
CN118827126A - Method, device, equipment and computer storage medium for transmitting service request information - Google Patents


Info

Publication number: CN118827126A
Authority: CN (China)
Prior art keywords: additional verification information; information; verification information; preset; service request
Legal status: Granted
Application number: CN202410257057.3A
Other languages: Chinese (zh)
Other versions: CN118827126B (en)
Inventors: 洪超, 路明, 郝帅, 邹琼琼
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Anhui Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Anhui Co Ltd

Events
    • Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Anhui Co Ltd
    • Priority to CN202410257057.3A
    • Publication of CN118827126A
    • Application granted
    • Publication of CN118827126B
    • Legal status: Active
    • Anticipated expiration

Classifications

All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/1466: Countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L 63/14, detecting or protecting against malicious traffic)
    • H04L 63/123: Applying verification of the received data contents, e.g. message integrity
    • H04L 9/06: Encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L 9/0869: Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L 9/3297: Means for verifying the identity or authority of a user or for message authentication, involving time stamps, e.g. generation of time stamps
    • H04L 9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a method, device, equipment and computer storage medium for transmitting service request information. The method is applied to a gateway and includes: receiving first service request information sent by a target device, the first service request information including target additional verification information and second service request information; decrypting the target additional verification information with a preset decryption algorithm to obtain a first timestamp, and taking a second timestamp when decryption completes; and, when the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information, sending the second service request information to the target server. Because the timestamp is encrypted, an attacker cannot modify it; and because the target additional verification information is verified twice (against the time window and against the stored information), no repeated service request information reaches the server, that is, no replay attack occurs.

Description

Transmission method, device and equipment of service request information and computer storage medium
Technical Field
The application belongs to the field of cloud computing, big data and edge computing, and in particular relates to a method, device and equipment for transmitting service request information, and a computer storage medium.
Background
As internet active-defence technology has improved, traditional attack means (such as exploiting security vulnerabilities and credential stuffing) have gradually declined, and a new generation of network security risks appears in more covert forms that are harder to identify. Among these, the replay attack is one of the most covert. In a replay attack, an attacker captures service request information by network sniffing or other means and repeatedly sends it to the server, disrupting the service state on the server and thereby achieving the attack's goal.
In the prior art, to counter replay attacks, a client adds a timestamp to the service request information before transmitting it, an authentication end verifies the information by means of the added timestamp, and the server processes only the information that passes verification.
However, with this approach an attacker can still modify the timestamp attached to the service request information so that the authentication end cannot distinguish the repeated information from fresh information, and then send the repeated information to the server; that is, a replay attack still occurs.
Disclosure of Invention
The embodiments of the present application provide a method, device, equipment and computer storage medium for transmitting service request information. The gateway receives an encrypted timestamp sent by the target device, decrypts it and verifies the decrypted timestamp; since the timestamp is encrypted, an attacker cannot modify it. The target additional verification information of the service request information is verified twice: the gateway forwards the service request information sent by the target device to the target server only when the interval between the timestamp at which the target device received the request information and the timestamp at which the gateway completed decryption is shorter than a first preset value, and the additional verification information of the service request information is inconsistent with the pre-stored additional verification information. Repeated service request information therefore cannot enter the server, and a replay attack cannot occur.
In a first aspect, an embodiment of the present application provides a method for transmitting service request information, which is applied to a gateway, and includes:
receiving first service request information sent by a target device, wherein the first service request information comprises target additional verification information and second service request information, the target additional verification information is obtained by the target device encrypting a first timestamp with a preset encryption algorithm, and the first timestamp is the time at which the target device received the second service request information;
decrypting the target additional verification information with a preset decryption algorithm to obtain the first timestamp, and obtaining a second timestamp when decryption is completed; and
sending the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information.
In one possible implementation, the target additional verification information comprises a random factor, first additional verification information and second additional verification information, the second additional verification information comprises m second characters, and decrypting the target additional verification information with the preset decryption algorithm to obtain the first timestamp comprises:
matching each of the m second characters against the preset characters in a secret key stored in the gateway to determine the sequence numbers of the m second characters, wherein the secret key comprises preset characters and the sequence number corresponding to each preset character, and m is a positive integer;
determining initial additional verification information from the sequence numbers of the m second characters, the random factor and the first additional verification information according to first preset relation information, wherein the first preset relation information relates preset sequence numbers of second characters, preset random factors, preset first additional verification information and preset initial additional verification information; the preset sequence numbers of second characters include the sequence numbers of the second characters, the preset random factors include the random factor, the preset first additional verification information includes the first additional verification information, and the preset initial additional verification information includes the initial additional verification information; and
splitting the initial additional verification information according to preset combination information to obtain the first timestamp.
In one possible implementation, the random factor comprises m+1 first characters, and determining the initial additional verification information from the sequence numbers of the m second characters, the random factor and the first additional verification information according to the first preset relation information comprises:
determining the m-th third additional verification information from the (m+1)-th first character and the first additional verification information according to the first preset relation information;
determining the (m-1)-th third additional verification information from the sequence number of the m-th second character, the m-th first character and the m-th third additional verification information according to the first preset relation information; and
once the first third additional verification information has been determined, determining the initial additional verification information from the sequence number of the first second character, the first first character and the first third additional verification information according to the first preset relation information.
In one possible implementation, before sending the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than the first preset value and the target additional verification information is inconsistent with the additional verification information in the cache module, the method further comprises:
calculating the difference between the first timestamp and the second timestamp;
checking whether the difference is smaller than the first preset value to obtain a check result; and
when the difference between the first timestamp and the second timestamp is smaller than the first preset value, checking whether the target additional verification information is inconsistent with the additional verification information in the cache module.
In one possible implementation embodiment, the method further includes:
And storing the target additional verification information under the condition that the target additional verification information is inconsistent with the pre-stored additional verification information.
In a second aspect, an embodiment of the present application provides a method for transmitting service request information, which is applied to a target device, and includes:
Under the condition of receiving the second service request information, acquiring a first time stamp of the received second service request information;
encrypting the first timestamp by using a preset encryption algorithm to obtain target additional verification information;
sending first service request information to the gateway, wherein the first service request information comprises the target additional verification information and the second service request information, and is used by the gateway to decrypt the target additional verification information with a preset decryption algorithm to obtain the first timestamp, obtain a second timestamp when decryption is completed, and send the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information.
In one possible implementation, encrypting the first timestamp with the preset encryption algorithm to obtain the target additional verification information comprises:
acquiring a random number with a preset number of bits;
combining the random number with the preset number of bits and the first timestamp according to preset combination information to obtain initial additional verification information;
acquiring a first character from a secret key stored in the target device as the random factor, wherein the secret key comprises preset characters and the sequence number corresponding to each preset character, and the preset characters include the first character;
determining the first additional verification information and the sequence number of the second character from the initial additional verification information and the random factor according to first preset relation information, wherein the first preset relation information relates preset sequence numbers of second characters, preset random factors, preset first additional verification information and preset initial additional verification information; the preset sequence numbers of second characters include the sequence number of the second character, the preset random factors include the random factor, the preset first additional verification information includes the first additional verification information, and the preset initial additional verification information includes the initial additional verification information;
acquiring the second character corresponding to the sequence number of the second character from the secret key as the second additional verification information; and
combining the random factor, the first additional verification information and the second additional verification information to obtain the target additional verification information.
In one possible implementation, acquiring the first character from the secret key stored in the target device as the random factor comprises:
randomly acquiring a first target character from the secret key as the first first character of the random factor;
determining the sequence number of the n-th first character of the random factor from the initial additional verification information and the first character according to second preset relation information, wherein the second preset relation information relates preset initial additional verification information and preset first characters, the preset first characters include the first character, and n is a positive integer greater than 1; and
acquiring the first character corresponding to the sequence number of the n-th first character from the secret key as the n-th first character of the random factor.
In one possible implementation, determining the first additional verification information and the sequence numbers of the second characters from the initial additional verification information and the random factor according to the first preset relation information comprises:
determining the first third additional verification information and the sequence number of the first second character from the initial additional verification information and the first first character of the random factor according to the first preset relation information; and
determining the (m+1)-th third additional verification information and the sequence number of the (m+1)-th second character from the m-th third additional verification information and the (m+1)-th first character of the random factor according to the first preset relation information, and taking the (m+1)-th third additional verification information as the first additional verification information when the sequence number of the (m+1)-th second character equals a target value, wherein m is a positive integer and n is greater than or equal to m+1;
and acquiring the second character corresponding to the sequence number of the second character from the secret key as the second additional verification information comprises:
acquiring from the secret key the second characters corresponding to the sequence numbers of the first to m-th second characters as the second additional verification information.
In a third aspect, an embodiment of the present application provides a transmission device for service request information, which is applied to a gateway, and includes:
The receiving module is used for receiving first service request information sent by target equipment, wherein the first service request information comprises target additional verification information and second service request information, the target additional verification information is information obtained by encrypting a first time stamp by the target equipment by using a preset encryption algorithm, and the first time stamp is the time stamp of the second service request information received by the target equipment;
the decryption module is used for decrypting the target additional verification information by using a preset decryption algorithm to obtain a first time stamp and obtaining a second time stamp when decryption is completed;
And the sending module is used for sending the second service request information to the target server under the condition that the difference value between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information.
In a fourth aspect, an embodiment of the present application provides a transmission apparatus for service request information, which is applied to a target device, including:
The acquisition module is used for acquiring a first time stamp for receiving the second service request information under the condition of receiving the second service request information;
The encryption module is used for encrypting the first timestamp by using a preset encryption algorithm to obtain target additional verification information;
the sending module is used for sending first service request information to the gateway, wherein the first service request information comprises the target additional verification information and the second service request information, and is used by the gateway to decrypt the target additional verification information with a preset decryption algorithm to obtain the first timestamp, obtain a second timestamp when decryption is completed, and send the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information.
In a fifth aspect, an embodiment of the present application provides an electronic device, including:
A processor and a memory storing computer program instructions;
the processor executes the computer program instructions to implement the method for transmitting service request information according to any one of the above.
In a sixth aspect, an embodiment of the present application provides a computer storage medium, where computer program instructions are stored, where the computer program instructions, when executed by a processor, implement a method for transmitting service request information according to any one of the above.
In a seventh aspect, an embodiment of the present application provides a computer program product, where instructions in the computer program product, when executed by a processor of an electronic device, enable the electronic device to perform a method for transmitting service request information according to any one of the above.
The method, device, equipment and computer storage medium for transmitting service request information of the embodiments are applied to a gateway and comprise the following steps: receiving first service request information sent by a target device, wherein the first service request information comprises target additional verification information and second service request information; decrypting the target additional verification information with a preset decryption algorithm to obtain a first timestamp, and obtaining a second timestamp when decryption is completed; and sending the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information. The gateway thus receives and decrypts the encrypted timestamp sent by the target device and verifies the decrypted timestamp; since the timestamp is encrypted, an attacker cannot modify it. The target additional verification information is verified twice: the gateway forwards the service request information to the target server only when the interval between the timestamp at which the target device received the request information and the timestamp at which the gateway completed decryption is shorter than the first preset value, and the additional verification information is inconsistent with the pre-stored additional verification information. Repeated service request information therefore cannot enter the server, and a replay attack cannot occur.
Drawings
To illustrate the technical solution of the embodiments more clearly, the drawings needed for the embodiments are briefly described below; a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flow chart of a transmission method of service request information according to an embodiment of the present application;
Fig. 2 is a flow chart of a transmission method of service request information according to another embodiment of the present application;
Fig. 3 is a flow chart of a transmission method of service request information according to another embodiment of the present application;
Fig. 4 is a flow chart of a transmission method of service request information according to still another embodiment of the present application;
Fig. 5 is a flow chart of a transmission method of service request information according to still another embodiment of the present application;
Fig. 6 is a schematic structural diagram of a transmission device of service request information applied to a gateway according to still another embodiment of the present application;
Fig. 7 is a schematic structural diagram of a transmission apparatus for service request information applied to a target device according to still another embodiment of the present application;
Fig. 8 is a schematic structural diagram of an electronic device according to still another embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below, and in order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings and the detailed embodiments. It should be understood that the particular embodiments described herein are meant to be illustrative of the application only and not limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the application by showing examples of the application.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As internet active-defence technology has improved, traditional attack means (such as exploiting security vulnerabilities and credential stuffing) have gradually declined, and a new generation of network security risks appears in more covert forms that are harder to identify. Among these, the replay attack is one of the most covert. In a replay attack, an attacker captures service request information by network sniffing or other means and repeatedly sends it to the server, disrupting the service state on the server and thereby achieving the attack's goal.
In the prior art, to counter replay attacks, a client adds a timestamp to the service request information before transmitting it, an authentication end verifies the information by means of the added timestamp, and the server processes only the information that passes verification.
However, with this approach an attacker can still modify the timestamp attached to the service request information so that the authentication end cannot distinguish the repeated information from fresh information, and then send the repeated information to the server; that is, a replay attack still occurs.
In order to solve the problems in the prior art, the embodiment of the application provides a transmission method, a device, equipment and a computer storage medium of service request information. The following first describes a transmission method of service request information provided by the embodiment of the present application.
Fig. 1 is a flow chart illustrating a method for transmitting service request information according to an embodiment of the present application.
As shown in fig. 1, the method for transmitting service request information provided in the embodiment of the present application includes the following steps.
S110, when the target device receives second service request information, it obtains a first timestamp, namely the time at which it received the second service request information.
Here, the second service request information includes service request information entered by the user, and the target device may be a client.
As one example, the target device may receive the second service request information entered by the user through a target page.
In some embodiments, the target device includes an encryption encapsulation module. JavaScript code obtained in advance by the encryption encapsulation module intercepts the second service request information and obtains the first timestamp at which the target device received it.
As one example, the timestamp may have millisecond resolution. The first timestamp may be the number of milliseconds since midnight (zero o'clock) of the day on which the second service request information was received.
And S120, the target equipment encrypts the first timestamp by using a preset encryption algorithm to obtain additional verification information of the target.
Here, the preset encryption algorithm is set in advance.
In some embodiments, the target device may call a preset encryption algorithm through js code, and encrypt the first timestamp with the preset encryption algorithm to obtain the target additional verification information. It is understood that the target additional verification information is information obtained by encrypting the first time stamp.
In some embodiments, the code corresponding to the preset encryption algorithm may be compiled into WebAssembly binary code and stored on the target device in that form. This prevents exposure of the preset encryption algorithm and is compatible with current mainstream browsers.
S130, the target device sends first service request information to the gateway, wherein the first service request information comprises target additional verification information and second service request information.
Here, the target additional verification information is information obtained by encrypting the first time stamp. The second service request information is the service request information received by the target equipment.
In some embodiments, the target device packages the target additional verification information together with the second service request information and sends them to the gateway.
S140, the gateway decrypts the target additional verification information with a preset decryption algorithm to obtain the first timestamp, and obtains a second timestamp at the moment decryption is completed.
Here, the preset decryption algorithm is set in advance.
In some embodiments, after receiving the first service request information, the gateway decrypts the target additional verification information added to the second service request information by using a preset decryption algorithm to obtain the first timestamp. It should be noted that the preset encryption algorithm and the preset decryption algorithm are a pair of reversible encryption algorithms.
S150, the gateway sends the second service request information to the target server in the case that the difference between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information.
Here, the first preset value is set in advance. For example, the first preset value is 30 seconds. The pre-stored additional verification information is additional verification information received before the second timestamp.
In some embodiments, the gateway determines whether the second service request information is a replay attack. The gateway sends the second service request information to the target server only when the difference between the first timestamp and the second timestamp is smaller than the first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information. Specifically, if the interval between the timestamp at which the target device received the second service request information and the timestamp at which the gateway completed decryption is long, the second service request information may be service request information received a long time before, that is, repeated service request information; and if the target additional verification information is consistent with pre-stored additional verification information, the target additional verification information is itself repeated. The repeated second service request information is intercepted and judged to be a replay attack.
Thus, the encrypted timestamp sent by the target device is received and decrypted, and the decrypted timestamp is verified; an attacker cannot modify the encrypted timestamp. The target additional verification information of the service request information is verified twice: the gateway forwards the service request information sent by the target device to the target server only when the interval between the timestamp at which the target device received the request information and the timestamp at which the gateway completed decryption is shorter than the first preset value, and the additional verification information of the service request information is inconsistent with the pre-stored additional verification information. Repeated service request information therefore cannot reach the server, and no replay attack occurs.
Based on this, in some embodiments, as shown in fig. 2, S120 may specifically include:
S121, acquiring a random number with a preset number of bits.
Here, the preset number of bits is set in advance, for example two bits. The random number is a randomly generated number, and there may be at least one random number.
S122, combining the random number with the preset bit number and the first time stamp according to the preset combination information to obtain initial additional verification information.
Here, the preset combination information is set in advance. For example, the preset combination places a random number before and a random number after the first timestamp.
In some embodiments, the random number of the preset bit number and the first time stamp are combined to obtain initial additional verification information, and the regularity of the data is eliminated for the first time.
S123, acquiring a first character from a secret key stored in target equipment, wherein the secret key comprises a preset character and a serial number corresponding to the preset character as a random factor, and the preset character comprises the first character.
Here, the key is a string of non-repeating characters. For example, the key is a scrambled string composed of the 62 characters a-zA-Z0-9. The length of the string may be set in advance, and the user may lengthen or shorten it according to circumstances. Characters and sequence numbers correspond one to one.
In some embodiments, the random factor comprises at least one.
S124, determining the sequence numbers of the first additional verification information and the second character according to the initial additional verification information and the random factor and the first preset relation information, wherein the first preset relation information comprises the sequence numbers of the preset second character, the preset random factor, the relation information of the preset first additional verification information and the preset initial additional verification information, the sequence numbers of the preset second character comprise the sequence numbers of the second character, the preset random factor comprises the random factor, the preset first additional verification information comprises the first additional verification information, and the preset initial additional verification information comprises the initial additional verification information.
Here, the first preset relationship is set in advance.
In some embodiments, the first additional verification information and the sequence number of the second character are obtained by calculating according to the initial additional verification information and the random factor by using at least one first preset relation information.
As one example, the first preset relationship information is a division with remainder. The sequence numbers of the second characters and the first additional verification information are determined by repeatedly calculating the quotient and remainder of the initial additional verification information divided by the random factor: each remainder serves as the sequence number of a second character, and the quotient of the last calculation serves as the first additional verification information.
S125, obtaining a second character corresponding to the serial number of the second character from the secret key as second additional verification information.
In some embodiments, the sequence number of the at least one second character may be determined using the first predetermined relationship information. And respectively acquiring second characters corresponding to the serial numbers of the second characters from the secret key, and taking the second characters as second additional verification information.
S126, combining the random factor, the first additional verification information and the second additional verification information to obtain target additional verification information.
In some embodiments, the combination of the random factor, the first additional check information, and the second additional check information may be set in advance.
Thus, the obtained target additional verification information is fully encrypted information, and an attacker cannot change the information at will, so that the replay attack prevention capability is ensured, and the security of the timestamp added by the second service request is ensured.
Based on this, in some embodiments, the step S123 may specifically include:
the target device randomly acquires a first target character from the secret key, and the first target character is used as a first character of a random factor;
The target device determines the sequence number of an nth first character of the random factor according to the initial additional verification information and the first character and the second preset relation information, wherein the second preset relation information comprises relation information of preset initial additional verification information and preset first characters, the preset first characters comprise the first characters, and n is a positive integer larger than 1;
the target device obtains, from the key, the nth first character corresponding to the sequence number of the nth first character, and uses it as the nth first character of the random factor.
In some embodiments, in the first round of calculation, the second preset relationship information specifically includes relationship information between the initial additional verification information, the first character and the sequence number of the second first character. For example, the square of the initial additional verification information divided by the first character equals a first target value, and the remainder is the sequence number of the second first character. In the second round of calculation, the second preset relationship information specifically includes relationship information between the initial additional verification information, the second first character and the sequence number of the third first character, or between the first target value, the second first character and the sequence number of the third first character. For example, the square of the initial additional verification information divided by the second first character equals a second target value, and the remainder is the sequence number of the third first character; or the square of the first target value divided by the second first character equals the second target value, and the remainder is the sequence number of the third first character. The random factor is obtained by continuing in the same way.
Thus, the linear change of the encryption result is eliminated by using the changed random factor, and the security of the encryption process is increased.
Based on this, in some embodiments, as shown in fig. 3, the S124 may specifically include:
S210, the target device determines the first third additional verification information and the sequence number of the first second character from the first additional verification information and the first first character of the random factor according to the first preset relationship information;
S211, the target device determines the (m+1)th third additional verification information and the sequence number of the (m+1)th second character from the (m+1)th third additional verification information and the (m+1)th first character of the random factor according to the first preset relationship information, and determines the (m+1)th third additional verification information as the first additional verification information in the case that the sequence number of the (m+1)th second character is a target value, where m is a positive integer and n is greater than or equal to m+1;
the step S125 may specifically include:
the target device obtains second characters corresponding to the sequence numbers of the first to the mth second characters from the secret key respectively, and the second characters are used as second additional verification information.
In some embodiments, in the first round of calculation, the first preset relationship information may specifically include relationship information between the initial additional verification information, the first first character of the random factor, the first third additional verification information and the sequence number of the first second character; for example, the initial additional verification information divided by the first first character of the random factor equals the first third additional verification information, and the remainder is the sequence number of the first second character. In the second round of calculation, the first preset relationship information may specifically include relationship information between the first third additional verification information, the second first character of the random factor, the second third additional verification information and the sequence number of the second second character; for example, the first third additional verification information divided by the second first character of the random factor equals the second third additional verification information, and the remainder is the sequence number of the second second character. And so on, until the (m+1)th third additional verification information and the sequence number of the (m+1)th second character are obtained. In the case that the sequence number of the (m+1)th second character is the target value, the (m+1)th third additional verification information is determined as the first additional verification information. The second characters corresponding to the sequence numbers of the first to the mth second characters are respectively obtained from the key as the second additional verification information.
As one example, the target value here is 0.
Therefore, the first time stamp and the random number are encrypted by utilizing multiple rounds of calculation, so that the security of the time stamp is higher, and replay attack is more effectively prevented.
Based on this, in some embodiments, the target additional verification information includes a random factor, a first additional verification information, and a second additional verification information, where the second additional verification information includes m second characters, as shown in fig. 4, in S140, the gateway decrypts the target additional verification information by using a preset decryption algorithm to obtain a first timestamp, which may specifically include:
S141, the gateway respectively matches the m second characters with the preset characters in the key stored in the gateway to determine the sequence numbers of the m second characters, where the key includes the preset characters and the sequence numbers corresponding to them, and m is a positive integer;
S142, the gateway determines initial additional verification information according to the sequence numbers of m second characters, random factors and first additional verification information and first preset relation information, wherein the first preset relation information comprises the relation information of the sequence numbers of the preset second characters, the preset random factors, the preset first additional verification information and the preset initial additional verification information, the sequence numbers of the preset second characters comprise the sequence numbers of the second characters, the preset random factors comprise the random factors, the preset first additional verification information comprises the first additional verification information, and the preset initial additional verification information comprises the initial additional verification information;
S143, the gateway splits the initial additional verification information according to the preset combination information to obtain the first timestamp.
Here, the key stored in the gateway is the same as the key stored in the target device.
In some embodiments, the gateway splits the target additional verification information to obtain the random factor, the first additional verification information and the second additional verification information, the second additional verification information including m second characters. The m second characters are respectively matched with the preset characters in the key stored in the gateway to determine their sequence numbers. Reversing the encryption process, the initial additional verification information is determined from the sequence numbers of the m second characters, the random factor and the first additional verification information according to the first preset relationship information. The random number is then removed from the initial additional verification information to obtain the first timestamp.
In some embodiments, the second service request information is intercepted if decryption fails.
In this way, the restored first timestamp can be compared with the second timestamp, so that repeated second service requests are intercepted and the security of the server is guaranteed.
Based on this, in some embodiments, the random factor includes m+1 first characters, and S142 may specifically include:
The gateway determines the mth third additional verification information from the (m+1)th first character and the first additional verification information according to the first preset relationship information;
The gateway determines the (m-1)th third additional verification information from the sequence number of the mth second character, the mth first character and the mth third additional verification information according to the first preset relationship information;
In the case that the first third additional verification information is determined, the gateway determines the initial additional verification information from the sequence number of the first second character, the first first character and the first third additional verification information according to the first preset relationship information.
In some embodiments, the next round of calculation is performed according to the result obtained from the previous round of calculation, and in the case of determining the first third additional verification information, initial additional verification information is determined according to the first preset relationship information according to the serial number of the first second character, the first character and the first third additional verification information.
In some embodiments, if any of the rounds of computation fails, the second service request information is intercepted.
Therefore, the second service request information which does not accord with the target additional verification information in the calculation process is intercepted, the second service request information which is tried to attack is effectively prevented, and the safety of the server is ensured.
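The encryption of S121 to S126 and its reversal in S141 to S143 (including the S123 random-factor derivation and the round-by-round division of S124 and S142), as an added Python example; this is not code from the patent or from its applicants. Where the description leaves a choice open, the example assumes the following: the shared key is a constructed shuffled a-zA-Z0-9 string whose position is the sequence number; a character divides as its sequence number plus one, so every remainder is itself a valid sequence number; the two random "bits" are read as two decimal digits, the same pair placed before and after the timestamp; the next first character is derived from the square of the initial additional verification information modulo the current first character (the first alternative given in the description); and the token joins the random factor, the first additional verification information and the second characters with dots. The decoder additionally recomputes the random-factor chain and rejects a token that does not reproduce it; that consistency check is an addition of this example, not a step stated on the page.

```python
import secrets
from typing import Optional

# Constructed shared key (assumption): a shuffled a-zA-Z0-9 alphabet, 62 characters.
# Client and gateway hold the same string; a character's position is its sequence number.
KEY = "qW3eR7tY9uI1oP0aS2dF4gH6jK8lZ5xCvBnMmNbVcXzLkJhGfDsApOiUyTrEwQ"
assert len(KEY) == 62 and len(set(KEY)) == 62

RANDOM_DIGITS = 2   # the "preset number of bits" of S121, read here as decimal digits
TARGET_VALUE = 0    # the remainder that ends the division rounds (S211)


def seq(ch: str) -> int:
    """Sequence number of a key character; ValueError if the character is not in the key."""
    return KEY.index(ch)


def divisor(ch: str) -> int:
    """Assumption: a character divides as sequence number + 1 (range 1..62), so every
    remainder 0..61 is itself a valid sequence number of a second character."""
    return seq(ch) + 1


def combine(ts_ms: int, rnd: int) -> int:
    """S122: the same two-digit random number is placed before and after the timestamp."""
    if not 10 <= rnd <= 99 or ts_ms < 0:
        raise ValueError("random number must be two digits with no leading zero")
    return int(f"{rnd}{ts_ms}{rnd}")


def split(initial: int) -> Optional[int]:
    """S143: strip the random digits from both ends; None if the layout does not fit."""
    s = str(initial)
    if len(s) <= 2 * RANDOM_DIGITS or s[:RANDOM_DIGITS] != s[-RANDOM_DIGITS:]:
        return None
    return int(s[RANDOM_DIGITS:-RANDOM_DIGITS])


def encode(ts_ms: int, rnd: int, first_char: str) -> str:
    """S121 to S126 on the target device. Returns the target additional verification
    information as '<random factor>.<first additional info>.<second characters>'."""
    initial = combine(ts_ms, rnd)
    chars = [first_char]   # random factor: one first character per division round (S123)
    remainders = []        # sequence numbers of the second characters (S124)
    v = initial            # the current "third additional verification information"
    while True:
        q, r = divmod(v, divisor(chars[-1]))
        if r == TARGET_VALUE:          # S211: this quotient is the first additional info
            first_info = q
            break
        remainders.append(r)
        # S123: next first character from the square of the initial info modulo this character
        chars.append(KEY[(initial * initial) % divisor(chars[-1])])
        v = q
    second = "".join(KEY[r] for r in remainders)        # S125
    return f"{''.join(chars)}.{first_info}.{second}"    # S126


def make_token(ts_ms: int) -> str:
    """Client entry point: random two-digit number and random first character (S121, S123)."""
    return encode(ts_ms, secrets.randbelow(90) + 10, secrets.choice(KEY))


def decode(token: str) -> Optional[int]:
    """S141 to S143 on the gateway, undoing the rounds in reverse order (S142 sub-steps).
    Returns the first timestamp, or None when decryption fails (the request is then intercepted)."""
    try:
        rf, first_s, second = token.split(".")
        divisors = [divisor(c) for c in rf]       # m+1 first characters
        remainders = [seq(c) for c in second]     # S141: m second characters -> sequence numbers
        first_info = int(first_s)
    except ValueError:
        return None
    m = len(remainders)
    if len(divisors) != m + 1 or first_info < 0:
        return None
    v = first_info * divisors[m] + TARGET_VALUE   # mth third info from the (m+1)th first char
    for k in range(m - 1, -1, -1):                # ... back down to the initial additional info
        v = v * divisors[k] + remainders[k]
    # Added consistency check (not a step on the page): the transmitted random factor
    # must be the chain the client would have derived from this initial information.
    expected = [rf[0]] + [KEY[(v * v) % divisors[k]] for k in range(m)]
    if "".join(expected) != rf:
        return None
    return split(v)
```

`encode(5, 12, "7")` yields the token `7R.417.3` under the constructed key: 12512 divided by 6 gives quotient 2085 and remainder 2 (second character `3`), the next first character is `R`, and 2085 divided by 5 leaves remainder 0, so 417 becomes the first additional verification information. The decoder reverses those two rounds and strips the `12` from both ends. A token whose random factor, first additional verification information or second characters have been altered either fails the chain check or no longer splits into the random-number layout, so `decode` returns `None` and the gateway intercepts the request, as the description requires when decryption fails.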
Based on this, in some embodiments, as shown in fig. 5, before S150 described above, the method may further include:
S220, the gateway calculates the difference between the first timestamp and the second timestamp;
S221, the gateway checks whether the difference is smaller than the first preset value to obtain a check result;
S222, if the check result is that the difference between the first timestamp and the second timestamp is smaller than the first preset value, the gateway checks whether the target additional verification information is inconsistent with the additional verification information in the cache module.
In some embodiments, whether the request is a replay attack is first determined from the decrypted first timestamp. If the timestamp check fails, there is no need to judge whether the target additional verification information is inconsistent with the additional verification information in the cache module.
Thus, whether the decryption process and its result are abnormal is judged first, and only then whether the target additional verification information is inconsistent with the additional verification information in the cache module; this better ensures security and blocks replayed service request information, and because the cache comparison is performed only when needed, system resources are saved.
Based on this, in some embodiments, the method may further comprise:
And the gateway stores the target additional verification information under the condition that the target additional verification information is inconsistent with the pre-stored additional verification information.
In some embodiments, the gateway caches the target additional verification information. The target additional verification information may be deleted after the target duration.
Thus, additional verification information received later can be verified against it, and deleting it after the target duration reduces memory pressure.
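The gateway-side decision of S150 and S220 to S222 together with the cache storage just described, as an added Python example that is not the patent's own code. It takes the already decrypted first timestamp (None when decryption failed, which the description says leads to interception) and the received target additional verification information string, and assumes: timestamps are milliseconds since UTC midnight, the window is the 30 second first preset value, a cached entry lives for a constructed 60 second target duration, and the difference is measured around the midnight wrap in either direction so that a request received just before midnight, or a client clock slightly ahead of the gateway, is not rejected as stale. Those last two points are assumptions of this example, not statements of the page.

```python
from typing import Optional

MS_PER_DAY = 86_400_000
FIRST_PRESET_MS = 30_000      # the first preset value, 30 seconds (S150)
TARGET_DURATION_MS = 60_000   # constructed: how long a stored token is kept before deletion


class ReplayGate:
    """Gateway-side decision for one first service request (S140 to S150, S220 to S222)."""

    def __init__(self, window_ms: int = FIRST_PRESET_MS, ttl_ms: int = TARGET_DURATION_MS):
        self.window_ms = window_ms
        self.ttl_ms = ttl_ms
        self._seen = {}   # cache module: target additional verification info -> expiry (epoch ms)

    def _evict(self, now_ms: int) -> None:
        """Delete cached additional verification information once the target duration has passed."""
        for token in [t for t, exp in self._seen.items() if exp <= now_ms]:
            del self._seen[token]

    def check(self, token: str, first_ts: Optional[int], now_ms: int) -> str:
        """token: the target additional verification information as received;
        first_ts: the decrypted first timestamp (ms since UTC midnight), None if decryption failed;
        now_ms: epoch milliseconds at the moment decryption completed.
        Returns 'forward' or 'intercept:<reason>'."""
        if first_ts is None or not 0 <= first_ts < MS_PER_DAY:
            return "intercept:decrypt"           # decryption failed or produced nonsense
        second_ts = now_ms % MS_PER_DAY          # second timestamp: when decryption completed
        # S220/S221: difference between the two timestamps. Assumption: measured around the
        # midnight wrap in either direction, so a request received just before midnight or a
        # client clock slightly ahead of the gateway is not rejected as stale.
        diff = (second_ts - first_ts) % MS_PER_DAY
        diff = min(diff, MS_PER_DAY - diff)
        if diff >= self.window_ms:
            return "intercept:stale"             # S222 is skipped when the timestamp check fails
        self._evict(now_ms)
        if token in self._seen:                  # S222: same info already received -> replay
            return "intercept:replay"
        self._seen[token] = now_ms + self.ttl_ms   # store it so later duplicates are caught
        return "forward"                         # S150: pass the second service request on
```

The cache is keyed on the whole target additional verification information rather than on the timestamp alone, because two legitimate requests received in the same millisecond carry different random numbers and first characters and must both be forwarded, while an exact resend of one token must not. Eviction happens only after the timestamp check, so entries older than the window are never consulted and the cache stays bounded by the request rate times the target duration.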
In the embodiment provided by the application, a gateway is arranged between the target device and the target server under the ajax architecture of web development. The gateway receives all second service request information received by the target device and judges whether it is a replay attack; if so, it is intercepted, and if not, it is forwarded to the target server and the processing result of the target server is returned to the target device. Unauthorized calls can thus be effectively prevented, calls to the WASM code regardless of whether second service request information exists can be effectively prevented, and a simulator is prevented from calling directly to bypass verification.
In the embodiment provided by the application, a network security technique based on the ajax framework is realized, which follows the new trend of network development and has wide application prospects. With the encryption algorithm used, the implementation is easier, resource occupation smaller, scalability stronger and security higher while the effectiveness of defending against replay attacks is maintained. The system is oriented to the emerging ajax framework, is scalable, and has a life cycle that continues along with ajax.
In the embodiment provided by the application, the reversible encryption algorithm is flexible and scalable, and keys of different lengths can be adopted according to circumstances; the result of the encryption calculation is sufficiently random to resist brute-force cracking, so that security is effectively improved. The system can be designed on the stateless basis of http/https, does not need to remember request state, is not scenario-specific, and has a wide application range. The calculation is fast, does not require complex computation as RSA does, and can be implemented in a hardware gateway. The result produced after encryption, namely the target additional verification information (generally smaller than 8 bits), is not as large as the results of DES, 3DES, AES and RSA, which facilitates network transmission.
In the embodiment provided by the application, double verification based on the timestamp and the target additional verification information is realized. Because a time sequence is naturally non-repeating, protection without blind spots can be realized, security is improved, and neither missed detections nor false alarms occur. The gateway stores little data for a short time and occupies little memory, so it is more stable and can bear larger concurrent traffic.
In the embodiment provided by the application, the gateway can run independently or in the form of a module (such as lua, pipy, openPCS) of a gateway, providing flexibility and efficiency during system deployment.
Based on the transmission method of the service request information provided by the embodiment, correspondingly, the application also provides a specific implementation mode of the transmission device of the service request information. Please refer to the following examples.
Referring to fig. 6, a transmission device 300 for service request information provided by an embodiment of the present application is applied to a gateway, and includes:
A receiving module 310, configured to receive first service request information sent by a target device, where the first service request information includes target additional verification information and second service request information, the target additional verification information is information obtained by encrypting, by the target device, a first timestamp by using a preset encryption algorithm, where the first timestamp is a timestamp when the target device receives the second service request information;
The decryption module 320 is configured to decrypt the target additional verification information by using a preset decryption algorithm, obtain a first timestamp, and obtain a second timestamp when decryption is completed;
the sending module 330 is configured to send the second service request information to the target server when the difference between the first timestamp and the second timestamp is smaller than the first preset value and the target additional verification information is inconsistent with the pre-stored additional verification information.
Based on this, in some embodiments, the target additional verification information includes a random factor, first additional verification information, and second additional verification information, the second additional verification information including m second characters, the decryption module 320 may include:
The determining unit is used for respectively matching the m second characters with preset characters in the secret key stored in the gateway to determine the serial numbers of the m second characters, wherein the secret key comprises the preset characters and serial numbers corresponding to the preset characters, and m is a positive integer;
The determining unit is further configured to determine initial additional verification information according to the sequence numbers of the m second characters, the random factors and the first additional verification information and according to first preset relation information, where the first preset relation information includes relation information of preset sequence numbers of the second characters, preset random factors, preset first additional verification information and preset initial additional verification information, the sequence numbers of the preset second characters include the sequence numbers of the second characters, the preset random factors include the random factors, the preset first additional verification information includes the first additional verification information, and the preset initial additional verification information includes the initial additional verification information;
the determining unit is further configured to split the initial additional verification information according to preset combination information to obtain a first timestamp.
Based on this, in some embodiments, the random factor comprises m+1 first characters, the determining unit may be specifically configured to:
determining the mth third additional verification information from the (m+1)th first character and the first additional verification information according to the first preset relationship information;
determining the (m-1)th third additional verification information from the sequence number of the mth second character, the mth first character and the mth third additional verification information according to the first preset relationship information;
in the case that the first third additional verification information is determined, determining the initial additional verification information from the sequence number of the first second character, the first first character and the first third additional verification information according to the first preset relationship information.
Based on this, in some embodiments, the apparatus 300 may further include:
the calculating module is used for calculating the difference value between the first timestamp and the second timestamp before sending the second service request information to the target server under the condition that the difference value between the first timestamp and the second timestamp is smaller than a first preset value and the target additional verification information is inconsistent with the additional verification information in the cache module;
the verification module is used for verifying whether the difference value is smaller than a first preset value or not to obtain a verification result;
and the verification module is also used for verifying whether the target additional verification information is inconsistent with the additional verification information in the cache module or not under the condition that the difference value between the first time stamp and the second time stamp is smaller than a first preset value as a verification result.
Based on this, in some embodiments, the apparatus 300 may further include:
And the storage module is used for storing the target additional verification information under the condition that the target additional verification information is inconsistent with the pre-stored additional verification information.
Referring to fig. 7, a transmission apparatus 400 for service request information provided by an embodiment of the present application is applied to a target device and includes:
an obtaining module 410, configured to obtain, when second service request information is received, a first timestamp of receipt of the second service request information;
an encryption module 420, configured to encrypt the first timestamp with a preset encryption algorithm to obtain target additional verification information;
a sending module 430, configured to send first service request information to the gateway, where the first service request information includes the target additional verification information and the second service request information, so that the gateway decrypts the target additional verification information with a preset decryption algorithm to obtain the first timestamp, obtains a second timestamp when decryption is completed, and sends the second service request information to the target server when the difference between the first timestamp and the second timestamp is less than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information.
Based on this, in some embodiments, the encryption module 420 may include:
an acquisition sub-module, configured to acquire a random number with a preset number of digits;
a combination sub-module, configured to combine the random number with the preset number of digits and the first timestamp according to preset combination information to obtain initial additional verification information;
the acquisition sub-module is further configured to acquire a first character from a key stored in the target device as a random factor, where the key includes preset characters and the sequence numbers corresponding to the preset characters, and the preset characters include the first character;
a determining sub-module, configured to determine first additional verification information and the sequence number of a second character from the initial additional verification information and the random factor according to first preset relation information, where the first preset relation information includes relation information among preset second-character sequence numbers, preset random factors, preset first additional verification information and preset initial additional verification information; the preset second-character sequence numbers include the sequence number of the second character, the preset random factors include the random factor, the preset first additional verification information includes the first additional verification information, and the preset initial additional verification information includes the initial additional verification information;
the acquisition sub-module is further configured to acquire the second character corresponding to the sequence number of the second character from the key as second additional verification information;
the combination sub-module is further configured to combine the random factor, the first additional verification information and the second additional verification information to obtain the target additional verification information.
Based on this, in some embodiments, the acquisition sub-module may include:
an acquisition unit, configured to randomly acquire a first target character from the key as the first first character of the random factor;
a determining unit, configured to determine the sequence number of the n-th first character of the random factor from the initial additional verification information and the first first character according to second preset relation information, where the second preset relation information includes relation information between preset initial additional verification information and preset first characters, the preset first characters include the first character, and n is a positive integer greater than 1;
the acquisition unit is further configured to acquire the n-th first character corresponding to the sequence number of the n-th first character from the key as the n-th first character of the random factor.
Based on this, in some embodiments, the determining sub-module may include:
a determining unit, configured to determine the first third additional verification information and the sequence number of the first second character from the initial additional verification information and the first first character of the random factor according to the first preset relation information;
the determining unit is further configured to determine the (m+1)-th third additional verification information and the sequence number of the (m+1)-th second character from the m-th third additional verification information and the (m+1)-th first character of the random factor according to the first preset relation information, and to determine the (m+1)-th third additional verification information as the first additional verification information when the sequence number of the (m+1)-th second character is a target value, where m is a positive integer and n ≥ m+1;
the acquisition sub-module may be specifically configured to:
acquire, from the key, the second characters corresponding to the sequence numbers of the first to the m-th second characters, respectively, as the second additional verification information.
The modules of the transmission apparatus for service request information provided by the embodiment of the present application can implement the functions of the steps of the transmission method for service request information provided by the embodiment of the present application and achieve the corresponding technical effects; for brevity, they are not described again here.
Based on the same inventive concept, the embodiment of the application also provides electronic equipment.
Fig. 8 shows a schematic hardware structure of an electronic device according to an embodiment of the present application.
A processor 801 and a memory 802 storing computer program instructions may be included in an electronic device.
In particular, the processor 801 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement embodiments of the present application.
Memory 802 may include mass storage for data or instructions. By way of example, and not limitation, memory 802 may include a Hard Disk Drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, a magnetic tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 802 may include removable or non-removable (or fixed) media, where appropriate. Memory 802 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 802 is a non-volatile solid-state memory.
The memory may include Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software comprising computer-executable instructions, and when the software is executed (e.g., by one or more processors) it is operable to perform the operations described with reference to methods in accordance with aspects of the present disclosure.
The processor 801 implements the transmission method of the service request information of any one of the above embodiments by reading and executing the computer program instructions stored in the memory 802.
In one example, the electronic device may also include a communication interface 803 and a bus 810. As shown in fig. 8, the processor 801, the memory 802, and the communication interface 803 are connected to each other via a bus 810 and perform communication with each other.
Communication interface 803 is primarily used to implement communication between modules, devices, units, and/or apparatuses in an embodiment of the present application.
Bus 810 includes hardware, software, or both that couple the components of the electronic device to each other. By way of example, and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus, or a combination of two or more of these. Bus 810 may include one or more buses, where appropriate. Although embodiments of the application have been described and illustrated with respect to a particular bus, the application contemplates any suitable bus or interconnect. The electronic device can execute the transmission method of the service request information in the embodiment of the present application.
In addition, in combination with the transmission method of the service request information in the above embodiment, the embodiment of the present application may be implemented by providing a computer storage medium. The computer storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement a method of transmitting service request information in any of the above embodiments.
The application also provides a computer program product, wherein the instructions in the computer program product are executed by a processor of an electronic device, so that the electronic device executes various processes of the transmission method embodiment for realizing any one of the service request information.
It should be understood that the application is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method processes of the present application are not limited to the specific steps described and shown, but various changes, modifications and additions, or the order between steps may be made by those skilled in the art after appreciating the spirit of the present application.
The functional blocks shown in the above-described structural block diagrams may be implemented in hardware, software, firmware, or a combination thereof. When implemented in hardware, they may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), appropriate firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, Read-Only Memory (ROM), flash memory, Erasable Read-Only Memory (EROM), floppy disks, Compact Disc Read-Only Memory (CD-ROM), optical discs, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this disclosure describe some methods or systems based on a series of steps or devices. The present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, or may be performed in a different order from the order in the embodiments, or several steps may be performed simultaneously.
Aspects of the present disclosure are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to being, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware which performs the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the foregoing, only the specific embodiments of the present application are described, and it will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein. It should be understood that the scope of the present application is not limited thereto, and any equivalent modifications or substitutions can be easily made by those skilled in the art within the technical scope of the present application, and they should be included in the scope of the present application.

Claims (14)

1. A method for transmitting service request information, characterized in that it is applied to a gateway and comprises:
receiving first service request information sent by a target device, the first service request information comprising target additional verification information and second service request information, the target additional verification information being information obtained by the target device encrypting a first timestamp with a preset encryption algorithm, and the first timestamp being the timestamp at which the target device received the second service request information;
decrypting the target additional verification information with a preset decryption algorithm to obtain the first timestamp, and obtaining a second timestamp when decryption is completed;
when the difference between the first timestamp and the second timestamp is less than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information, sending the second service request information to a target server.
2. The method for transmitting service request information according to claim 1, characterized in that the target additional verification information comprises a random factor, first additional verification information and second additional verification information, the second additional verification information comprises m second characters, and decrypting the target additional verification information with the preset decryption algorithm to obtain the first timestamp comprises:
matching each of the m second characters against the preset characters of a key stored in the gateway to determine the sequence numbers of the m second characters, the key comprising preset characters and the sequence numbers corresponding to the preset characters, m being a positive integer;
determining initial additional verification information from the sequence numbers of the m second characters, the random factor and the first additional verification information according to first preset relation information, the first preset relation information comprising relation information among preset second-character sequence numbers, preset random factors, preset first additional verification information and preset initial additional verification information, where the preset second-character sequence numbers comprise the sequence numbers of the second characters, the preset random factors comprise the random factor, the preset first additional verification information comprises the first additional verification information, and the preset initial additional verification information comprises the initial additional verification information;
splitting the initial additional verification information according to preset combination information to obtain the first timestamp.
3. The method for transmitting service request information according to claim 2, characterized in that the random factor comprises m+1 first characters, and determining the initial additional verification information from the sequence numbers of the m second characters, the random factor and the first additional verification information according to the first preset relation information comprises:
determining the m-th third additional verification information from the (m+1)-th first character and the first additional verification information according to the first preset relation information;
determining the (m-1)-th third additional verification information from the sequence number of the m-th second character, the m-th first character and the m-th third additional verification information according to the first preset relation information;
once the first third additional verification information has been determined, determining the initial additional verification information from the sequence number of the first second character, the first first character and the first third additional verification information according to the first preset relation information.
4. The method for transmitting service request information according to claim 1, characterized in that, when the difference between the first timestamp and the second timestamp is less than the first preset value and the target additional verification information is inconsistent with the additional verification information in a cache module, before sending the second service request information to the target server the method further comprises:
calculating the difference between the first timestamp and the second timestamp;
verifying whether the difference is less than the first preset value to obtain a verification result;
when the verification result is that the difference between the first timestamp and the second timestamp is less than the first preset value, verifying whether the target additional verification information is inconsistent with the additional verification information in the cache module.
5. The method for transmitting service request information according to claim 4, further comprising:
when the target additional verification information is inconsistent with the pre-stored additional verification information, saving the target additional verification information.
6. A method for transmitting service request information, characterized in that it is applied to a target device and comprises:
when second service request information is received, obtaining a first timestamp of receipt of the second service request information;
encrypting the first timestamp with a preset encryption algorithm to obtain target additional verification information;
sending first service request information to a gateway, the first service request information comprising the target additional verification information and the second service request information, so that the gateway decrypts the target additional verification information with a preset decryption algorithm to obtain the first timestamp, obtains a second timestamp when decryption is completed, and sends the second service request information to a target server when the difference between the first timestamp and the second timestamp is less than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information.
7. The method for transmitting service request information according to claim 6, characterized in that encrypting the first timestamp with the preset encryption algorithm to obtain the target additional verification information comprises:
obtaining a random number with a preset number of digits;
combining the random number with the preset number of digits and the first timestamp according to preset combination information to obtain initial additional verification information;
obtaining a first character from a key stored in the target device as a random factor, the key comprising preset characters and the sequence numbers corresponding to the preset characters, the preset characters comprising the first character;
determining first additional verification information and the sequence number of a second character from the initial additional verification information and the random factor according to first preset relation information, the first preset relation information comprising relation information among preset second-character sequence numbers, preset random factors, preset first additional verification information and preset initial additional verification information, where the preset second-character sequence numbers comprise the sequence number of the second character, the preset random factors comprise the random factor, the preset first additional verification information comprises the first additional verification information, and the preset initial additional verification information comprises the initial additional verification information;
obtaining the second character corresponding to the sequence number of the second character from the key as second additional verification information;
combining the random factor, the first additional verification information and the second additional verification information to obtain the target additional verification information.
8. The method for transmitting service request information according to claim 7, characterized in that obtaining the first character from the key stored in the target device as the random factor comprises:
randomly obtaining a first target character from the key as the first first character of the random factor;
determining the sequence number of the n-th first character of the random factor from the initial additional verification information and the first first character according to second preset relation information, the second preset relation information comprising relation information between preset initial additional verification information and preset first characters, the preset first characters comprising the first character, and n being a positive integer greater than 1;
obtaining the n-th first character corresponding to the sequence number of the n-th first character from the key as the n-th first character of the random factor.
9. The method for transmitting service request information according to claim 8, characterized in that determining the first additional verification information and the sequence number of the second character from the initial additional verification information and the random factor according to the first preset relation information comprises:
determining the first third additional verification information and the sequence number of the first second character from the initial additional verification information and the first first character of the random factor according to the first preset relation information;
determining the (m+1)-th third additional verification information and the sequence number of the (m+1)-th second character from the m-th third additional verification information and the (m+1)-th first character of the random factor according to the first preset relation information, and, when the sequence number of the (m+1)-th second character is a target value, determining the (m+1)-th third additional verification information as the first additional verification information, where m is a positive integer and n ≥ m+1;
and obtaining the second character corresponding to the sequence number of the second character from the key as the second additional verification information comprises:
obtaining from the key the second characters corresponding to the sequence numbers of the first to the m-th second characters, respectively, as the second additional verification information.
10. A transmission apparatus for service request information, characterized in that it is applied to a gateway and comprises:
a receiving module, configured to receive first service request information sent by a target device, the first service request information comprising target additional verification information and second service request information, the target additional verification information being information obtained by the target device encrypting a first timestamp with a preset encryption algorithm, and the first timestamp being the timestamp at which the target device received the second service request information;
a decryption module, configured to decrypt the target additional verification information with a preset decryption algorithm to obtain the first timestamp, and to obtain a second timestamp when decryption is completed;
a sending module, configured to send the second service request information to a target server when the difference between the first timestamp and the second timestamp is less than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information.
11. A transmission apparatus for service request information, characterized in that it is applied to a target device and comprises:
an obtaining module, configured to obtain, when second service request information is received, a first timestamp of receipt of the second service request information;
an encryption module, configured to encrypt the first timestamp with a preset encryption algorithm to obtain target additional verification information;
a sending module, configured to send first service request information to a gateway, the first service request information comprising the target additional verification information and the second service request information, so that the gateway decrypts the target additional verification information with a preset decryption algorithm to obtain the first timestamp, obtains a second timestamp when decryption is completed, and sends the second service request information to a target server when the difference between the first timestamp and the second timestamp is less than a first preset value and the target additional verification information is inconsistent with pre-stored additional verification information.
12. An electronic device, characterized in that the device comprises a processor and a memory storing computer program instructions; when the processor executes the computer program instructions, the method for transmitting service request information according to any one of claims 1 to 5, or the method for transmitting service request information according to any one of claims 6 to 9, is implemented.
13. A computer-readable storage medium, characterized in that computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are executed by a processor, the method for transmitting service request information according to any one of claims 1 to 5, or the method for transmitting service request information according to any one of claims 6 to 9, is implemented.
14. A computer program product, characterized in that, when the instructions in the computer program product are executed by a processor of an electronic device, the electronic device is enabled to execute the method for transmitting service request information according to any one of claims 1 to 5, or the method for transmitting service request information according to any one of claims 6 to 9.
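The exchange described by the apparatus modules above and by claims 1 to 9, as an added example that is not part of the patent or its assignee's code: the target device combines a random number with the first timestamp T1 and wraps the result into the target additional verification information, and the gateway recovers T1, takes its own timestamp T2 at decryption time, and forwards the request only when T2 - T1 is under the first preset value and the token has not been seen before. The patent's key-table character substitution (random factor, first/second characters, preset relation information) is not specified on the page, so it is replaced here by an HMAC-derived keystream plus an HMAC tag; that construction, the shared key, the 5-second window, the six-digit nonce and the `ReplayGuard` cache are all assumptions made for this demonstration.

```python
"""Added example (not the patent's code): anti-replay check on service request information."""
import base64
import hashlib
import hmac
import os
import secrets
import struct
from typing import Dict, Optional, Tuple

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumed pre-shared device/gateway key
FRESHNESS_WINDOW_MS = 5_000                          # the page's "first preset value", chosen here
NONCE_DIGITS = 6                                     # the page's "random number with preset digits"
TAG_LEN = 16                                         # truncated HMAC-SHA256 tag (assumption)


def _keystream(key: bytes, random_factor: bytes, length: int) -> bytes:
    """Counter-mode HMAC keystream bound to the per-token random factor (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, random_factor + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_verification_info(key: bytes, t1_ms: int, nonce: Optional[int] = None) -> str:
    """Device side: combine nonce and T1 into the initial info, then encrypt-then-MAC it."""
    if nonce is None:
        nonce = secrets.randbelow(10 ** NONCE_DIGITS)
    # "preset combination information": fixed layout of NONCE_DIGITS digits + 13-digit ms timestamp
    initial = f"{nonce:0{NONCE_DIGITS}d}{t1_ms:013d}".encode()
    random_factor = os.urandom(8)                    # carried in clear, makes each token unique
    body = bytes(a ^ b for a, b in zip(initial, _keystream(key, random_factor, len(initial))))
    tag = hmac.new(key, random_factor + body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(random_factor + body + tag).decode()


def recover_t1(key: bytes, token: str) -> Optional[int]:
    """Gateway side: authenticate the token and recover T1; None if malformed or tampered."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < 8 + TAG_LEN + 1:
        return None
    random_factor, body, tag = raw[:8], raw[8:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, random_factor + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):       # constant-time check before touching the body
        return None
    initial = bytes(a ^ b for a, b in zip(body, _keystream(key, random_factor, len(body))))
    if len(initial) != NONCE_DIGITS + 13 or not initial.isdigit():
        return None
    return int(initial[NONCE_DIGITS:])               # split off the timestamp part


class ReplayGuard:
    """Gateway cache of accepted tokens (the page's 'pre-stored additional verification information')."""

    def __init__(self, key: bytes, window_ms: int = FRESHNESS_WINDOW_MS):
        self.key = key
        self.window_ms = window_ms
        self._seen: Dict[str, int] = {}              # token -> T1, kept only for one window

    def check(self, token: str, t2_ms: int) -> Tuple[bool, str]:
        """Return (forward?, reason); t2_ms is the gateway's clock when decryption completes."""
        t1 = recover_t1(self.key, token)
        if t1 is None:
            return False, "invalid"
        # Freshness first. abs() also rejects a future-dated T1; the page only speaks of
        # "the difference", so treating both directions as stale is a choice made here.
        if abs(t2_ms - t1) >= self.window_ms:
            return False, "stale"
        # Expired entries can never pass the freshness test again, so prune them and keep
        # the cache bounded to one window's worth of traffic.
        self._seen = {k: v for k, v in self._seen.items() if t2_ms - v < self.window_ms}
        if token in self._seen:
            return False, "replay"
        self._seen[token] = t1                       # store the accepted token (claim 5)
        return True, "forward"


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    t1 = 1_700_000_000_000
    token = make_verification_info(SHARED_KEY, t1)
    print(guard.check(token, t1 + 1_200))            # fresh, unseen -> forward
    print(guard.check(token, t1 + 1_500))            # same token again -> replay
    print(guard.check(token, t1 + 6_000))            # outside the window -> stale
```

Two points the code makes that the claims leave implicit: the tag is verified before the timestamp is parsed, so a modified token is rejected as "invalid" rather than reaching the freshness or cache checks, and the seen-token cache is pruned on every check so that the gateway only has to remember tokens that could still pass the window test.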
CN202410257057.3A 2024-03-06 2024-03-06 Transmission method, device and equipment of service request information and computer storage medium Active CN118827126B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410257057.3A CN118827126B (en) 2024-03-06 2024-03-06 Transmission method, device and equipment of service request information and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410257057.3A CN118827126B (en) 2024-03-06 2024-03-06 Transmission method, device and equipment of service request information and computer storage medium

Publications (2)

Publication Number Publication Date
CN118827126A true CN118827126A (en) 2024-10-22
CN118827126B CN118827126B (en) 2026-01-23

Family

ID=93084612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410257057.3A Active CN118827126B (en) 2024-03-06 2024-03-06 Transmission method, device and equipment of service request information and computer storage medium

Country Status (1)

Country Link
CN (1) CN118827126B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120029549A (en) * 2025-01-24 2025-05-23 无锡众星微系统技术有限公司 A command interaction method, storage controller card and interaction system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8392709B1 (en) * 2009-04-28 2013-03-05 Adobe Systems Incorporated System and method for a single request—single response protocol with mutual replay attack protection
WO2020155758A1 (en) * 2019-01-28 2020-08-06 平安科技(深圳)有限公司 Data encryption transmission control method and device, computer apparatus, and storage medium
CN112073188A (en) * 2020-08-31 2020-12-11 北京市商汤科技开发有限公司 Authentication method, device, equipment and computer readable storage medium
CN114499995A (en) * 2021-12-30 2022-05-13 中国电信股份有限公司 A method, apparatus and system for preventing replay attacks
CN114640524A (en) * 2022-03-18 2022-06-17 中国建设银行股份有限公司 Method, apparatus, device and medium for processing transaction replay attack
CN115065503A (en) * 2022-05-11 2022-09-16 浪潮云信息技术股份公司 Method for preventing replay attack of API gateway
CN116800446A (en) * 2022-03-18 2023-09-22 海信集团控股股份有限公司 A video encryption and decryption method and device
CN117240433A (en) * 2023-10-13 2023-12-15 杭州电子科技大学 An information sharing method and device based on proxy re-encryption
WO2024001654A1 (en) * 2022-06-30 2024-01-04 中兴通讯股份有限公司 Verification method, terminal device, network device and medium
CN119449272A (en) * 2024-10-11 2025-02-14 中广核工程有限公司 User authentication method, electronic device, and storage medium based on nuclear power Internet of Things

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8392709B1 (en) * 2009-04-28 2013-03-05 Adobe Systems Incorporated System and method for a single request—single response protocol with mutual replay attack protection
WO2020155758A1 (en) * 2019-01-28 2020-08-06 平安科技(深圳)有限公司 Data encryption transmission control method and device, computer apparatus, and storage medium
CN112073188A (en) * 2020-08-31 2020-12-11 北京市商汤科技开发有限公司 Authentication method, device, equipment and computer readable storage medium
US20220209951A1 (en) * 2020-08-31 2022-06-30 Beijing Sensetime Technology Development Co., Ltd. Authentication method, apparatus and device, and computer-readable storage medium
CN114499995A (en) * 2021-12-30 2022-05-13 中国电信股份有限公司 A method, apparatus and system for preventing replay attacks
CN114640524A (en) * 2022-03-18 2022-06-17 中国建设银行股份有限公司 Method, apparatus, device and medium for processing transaction replay attack
CN116800446A (en) * 2022-03-18 2023-09-22 海信集团控股股份有限公司 A video encryption and decryption method and device
CN115065503A (en) * 2022-05-11 2022-09-16 浪潮云信息技术股份公司 Method for preventing replay attack of API gateway
WO2024001654A1 (en) * 2022-06-30 2024-01-04 中兴通讯股份有限公司 Verification method, terminal device, network device and medium
CN117240433A (en) * 2023-10-13 2023-12-15 杭州电子科技大学 An information sharing method and device based on proxy re-encryption
CN119449272A (en) * 2024-10-11 2025-02-14 中广核工程有限公司 User authentication method, electronic device, and storage medium based on nuclear power Internet of Things

Also Published As

Publication number Publication date
CN118827126B (en) 2026-01-23

Similar Documents

Publication Publication Date Title
US12184770B2 (en) Apparatus and method for producing a message authentication code
EP3321837B1 (en) Method, apparatus and system for device identification
KR101387799B1 (en) Encryption method for message authentication
CN112115461B (en) Equipment authentication method and device, computer equipment and storage medium
Ronen et al. Pseudo constant time implementations of TLS are only pseudo secure
CN110059458B (en) User password encryption authentication method, device and system
CN111127015B (en) Transaction data processing method and device, trusted application and electronic device
CN109981285B (en) Password protection method, password verification method and system
KR101942030B1 (en) Electronic device for performing code-based encryption supporting integrity verification of a message and operating method thereof
US9847879B2 (en) Protection against passive sniffing
CN114389793B (en) Method, device, equipment and computer storage medium for verifying session key
CN113114654A (en) Terminal equipment access security authentication method, device and system
CN118827126B (en) Transmission method, device and equipment of service request information and computer storage medium
CN114499995B (en) Method, device and system for preventing replay attack
CN116455572B (en) Data encryption method, device and equipment
CN115567200A (en) http interface anti-brush method, system and related device
CN118200049A (en) A financial data encryption method, encryption device, equipment and medium
CN113411347B (en) Transaction message processing method and processing device
KR101974345B1 (en) Data communication apparatus for connected vehicle supporting secure communication between vehicles via digital signature and operating method thereof
CN112966289A (en) Information processing method and device, computer equipment and medium
CN119835041B (en) Information encryption methods, devices, electronic devices, storage media and software products
KR102894549B1 (en) Remote terminal unit that can encrypt data and transmit it to the central server through linking with an iot communication modem equipped with a true random number generator and the operating method thereof
CN115967574B (en) Data encryption method, management method, device, system, equipment and medium thereof
CN118821164B (en) Data processing method, device, equipment and computer readable storage medium
CN115174063B (en) Software license generation, verification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant