Summary of the invention
The technical problem solved by the present invention is to provide an anti-replay-attack authentication method that does not require time synchronization, which improves the security of the authentication system.
To solve the above technical problem, the technical scheme adopted by the present invention is as follows:
An anti-replay-attack authentication method comprises the following steps:
The client sends a login request message to the login authentication server;
The login authentication server generates an authentication credential that includes a first timestamp identifying the current time, and gives it to the client;
The client sends a service request to the application server, carrying the authentication credential obtained from the login authentication server and a one-way data chain value generated by the client itself;
The application server sends information including the authentication credential and the one-way data chain value to the login authentication server;
The login authentication server judges the correctness of said authentication credential and calculates the time difference between the current time and the first timestamp; it then packages the judgement result on the correctness of the authentication credential (used to prove whether the user has logged in), said time difference and the received one-way data chain value into check information and sends it to the application server;
The application server receives the check information and judges whether the received one-way data chain value is the latest one-way data chain value; if not, the message is judged to be a replay and the verification message is discarded directly; if so, the application server performs the service response to the client's service request according to the check information.
Further, as a preferred embodiment, said application server performing the service response to the client's service request according to the check information comprises the following steps:
Comparing the time difference in the check information with the set validity period and judging whether the time difference is greater than the set validity period; if so, the check information is discarded; if not, the next step is performed;
Judging whether the judgement result is correct; if the authentication credential is correct, the service response is performed; if not, the check information is discarded.
Further, as a preferred embodiment, said set validity period comes from the application server end.
Further, as a preferred embodiment, said set validity period comes from the login authentication server end.
Further, as a preferred embodiment, said set validity period can be adjusted manually.
The beneficial effects of the invention are as follows: in the anti-replay-attack authentication method of the present invention, the validity period of the service ticket is not verified by checking the time difference at the application server end; instead, verification of the service ticket's validity period is transferred to the login authentication server end. Because the first timestamp on the service ticket is produced by the login authentication server, the validity period is verified by comparing the login authentication server's local time with the first timestamp, which guarantees the accuracy of the verification without requiring the clocks of the application server and the login authentication server to be synchronized. The one-way data chain further guarantees that a legitimate service request of the user cannot be replayed.
Embodiment
With reference to Fig. 1, an anti-replay-attack authentication method comprises the following steps:
The client sends a login request message to the login authentication server;
The login authentication server generates an authentication credential that includes a first timestamp Time_SignOn identifying the current time, and gives it to the client;
The client sends a service request to the application server, carrying the authentication credential obtained from the login authentication server and a one-way data chain value generated by the client itself;
The application server sends information including the authentication credential and the one-way data chain value to the login authentication server;
The login authentication server judges the correctness of said authentication credential and calculates the time difference between the current time Time_Current and the first timestamp Time_SignOn; it then packages the judgement result on the correctness of the authentication credential (used to prove whether the user has logged in), said time difference and the received one-way data chain value into check information and sends it to the application server;
The application server receives the check information and judges whether the received one-way data chain value is the latest one-way data chain value. Specifically, the received one-way data chain value is passed through the hash function, and the result is compared with the one-way data chain value stored on the application server: if they are consistent, the service response to the client's service request is performed according to the check information and the received chain value is stored in place of the originally stored one-way data chain value; if not, the message is judged to be a replay and the verification message is discarded directly. When the application server responds to the client's service request for the first time, the received one-way data chain value is the latest one, so it is stored directly on the application server. In each subsequent service response the application server passes the one-way data chain value in the check information through the hash function and compares the result with the stored one-way data chain value, in order to judge whether the received value is the latest one and thereby prevent replay of client-side service requests.
With reference to Fig. 4, a one-way data chain (One-Way Chain), also called a hash chain, is a cryptographic protection scheme for insecure environments; in the present invention this mechanism is used to prevent replay of the service request information sent by the client. Fig. 4 shows the construction and the application of the one-way data chain. The chain is generated by repeatedly applying a one-way function F (also called a hash function) in one direction; because F is irreversible, a multi-stage sequence of one-way data chain values S_i can be generated in this way such that F(S_i) = S_{i-1} and F^i(S_i) = S_0. In use, the values S_i are consumed in the reverse of the order in which the chain was generated, so even if a third party has stolen a one-way data chain value that has already been used, it cannot learn the updated one-way data chain value and therefore cannot replay the authentication message. In the present invention the application server uses the one-way data chain to guarantee that the service request information sent by the client is genuine and not produced by a replay attack.
Further, as a preferred embodiment and with reference to Fig. 2, said application server performing the service response to the client's service request according to the check information comprises the following steps:
Comparing the time difference in the check information with the set validity period and judging whether the time difference is greater than the set validity period; if so, the check information is discarded; if not, the next step is performed;
Judging whether the judgement result is correct; if the authentication credential is correct, the service response is performed; if not, the check information is discarded.
Further, as a preferred embodiment, said set validity period comes from the application server end; for example, the application server can read the set validity period from its own memory.
Further, as a preferred embodiment, said set validity period comes from the login authentication server end; for example, the set validity period is included in the encapsulated check information and the application server reads it from the check information, which guarantees that the predefined validity period value can be adjusted at the login authentication server end.
Further, as a preferred embodiment, said set validity period can be adjusted manually to suit different application scenarios.
Fig. 3 is a schematic diagram of an application scenario of the anti-replay-attack authentication method of the present invention:
S1: the client sends a login request to the login authentication server;
S2: the login authentication server sends a login response to the client; the login response is the authentication credential generated at the login authentication server end, which includes the first timestamp Time_SignOn identifying the current time and also other information used for authentication, for example a check code identifying whether the user logged in successfully;
S3: the user sends a service request to the application server through the client; this service request includes the authentication credential containing the first timestamp Time_SignOn, the one-way data chain value, etc. The user's client itself maintains the one-way data chain (One-Way Chain) and its latest chain value, for example the latest chain value S_12;
S4: the application server sends the authentication credential, the one-way data chain value S_12 and other relevant information to the login authentication server; the application server itself stores the one-way data chain value S_11 that was checked last time;
S5: the login authentication server judges the correctness of the authentication credential against the stored authentication information and generates a judgement result, which is used to prove whether the user has logged in; it calculates the time difference between its own current time Time_Current and the first timestamp Time_SignOn, and packages the judgement result, the time difference and the one-way data chain value S_12 into check information, which it sends to the application server;
S6: the application server receives the check information and judges whether the received one-way data chain value S_12 is the latest one-way data chain value, i.e. it applies the hash function to S_12 and judges whether the result is consistent with the stored one-way data chain value S_11; if not, it discards the verification message directly; if so, it continues to read the judgement result and the time difference from the check information, and if the service request was authenticated successfully within the set validity period, the application server performs the service response. The one-way data chain value stored at the application server end can then be updated to S_12. In this way, even if an eavesdropper sniffs the one-way data chain value S_12, it cannot derive the latest one-way data chain value S_13, so the replay attack is avoided.
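The hash-chain freshness check of Fig. 4 and step S6, together with the validity-period check that step S5 performs against the login authentication server's own clock, as an added Python model that is not part of the patent; the class names, the use of SHA-256 as the one-way function F, the (user, Time_SignOn) tuple as the credential and the 300 s validity period are assumptions.

```python
import hashlib

def F(value: bytes) -> bytes:  # one-way function F of the patent; SHA-256 is an assumed instantiation
    return hashlib.sha256(value).digest()

def build_chain(seed: bytes, n: int) -> list:
    """Client side: return [S_0, ..., S_n] with F(S_i) = S_{i-1}; the seed becomes S_n."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    chain.reverse()  # now chain[i] == S_i and F(chain[i]) == chain[i-1]
    return chain

class LoginAuthServer:
    """Stamps credentials with its own clock and measures their age against that same clock."""
    def __init__(self):
        self.clock, self.issued = 1000, set()   # constructed local time (s); never shared
    def login(self, user):
        cred = (user, self.clock)   # credential = (user, Time_SignOn)
        self.issued.add(cred)
        return cred
    def check(self, cred, chain_value):
        # check information: judgement result, Time_Current - Time_SignOn, echoed chain value
        return {"ok": cred in self.issued, "time_diff": self.clock - cred[1], "chain": chain_value}

class AppServer:
    def __init__(self, auth, validity=300):
        self.auth, self.validity = auth, validity   # validity period set at the app server end
        self.stored = None   # last verified chain value (S_11 in the patent's scenario)
    def serve(self, cred, chain_value):
        info = self.auth.check(cred, chain_value)
        # S6: a received S_12 is fresh only if F(S_12) equals the stored S_11 (first value is stored as-is)
        if self.stored is not None and F(info["chain"]) != self.stored:
            return "rejected: replay"
        if info["time_diff"] > self.validity:
            return "rejected: expired"
        if not info["ok"]:
            return "rejected: bad credential"
        self.stored = info["chain"]   # S_12 replaces S_11 for the next request
        return "ok"

def demo():
    auth = LoginAuthServer()
    app = AppServer(auth)
    chain = build_chain(b"constructed-client-seed", 20)   # client holds S_0..S_20
    cred = auth.login("alice")
    out = [app.serve(cred, chain[i]) for i in (11, 12, 12, 13)]   # second 12 is an eavesdropper's replay
    auth.clock += 600                        # credential ages past the 300 s validity period
    return out + [app.serve(cred, chain[14])]
```

Only the login authentication server's clock advances in the demo; the application server never compares timestamps against its own time, which is the synchronization-free property the patent claims.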
In the anti-replay-attack authentication method of the present invention, the first timestamp on the authentication credential is compared with the local time of the login authentication server that generated that first timestamp; this saves the trouble of time synchronization, avoiding both the complexity of the system or protocol and the delay caused by time synchronization, and the use of the one-way data chain guarantees that a legitimate service request of the user cannot be replayed.
The above is a detailed description of a preferred embodiment of the present invention, but the invention is not limited to said embodiment. Those of ordinary skill in the art can also make various equivalent variations or substitutions without departing from the spirit of the present invention; such equivalent variations or substitutions are all included within the scope defined by the claims of this application.