CN116074107A - Communication data transmission method and device, electronic equipment and storage medium - Google Patents
Communication data transmission method and device, electronic equipment and storage medium
- Publication number: CN116074107A
- Application number: CN202310126365.8A
- Authority: CN (China)
- Prior art keywords: information, service, ticket, user identity, user
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0869: Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication (under H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network security; H04L63/08—Authentication of entities)
- H04L63/0263: Rule management (under H04L63/02—Separating internal from external traffic, e.g. firewalls; H04L63/0227—Filtering policies)
- H04L63/08: Network security, authentication of entities
- H04L63/083: Network security, authentication of entities using passwords
Description
Technical field
The present invention relates to the field of communication technology, and more specifically to a communication data transmission method and device, an electronic device and a storage medium.
Background
Traditional application service security authentication mostly uses one-way authentication: when communication data is transmitted between a client and a server, the server only has to verify the data sent by the client and then returns the result to the client. Because the one-way authentication flow is relatively simple, the data transmission process carries many security risks, such as SQL (Structured Query Language) injection, web page tampering and buffer or stack attacks, which may even bring the service down so that the server can no longer serve users normally.
Therefore, how to improve the security and reliability of communication data transmission has become a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of this, the present invention discloses a communication data transmission method and device, an electronic device and a storage medium, so as to improve the security and reliability of communication data transmission.
A communication data transmission method, applied to a client, the method comprising:
sending a user identity verification request to an authentication server and recording a request timestamp, wherein the user identity verification request carries first user information;
obtaining the service ticket information that the authentication server returns when it determines, based on the user identity verification request and a Kerberos database, that user identity verification has passed, wherein the service ticket information comprises service grant ticket information and a session key for the client to interact with a ticket authentication server, and the service grant ticket information comprises second user information, a service grant ticket validity time and the return timestamp corresponding to the moment the service ticket information was returned;
decrypting the service ticket information with a client key to obtain the service grant ticket information and the session key;
calculating the time difference between the request timestamp and the return timestamp in the service grant ticket information;
when the time difference is less than a preset difference threshold, and the first user information is determined to be identical to the second user information in the service grant ticket information, determining that the service grant ticket information has passed verification;
sending the user identity verification request to the ticket authentication server based on the session key;
obtaining the network service resource access permission that the ticket authentication server returns when it determines, based on the user identity verification request, that user identity verification has passed;
based on the network service resource access permission, accessing network service resources within the validity time of the service grant ticket.
Optionally, accessing network service resources within the validity time of the service grant ticket based on the network service resource access permission comprises:
based on the network service resource access permission and within the validity time of the service grant ticket, performing a security check of the configured custom access rules using a Web firewall whitelist protection policy;
when the custom access rules pass the security check, allowing access to the network service resource.
Optionally, the Web firewall whitelist protection policy comprises a user access traffic information configuration policy, a user operation behaviour information configuration policy and a core sensitive information configuration policy.
Optionally, the method further comprises:
when the time difference is not less than the preset difference threshold, determining that the user identity verification request sent to the authentication server is forged;
sending the authentication server a notification that the user identity verification request is a forged request;
obtaining the user identity authentication failure information returned by the authentication server.
Optionally, the method further comprises:
obtaining the network service resource access-denied information that the ticket authentication server returns when it determines, based on the user identity verification request, that user identity verification has failed.
Optionally, the first user information comprises a user name, a user login password and the client IP address.
A communication data transmission device, applied to a client, the device comprising:
a first request sending unit, configured to send a user identity verification request to an authentication server and record a request timestamp, wherein the user identity verification request carries first user information;
an obtaining unit, configured to obtain the service ticket information that the authentication server returns when it determines, based on the user identity verification request and a Kerberos database, that user identity verification has passed, wherein the service ticket information comprises service grant ticket information and a session key for the client to interact with a ticket authentication server, and the service grant ticket information comprises second user information, a service grant ticket validity time and the return timestamp corresponding to the moment the service ticket information was returned;
a decryption unit, configured to decrypt the service ticket information with a client key to obtain the service grant ticket information and the session key;
a calculation unit, configured to calculate the time difference between the request timestamp and the return timestamp in the service grant ticket information;
a verification determination unit, configured to determine, when the time difference is less than a preset difference threshold and the first user information is determined to be identical to the second user information in the service grant ticket information, that the service grant ticket information has passed verification;
a second request sending unit, configured to send the user identity verification request to the ticket authentication server based on the session key;
an access permission obtaining unit, configured to obtain the network service resource access permission that the ticket authentication server returns when it determines, based on the user identity verification request, that user identity verification has passed;
an access unit, configured to access network service resources within the validity time of the service grant ticket, based on the network service resource access permission.
Optionally, the access unit is specifically configured to:
based on the network service resource access permission and within the validity time of the service grant ticket, perform a security check of the configured custom access rules using a Web firewall whitelist protection policy;
when the custom access rules pass the security check, allow access to the network service resource.
Optionally, the device further comprises:
a request determination unit, configured to determine, when the time difference is not less than the preset difference threshold, that the user identity verification request sent to the authentication server is forged;
a notification sending unit, configured to send the authentication server a notification that the user identity verification request is a forged request;
an authentication failure information obtaining unit, configured to obtain the user identity authentication failure information returned by the authentication server.
Optionally, the device further comprises:
an access-denied information obtaining unit, configured to obtain the network service resource access-denied information that the ticket authentication server returns when it determines, based on the user identity verification request, that user identity verification has failed.
An electronic device, comprising a memory and a processor;
the memory is configured to store at least one instruction;
the processor is configured to execute the at least one instruction to implement the communication data transmission method described above.
A computer-readable storage medium storing at least one instruction which, when executed by a processor, implements the communication data transmission method described above.
It can be seen from the above technical solution that the present invention discloses a communication data transmission method and device, an electronic device and a storage medium. The client sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service grant ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold, and the first user information is determined to be identical to the second user information in the service grant ticket information, the client determines that the service grant ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on that request, that user identity verification has passed, it returns a network service resource access permission to the client, so that the client can access network service resources within the validity time of the service grant ticket. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between client and server, so that the security and reliability of communication data transmission between client and server are greatly improved.
Description of the drawings
In order to explain more clearly the technical solutions in the embodiments of the present invention or in the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are merely embodiments of the present invention; those of ordinary skill in the art can derive other drawings from the disclosed drawings without creative effort.
FIG. 1 is a flowchart of a communication data transmission method disclosed in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a communication data transmission device disclosed in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present invention.
Detailed description
It should be noted that the communication data transmission method and device, electronic device and storage medium provided by the present invention can be used in the field of network security or in the financial field. The above is only an example and does not limit the fields of application of the communication data transmission method, device, electronic device and storage medium provided by the present invention.
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The embodiment of the present invention discloses a communication data transmission method and device, an electronic device and a storage medium. The client sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service grant ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold, and the first user information is determined to be identical to the second user information in the service grant ticket information, the client determines that the service grant ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on that request, that user identity verification has passed, it returns a network service resource access permission to the client, so that the client can access network service resources within the validity time of the service grant ticket. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between client and server, so that the security and reliability of communication data transmission between client and server are greatly improved.
Referring to FIG. 1, a flowchart of a communication data transmission method disclosed in an embodiment of the present invention; the method is applied to a client and comprises:
Step S101: send a user identity verification request to the authentication server and record the request timestamp.
The user identity verification request carries first user information, which may include the user name, the user login password, the client IP address and the like.
The client verifies whether the user identity is valid by sending the user identity verification request carrying the first user information to the authentication server.
The request timestamp is the timestamp at which the client sends the user identity verification request to the authentication server.
Step S102: obtain the service ticket information that the authentication server returns when it determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed.
Kerberos is a computer network authorization protocol used to authenticate communications by secure means over an insecure network. It focuses on establishing the identities of both communicating parties, helping the client and the server verify whether each other's identity is valid, so that both ends of the communication can fully trust each other's identity.
The Kerberos database stores reference user information. After receiving the user identity verification request, the authentication server compares the first user information with the reference user information stored in the Kerberos database to determine whether the user identity is valid, and returns service ticket information to the client when user identity verification passes.
The service ticket information comprises service grant ticket information and a session key for the client to interact with the ticket authentication server.
The service grant ticket information comprises second user information, the service grant ticket validity time and the return timestamp corresponding to the moment the service ticket information was returned. The second user information includes the user name, the user login password, the user IP address and so on.
Step S103: decrypt the service ticket information with the client key to obtain the service grant ticket information and the session key.
Step S104: calculate the time difference between the request timestamp and the return timestamp in the service grant ticket information.
Step S105: when the time difference is less than the preset difference threshold, and the first user information is determined to be identical to the second user information in the service grant ticket information, determine that the service grant ticket information has passed verification.
The value of the preset difference threshold is chosen according to actual needs, for example 5 min; the present invention does not limit it.
In this embodiment, when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold, the first user information and the second user information are further compared to determine whether the service grant ticket is valid. When the first user information and the second user information are identical, the service grant ticket information is determined to have passed verification.
Step S106: send the user identity verification request to the ticket authentication server based on the session key.
Once the client has obtained the session key for interacting with the ticket authentication server and the service grant ticket information has passed verification, the client sends the user identity verification request to the ticket authentication server, which verifies the validity of the user identity once more by re-checking the user and the IP address in the service grant ticket.
Step S107: obtain the network service resource access permission that the ticket authentication server returns when it determines, based on the user identity verification request, that user identity verification has passed.
When the ticket authentication server determines that the user identity is valid, it returns a network service resource access permission to the client. The client may access network service resources only after receiving this access permission.
Step S108: based on the network service resource access permission, access network service resources within the validity time of the service grant ticket.
In summary, the present invention discloses a communication data transmission method: the client sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service grant ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold, and the first user information is determined to be identical to the second user information in the service grant ticket information, the client determines that the service grant ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on that request, that user identity verification has passed, it returns a network service resource access permission to the client, so that the client can access network service resources within the validity time of the service grant ticket. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between client and server, so that the security and reliability of communication data transmission between client and server are greatly improved.
The Kerberos security authentication system can serve the business scenarios of different transaction products, but it cannot by itself prevent replay attacks. To further improve the reliability and stability of the Kerberos security authentication system, the present invention adds a Web firewall whitelist protection policy after security authentication.
Therefore, to further optimise the above embodiment, step S108 may specifically comprise:
based on the network service resource access permission and within the validity time of the service grant ticket, performing a security check of the configured custom access rules using the Web firewall whitelist protection policy;
when the custom access rules pass the security check, allowing access to network service resources.
The Web firewall whitelist protection policy may comprise a user access traffic information configuration policy, a user operation behaviour information configuration policy and a core sensitive information configuration policy.
By adopting the Web firewall whitelist protection policy and hardening user access traffic monitoring, user operation monitoring and the monitoring of core business data, the present invention further improves the reliability and stability of security authentication.
In summary, by combining Kerberos security authentication with a Web firewall whitelist protection policy, the present invention not only verifies the validity of the user identity but also effectively monitors network service resources, prevents the system from being maliciously attacked, and improves the security and reliability of communication data transmission between client and server.
为进一步优化上述实施例,传输方法还可以包括:In order to further optimize the above embodiment, the transmission method may also include:
当时间差值不小于预设差值阈值时,确定向认证服务器发送的用户身份验证请求是伪造的;When the time difference is not less than the preset difference threshold, it is determined that the user identity verification request sent to the authentication server is forged;
向认证服务器发送用户身份验证请求为伪造请求的提示信息;Send a prompt message to the authentication server that the user authentication request is a forged request;
获取认证服务器返回的用户身份认证失败信息。Obtain the user identity authentication failure information returned by the authentication server.
本发明中若客户端确定请求时间戳与返回时间戳之间的时间差值不小于预设差值阈值时,确定认证服务器接收到用户身份验证请求是伪造的,此时会向认证服务器发送用户身份验证请求为伪造请求的提示信息,认证服务器在接收到伪造请求的提示信息后,向客户端返回的用户身份认证失败信息。In the present invention, if the client determines that the time difference between the request timestamp and the returned timestamp is not less than the preset difference threshold, it is determined that the authentication server receives the user identity verification request is forged, and at this time it will send the user authentication request to the authentication server. The identity verification request is the prompt information of the forged request, and the authentication server returns user identity authentication failure information to the client after receiving the prompt information of the forged request.
为进一步优化上述实施例,传输方法还可以包括:In order to further optimize the above embodiment, the transmission method may also include:
获取票据认证服务器基于用户身份验证请求确定用户身份验证失败时返回的网络服务资源禁止访问信息。Obtaining the network service resource access prohibition information returned when the ticket authentication server determines that the user authentication fails based on the user authentication request.
本发明中客户端只有在接收到网络服务资源访问许可后才可以访问网络服务资源,若客户端接收到票据认证服务器返回的网络服务资源禁止访问信息时,客户端将无法访问网络服务资源。In the present invention, the client can only access the network service resource after receiving the access permission of the network service resource. If the client receives the network service resource prohibition information returned by the bill authentication server, the client cannot access the network service resource.
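The client-side checks described above (decrypt the service ticket information with the client key, compare the request and return timestamps against the preset difference threshold, compare the first and second user information, and treat a threshold violation as a forged request) as an added Python example; this is illustration code, not code from the patent. The Kerberos database, the threshold value of 300 seconds, the principal names and the session key are constructed, and the "sealing" of the ticket information under the client key is modelled with an HMAC-SHA256 tag so the example runs offline; a real deployment would use a Kerberos encryption type that also provides confidentiality.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumed threshold: the patent only says "preset difference threshold" (seconds).
PRESET_DIFF_THRESHOLD = 300

# Stand-in for the Kerberos database: principal -> long-term client key (constructed).
KERBEROS_DB = {
    "alice@EXAMPLE.REALM": hashlib.sha256(b"alice-password-constructed").digest(),
}


def seal(key: bytes, payload: dict) -> bytes:
    """Stand-in for encryption under the client key: HMAC-SHA256 tag || JSON body.
    Only integrity is modelled here, which is what the timestamp/user checks rely on."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); rejects any blob whose tag does not verify under the client key."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("service ticket information failed integrity check")
    return json.loads(body)


def authentication_server(request: dict, now: int, session_key_hex: str) -> Optional[bytes]:
    """Authentication server side: look the principal up in the Kerberos database and,
    if it is known, return service ticket information sealed under the client key.
    Returns None when the user is unknown (identity verification failed)."""
    key = KERBEROS_DB.get(request["user_info"])
    if key is None:
        return None
    service_ticket_info = {
        "service_granting_ticket": {
            "second_user_info": request["user_info"],   # copied from the request
            "valid_for": 3600,                          # ticket validity time (constructed)
            "return_timestamp": now,                    # timestamp of this reply
        },
        "session_key": session_key_hex,                 # client <-> ticket server key
    }
    return seal(key, service_ticket_info)


def verify_service_ticket(client_key: bytes, blob: bytes, first_user_info: str,
                          request_timestamp: int,
                          threshold: int = PRESET_DIFF_THRESHOLD) -> Tuple[str, Optional[str]]:
    """Client side. Returns (verdict, session_key_hex); the session key is only released
    when the ticket information passes every check."""
    try:
        info = unseal(client_key, blob)
    except ValueError:
        return "integrity_failed", None
    sgt = info["service_granting_ticket"]
    time_difference = abs(sgt["return_timestamp"] - request_timestamp)
    if time_difference >= threshold:
        # Not less than the threshold: the request is treated as forged. The client
        # would now report the forged request and expect an authentication failure.
        return "forged", None
    if sgt["second_user_info"] != first_user_info:
        return "user_mismatch", None
    return "verified", info["session_key"]


if __name__ == "__main__":
    user = "alice@EXAMPLE.REALM"
    request_ts = 1_700_000_000                      # recorded when the request is sent
    reply = authentication_server({"user_info": user}, request_ts + 2, "aa" * 16)
    print(verify_service_ticket(KERBEROS_DB[user], reply, user, request_ts))
```

The verdict order matters: the integrity check runs before anything inside the ticket is trusted, the timestamp window is checked before the user comparison, and only a fully verified ticket yields the session key used for the next exchange with the ticket authentication server.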
Corresponding to the above method embodiment, the present invention also discloses a communication data transmission device.
Referring to FIG. 2, which is a schematic structural diagram of a communication data transmission device disclosed in an embodiment of the present invention, the device is applied to a client and includes:
a first request sending unit 201, configured to send a user identity verification request to the authentication server and record the request timestamp.
The user identity verification request carries the first user information.
The client verifies whether the user identity is valid by sending the user identity verification request carrying the first user information to the authentication server.
The request timestamp is the timestamp at which the client sends the user identity verification request to the authentication server.
an acquiring unit 202, configured to acquire the service ticket information returned by the authentication server when it determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed.
The service ticket information includes service-granting ticket information and a session key for interaction between the client and the ticket authentication server; the service-granting ticket information includes second user information, the service-granting ticket validity time, and the return timestamp corresponding to the time at which the service ticket information was returned.
a decryption unit 203, configured to decrypt the service ticket information with the client key to obtain the service-granting ticket information and the session key.
a calculation unit 204, configured to calculate the time difference between the request timestamp and the return timestamp in the service-granting ticket information.
a verification determining unit 205, configured to determine that the service-granting ticket information has passed verification when the time difference is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information.
a second request sending unit 206, configured to send the user identity verification request to the ticket authentication server based on the session key.
After the client has obtained the session key for interaction with the ticket authentication server and the service-granting ticket information has passed verification, the client sends the user identity verification request to the ticket authentication server, which verifies the validity of the user identity again by re-checking the user and the IP address of the service-granting ticket.
an access permission acquiring unit 207, configured to acquire the network service resource access permission returned by the ticket authentication server when it determines, based on the user identity verification request, that user identity verification has passed.
When the ticket authentication server determines that the user identity is valid, it returns the network service resource access permission to the client. The client can access the network service resource only after receiving the network service resource access permission.
an access unit 208, configured to access the network service resource within the service-granting ticket validity time based on the network service resource access permission.
In summary, the present invention discloses a communication data transmission device: the client sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service-granting ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information, the client determines that the service-granting ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on the user identity verification request, that user identity verification has passed, it returns the network service resource access permission to the client so that the client can access the network service resource within the service-granting ticket validity time. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between the client and the server, thereby greatly improving the security and reliability of communication data transmission between the client and the server.
To further optimize the above embodiment, the access unit 208 may specifically be configured to:
based on the network service resource access permission and within the service-granting ticket validity time, perform a security check on the configured custom access rules using the Web firewall whitelist protection strategy;
when the custom access rules pass the security check, allow access to the network service resource.
To further optimize the above embodiment, the transmission device may further include:
a request determining unit, configured to determine that the user identity verification request sent to the authentication server is forged when the time difference is not less than the preset difference threshold;
a prompt information sending unit, configured to send to the authentication server prompt information indicating that the user identity verification request is a forged request;
an authentication failure information acquiring unit, configured to acquire the user identity authentication failure information returned by the authentication server.
To further optimize the above embodiment, the transmission device may further include:
an access prohibition information acquiring unit, configured to acquire the network service resource access prohibition information returned by the ticket authentication server when it determines, based on the user identity verification request, that user identity verification has failed.
It should be noted that, for the specific working principle of each component in the device embodiment, reference may be made to the corresponding part of the method embodiment, which is not repeated here.
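The access-unit behaviour just described (access permission present, request inside the service-granting ticket validity time, and the custom access rule checked against a Web firewall whitelist before any access is allowed) as an added Python example; this is illustration code, not the patent's implementation. The whitelist entries, rule shape (source CIDR, HTTP method, path prefix), principal name and timestamps are constructed. The check goes beyond the text in one way: a custom rule passes only if everything it would admit is already admitted by some whitelist entry, so an over-broad custom rule cannot widen the whitelist.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """A custom access rule as a (source network, method, path prefix) triple (assumed shape)."""
    source_cidr: str     # e.g. "10.20.5.0/24"
    method: str          # HTTP method
    path_prefix: str     # e.g. "/api/orders/"


@dataclass(frozen=True)
class AccessPermission:
    """Network service resource access permission, carrying the ticket validity window."""
    user: str
    issued_at: int       # epoch seconds, from the service-granting ticket
    valid_for: int       # service-granting ticket validity time in seconds


# Constructed Web firewall whitelist: anything not covered by an entry is denied.
WAF_WHITELIST = (
    AccessRule("10.0.0.0/8", "GET", "/api/"),
    AccessRule("10.20.0.0/16", "POST", "/api/orders/"),
)


def rule_covered_by_whitelist(rule: AccessRule, whitelist=WAF_WHITELIST) -> bool:
    """Security check of a custom rule: its network must be a subnet of a whitelisted
    network, with the same method and a path prefix at least as narrow."""
    net = ipaddress.ip_network(rule.source_cidr, strict=False)
    for entry in whitelist:
        allowed_net = ipaddress.ip_network(entry.source_cidr, strict=False)
        if (net.version == allowed_net.version and net.subnet_of(allowed_net)
                and rule.method == entry.method
                and rule.path_prefix.startswith(entry.path_prefix)):
            return True
    return False


def request_matches_rule(rule: AccessRule, source_ip: str, method: str, path: str) -> bool:
    """Does a concrete request fall inside the custom rule?"""
    return (ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.source_cidr, strict=False)
            and method == rule.method
            and path.startswith(rule.path_prefix))


def check_access(permission: Optional[AccessPermission], rule: AccessRule,
                 source_ip: str, method: str, path: str, now: int) -> Tuple[bool, str]:
    """Access unit: deny unless every condition holds; the reason string aids logging."""
    if permission is None:
        return False, "no_access_permission"
    if not (permission.issued_at <= now < permission.issued_at + permission.valid_for):
        return False, "ticket_validity_time_exceeded"
    if not rule_covered_by_whitelist(rule):
        return False, "custom_rule_failed_whitelist_check"
    if not request_matches_rule(rule, source_ip, method, path):
        return False, "request_outside_custom_rule"
    return True, "allowed"


if __name__ == "__main__":
    permission = AccessPermission("alice@EXAMPLE.REALM", 1_700_000_000, 3600)
    rule = AccessRule("10.20.5.0/24", "POST", "/api/orders/")
    print(check_access(permission, rule, "10.20.5.17", "POST", "/api/orders/42", 1_700_000_100))
```

Checking the validity window before the rule means an expired ticket is refused even when the rule and request are fine, which matches the text's ordering: permission and validity first, whitelist check second, access last.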
Corresponding to the above embodiments, as shown in FIG. 3, the present invention also discloses an electronic device, which may include: a processor 1 and a memory 2;
the processor 1 and the memory 2 communicate with each other through a communication bus 3;
the processor 1 is configured to execute at least one instruction;
the memory 2 is configured to store the at least one instruction;
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 2 may include high-speed RAM and may also include non-volatile memory, for example at least one disk storage.
The processor executes the at least one instruction to implement the following functions:
sending a user identity verification request to the authentication server and recording the request timestamp, wherein the user identity verification request carries first user information;
obtaining the service ticket information returned by the authentication server when it determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, wherein the service ticket information includes service-granting ticket information and a session key for interaction between the client and the ticket authentication server, and the service-granting ticket information includes second user information, the service-granting ticket validity time, and the return timestamp corresponding to the time at which the service ticket information was returned;
decrypting the service ticket information with the client key to obtain the service-granting ticket information and the session key;
calculating the time difference between the request timestamp and the return timestamp in the service-granting ticket information;
when the time difference is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information, determining that the service-granting ticket information has passed verification;
sending the user identity verification request to the ticket authentication server based on the session key;
obtaining the network service resource access permission returned by the ticket authentication server when it determines, based on the user identity verification request, that user identity verification has passed;
based on the network service resource access permission, accessing the network service resource within the service-granting ticket validity time.
In summary, the present invention discloses an electronic device: the electronic device sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service-granting ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information, the client determines that the service-granting ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on the user identity verification request, that user identity verification has passed, it returns the network service resource access permission to the client so that the client can access the network service resource within the service-granting ticket validity time. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between the client and the server, thereby greatly improving the security and reliability of communication data transmission between the client and the server.
Corresponding to the above embodiments, the present invention also discloses a computer-readable storage medium storing at least one instruction which, when executed by a processor, implements the following functions:
sending a user identity verification request to the authentication server and recording the request timestamp, wherein the user identity verification request carries first user information;
obtaining the service ticket information returned by the authentication server when it determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, wherein the service ticket information includes service-granting ticket information and a session key for interaction between the client and the ticket authentication server, and the service-granting ticket information includes second user information, the service-granting ticket validity time, and the return timestamp corresponding to the time at which the service ticket information was returned;
decrypting the service ticket information with the client key to obtain the service-granting ticket information and the session key;
calculating the time difference between the request timestamp and the return timestamp in the service-granting ticket information;
when the time difference is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information, determining that the service-granting ticket information has passed verification;
sending the user identity verification request to the ticket authentication server based on the session key;
obtaining the network service resource access permission returned by the ticket authentication server when it determines, based on the user identity verification request, that user identity verification has passed;
based on the network service resource access permission, accessing the network service resource within the service-granting ticket validity time.
In summary, the present invention discloses a computer-readable storage medium: the computer-readable storage medium sends a user identity verification request to the authentication server and records the request timestamp; when the authentication server determines, based on the user identity verification request and the Kerberos database, that user identity verification has passed, it returns service ticket information to the client; the client decrypts the service ticket information with the client key to obtain the service-granting ticket information and the session key; when the time difference between the request timestamp and the return timestamp is less than the preset difference threshold and the first user information is determined to be the same as the second user information in the service-granting ticket information, the client determines that the service-granting ticket information has passed verification and sends the user identity verification request to the ticket authentication server based on the session key; when the ticket authentication server determines, based on the user identity verification request, that user identity verification has passed, it returns the network service resource access permission to the client so that the client can access the network service resource within the service-granting ticket validity time. The present invention is based on the Kerberos security authentication system and, in addition to verifying the validity of the user identity, adopts a two-way security authentication strategy between the client and the server, thereby greatly improving the security and reliability of communication data transmission between the client and the server.
Finally, it should also be noted that in this text relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device comprising that element.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
The above description of the disclosed embodiments enables any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310126365.8A CN116074107A (en) | 2023-02-16 | 2023-02-16 | Communication data transmission method and device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116074107A true CN116074107A (en) | 2023-05-05 |
Family
ID=86169717
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310126365.8A Pending CN116074107A (en) | 2023-02-16 | 2023-02-16 | Communication data transmission method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116074107A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116707817A (en) * | 2023-05-17 | 2023-09-05 | 苏州浪潮智能科技有限公司 | Account authentication method, device, equipment and storage medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109587098A (en) * | 2017-09-29 | 2019-04-05 | 阿里巴巴集团控股有限公司 | A kind of Verification System and method, authorization server |
| CN111682936A (en) * | 2020-06-03 | 2020-09-18 | 金陵科技学院 | A Kerberos authentication system and method based on physical unclonable function |
- 2023-02-16: CN CN202310126365.8A patent/CN116074107A/en, active, Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20200236147A1 (en) | Brokered authentication with risk sharing | |
| JP5620374B2 (en) | Allow protected content for application sets | |
| EP1933522B1 (en) | Method and system for authentication | |
| RU2308755C2 (en) | System and method for providing access to protected services with one-time inputting of password | |
| CN108259438B (en) | Authentication method and device based on block chain technology | |
| US9166966B2 (en) | Apparatus and method for handling transaction tokens | |
| US7178163B2 (en) | Cross platform network authentication and authorization model | |
| US8572686B2 (en) | Method and apparatus for object transaction session validation | |
| US8806602B2 (en) | Apparatus and method for performing end-to-end encryption | |
| US8752157B2 (en) | Method and apparatus for third party session validation | |
| CN106302346A (en) | The safety certifying method of API Calls, device, system | |
| US8572690B2 (en) | Apparatus and method for performing session validation to access confidential resources | |
| US8572724B2 (en) | Method and apparatus for network session validation | |
| US8793773B2 (en) | System and method for providing reputation reciprocity with anonymous identities | |
| Guirat et al. | Formal verification of the W3C web authentication protocol | |
| CN118245988A (en) | Resource authorization method, device, medium and product for information management system | |
| WO2021073383A1 (en) | User registration method, user login method and corresponding device | |
| CN116074107A (en) | Communication data transmission method and device, electronic equipment and storage medium | |
| US20130047262A1 (en) | Method and Apparatus for Object Security Session Validation | |
| US8572688B2 (en) | Method and apparatus for session validation to access third party resources | |
| US8726340B2 (en) | Apparatus and method for expert decisioning | |
| Covington et al. | Attribute-based authentication model for dynamic mobile environments | |
| CN115643088A (en) | An authentication method and device | |
| US8572687B2 (en) | Apparatus and method for performing session validation | |
| CN101084664A (en) | Method and system for providing and utilizing a network trusted environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |