CN111181940A

Movatterモバイル変換

Info

Publication number: CN111181940A
Application number: CN201911330500.0A
Authority: CN
Inventors: 谢江华; 王鸿
Original assignee: Guojiu Big Data Co ltd
Current assignee: Guojiu Big Data Co ltd
Priority date: 2019-12-20
Filing date: 2019-12-20
Publication date: 2020-05-19

Abstract

The embodiment of the invention relates to a data verification method and a data verification system. In the method, the client can perform verification calculation on the service data according to the first user identification information to obtain a first verification result, and send the first verification result, the service data and the first user ID in the first user identification information to the server. And the server performs check calculation on the service data based on the pre-stored second user identification information to obtain a second check result on the premise of determining that the first user ID is consistent with the pre-stored second user ID, and then determines whether the service data passes the data safety check according to the consistency of the first check result and the second check result. Therefore, even if the third party intercepts the first verification result, the service data and the second user ID sent by the client, the second verification result cannot be determined according to the service data and the second user ID, and the service data and the first verification result cannot be falsified based on the second verification result, so that the reliability of the data security verification result can be ensured.

Description

Data verification method and data verification system

Technical Field

The invention relates to the technical field of data verification, in particular to a data verification method and a data verification system.

Background

With the development of big data, data transmission has become an essential part of people's production and life. The user datagram protocol is a connectionless transport layer protocol and has the advantages of small data transmission delay and high data transmission efficiency. However, when the user datagram protocol is used for data transmission, problems of data missing transmission and data interception and tampering occur, which may cause the conditions of incompleteness, inaccuracy, security risk and the like of data received by a receiving end. Therefore, integrity and security checks of the received data are required.

In the prior art, hash value calculation is mainly performed on service data, and consistency comparison is performed on the calculated hash value to verify the integrity and security of the received data. But the reliability of the data security verification result obtained by the method is poor.

Disclosure of Invention

In order to overcome at least the above-mentioned deficiencies in the prior art, an object of the present invention is to provide a data verification method and a data verification system.

In a first aspect of the embodiments of the present invention, a data verification method is provided, where the data verification method is applied to a server and a client that are in communication connection with each other, and the method includes:

the client performs verification calculation on the service data sent to the server by the client according to the first user identification information distributed to the client by the server to obtain a first verification result; sending the first verification result, the service data and the first user ID in the first user identification information to the server; wherein the first user identification information is user identification information based on SSL secure connection;

the server judges whether the first user ID is consistent with a pre-stored second user ID; if the service data are consistent with the first user identification information, carrying out check calculation on the received service data according to the prestored first user identification information to obtain a first check result;

the server judges whether the first check result and the second check result are consistent; if the received service data are consistent with the service data, judging that the received service data pass the verification, and sending response data to the client according to the received service data; and if the data is inconsistent with the data, judging that the received service data has data security risk, and discarding the received service data.

In an alternative embodiment, the sending, by the server, response data to the client according to the received service data includes:

the server carries out verification calculation on the response data according to the second user identification information to obtain a third verification result;

and the server sends the third verification result, the response data and the second user ID to the client.

In an alternative embodiment, the method further comprises:

the client judges whether the first user ID is consistent with the received second user ID; if the first user identification information is consistent with the second user identification information, carrying out verification calculation on the received response data by adopting the first user identification information to obtain a fourth verification result;

the client judges whether the third verification result and the fourth verification result are consistent, and if so, the received response data is judged to pass the verification; if the received response data are inconsistent, the data security risk of the received response data is judged, and the received response data are discarded.

In an alternative implementation, the first user identification information includes a first agreed key and a first dynamic random number, and the client performs a verification calculation on the service data sent by the client to the server according to the first user identification information allocated by the server to the client, so as to obtain a first verification result, where the method includes:

the client determines the first agreed key and the first dynamic random number in the first user identification information;

and the client checks and calculates the service data according to the first agreed secret key and the first dynamic random number to obtain the first checking result.

In an alternative implementation, the second user identification information includes a second agreed key and a second dynamic random number, and the server performs a check calculation on the received service data according to the second user identification information to obtain a second check result, including:

the server determines a second agreed secret key and a second dynamic random number in the second user identification information;

the server combines the second agreed secret key, the second dynamic random number and the service data to obtain temporary data;

and the server adopts a CRC (Cyclic redundancy check) algorithm to carry out check calculation on the temporary data to obtain the second check result.

In a second aspect of the embodiments of the present invention, a data verification system is provided, including a server and a client that are communicatively connected to each other;

the client is used for carrying out verification calculation on the service data sent to the server by the client according to the first user identification information distributed to the client by the server to obtain a first verification result; sending the first verification result, the service data and the first user ID in the first user identification information to the server; wherein the first user identification information is user identification information based on SSL secure connection;

the server is used for judging whether the first user ID is consistent with a pre-stored second user ID; if the service data are consistent with the first user identification information, carrying out check calculation on the received service data according to the prestored first user identification information to obtain a first check result;

the server is used for judging whether the first check result is consistent with the second check result; if the received service data are consistent with the service data, judging that the received service data pass the verification, and sending response data to the client according to the received service data; and if the data is inconsistent with the data, judging that the received service data has data security risk, and discarding the received service data.

In an alternative embodiment, the server is configured to:

In an alternative embodiment, the client is further configured to:

judging whether the first user ID is consistent with the received second user ID; if the first user identification information is consistent with the second user identification information, carrying out verification calculation on the received response data by adopting the first user identification information to obtain a fourth verification result;

judging whether the third verification result is consistent with the fourth verification result, and if so, judging that the received response data passes the verification; if the received response data are inconsistent, the data security risk of the received response data is judged, and the received response data are discarded.

In an alternative embodiment, the first user identification information includes a first provisioning key and a first dynamic random number, and the client is configured to:

determining the first agreed key and the first dynamic random number in the first user identification information;

and performing check calculation on the service data according to the first agreed secret key and the first dynamic random number to obtain the first check result.

In an alternative embodiment, the second user identification information includes a second provisioning key and a second dynamic random number, and the server is configured to:

determining a second agreed secret key and a second dynamic random number in the second user identification information;

combining the second agreed secret key, the second dynamic random number and the service data to obtain temporary data;

and performing check calculation on the temporary data by adopting a CRC (Cyclic redundancy check) algorithm to obtain the second check result.

According to the data verification method and the data verification system provided by the embodiment of the invention, the first user identification information distributed by the server to the client is stored locally at the client, the client can perform verification calculation on the service data according to the first user identification information to obtain a first verification result, and then the first verification result, the service data and the first user ID in the first user identification information are sent to the server.

And the server performs verification calculation on the service data based on the second user identification information locally stored in the server to obtain a second verification result on the premise of determining that the first user ID is consistent with the second user ID locally stored in the server, and then determines whether the service data passes data security verification according to the consistency of the first verification result and the second verification result.

Since the second check result is obtained by the server performing check calculation on the service data according to the second user identification information stored locally, even if the first check result, the service data, and the second user ID sent by the client are intercepted by the third party, the third party cannot determine the second check result according to the service data and the second user ID and tamper the service data and the first check result based on the second check result. Thus, the reliability of the data security check result can be ensured.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.

Fig. 1 is a system architecture diagram of a data verification system according to an embodiment of the present invention.

Fig. 2 is a flowchart of a data verification method according to an embodiment of the present invention.

Fig. 3 is a schematic diagram of user identification information allocation according to an embodiment of the present invention.

Fig. 4 is a schematic diagram of data verification according to an embodiment of the present invention.

Fig. 5 is a block diagram of a server according to an embodiment of the present invention.

Fig. 6 is a schematic diagram of a server according to an embodiment of the present invention.

Icon:

100-a data verification system;

101-a server; 1011-a receiving module; 1012-check calculation module; 1013-a judgment module; 1014-a processor; 1015-memory; 1016-a bus;

102-client.

Detailed Description

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.

In order to better understand the technical solutions of the present invention, the following detailed descriptions of the technical solutions of the present invention are provided with the accompanying drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the examples of the present invention are the detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and the examples of the present invention may be combined with each other without conflict.

In the data verification method provided by the embodiment of the invention, the first user identification information allocated by the server to the client is stored locally at the client, the client can perform verification calculation on the service data according to the first user identification information to obtain a first verification result, and then the first verification result, the service data and the first user ID in the first user identification information are sent to the server.

Further, the server performs check calculation on the service data based on the second user identification information locally stored in the server to obtain a second check result on the premise that the first user ID is determined to be consistent with the second user ID locally stored in the server, and then determines whether the service data passes the data security check according to the consistency of the first check result and the second check result.

It can be understood that, since the second check result is obtained by the server performing the check calculation on the service data according to the second user identification information stored locally, even if the first check result, the service data, and the second user ID sent by the client are intercepted by the third party, the third party cannot determine the second check result according to the service data and the second user ID and tamper the service data and the first check result based on the second check result. Thus, the reliability of the data security check result can be ensured.

In detail, please refer to fig. 1 in conjunction with the figure, which is a system architecture diagram of adata verification system 100 according to an embodiment of the present invention. As seen in fig. 1, thedata verification system 100 includes aserver 101 and aclient 102 communicatively coupled to each other.

In this embodiment, theserver 101 and theclient 102 may be applied to the fields of new energy charging piles, video communications, and the like. In these fields, the amount of data to be transmitted can reach more than MB, the number of communications can reach more than thousand times per second, and generally, a user datagram protocol is used for data transmission. Therefore, in order to prevent a third party from performing a network attack on theserver 101 and theclient 102 by using false legitimate data or tampering with legitimate data, data security verification needs to be performed on data transmitted between theserver 101 and theclient 102.

The common method for performing data security check by performing hash value calculation on data has poor reliability. In detail, the description of the hash value calculation is performed with the interaction between theserver 101 and theclient 102 shown in fig. 1.

Theclient 102 calculates the hash value of the service data before sending the service data, and then sends the service data and the calculated hash value to theserver 101, when theserver 101 receives the service data and the hash value at theclient 102 side, the server will calculate the hash value of the received service data again, and then compare the calculated hash value with the received hash value, and if the hash value is not consistent, discard the received service data.

However, when the hash value is used to verify the integrity of the data, if the service data and the hash value are intercepted at the same time, the service data and the hash value are also easily tampered, in this case, the service data and the hash value received by theserver 101 may also be tampered, and it is difficult to ensure the reliability of the data security verification result.

For this reason, the present embodiment is an improvement on thedata verification system 100 shown in fig. 1, and provides a data verification method capable of ensuring the reliability of a data security verification result, where the data verification method is applied to thedata verification system 100 shown in fig. 1, and the data verification method may include the following steps:

step S21, the client carries out check calculation to the service data sent to the server by the client according to the first user identification information distributed by the server to the client, and a first check result is obtained; and sending the first verification result, the service data and the first user ID in the first user identification information to the server.

Step S22, the server judges whether the first user ID is consistent with a pre-stored second user ID; and if the service data are consistent with the first user identification information, carrying out check calculation on the received service data according to the prestored first user identification information to obtain a first check result.

Step S23, the server determines whether the first check result and the second check result are consistent; if the received service data are consistent with the service data, judging that the received service data pass the verification, and sending response data to the client according to the received service data; and if the data is inconsistent with the data, judging that the received service data has data security risk, and discarding the received service data.

In step S21, the first user identification information is a type of user identification information provided by theserver 101 based on the SSL secure connection, and the user identification information includes a user ID, a provisioning key, and a dynamic random number. In detail, the user ID in one user identification information is unique.

Referring to fig. 3, before step S21, theserver 101 needs to determine whether theclient 102 is legal, and then assigns the first user identification information to thelegal client 102. In detail, theserver 101 provides an API interface based on the user identification information of the SSL secure connection. Before the service data interaction with theserver 101, theclient 102 initiates an access application through an API interface provided by theserver 101.

Accordingly, after receiving the access application sent by theclient 102, theserver 101 will determine whether the access application is legal. For example, theserver 101 may check the identity authentication information carried in the access application, determine that the access application sent by theclient 102 is a legal application if the identity authentication information is successfully checked, and allocate the first user identification information to theclient 102.

In an implementation, after theserver 101 allocates the first user identification information to theclient 102, the first user identification information is stored locally in theserver 101 for subsequent verification calculation. For the convenience of the subsequent description and distinction, the user identification information stored on theserver machine 101 side is defined as the second identification information.

In detail, the first user identification information includes a first user ID, a first provisioning key, and a first dynamic random number. Correspondingly, the second user identification information includes a second user ID, a second agreed key and a second dynamic random number.

It is understood that, through steps S21-S23, the first user identification information allocated by theserver 101 to theclient 102 is stored locally at theclient 102, and theclient 102 can perform a check calculation on the service data according to the first user identification information to obtain a first check result, and then send the first check result, the service data, and the first user ID in the first user identification information to theserver 101.

Further, on the premise that the first user ID is determined to be consistent with the second user ID locally stored in theserver 101, theserver 101 performs a check calculation on the service data based on the second user identification information locally stored in theserver 101 to obtain a second check result, and then determines whether the service data passes the data security check according to the consistency of the first check result and the second check result.

It can be understood that, since the second verification result is obtained by theserver 101 performing verification calculation on the service data according to the second user identification information stored locally, even if the first verification result, the service data, and the second user ID sent by theclient 102 are intercepted by a third party, the third party cannot determine the second verification result according to the service data and the second user ID and tamper the service data and the first verification result based on the second verification result. Thus, the reliability of the data security check result can be ensured.

Further, in step S23, theserver 101 also performs a check calculation on the response data before sending the response data to theclient 102. In detail, theserver 101 performs verification calculation on the response data according to the second user identification information to obtain a third verification result, and then sends the third verification result, the response data, and the second user ID to theclient 102.

Further, after receiving the third verification result, the response data and the second user ID sent by theserver 101, theclient 102 also performs corresponding verification calculation. In detail, theclient 102 determines whether the first user ID is consistent with the received second user ID. If the first user identification information is consistent with the second user identification information, carrying out verification calculation on the received response data to obtain a fourth verification result, then judging whether the third verification result is consistent with the fourth verification result, and if so, judging that the received response data passes the verification; if the received response data are inconsistent, the data security risk of the received response data is judged, and the received response data are discarded.

It is understood that whether theserver 101 receives the service data sent by theclient 102 or theclient 102 receives the response data sent by theserver 101, theserver 101 and theclient 102 perform check calculation respectively, and then send the check result, the service data and the corresponding user ID. Since the verification result is calculated on the local side of theserver 101 or theclient 102, even if the verification result, the service data and the corresponding user ID are intercepted by a third party, the verification result, the service data and the corresponding user ID cannot be completely tampered, so that the reliability of the data security verification result is ensured.

Referring to fig. 4, in an alternative implementation manner, in step S21, the client performs a verification calculation on the service data sent by the client to the server according to the first user identification information allocated by the server to the client, so as to obtain a first verification result, which may specifically include the following:

in step S211, the client determines the first agreed key and the first dynamic random number in the first user identification information.

In step S212, the client performs check calculation on the service data according to the first agreed key and the first dynamic random number, so as to obtain the first check result.

In detail, theclient 102 may combine the first agreed-upon key, the first dynamic random number, and the service data into a temporary data, and then perform a check calculation on the temporary data by using a CRC algorithm to obtain a first check result.

Correspondingly, when it is determined that the first user ID and the second user ID are consistent, theserver 101 may determine, according to the second user ID, a second agreed key and a second dynamic random number in the second user identification information, then combine the second agreed key, the second dynamic random number, and the service data to obtain temporary data, and further perform a check calculation on the temporary data by using a CRC algorithm to obtain the second check result.

It is understood that the determination manner of the third check result and the fourth check result is also based on the CRC check algorithm, and therefore will not be further described here.

On the basis, an embodiment of the present invention further provides a data verification method, which is applied to theserver 101 in fig. 1, and the method may include the following steps:

step S31, receiving the first verification result, the service data, and the first user ID sent by the client.

Step S32, judging whether the first user ID is consistent with a pre-stored second user ID; and if the service data are consistent with the first user identification information, carrying out check calculation on the received service data according to the prestored first user identification information to obtain a first check result.

Step S33, determining whether the first check result and the second check result are consistent; if the received service data are consistent with the service data, judging that the received service data pass the verification, and sending response data to the client according to the received service data; and if the data is inconsistent with the data, judging that the received service data has data security risk, and discarding the received service data.

Since the implementation principle of steps S31-S33 is similar to that of steps S21-S23 shown in fig. 2, no further description is made here.

On the basis, as shown in fig. 5, a block diagram of aserver 101 according to an embodiment of the present invention is provided, where theserver 101 includes:

thereceiving module 1011 is configured to receive the first verification result, the service data, and the first user ID sent by the client.

Thecheck calculation module 1012 determines whether the first user ID is consistent with a pre-stored second user ID; and if the service data are consistent with the first user identification information, carrying out check calculation on the received service data according to the prestored first user identification information to obtain a first check result.

A determiningmodule 1013 configured to determine whether the first check result and the second check result are consistent; if the received service data are consistent with the service data, judging that the received service data pass the verification, and sending response data to the client according to the received service data; and if the data is inconsistent with the data, judging that the received service data has data security risk, and discarding the received service data.

Alternatively, theserver 101 includes a processor and a memory, thereceiving module 1011, the checkingcalculation module 1012, the judgingmodule 1013, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.

The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. The kernel can be set to one or more than one, and the reliability of the data security check result is ensured by adjusting the kernel parameters.

An embodiment of the present invention provides a readable storage medium, on which a program is stored, which, when executed by a processor, implements the data verification method.

The embodiment of the invention provides a processor, which is used for running a program, wherein the data verification method is executed when the program runs.

In the embodiment of the present invention, as shown in fig. 6, theserver 101 includes at least oneprocessor 1014, and at least onememory 1015, a bus connected with theprocessor 1014; wherein, theprocessor 1014 and thememory 1015 complete the communication with each other through thebus 1016;processor 1014 is configured to invoke program instructions inmemory 1015 to perform the data verification methods described above.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, systems and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing MySQL server to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing MySQL server, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In a typical configuration, a MySQL server comprises one or more processors (CPUs), memory and a bus. The MySQL server may also include input/output interfaces, network interfaces, and the like.

The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip. The memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage MySQL server, or any other non-transmission medium that can be used to store information that can be accessed by a computing MySQL server. As defined herein, computer readable media does not include transitory computer readable media such as modulated data signals and carrier waves.

It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or MySQL server that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or MySQL server. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in the process, method, article of manufacture, or MySQL server that comprises the element.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

In summary, according to the above-mentioned solution provided by the embodiment of the present invention, the first user identification information allocated by the server to the client is stored locally at the client, and the client can perform a check calculation on the service data according to the first user identification information to obtain a first check result, and then send the first check result, the service data, and the first user ID in the first user identification information to the server.

The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims

1. A data verification method, applied to a server and a client communicatively connected to each other, the method comprising:

2. The data verification method of claim 1, wherein the server sends response data to the client according to the received service data, and the response data comprises:

3. The data verification method of claim 2, further comprising:

4. The data verification method according to any one of claims 1 to 3, wherein the first user identification information includes a first agreed key and a first dynamic random number, and the client performs verification calculation on the service data sent by the client to the server according to the first user identification information allocated to the client by the server to obtain a first verification result, including:

5. The data verification method according to any one of claims 1 to 3, wherein the second user identification information includes a second agreed key and a second dynamic random number, and the server performs verification calculation on the received service data according to the second user identification information to obtain a second verification result, including:

6. A data checking system is characterized by comprising a server and a client which are in communication connection with each other;

7. The data verification system of claim 6, wherein the server is configured to:

8. The data verification system of claim 7, wherein the client is further configured to:

9. The data verification system according to any one of claims 6 to 8, wherein the first user identification information includes a first provisioning key and a first dynamic random number, and the client is configured to:

10. The data verification system according to any one of claims 6 to 8, wherein the second user identification information includes a second provisioning key and a second dynamic random number, and the server is configured to: