CN116668130A - A protection method, system, server and storage medium for web interaction - Google Patents
Publication number: CN116668130A
Application number: CN202310653238.3A
Authority: CN (China)
Prior art keywords: target, credential information, client, information, server
Legal status: Pending (status as listed by Google Patents, which is an assumption and not a legal conclusion)
Classifications
- H04L63/0428: Network security; confidential data exchange among entities communicating through packet networks, the data content being protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442: As above, where the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/08: Network security for authentication of entities
- H04L63/205: Managing network security; negotiation or determination of the security mechanisms to be used, e.g. between client and server or by selection according to the capabilities of the entities involved
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L9/40: Network security protocols
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Storage Device Security
Abstract
The application discloses a protection method, system, server and storage medium for Web interaction. It relates to the technical field of information security and can improve the security of Web interaction. The specific solution includes: receiving a login request sent by a client, the login request including the unique identification information of the browser to be logged in and the credential information of the client, where the credential information indicates the credential with which the client is allowed to log in to the server; encrypting the unique identification information and the credential information to obtain target credential information; and sending the target credential information to the client, so that when the client subsequently logs in to the server it uses the target credential information to do so.
Description
Technical Field
The present application relates to the technical field of information security, and in particular to a protection method, system, server and storage medium for Web interaction.
Background Art
In current information exchange, the client/server interaction model has become the mainstream model and plays an extremely important role in modern information systems. With the development of the web, security issues surrounding forms and interface (API) requests in web interactions have become increasingly prominent, and research into form and interface security, together with the deployment of related products, has become an important matter for every network security effort.
However, faced with different business scenarios, application environments, varied deployments, different protection requirements and unique business scenarios, the traditional form and interface protection strategies for web interaction are inadequate. It is therefore necessary to strengthen the security protection of forms and interfaces.
Summary of the Invention
The present application provides a protection method, system, server and storage medium for Web interaction, which can improve the security of web interaction.
In order to achieve the above object, the application adopts the following technical solutions:
In a first aspect of the embodiments of the present application, a protection method for Web interaction is provided, characterised in that it is applied to a server, and the method includes:
receiving a login request sent by a client, the login request including the unique identification information of the browser to be logged in and the credential information of the client, where the credential information indicates the credential with which the client is allowed to log in to the server;
encrypting the unique identification information and the credential information to obtain target credential information;
sending the target credential information to the client, so that when the client subsequently logs in to the server it uses the target credential information to do so.
In one embodiment, encrypting the unique identification information and the credential information includes:
encrypting the unique identification information and the credential information using an asymmetric encryption method or an MD5 encryption method.
In one embodiment, after the target credential information is sent to the client, the method further includes:
receiving request information sent by the client, the request information including the target credential information and being used to request the corresponding interface information or form information;
executing the request information to obtain an execution result;
obtaining the target encryption method corresponding to the request information, encrypting the execution result according to the target encryption method and the target credential information to obtain a ciphertext result, and sending the ciphertext result to the client.
In one embodiment, the server pre-stores a mapping between different types of request information, importance levels and encryption levels, and pre-stores an association between encryption levels and encryption methods;
obtaining the target encryption method corresponding to the request information includes:
determining, according to the mapping, the target encryption level corresponding to the request information;
obtaining, according to the association, the target encryption method corresponding to the target encryption level.
In one embodiment, encrypting the execution result according to the target encryption method and the target credential information to obtain the ciphertext result includes:
generating an encryption function according to the encryption method and the target credential information, and encrypting the execution result with the encryption function to obtain the ciphertext result.
In one embodiment, the method further includes: the server also pre-stores a correspondence between encryption levels and obfuscation rules;
after the encryption function is generated according to the encryption method and the target credential information, the method further includes:
generating a decryption function corresponding to the encryption function;
obtaining, according to the correspondence, the target obfuscation rule corresponding to the target encryption level;
obfuscating the decryption function with the target obfuscation rule to obtain a target decryption function.
In one embodiment, after the target decryption function is obtained, the method further includes:
determining an obfuscation value using the target credential information and the target obfuscation rule;
sending the ciphertext result, the target decryption function and the obfuscation value to the client, so that after the client has determined the target obfuscation rule from the obfuscation value and the target credential information, it de-obfuscates the target decryption function with the target obfuscation rule to obtain the decryption function, and parses the ciphertext result with the decryption function to obtain the execution result.
In a second aspect of the embodiments of the present application, a protection system for Web interaction is provided; the system includes a server and a client;
the server is configured to receive a login request sent by the client, the login request including the unique identification information of the browser to be logged in and the credential information of the client, where the credential information indicates the credential with which the client is allowed to log in to the server;
the server is further configured to encrypt the unique identification information and the credential information to obtain target credential information, and to send the target credential information to the client;
the client is configured to use the target credential information when it subsequently logs in to the server.
In a third aspect of the embodiments of the present application, a server is provided, including a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the protection method for Web interaction of the first aspect.
In a fourth aspect of the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the protection method for Web interaction of the first aspect.
The beneficial effects brought by the technical solutions provided by the embodiments of the present application include at least the following:
The protection method for Web interaction provided by the embodiments of the present application is applied to a server. A login request sent by the client is received, the login request including the unique identification information of the browser to be logged in and the client's credential information, where the credential information indicates the credential with which the client is allowed to log in to the server; the unique identification information and the credential information are encrypted to obtain target credential information; and the target credential information is sent to the client so that it uses the target credential information when it subsequently logs in to the server. In the prior art, the client's credential information is used to log in from the browser, but that credential information is unrelated to the browser: once the credential information of a particular browser is obtained, forged requests can be issued by other means from another browser, or even without a browser at all, which is a security hazard. The present application instead regenerates target credential information by encrypting the unique identification information of the browser to be logged in together with the client's credential information. When the target credential information is later used to log in to the server, business interaction cannot be performed directly after a cross-browser login with the target credential, so security is higher, and the risk of logging in with browser A and then accessing directly with browser B or C is avoided.
Description of Drawings
FIG. 1 is a first flow chart of a protection method for Web interaction provided by an embodiment of the present application;
FIG. 2 is a second flow chart of a protection method for Web interaction provided by an embodiment of the present application;
FIG. 3 is a structural diagram of a protection system for Web interaction provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the internal structure of a server provided by an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the protection scope of this application.
Hereinafter, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance, or as implicitly specifying the number of the technical features indicated. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the embodiments of the present disclosure, unless otherwise specified, "a plurality of" means two or more.
In addition, the use of "based on" or "according to" is meant to be open and inclusive, because a process, step, calculation or other action "based on" or "according to" one or more conditions or values may, in practice, be based on additional conditions or values beyond those stated.
FIG. 1 is a flow chart of a protection method for Web interaction provided by an embodiment of the present application. The method is applied to a server and specifically includes the following steps:
Step 101: receive a login request sent by a client.
The login request includes the unique identification information of the browser to be logged in and the credential information of the client, where the credential information indicates the credential with which the client is allowed to log in to the server. The unique identification information of the browser may be a browser primitive.
Step 102: encrypt the unique identification information and the credential information to obtain target credential information.
The credential information may be the cookie carried by the client when it logs in. A cookie is a "small text file": data (usually encrypted) that some websites store on the user's local terminal in order to identify the user and track the session, and which the user's client computer keeps temporarily or permanently.
Optionally, the process of encrypting the unique identification information and the credential information may be: encrypt the unique identification information and the credential information using an asymmetric encryption method or an MD5 encryption method to obtain the target credential information.
Step 103: send the target credential information to the client, so that when the client subsequently logs in to the server it uses the target credential information to do so.
The protection method for Web interaction provided by the embodiments of the present application is applied to a server. A login request sent by the client is received, the login request including the unique identification information of the browser to be logged in and the client's credential information, where the credential information indicates the credential with which the client is allowed to log in to the server; the unique identification information and the credential information are encrypted to obtain target credential information; and the target credential information is sent to the client so that it uses the target credential information when it subsequently logs in to the server. In the prior art, the client's credential information is used to log in from the browser, but that credential information is unrelated to the browser: once the credential information of a particular browser is obtained, forged requests can be issued by other means from another browser, or even without a browser at all, which is a security hazard. The present application instead regenerates target credential information by encrypting the unique identification information of the browser to be logged in together with the client's credential information. When the target credential information is later used to log in to the server, business interaction cannot be performed directly after a cross-browser login with the target credential, so security is higher, and the risk of logging in with browser A and then accessing directly with browser B or C is avoided.
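The browser-binding step of steps 101 to 103 can be exercised with the following Python example. It is added here and is not code from the patent or its applicant. It assumes the browser's unique identifier is a client-supplied string, and it uses a keyed HMAC-SHA256 tag over a signed token in place of the asymmetric-encryption or MD5 options the text names (swapped in so that the server needs no per-session storage and so that the target credential cannot be recomputed by anyone without the server key). SERVER_KEY, issue_target_credential and verify_target_credential are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed: stands in for the server's private key and never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_target_credential(browser_id, cookie, key=SERVER_KEY):
    """Step 102: bind the client's credential (cookie) to the browser's unique identifier.
    The payload carries a hash of the browser id rather than the id itself; the HMAC tag
    is what only the server can produce or check."""
    payload = json.dumps(
        {"bid": hashlib.sha256(browser_id.encode()).hexdigest(), "cookie": cookie},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_target_credential(browser_id, target, key=SERVER_KEY):
    """Later login (step 103 onward): the client presents the target credential from the
    browser it is actually using. Returns the embedded cookie only if the token is
    authentic AND was issued to this browser; otherwise None."""
    try:
        payload_b64, tag_b64 = target.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:                       # malformed token, bad base64, etc.
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None                          # tampered or forged
    data = json.loads(payload)
    expected_bid = hashlib.sha256(browser_id.encode()).hexdigest()
    if not hmac.compare_digest(data["bid"], expected_bid):
        return None                          # presented from a different browser
    return data["cookie"]


if __name__ == "__main__":
    token = issue_target_credential("browser-A-uuid-0001", "session=abc123")
    print(verify_target_credential("browser-A-uuid-0001", token))   # session=abc123
    print(verify_target_credential("browser-B-uuid-0002", token))   # None
```

The second call shows the property the text claims: the same target credential presented together with a different browser identifier is rejected, so a copied credential alone does not open a session from browser B. The binding is only as strong as the secrecy of the browser identifier, so it complements TLS and the HttpOnly/Secure cookie attributes rather than replacing them.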
As shown in FIG. 2, after the target credential information is sent to the client in step 103, the method further includes:
Step 201: receive request information sent by the client, the request information including the target credential information and being used to request the corresponding interface information or form information.
It should be noted that after receiving the request information, the server checks the client's permissions to determine whether the current client is authorised to execute that request. If the permission check passes, step 203 is executed; if it does not pass, the server sends the client a prompt to the effect that the permission check failed and the current request cannot be executed.
Step 202: execute the request information to obtain an execution result.
The execution result can be understood as the result of the current request. At this point the execution result is plaintext.
Step 203: obtain the target encryption method corresponding to the request information, encrypt the execution result according to the target encryption method and the target credential information to obtain a ciphertext result, and send the ciphertext result to the client.
Here, the server pre-stores a mapping between different types of request information, importance levels and encryption levels, and pre-stores an association between encryption levels and encryption methods.
For example, if the requested interface belongs to core business, a request for that interface is judged to be of higher importance and is assigned the corresponding encryption level.
The process of obtaining the target encryption method corresponding to the request information may then be: determine, according to the mapping, the target encryption level corresponding to the request information; and obtain, according to the association, the target encryption method corresponding to that target encryption level. In this way, different encryption methods are used to encrypt and protect dynamically according to the importance of the requested interface or form, avoiding the security hazard of static encryption, where a leaked or guessed key widens the scope of impact. At the same time, interface and form information is ranked by a preset importance, and protection methods of different difficulty and strength are applied according to the importance and protection level, which effectively avoids both insufficient and excessive protection.
Specifically, the above process of encrypting the execution result according to the target encryption method and the target credential information to obtain the ciphertext result may be: generate an encryption function according to the encryption method and the target credential information, and encrypt the execution result with that encryption function to obtain the ciphertext result.
In addition, the server also pre-stores a correspondence between encryption levels and obfuscation rules. Accordingly, after generating the encryption function according to the encryption method and the target credential information, the server also generates the decryption function corresponding to the encryption function; obtains, according to the correspondence, the target obfuscation rule corresponding to the target encryption level; and obfuscates the decryption function with the target obfuscation rule to obtain the target decryption function. It determines an obfuscation value using the target credential information and the target obfuscation rule, and finally sends the ciphertext result, the target decryption function and the obfuscation value to the client. After the client has determined the target obfuscation rule from the obfuscation value and the target credential information, it de-obfuscates the target decryption function with the target obfuscation rule to obtain the decryption function, and parses the ciphertext result with the decryption function to obtain the execution result. By generating obfuscation rules dynamically in this way, the security risk of the decryption function leaking because the same rule is used many times is avoided.
By returning both the request result and the decryption function to the client in encrypted form, the risk of direct exposure and decryption after hijacking is avoided; at the same time, the obfuscation rule must be decrypted on the client using the encrypted target credential information, which ensures that even if the obfuscation rule is hijacked it cannot be cracked.
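The per-request path of steps 201 to 203 (the importance-to-level-to-method lookup, the credential-keyed encryption function, and the obfuscated decryption parameters with their obfuscation value) can be traced end to end in the Python example below. It is added here and is not the patent's own code. All lookup tables, rule names and the "hmac-ctr" method names are constructed for the example; the XOR keystream derived from HMAC-SHA256 is an unauthenticated stand-in for a real AEAD cipher, and the "decryption function" shipped to the client is represented by its parameter set rather than by executable code. The obfuscation value is modelled as an HMAC of the rule name under the target credential, so only a holder of that credential can tell which rule was applied.

```python
import hashlib
import hmac
import json
import secrets

# Constructed lookup tables standing in for the server's pre-stored mappings
# (request type -> importance -> encryption level -> method / obfuscation rule).
REQUEST_IMPORTANCE = {"/api/transfer": "core", "/api/profile": "normal", "/api/news": "public"}
IMPORTANCE_TO_LEVEL = {"core": 3, "normal": 2, "public": 1}
LEVEL_TO_METHOD = {3: "hmac-ctr-256", 2: "hmac-ctr-128", 1: "plain"}
LEVEL_TO_RULE = {3: "reverse", 2: "identity", 1: "identity"}
# Toy obfuscation rules; each is its own inverse, so de-obfuscation reuses it.
RULES = {"identity": lambda s: s, "reverse": lambda s: s[::-1]}


def select_encryption(path):
    """Step 203 lookup: request type -> importance level -> encryption level -> method."""
    level = IMPORTANCE_TO_LEVEL[REQUEST_IMPORTANCE.get(path, "public")]
    return level, LEVEL_TO_METHOD[level]


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; unauthenticated, stands in for a real AEAD."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def build_cipher(method, target_credential, nonce):
    """Derive the per-request cipher from the method and the target credential.
    XOR with a keystream is its own inverse, so one callable encrypts and decrypts."""
    if method == "plain":
        return lambda data: data
    key_len = int(method.rsplit("-", 1)[1]) // 8
    key = hmac.new(target_credential.encode(), method.encode() + nonce, hashlib.sha256).digest()[:key_len]
    return lambda data: bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _obfuscation_value(target_credential, rule):
    # Lets a holder of the target credential recognise the rule without it being sent in clear.
    return hmac.new(target_credential.encode(), rule.encode(), hashlib.sha256).hexdigest()[:16]


def server_respond(path, target_credential, execution_result):
    """Server side of step 203: encrypt the plaintext execution result and attach the
    obfuscated decryption parameters plus the obfuscation value."""
    level, method = select_encryption(path)
    nonce = secrets.token_bytes(12)
    ciphertext = build_cipher(method, target_credential, nonce)(execution_result)
    rule = LEVEL_TO_RULE[level]
    params = json.dumps({"method": method, "nonce": nonce.hex()}, sort_keys=True)
    return {
        "ciphertext": ciphertext.hex(),
        "decrypt_fn": RULES[rule](params),            # the "target decryption function"
        "obf_value": _obfuscation_value(target_credential, rule),
    }


def client_decrypt(response, target_credential):
    """Client side: recover the rule from the obfuscation value, de-obfuscate the
    decryption parameters, rebuild the cipher and recover the execution result."""
    for name in RULES:
        if hmac.compare_digest(_obfuscation_value(target_credential, name), response["obf_value"]):
            rule = name
            break
    else:
        raise ValueError("obfuscation value matches no known rule for this credential")
    params = json.loads(RULES[rule](response["decrypt_fn"]))
    cipher = build_cipher(params["method"], target_credential, bytes.fromhex(params["nonce"]))
    return cipher(bytes.fromhex(response["ciphertext"]))


if __name__ == "__main__":
    cred = "constructed-target-credential"            # would come from step 102
    reply = server_respond("/api/transfer", cred, b'{"balance": 42}')
    print(reply["obf_value"], client_decrypt(reply, cred))
```

A core-business path lands on level 3 and a fresh nonce on every response, so two requests for the same interface never share a keystream; a path absent from the table falls through to the public level and is returned in clear. A client holding the wrong target credential cannot even identify the obfuscation rule, which is the property the text attributes to the obfuscation value. Note what the design does not give: anything executed inside the client's JavaScript is available to that client, so obfuscating the decryption routine raises the cost of lifting it out of the page but is not a confidentiality boundary against the user of the browser.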
如图3所示,本申请实施例提供了一种Web交互的防护系统,系统包括:服务器11和客户端12;As shown in Figure 3, the embodiment of the present application provides a protection system for Web interaction, the system includes: a server 11 and a client 12;
服务器11,用于接收客户端发送的登录请求,登录请求中包括待登录的浏览器的唯一标识信息和客户端的凭证信息,凭证信息用于指示客户端被允许登录服务器的凭证信息;The server 11 is configured to receive a login request sent by the client, wherein the login request includes the unique identification information of the browser to be logged in and the credential information of the client, and the credential information is used to indicate that the client is allowed to log in to the server credential information;
服务器11,还用于对唯一标识信息和凭证信息进行加密处理,得到目标凭证信息,将目标凭证信息发送至客户端;The server 11 is further configured to encrypt the unique identification information and the credential information, obtain the target credential information, and send the target credential information to the client;
客户端12,用于在之后登录服务器时,使用目标凭证信息登录服务器。The client 12 is configured to use the target credential information to log in to the server when logging in to the server later.
In one embodiment, the server 11 is specifically configured to encrypt the unique identification information and the credential information using an asymmetric encryption method or an MD5 encryption method.
In one embodiment, the server 11 is further configured to:
receive request information sent by the client 12, where the request information includes target credential information and is used to request corresponding interface information or form information;
execute the request information to obtain an execution result;
obtain the target encryption method corresponding to the request information, encrypt the execution result according to the target encryption method and the target credential information to obtain a ciphertext result, and send the ciphertext result to the client 12.
In one embodiment, the server pre-stores a mapping relationship between different types of request information, importance levels and encryption levels, and pre-stores an association relationship between encryption levels and encryption methods;
the server 11 is specifically configured to:
determine, according to the mapping relationship, the target encryption level corresponding to the request information;
obtain, according to the association relationship, the target encryption method corresponding to the target encryption level.
In one embodiment, the server 11 is specifically configured to:
generate an encryption function according to the encryption method and the target credential information, and encrypt the execution result with the encryption function to obtain the ciphertext result.
In one embodiment, the server 11 further pre-stores a correspondence between encryption levels and obfuscation rules;
the server 11 is further configured to: generate a decryption function corresponding to the encryption function; obtain, according to the correspondence, the target obfuscation rule corresponding to the target encryption level; and obfuscate the decryption function using the target obfuscation rule to obtain a target decryption function.
In one embodiment, the server 11 is further configured to: determine an obfuscation value using the target credential information and the target obfuscation rule; and send the ciphertext result, the target decryption function and the obfuscation value to the client 12;
the client 12 is further configured to: after determining the target obfuscation rule using the obfuscation value and the target credential information, de-obfuscate the target decryption function using the target obfuscation rule to obtain the decryption function, and parse the ciphertext result with the decryption function to obtain the execution result.
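The server and client roles described in the embodiments above (request type to importance level to encryption level to encryption method, an encryption function bound to the target credential, and a client that recovers the obfuscation rule from the obfuscation value and its own credential) are shown below as an added, self-contained Python example. It is not the patent's code: the table contents, the method and rule labels, and the function names (select_encryption, derive_key, encrypt_result, decrypt_result, determine_obfuscation_rule) are assumptions. The page names MD5 as one option; MD5 is a one-way hash and cannot be reversed by the client, so the example instead uses a keyed hash (HMAC-SHA256) as the credential-bound function, in counter mode with an encrypt-then-MAC tag, so that it runs on the standard library alone. A production server would use an AEAD such as AES-GCM in its place. The method name carried in the envelope stands in for the delivered decryption function; the obfuscation of that function itself is not modelled.

```python
"""Credential-bound, level-selected encryption of an execution result.

Added example, not the patent's code.  All table contents, labels and
function names are assumptions.  The cipher (HMAC-SHA256 counter mode plus
an encrypt-then-MAC tag) is a standard-library stand-in for a real AEAD.
"""
import hashlib
import hmac
import os
import struct

# Server-side tables (constructed): request type -> importance level,
# importance level -> encryption level, encryption level -> method / rule.
REQUEST_IMPORTANCE = {"public_form": "low", "user_profile": "medium", "payment_api": "high"}
IMPORTANCE_TO_LEVEL = {"low": 1, "medium": 2, "high": 3}
LEVEL_TO_METHOD = {1: "hmac-ctr-tag16", 2: "hmac-ctr-tag32", 3: "hmac-ctr-tag32"}
LEVEL_TO_RULE = {1: "rule-A", 2: "rule-B", 3: "rule-C"}
METHOD_TAG_LEN = {"hmac-ctr-tag16": 16, "hmac-ctr-tag32": 32}  # tag bytes per method


def select_encryption(request_type):
    """Server: map the request to its target encryption level and method."""
    level = IMPORTANCE_TO_LEVEL[REQUEST_IMPORTANCE[request_type]]  # KeyError: unknown type
    return level, LEVEL_TO_METHOD[level]


def derive_key(credential, level, purpose):
    """Bind a sub-key to the client's credential and to the chosen level."""
    info = f"web-interaction|{purpose}|level={level}".encode()
    return hmac.new(credential, info, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: one 32-byte block per counter value."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_result(credential, request_type, result, nonce=None):
    """Server: build the encryption function from the target method and the
    credential, apply it to the execution result, and return the envelope the
    client receives.  The tag also covers level, method and nonce, so a
    downgraded method or altered level is detected by the client."""
    level, method = select_encryption(request_type)
    nonce = nonce if nonce is not None else os.urandom(16)
    ct = _xor(result, _keystream(derive_key(credential, level, "enc"), nonce, len(result)))
    aad = bytes([level]) + method.encode() + nonce
    tag = hmac.new(derive_key(credential, level, "mac"), aad + ct, hashlib.sha256).digest()
    rule = LEVEL_TO_RULE[level]
    # Obfuscation value: a keyed commitment to the rule under the credential.
    obf_value = hmac.new(credential, rule.encode(), hashlib.sha256).hexdigest()
    return {"level": level, "method": method, "nonce": nonce, "ct": ct,
            "tag": tag[:METHOD_TAG_LEN[method]], "obf_value": obf_value}


def determine_obfuscation_rule(credential, obf_value):
    """Client: recover the rule from the obfuscation value and its credential
    by checking each known rule's keyed hash; None if nothing matches."""
    for rule in LEVEL_TO_RULE.values():
        candidate = hmac.new(credential, rule.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(candidate, obf_value):
            return rule
    return None


def decrypt_result(credential, envelope):
    """Client: recompute the keys from its own credential and verify the tag
    before decrypting.  A wrong credential, a changed level or method, or a
    modified ciphertext fails the check and yields None."""
    level, method, nonce = envelope["level"], envelope["method"], envelope["nonce"]
    if level not in LEVEL_TO_METHOD or method not in METHOD_TAG_LEN:
        return None
    aad = bytes([level]) + method.encode() + nonce
    expected = hmac.new(derive_key(credential, level, "mac"), aad + envelope["ct"],
                        hashlib.sha256).digest()[:METHOD_TAG_LEN[method]]
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return _xor(envelope["ct"], _keystream(derive_key(credential, level, "enc"),
                                           nonce, len(envelope["ct"])))


if __name__ == "__main__":
    cred = b"constructed-credential-token"  # constructed sample credential
    env = encrypt_result(cred, "payment_api", b'{"balance": 42}')
    print(decrypt_result(cred, env))                           # b'{"balance": 42}'
    print(decrypt_result(b"other-credential", env))            # None
    print(determine_obfuscation_rule(cred, env["obf_value"]))  # rule-C
```

Two design points matter for the scheme on this page. First, the tag covers the level and method names, so a client cannot be made to decrypt under a weaker level than the server selected, and a request whose credential does not match the server's produces no plaintext rather than garbage. Second, the obfuscation value is a keyed commitment: only a holder of the matching credential can tell which rule it names, which is the property the client relies on when it de-obfuscates the delivered decryption function.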
The protection system for Web interaction provided by this embodiment can execute the method embodiments described above; its implementation principle and technical effect are similar and are not repeated here. For the specific limitations of the protection system for Web interaction, refer to the limitations of the protection method for Web interaction above, which are not repeated here.
The execution subject of the protection method for Web interaction provided by the embodiments of the present application may be a server or a server cluster; the embodiments of the present application do not specifically limit this.
FIG. 4 is a schematic diagram of the internal structure of a server provided by an embodiment of the present application. As shown in FIG. 4, the server includes a processor and a memory connected through a system bus. The processor provides computing and control capabilities. The memory may include a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The computer program can be executed by the processor to implement the steps of the protection method for Web interaction provided by the above embodiments. The internal memory provides a cached running environment for the operating system and the computer program in the non-volatile storage medium.
Those skilled in the art will understand that the internal structure diagram of the server shown in FIG. 4 is only a block diagram of the part of the structure related to the solution of the present application and does not constitute a limitation on the electronic device to which the solution is applied; a specific server may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In another embodiment of the present application, a computer-readable storage medium is further provided, on which a computer program is stored; when the computer program is executed by a processor, the steps of the protection method for Web interaction according to the embodiments of the present application are implemented.
In another embodiment of the present application, a computer program product is further provided. The computer program product includes computer instructions which, when run on a server, cause the server to perform each step of the protection method for Web interaction in the method flow shown in the above method embodiments.
In the above embodiments, implementation may be wholly or partly in software, hardware, firmware or any combination thereof. When implemented by a software program, it may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer-executable instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be regarded as within the scope recorded in this specification.
The above embodiments express only several implementations of the present application; their description is relatively specific and detailed, but should not therefore be understood as limiting the scope of the patent. It should be noted that a person of ordinary skill in the art may make several variations and improvements without departing from the concept of the present application, and all of these fall within the protection scope of the present application. Therefore, the protection scope of the present patent application shall be determined by the appended claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310653238.3A CN116668130A (en) | 2023-06-05 | 2023-06-05 | A protection method, system, server and storage medium for web interaction |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116668130A true CN116668130A (en) | 2023-08-29 |
Family
ID=87722069
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310653238.3A Pending CN116668130A (en) | 2023-06-05 | 2023-06-05 | A protection method, system, server and storage medium for web interaction |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116668130A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090006861A1 (en) * | 2007-06-27 | 2009-01-01 | Bemmel Jeroen Ven | Method and Apparatus for Preventing Internet Phishing Attacks |
| CN112019541A (en) * | 2020-08-27 | 2020-12-01 | 平安国际智慧城市科技股份有限公司 | Data transmission method and device, computer equipment and storage medium |
| CN115348084A (en) * | 2022-08-15 | 2022-11-15 | 北京分贝通科技有限公司 | System login method, device, system, equipment and medium |
| WO2023022719A1 (en) * | 2021-08-19 | 2023-02-23 | Visa International Service Association | System, method, and computer program product for securing authorization cookies and access tokens |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||