if it is invalid, the network request information is an invalid request.

For the detailed structure of the above system, refer to the descriptions of the HTTP terminal and the HTTP server above and to the relevant parts of the method embodiments.
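The terminal and server roles described above, in the signature variant with a validity-period check, as an added example that is not part of the patent. HMAC-SHA256 with a pre-shared key stands in for the "signature encryption algorithm"; the key, the 60-second validity period, the field names and the length-prefixed "preset rule" are all assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (not from the patent): HMAC-SHA256 as the "signature encryption
# algorithm", a pre-shared key, a 60 s validity period and the field layout.
SHARED_KEY = b"constructed-demo-key"
VALIDITY_SECONDS = 60


def make_credential_id(ip, port, nic_id, now):
    """Credential identifier built from terminal IP, port, NIC id and time."""
    return f"{ip}:{port}:{nic_id}:{int(now)}"


def algorithm_factor(first_timestamp, credential_id):
    """Hypothetical 'preset rule': length-prefix each field before joining,
    so shifting characters from one field to the other changes the factor."""
    fields = (str(first_timestamp), str(credential_id))
    return "".join(f"{len(f)}:{f}" for f in fields).encode("utf-8")


def sign(factor):
    """Keyed digest standing in for the first/second digital signature."""
    return hmac.new(SHARED_KEY, factor, hashlib.sha256).hexdigest()


def build_request(first_timestamp, credential_id):
    """Terminal side: attach the server-issued timestamp, the credential
    identifier and the timestamp ciphertext computed over both."""
    ts = str(first_timestamp)
    return {
        "timestamp": ts,
        "credential_id": credential_id,
        "timestamp_ciphertext": sign(algorithm_factor(ts, credential_id)),
    }


class Server:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the validity period can be tested

    def issue_timestamp(self):
        """Timestamp generation module: answer a timestamp request."""
        return int(self.clock())

    def verify(self, request):
        """Ciphertext verification followed by the validity-period check.
        Returns (accepted, reason)."""
        ts = request.get("timestamp")
        cred = request.get("credential_id")
        received = request.get("timestamp_ciphertext")
        if not all(isinstance(v, str) and v for v in (ts, cred, received)):
            return (False, "malformed")
        try:
            issued_at = int(ts)
        except ValueError:
            return (False, "malformed")
        # Recompute the second signature from the fields the request carries
        # and compare in constant time with the first signature.
        second = sign(algorithm_factor(ts, cred))
        if not hmac.compare_digest(second.encode(), received.encode()):
            return (False, "bad signature")
        # Reject timestamps from the future as well as stale ones.
        age = int(self.clock()) - issued_at
        if age < 0 or age > VALIDITY_SECONDS:
            return (False, "expired")
        return (True, "ok")


if __name__ == "__main__":
    server = Server()
    ts = server.issue_timestamp()
    # Constructed sample values (documentation address ranges).
    cred = make_credential_id("192.0.2.10", 50123, "00-00-5E-00-53-01", ts)
    request = build_request(ts, cred)
    print(server.verify(request))
    print(server.verify(dict(request, timestamp=str(ts + 30))))
```

With only the two checks shown, a request resent unchanged inside the validity period still verifies; the credential validity check of claim 7 is not modeled here.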

The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another. Because the system and/or apparatus embodiments are basically similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the corresponding description of the method embodiments.

Finally, it should also be noted that in this text relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations.

Moreover, "and/or" above means that this text covers both the "and" relationship and the "or" relationship: if scheme A and scheme B are in an "and" relationship, an embodiment may include both scheme A and scheme B; if scheme A and scheme B are in an "or" relationship, an embodiment may include scheme A alone or scheme B alone.

The network communication method, server and terminal based on the hypertext transfer protocol HTTP provided by the present application have been described in detail above. Specific examples have been used in this text to explain the principle and implementation of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the present application, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the present application.

Claims (25)

1. A network communication method based on the hypertext transfer protocol, characterized by comprising:
sending a first timestamp to a terminal at the terminal's request;
receiving network request information sent by the terminal; the network request information contains the first timestamp and a corresponding timestamp ciphertext, and the network request information sent by the terminal further includes a credential identifier generated by the terminal;
the timestamp ciphertext is generated by the terminal by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp, and the algorithm factor containing the first timestamp includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules, wherein the credential identifier is composed of the terminal's IP address, the terminal's port number, a network card identifier and the current time;
verifying, according to the preset encryption algorithm, whether the timestamp ciphertext is valid, and if it is invalid, the network request information is an invalid request.

2. The method according to claim 1, further comprising:
verifying whether the interval between the first timestamp in the network request information and the current time is within a validity period, and if the validity period is exceeded, the network request information is invalid.

3. The method according to claim 1, wherein the preset encryption algorithm is a signature encryption algorithm,
the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
the terminal encrypting, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a first digital signature, which forms the timestamp ciphertext;
the verifying whether the timestamp ciphertext is valid includes:
encrypting, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a second digital signature;
verifying whether the second digital signature is consistent with the first digital signature corresponding to the timestamp ciphertext, and if they are inconsistent, the timestamp ciphertext is invalid.

4. The method according to claim 1, wherein the preset encryption algorithm is a symmetric encryption algorithm,
the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
the terminal using, according to the symmetric encryption algorithm, the corresponding key to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext;
the verifying whether the timestamp ciphertext is valid includes:
using the key corresponding to the symmetric encryption algorithm to decrypt the timestamp ciphertext and obtain the timestamp information in it as a second timestamp, and determining whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

5. The method according to claim 1, wherein the preset encryption algorithm is an asymmetric encryption algorithm,
the terminal encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
the terminal using, according to the asymmetric encryption algorithm, the corresponding public key to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext;
the verifying whether the timestamp ciphertext is valid includes:
the server using the private key corresponding to the asymmetric encryption algorithm to decrypt the timestamp ciphertext and obtain the timestamp information in it as a second timestamp, and determining whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

6. The method according to claim 1, wherein before receiving the network request information sent by the terminal, the method further includes:
receiving credential request information from the terminal;
generating a credential identifier corresponding to the credential request information;
sending the credential identifier to the terminal.

7. The method according to claim 1, wherein the credential identifier is dynamically valid, and the method further comprises:
if the network request information sent by the terminal includes a credential identifier, the server verifies whether the credential identifier is valid, and if it is invalid, the network request is an invalid request.

8. A network communication method based on the hypertext transfer protocol, characterized by comprising:
obtaining a first timestamp from a server;
sending network request information to the server; the network request information contains the first timestamp and a corresponding timestamp ciphertext, and the network request information sent by the terminal further includes a credential identifier generated by the terminal;
the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp, and the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules, wherein the credential identifier is composed of the terminal's IP address, the terminal's port number, a network card identifier and the current time.

9. The method according to claim 8, wherein the preset encryption algorithm is a signature encryption algorithm,
the encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
encrypting, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a first digital signature, which forms the timestamp ciphertext.

10. The method according to claim 8, wherein the preset encryption algorithm is a symmetric encryption algorithm,
the encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
using the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext.

11. The method according to claim 8, wherein the preset encryption algorithm is an asymmetric encryption algorithm,
the encrypting, according to the preset encryption algorithm, the algorithm factor containing the first timestamp to generate the timestamp ciphertext includes:
using the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext.

12. The method according to claim 8, wherein before sending the network request information to the server, the method further includes:
sending credential request information to the server;
receiving the credential identifier sent by the server.

13. A server based on the hypertext transfer protocol, characterized by comprising: a receiving module, a sending module, a timestamp generation module and a ciphertext verification module;
wherein the receiving module includes:
a first receiving unit, configured to receive timestamp request information;
a second receiving unit, configured to receive network request information; the network request information contains a first timestamp and a corresponding timestamp ciphertext, and the received network request information further includes a credential identifier;
the timestamp ciphertext is generated by encrypting, according to a preset encryption algorithm, an algorithm factor containing the first timestamp, and the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules, wherein the credential identifier is composed of the terminal's IP address, the terminal's port number, a network card identifier and the current time;
wherein the timestamp generation module is configured to generate the first timestamp in response to the timestamp request information;
wherein the sending module includes:
a first sending unit, configured to send the first timestamp generated by the timestamp generation module;
wherein the ciphertext verification module is configured to verify, according to the preset encryption algorithm, whether the timestamp ciphertext is valid, and if it is invalid, the network request information is an invalid request.

14. The server according to claim 13, wherein
the server further includes:
a timestamp verification module, configured to verify whether the interval between the first timestamp in the network request information received by the second receiving unit and the current time is within a validity period, and if the validity period is exceeded, the network request information is invalid.

15. The server according to claim 13, wherein the preset encryption algorithm is a signature encryption algorithm,
the ciphertext verification module further includes:
a signature generation unit, configured to encrypt, according to the signature encryption algorithm, the algorithm factor containing the first timestamp to generate a second signature;
a first verification unit, configured to verify whether the second digital signature generated by the signature generation unit is consistent with the first digital signature corresponding to the timestamp ciphertext received by the second receiving unit, and if they are inconsistent, the timestamp ciphertext is invalid.

16. The server according to claim 13, wherein the preset encryption algorithm is a symmetric encryption algorithm,
the ciphertext verification module further includes:
a second verification unit, configured to use the key corresponding to the symmetric encryption algorithm to decrypt the timestamp ciphertext received by the second receiving unit and obtain the timestamp information in it as a second timestamp, and to determine whether the second timestamp is consistent with the first timestamp in the network request information received by the second receiving unit; if they are inconsistent, the timestamp ciphertext is invalid.

17. The server according to claim 13, wherein the preset encryption algorithm is an asymmetric encryption algorithm,
the ciphertext verification module further includes:
a third verification unit, configured to use the private key corresponding to the asymmetric encryption algorithm to decrypt the timestamp ciphertext received by the second receiving unit and obtain the timestamp information in it as a second timestamp, and to determine whether the second timestamp is consistent with the first timestamp in the network request information; if they are inconsistent, the timestamp ciphertext is invalid.

18. The server according to claim 13, wherein the receiving module further includes:
a third receiving unit, configured to receive a credential request from the terminal;
the server further includes:
a credential identifier generation unit, configured to generate a credential identifier according to the credential request received by the third receiving unit;
the sending module further includes:
a second sending unit, configured to send the credential identifier generated by the credential identifier generation unit.

19. The server according to claim 18 or 13, wherein the credential identifier is dynamically valid;
the server further includes:
a credential verification module, configured to verify whether the network request information received by the second receiving unit includes a credential identifier, and if it does and the credential identifier is invalid, the network request information is invalid.

20. A terminal based on the hypertext transfer protocol, characterized by comprising:
a sending module, a receiving module and a ciphertext module;
wherein the sending module includes:
a first sending unit, configured to send a first timestamp acquisition request;
a second sending unit, configured to send network request information; the network request information contains the first timestamp received by the receiving module and the corresponding timestamp ciphertext generated by the ciphertext module, and the network request information further includes a credential identifier generated by the terminal;
wherein the receiving module includes:
a first receiving unit, configured to receive the first timestamp;
wherein the ciphertext module is configured to encrypt, according to a preset encryption algorithm, an algorithm factor containing the received first timestamp to generate the timestamp ciphertext, and the algorithm factor containing the first timestamp includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules, wherein the credential identifier is composed of the terminal's IP address, the terminal's port number, a network card identifier and the current time.

21. The terminal according to claim 20, wherein the preset encryption algorithm is a signature encryption algorithm;
the ciphertext module further includes:
a first encryption unit, configured to encrypt the algorithm factor containing the first timestamp to generate a first digital signature, which forms the timestamp ciphertext.

22. The terminal according to claim 20, wherein the preset encryption algorithm is a symmetric encryption algorithm;
the ciphertext module further includes:
a second encryption unit, configured to use the key corresponding to the symmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext.

23. The terminal according to claim 20, wherein the preset encryption algorithm is an asymmetric encryption algorithm;
the ciphertext module further includes:
a third encryption unit, configured to use the public key corresponding to the asymmetric encryption algorithm to encrypt the algorithm factor containing the first timestamp to generate the timestamp ciphertext.

24. The terminal according to claim 20, further comprising:
a credential identifier generation module, configured to generate a credential identifier;
the algorithm factor containing the first timestamp further includes the credential identifier generated by the credential identifier module;
the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules.

25. The terminal according to claim 20, wherein
the sending module further includes:
a third sending unit, configured to send credential request information;
the receiving module further includes:
a second receiving unit, configured to receive the credential identifier;
the network request information sent by the second sending unit further includes the credential identifier received by the second receiving unit;
the algorithm factor containing the first timestamp further includes the credential identifier; the algorithm factor is composed of the first timestamp and the credential identifier according to preset rules.
CN201210089712.6A 2012-03-29 2012-03-29 Communication method, server and terminal based on hypertext transfer protocol Active CN102647461B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210089712.6A CN102647461B (en) 2012-03-29 2012-03-29 Communication method, server and terminal based on hypertext transfer protocol
CN201610169962.9A CN105681470B (en) 2012-03-29 2012-03-29 Communication means, server based on hypertext transfer protocol, terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210089712.6A CN102647461B (en) 2012-03-29 2012-03-29 Communication method, server and terminal based on hypertext transfer protocol

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201610169962.9A Division CN105681470B (en) 2012-03-29 2012-03-29 Communication means, server based on hypertext transfer protocol, terminal

Publications (2)

Publication Number Publication Date
CN102647461A CN102647461A (en) 2012-08-22
CN102647461B true CN102647461B (en) 2016-05-04

Family

ID=46660034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210089712.6A Active CN102647461B (en) 2012-03-29 2012-03-29 Communication method, server and terminal based on hypertext transfer protocol

Country Status (1)

Country Link
CN (1) CN102647461B (en)

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051722B (en) * 2012-12-26 2015-10-14 新浪网技术(中国)有限公司 A kind ofly determine the method whether page is held as a hostage and relevant device
CN105099676B (en) * 2014-04-18 2018-10-02 阿里巴巴集团控股有限公司 A kind of user login method, user terminal and server
CN103973703A (en) * 2014-05-23 2014-08-06 杭州智屏科技有限公司 Request method for safety of data exchange between application program and server
CN105791339B (en) * 2014-12-18 2020-03-31 中兴通讯股份有限公司 Method and device for processing resource operation request
CN104852800B (en) * 2015-05-25 2018-12-25 小米科技有限责任公司 Data transmission method and device
CN106470103B (en) * 2015-08-17 2020-01-17 苏宁云计算有限公司 Method and system for sending encrypted URL request by client
CN105141636B (en) * 2015-09-24 2018-04-17 网宿科技股份有限公司 Suitable for the HTTP safety communicating methods and system of CDN value-added service platforms
CN105765941A (en) * 2015-10-23 2016-07-13 深圳还是威健康科技有限公司 Illegal access server prevention method and device
CN106936578B (en) * 2015-12-30 2020-02-18 航天信息股份有限公司 Time stamp system and method for issuing time stamp
CN105516186B (en) * 2015-12-31 2019-07-23 华为技术有限公司 A kind of method preventing Replay Attack and server
CN106254327A (en) * 2016-07-28 2016-12-21 努比亚技术有限公司 Information processor and method
CN106130720A (en) * 2016-08-12 2016-11-16 福建中金在线信息科技有限公司 A kind of method that internet information required parameter is encrypted safely and deciphered
CN106330437A (en) * 2016-10-20 2017-01-11 武汉斗鱼网络科技有限公司 Password resetting method and device
WO2018082391A1 (en) * 2016-11-07 2018-05-11 天地融科技股份有限公司 Circuit delay self-measurement method, device, and system
CN108243176B (en) * 2016-12-27 2020-08-11 腾讯科技(深圳)有限公司 Data transmission method and device
CN108306739B (en) * 2018-01-22 2021-03-12 武汉斗鱼网络科技有限公司 Method for detecting user identity information, server, computer-readable storage medium and computer equipment
CN108055286B (en) * 2018-01-22 2021-06-15 武汉斗鱼网络科技有限公司 Method, client, computer-readable storage medium and computer device for generating user identity information
CN107959691B (en) * 2018-01-22 2021-03-16 武汉斗鱼网络科技有限公司 Method for detecting user identity information, server, computer-readable storage medium and computer equipment
CN108400979B (en) * 2018-02-06 2021-07-30 武汉斗鱼网络科技有限公司 Communication method applied to client and server and electronic equipment
CN108322470A (en) * 2018-02-07 2018-07-24 链家网(北京)科技有限公司 A kind of network request processing method and processing device
CN108712408B (en) * 2018-05-08 2021-03-23 百度在线网络技术(北京)有限公司 Anti-cheating method and device for user behavior verification
CN108646584A (en) * 2018-07-12 2018-10-12 合肥数理电子信息科技有限公司 A kind of intelligent home control system
CN109335906B (en) * 2018-08-01 2020-09-11 苏州汇川技术有限公司 Verification method, elevator control device and elevator peripheral device
CN108777601B (en) * 2018-08-06 2020-01-17 深圳信息职业技术学院 A clock synchronization method, device and network equipment
CN109088731B (en) * 2018-09-04 2021-09-21 杭州涂鸦信息技术有限公司 Internet of things cloud communication method and device
CN109347869B (en) * 2018-11-28 2021-07-06 京东数字科技控股有限公司 Method, device, medium and electronic equipment for generating inter-cluster communication security factor
CN110445809B (en) * 2019-09-03 2022-02-25 深圳绿米联创科技有限公司 Network attack detection method, device, system, electronic equipment and storage medium
CN111131200B (en) * 2019-12-11 2022-06-28 新华三大数据技术有限公司 Network security detection method and device
CN111162899A (en) * 2020-01-13 2020-05-15 成都安联云防保安服务有限公司 Encryption transmission method for potential safety risk data
CN112149100A (en) * 2020-09-01 2020-12-29 长沙市到家悠享网络科技有限公司 Verification method, verification device, electronic equipment and storage medium
CN112217835B (en) * 2020-10-23 2022-11-04 中国工商银行股份有限公司 Message data processing method and device, server and terminal equipment
CN112465502A (en) * 2020-11-11 2021-03-09 中国农业银行股份有限公司上海市分行 Method for deploying digital time stamp offline
CN112511565B (en) * 2021-01-29 2021-05-11 腾讯科技(深圳)有限公司 Request response method and device, computer readable storage medium and electronic equipment
CN113395282A (en) * 2021-06-15 2021-09-14 济南浪潮智投智能科技有限公司 Method and system for preventing third party from accessing server resources
CN116305068A (en) * 2022-11-30 2023-06-23 深圳萨摩耶数字科技有限公司 Verification method, device, system, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453328A (en) * 2007-12-06 2009-06-10 中国移动通信集团公司 Identity management system and identity authentication system
CN101534196A (en) * 2008-03-12 2009-09-16 因特伟特公司 Method and apparatus for securely invoking a REST API
CN101594226A (en) * 2009-06-17 2009-12-02 中兴通讯股份有限公司 Data protection method and system for file transfer
CN102025748A (en) * 2011-01-04 2011-04-20 深信服网络科技(深圳)有限公司 Method, device and system for acquiring user name of Kerberos authentication mode
CN102073953A (en) * 2009-11-24 2011-05-25 阿里巴巴集团控股有限公司 On-line payment method and system

Also Published As

Publication number Publication date
CN102647461A (en) 2012-08-22

Similar Documents

Publication Publication Date Title
CN102647461B (en) Communication method, server and terminal based on hypertext transfer protocol
CN111212095B (en) Authentication method, server, client and system for identity information
US9537861B2 (en) Method of mutual verification between a client and a server
JP6625211B2 (en) Key exchange through partially trusted third parties
US9853964B2 (en) System and method for authenticating the legitimacy of a request for a resource by a user
CN102624740B (en) Data interaction method, client and server
CN105681470B (en) Communication method, server and terminal based on hypertext transfer protocol
WO2016184216A1 (en) Link-stealing prevention method, link-stealing prevention server, and client side
CN104753674B (en) Method and device for verifying application identity
WO2016065321A1 (en) Secure communication channel with token renewal mechanism
US10263782B2 (en) Soft-token authentication system
WO2022022009A1 (en) Message processing method and apparatus, device, and storage medium
JP2013509840A (en) User authentication method and system
CN114244522B (en) Information protection method, device, electronic equipment and computer readable storage medium
US10348701B2 (en) Protecting clients from open redirect security vulnerabilities in web applications
TWI526871B (en) Server, user device, and user device and server interaction method
TW201018157A (en) Method and system for defeating the man in the middle computer hacking technique
Chen et al. Security analysis and improvement of user authentication framework for cloud computing
US20240106633A1 (en) Account opening methods, systems, and apparatuses
US12273461B2 (en) Service registration method and device
CN113312576B (en) Page jump method, system and device
CN114745115A (en) An information transmission method, device, computer equipment and storage medium
EP3299984A1 (en) Authentication of a software entity by another software entity
US8583921B1 (en) Method and system for identity authentication
CN115242471B (en) Information transmission method, information transmission device, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121025

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121025

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 CHAOYANG, BEIJING TO: 100088 XICHENG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20121025

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Applicant after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Applicant before: Qizhi software (Beijing) Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220718

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right