WO2018149004A1 - Authentication method and system - Google Patents
- Publication number: WO2018149004A1 (PCT application PCT/CN2017/076603)
- Authority: WO (WIPO / PCT)
- Prior art keywords: string, client terminal, http request, authentication, public key
Classifications
- H04L63/10: network security protocols for controlling access to devices or network resources
- H04L63/062: key management in a packet data network, key distribution (e.g. centrally by a trusted party)
- H04L63/083: authentication of entities using passwords
- H04L63/108: access control where the policy decisions are valid for a limited amount of time
- H04L67/02: protocols based on web technology, e.g. HTTP
- H04L9/002: countermeasures against attacks on cryptographic mechanisms
- H04L9/0643: hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Definitions
- the present invention relates to the field of communication technologies, and in particular, to an authentication method and system.
- Internet software products fall into two broad categories by audience. The first is mass-market products for end consumers, such as the Sina Weibo and Zhihu web sites: their users are people, and most of the media they serve is unstructured text (novels, blog posts), images, audio and video.
- The second category is aimed at computers: the service is delivered mainly as an API (Application Programming Interface) that programmers build on. Its consumers are programs, and the content served is mostly structured text such as XML or JSON.
- Authentication means verifying that a user has the right to access the system. Traditional authentication relies on a password; the premise is that every user who holds the password has already been authorised. The password is assigned when the user is created, either by the administrator or at the user's own request. The weakness is obvious: once the password is stolen or lost, an administrator has to reset it, and must first manually verify the user's identity. The prevailing approach today is therefore to verify a digital signature issued under an authentication and authorisation scheme.
- For API products, the common practice is for the client to generate, with an agreed authentication algorithm, an authentication string bound to its request and to send it to the target server together with the request; the server, typically using PHP (Hypertext Preprocessor, a general-purpose open-source scripting language), recomputes and checks it.
- The present invention provides an authentication method and system that overcome, or at least partially solve, the above problems.
- An authentication method comprising:
- Step 1: add an API interface public key, the current client time, and an authentication string for the HTTP request to the header of the client's HTTP request;
- Step 2: receive the client's HTTP request, confirm that the API interface public key in the header is valid, and confirm that the difference between the client time and the current server time is less than a preset threshold;
- Step 3: confirm that the authentication string is correct.
- An authentication system comprising an encryption module, a first confirmation module and a second confirmation module:
- the encryption module is connected to the first confirmation module; it generates the authentication string and adds the API interface public key, the current client time and the authentication string to the header of the client's HTTP request;
- the first confirmation module is connected to the encryption module and to the second confirmation module; it receives the client's HTTP request, confirms that the API interface public key is valid, and confirms that the difference between the client time and the current server time is less than a preset threshold;
- the second confirmation module is connected to the first confirmation module and confirms that the authentication string is correct.
- The present application proposes an authentication method and system that add the authentication information to the header of the client's HTTP request and then perform the authentication operation on the server (in a Lua module inside Nginx).
- The invention has the following beneficial effects: 1. adding the authentication information to the HTTP request header does not alter the request URL, so URLs stay consistent; 2. the special algorithm for generating the authentication string effectively prevents forgery of requests by a third party.
- FIG. 1 is a schematic overall flow chart of an authentication method according to an embodiment of the present invention.
- FIG. 2 is a schematic flow chart of an authentication method according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of an overall framework of an authentication system according to an embodiment of the present invention.
- FIG. 4 is a structural block diagram of an apparatus of an authentication system according to an embodiment of the present invention.
- HTTP request: a message from client to server.
- Header: the header information carried in an HTTP request.
- API: Application Programming Interface.
- Public key and private key: a key pair produced by a key-generation algorithm. The public key is the published part of the pair; the private key is not. Public keys are typically used to encrypt session keys, verify digital signatures, or encrypt data that only the corresponding private key can decrypt. A key pair produced by such an algorithm is unique with overwhelming probability. Data encrypted with one key of the pair can only be decrypted with the other: what is encrypted with the public key must be decrypted with the private key, and what is encrypted with the private key must be decrypted with the public key; otherwise decryption fails. Note that in the scheme described below the "public key" (aid) travels in the clear purely as a client identifier, and the "key" is a secret that both client and server use when computing the MD5 authentication string; no asymmetric operation is actually performed.
- Public key (aid): the public key used for API interface encryption.
- Key (for the aid): the secret key used by the API interface for encryption, not exposed externally, issued by the server.
- MD5: Message-Digest Algorithm 5.
- GET request: a request type sent by an HTTP client, asking the web server for a resource.
- POST request: a request type sent by an HTTP client, sending data to the web server for processing.
- Authentication string: the string, generated by a fixed rule, that is used for authentication.
- Nginx: a lightweight web server, reverse proxy and mail (IMAP/POP3) proxy.
- Proxy_cache: the caching module built into Nginx.
- Url: a Uniform Resource Identifier (URI), a string that identifies a resource on the Internet.
- Lua: a small scripting language; a complete interpreter is only about 200 KB, and its execution speed is among the fastest of current scripting engines.
- FIG. 1 shows the overall flow of the authentication method in one embodiment. The method has three steps. Step 1: the client adds the API interface public key, the current client time and the authentication string to the header of its HTTP request. Step 2: the server receives the request, confirms that the API interface public key is valid, and confirms that the difference between the client time and the current server time is below the preset threshold. Step 3: the server confirms that the authentication string is correct.
- Carrying the authentication data in request headers rather than in the URL leaves the URL of each request unchanged. This matters for caching: a reverse-proxy cache keys its entries on the request URL, so if the per-request timestamp and authentication string were appended as query parameters, every request would carry a different URL and none would ever hit the cache.
- The authentication string of step 1 is generated as follows. S11: delete the first character "/" of the URI in the HTTP request. S12: take the URI with its leading "/" removed, the API interface public key, the client time and the GET parameter string of the request, sort these strings under a preset sorting rule, and concatenate them in the sorted order. S13: insert the API interface secret key at a specified position in the concatenated string to obtain the authentication string, then hash the result with MD5.
- Because the authentication string is produced by a rule of the server's choosing and depends on a secret that only the client and the server hold, a third party that scrapes or otherwise attacks the API cannot mint valid requests, which improves the security of the accessed server.
- MD5 is a one-way hash, not an encryption algorithm: the authentication string cannot be inverted to recover its input, so an observer who captures the hashed string does not learn the secret key, which preserves the validity of the authentication string. (MD5 is no longer collision-resistant; the security of this scheme rests on the secret key staying secret, not on the strength of MD5 itself.)
- Before step 2, the method further confirms that the header of the client's HTTP request carries all three fields: the API interface public key, the client time and the authentication string.
- Step 3 further includes binding customer identity information to the API interface public key and confirming, from the access authority associated with that public key, that the client is permitted to make this HTTP request.
- In other words, the identity of the client can be attached to the API key pair, and before the authentication-string check of step 3 is run, the server looks up the identity behind the public key carried in the request and checks whether the access authority of that identity covers the request.
- When the HTTP request carries POST data, generation of the authentication string in step 1 is extended as follows. S11': confirm that the request includes POST information. S12': take the POST parameter string together with the URI with its leading "/" removed, the API interface public key, the client time and the GET parameter string, and sort them under the preset sorting rule. S13': insert the API interface secret key at the specified position in the sorted string to obtain the authentication string, then hash it with MD5.
- The preset threshold of step 2 is at most 5 minutes.
- The reason is that the authentication string ties each request to its client timestamp, so a request captured from the wire can only be replayed while that timestamp is still within the window; with a threshold of 5 minutes, a captured request is usable for at most 5 minutes. To keep legitimately authenticated requests valid while bounding that exposure, the threshold should be set to no more than 5 minutes. (The window check alone does not stop a replay inside the window; preventing that needs a nonce or a server-side record of requests already seen.)
- The preset sorting rule of step 1 is: sort by the first letter of each string, in ascending or descending order.
- That rule is only one option; in this embodiment the strings are ordered by their initial letter, ascending or descending, within the 26-letter alphabet.
- The invention is not limited to these two rules: any fixed, agreed ordering serves the purpose, provided the client and the server apply exactly the same one. Note that sorting on the first letter alone does not give a total order (the public key and a URI such as api/... can both begin with "a"), so in practice the rule must also fix how ties are broken, for example by sorting on the whole string.
- FIG. 2 shows the overall flow of the authentication method in another embodiment. In outline, it comprises the following steps:
- The client attaches the public key aid, the current request timestamp time and the authentication string auth to the HTTP request header.
- The auth string is generated as follows: (1) take the requested interface address uri (e.g. /api/thirdPart/live) from its second character onward (api/thirdPart/live); (2) sort the string obtained in (1), the GET parameter string, the public key aid and time in ascending order of the first letter of each string, and concatenate them in that order.
- The public key aid carries customer identity information.
- The Lua module in the Nginx server checks that the header contains the three fields aid, time and auth; checks that the public key aid is valid; checks that the client time differs from the server time by no more than 5 minutes; checks the access permission range of the public key aid; and checks that the authentication string is correct.
- The proxy_cache module then serves the request directly from cache on a hit and proxies the business logic to PHP on a miss.
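The client-side generation of the authentication string (S11 to S13 and the POST variant S11' to S13') together with the server-side checks of steps 2 and 3, as an added example written for this page; it is not the patent's code and not an Nginx/Lua module. The patent fixes neither how the GET and POST parameter strings are serialised, nor the "specified position" at which the secret key is inserted, nor how a public key maps to its access authority, so the `param_string` canonicalisation, the `SECRET_POSITION` constant and the `KEYSTORE` table with its made-up key `aid-acme-0001` are all assumptions. The sort is on the whole string rather than the first letter only, because a first-letter sort leaves ties (aid and api/... both begin with "a") and both sides need the same total order.

```python
"""Added example, not the patent's own code: client-side signing per S11-S13
(and S11'-S13' for POST bodies) and server-side checks per steps 2 and 3.
Parameter serialisation, the secret's insertion position and the key store
are assumptions; the patent does not specify them."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlencode

# Constructed key store (assumption): public key (aid) -> secret key plus the
# URI prefixes that aid is authorised for. Values are invented for this example.
KEYSTORE = {
    "aid-acme-0001": {"secret": "s3cr3t-not-shared", "allowed": ("api/thirdPart/",)},
}

MAX_SKEW_SECONDS = 5 * 60   # the patent's preset threshold: at most 5 minutes
SECRET_POSITION = 0         # assumption: secret is prepended; any fixed index works


def param_string(params: dict) -> str:
    """Assumption: parameters are canonicalised as k=v&k=v, sorted by key."""
    return urlencode(sorted(params.items()))


def auth_string(uri: str, aid: str, time_s: str, get_params: dict,
                secret: str, post_params: Optional[dict] = None) -> str:
    # S11: drop the leading "/" of the request URI.
    stripped = uri[1:] if uri.startswith("/") else uri
    parts = [stripped, aid, time_s, param_string(get_params)]
    # S11'/S12': when a POST body is present it joins the sorted material.
    if post_params:
        parts.append(param_string(post_params))
    # S12: sort under a fixed rule and concatenate. Whole-string sort gives
    # a total order; first-letter-only sorting would leave ties.
    joined = "".join(sorted(parts))
    # S13: insert the secret at the fixed position, then hash with MD5.
    keyed = joined[:SECRET_POSITION] + secret + joined[SECRET_POSITION:]
    return hashlib.md5(keyed.encode("utf-8")).hexdigest()


def sign_request(aid: str, uri: str, get_params: dict, now: int,
                 post_params: Optional[dict] = None) -> dict:
    """Client side (step 1): the three header fields to attach."""
    secret = KEYSTORE[aid]["secret"]
    time_s = str(now)
    return {"aid": aid, "time": time_s,
            "auth": auth_string(uri, aid, time_s, get_params, secret, post_params)}


def verify_request(headers: dict, uri: str, get_params: dict, now: int,
                   post_params: Optional[dict] = None) -> str:
    """Server side (steps 2 and 3). Returns "ok" or the reason for rejection."""
    # Pre-check before step 2: all three fields must be present.
    if not all(k in headers for k in ("aid", "time", "auth")):
        return "missing-header"
    aid, time_s, auth = headers["aid"], headers["time"], headers["auth"]
    # Step 2a: the public key must be one the server issued.
    entry = KEYSTORE.get(aid)
    if entry is None:
        return "unknown-aid"
    # Step 2b: client time must be within the preset threshold of server time.
    try:
        skew = abs(now - int(time_s))
    except ValueError:
        return "bad-time"
    if skew > MAX_SKEW_SECONDS:
        return "stale"
    # Step 3a: the aid's access authority must cover the requested URI.
    stripped = uri[1:] if uri.startswith("/") else uri
    if not stripped.startswith(entry["allowed"]):
        return "forbidden"
    # Step 3b: recompute the string and compare in constant time.
    expected = auth_string(uri, aid, time_s, get_params, entry["secret"], post_params)
    if not hmac.compare_digest(expected, auth):
        return "bad-auth"
    return "ok"
```

Two things are worth noticing when running this. A request captured on the wire verifies again for as long as its timestamp stays within `MAX_SKEW_SECONDS`, because nothing in the string is single-use; a per-request nonce remembered on the server would close that. And `md5(secret + data)` is a home-grown MAC over a hash that is no longer collision-resistant; `hmac.new(secret, data, hashlib.sha256)` is the standard construction and would drop into `auth_string` with no other change to the protocol.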
- The authentication method is executed by a Lua scripting module inside the Nginx web server.
- Nginx is a lightweight web server, reverse proxy and mail (IMAP/POP3) proxy with a small memory footprint and strong concurrency; among web servers of its class it performs well under concurrent load.
- Lua is a small scripting language: a complete interpreter is only about 200 KB, and its script execution is among the fastest of current scripting engines.
- The Lua authentication script is embedded in Nginx as a module to carry out the checks of steps 2 and 3, which is directly faster than the prior-art authentication implemented in PHP.
- After step 3, the method further includes: when the target of the HTTP request is not in the server cache, using the proxy_cache module of Nginx to proxy the business logic to the hypertext preprocessor (PHP).
- Proxy_cache is the caching module built into Nginx. It delegates business logic to PHP on a miss; if the client's HTTP request hits the server cache, the cached content is returned directly.
- FIG. 3 shows the overall structure of the authentication system in one embodiment.
- The system comprises an encryption module A1, a first confirmation module A2 and a second confirmation module A3. Module A1 is connected to A2; it generates the authentication string and adds the API interface public key, the current client time and the authentication string to the HTTP request header. Module A2 is connected to A1 and A3; it receives the client's HTTP request, confirms that the API interface public key is valid, and confirms that the client time differs from the current server time by less than the preset threshold. Module A3 is connected to A2 and confirms that the authentication string is correct.
- The encryption module A1 further includes an authentication-string generating unit, configured to: delete the first character "/" of the URI in the HTTP request; sort the stripped URI, the API interface public key, the client time and the GET parameter string of the request under a preset sorting rule; concatenate the sorted strings in order; insert the API interface secret key at the specified position of the concatenated string to obtain the authentication string; and hash the authentication string with MD5.
- Through the authentication string generated by this rule, the generating unit prevents third-party scraping and malicious attacks, improving the security of the accessed server; as noted above for the method, the MD5 step makes the string one-way, so a captured string does not reveal the secret key.
- The system is further configured to confirm that the header of the client's HTTP request contains the API interface public key, the client time and the authentication string.
- The encryption module A1 is further configured to bind customer identity information to the API interface public key, and the first confirmation module is further configured to confirm, from the access authority of the API interface public key, that the client is permitted to make the HTTP request; this identity check runs before the authentication-string check.
- The system is further configured to confirm that the HTTP request includes POST information and to splice the POST parameter string with the URI with its first character deleted, the API interface public key, the client time and the GET parameter string of the request; the spliced strings are sorted under the preset sorting rule, the API interface secret key is inserted at the specified position of the sorted string to obtain the authentication string, and the authentication string is hashed with MD5.
- Including the POST data in the material that is sorted and hashed makes the authentication string cover the request body as well, so a captured request cannot be replayed with a modified body, which further improves the security of the server.
- The preset threshold of the first confirmation module is at most 5 minutes, for the reason given above for step 2 of the method.
- The preset sorting rule of the encryption module is: sort by the first letter of each string, in ascending or descending order. As with the method, this is only one option; any fixed, agreed ordering that client and server both apply serves the purpose.
- The first confirmation module and the second confirmation module are implemented by a Lua scripting module in the Nginx web server, with the speed advantage over PHP described above for the method.
- The system further includes a proxy module, coupled to the second confirmation module A3, for obtaining the target of the HTTP request: the proxy_cache module built into Nginx returns cached content directly on a hit and proxies the business logic to the hypertext preprocessor (PHP) on a miss.
- FIG. 4 is a block diagram of an apparatus for carrying out the authentication method according to another embodiment of the present application.
- The apparatus includes a processor 401, a memory 402 and a bus 403; the processor 401 and the memory 402 communicate with each other over the bus 403.
- The processor 401 is configured to invoke program instructions in the memory 402 to perform the method of the foregoing embodiments, for example: adding the API interface public key, the current client time and the authentication string to the header of the client's HTTP request; receiving the client's HTTP request, confirming that the API interface public key in the header is correct, and confirming that the difference between the client time and the current server time is less than the preset threshold; and confirming that the authentication string is correct.
- Another embodiment of the present application discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium; when its program instructions are executed by a computer, the computer performs the method of the foregoing embodiments, for example the three operations listed above.
- Another embodiment discloses a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of the foregoing embodiments, again comprising those three operations.
- The program may be stored in a computer-readable storage medium and, when executed, carries out the steps of the foregoing method embodiments; the storage medium may be any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disk.
- The apparatus described above is illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may reside in one place or be distributed across several network nodes. Some or all of the modules may be selected as needed to achieve the purpose of the embodiment, and those of ordinary skill in the art can understand and implement them without undue effort.
Landscapes (technical areas): Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Power Engineering; Information Transfer Between Computers; Storage Device Security
Abstract
Proposed are an authentication method and system. In the method, authentication information is added to the header information of the client's HTTP request, and the authentication operation is then performed on the server. The invention has the following beneficial effects: 1. adding the authentication information to the HTTP request header does not alter the request URL, so URLs remain consistent; and 2. a special algorithm for generating the authentication string can effectively prevent forgery of requests by a third party.
Description
交叉引用cross reference
本申请引用于2017年02月17日提交的专利名称为“一种鉴权方法及系统”的第201710087135X号中国专利申请,其通过引用被全部并入本申请。The present application is hereby incorporated by reference in its entirety in its entirety in its entirety in its entirety in the the the the the the the the the
本发明涉及通信技术领域,更具体地,涉及一种鉴权方法及系统。The present invention relates to the field of communication technologies, and in particular, to an authentication method and system.
目前,互联网软件产品从产品受众主要划分为两大类,包括面向终端消费者的大众类互联网产品,例如新浪微博Web端、知乎Web端等。这类产品的特点在于使用该类产品的对象是人类,大部分提供的媒体内容为无结构化的文本(例如小说、博客)、图片、音视频等。另一类产品面向的受众是计算机,即服务主要形式为提供编程接口的API(Application Programming Interface,应用程序接口),方便程序员利用该API进行二次开发。这类产品的特点在于服务的对象为计算机,提供的媒体内容大部分为结构化的文本,例如XML、JSON等。At present, Internet software products are mainly divided into two categories from product audiences, including popular Internet products for end consumers, such as Sina Weibo Web, Zhizhi Web. The characteristics of such products are that the objects of such products are human, and most of the provided media content is unstructured text (such as novels, blogs), pictures, audio and video, and the like. Another type of product is aimed at the computer, that is, the main form of the service is an API (Application Programming Interface) that provides a programming interface, which is convenient for programmers to use the API for secondary development. The characteristics of this type of product are that the service object is a computer, and the media content provided is mostly structured text, such as XML, JSON, and the like.
Authentication means verifying that a user has the right to access a system. Traditional authentication is done with a password, on the premise that every user who has been given a password has already been authorized. When a user account is created it is assigned a password, which may be chosen by the administrator or requested by the user. The weakness of this approach is obvious: once a password is stolen or lost, the situation becomes troublesome; the administrator has to reset the user's password and must first manually verify the user's identity. To overcome these shortcomings, a more reliable authentication method is needed. The mainstream approach today is to use certification and authorization to verify whether a digital signature is correct.
For API products, the common practice for authenticating a user terminal that accesses them is to use an authentication encryption algorithm to generate an authentication encrypted string corresponding to the request information of the user terminal, send that string together with the request to the server that is to be accessed, and have the server perform the authentication operation in PHP (Hypertext Preprocessor), a general-purpose open source scripting language.
However, large technology companies each design their own authentication encryption algorithms for their own security reasons; at the same time, performing the authentication operation in PHP cannot meet the higher efficiency requirements that arise in many situations.
Summary of the invention
To overcome the above problems, or at least partly solve them, the present invention provides an authentication method and system.
According to one aspect of the present invention, an authentication method is provided, including:
Step 1: adding the API interface public key of the HTTP request, the current client terminal time and an authentication encrypted string to the Header information of the client terminal's HTTP request;
Step 2: receiving the client terminal's HTTP request, confirming that the API interface public key in the Header information is correct, and confirming that the difference between the client terminal time and the current server time is less than a preset threshold;
Step 3: confirming that the authentication encrypted string is correct.
According to another aspect of the present invention, an authentication system is provided, including an encryption module, a first confirmation module and a second confirmation module:
The encryption module is connected to the first confirmation module and is used to generate the authentication encrypted string and to add the API interface public key, the current client terminal time and the authentication encrypted string to the Header information of the client terminal's HTTP request;
The first confirmation module is connected to the encryption module and to the second confirmation module respectively, and is used to receive the client terminal's HTTP request, confirm that the API interface public key is correct, and confirm that the difference between the client terminal time and the current server time is less than the preset threshold;
The second confirmation module is connected to the first confirmation module and is used to confirm that the authentication encrypted string is correct.
This application proposes an authentication method and system in which authentication information is added to the Header information of the client terminal's HTTP request and the authentication is performed in Nginx. The invention has the following beneficial effects: 1. adding the authentication information to the Header information of the HTTP request does not make the URL in the Header information of the HTTP request inconsistent; 2. the special authentication encrypted string generation algorithm can effectively prevent malicious imitation by third parties.
FIG. 1 is a schematic overall flow chart of an authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an authentication method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the overall framework of an authentication system according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a device of an authentication system according to an embodiment of the present invention.
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention. First, some technical terms used in the specific embodiments are explained.
HTTP: the request message sent from the client to the server.
Header: the header information carried in an HTTP request.
API (Application Programming Interface): a set of predefined functions whose purpose is to give applications and developers the ability to access a group of routines based on some software or hardware without needing to access the source code or understand the details of its internal workings.
A public key (Public Key) and a private key (Private Key) are a key pair (one public key and one private key) obtained by an algorithm; the public key is the part of the pair that is made public, and the private key is the part that is kept secret. Public keys are usually used to encrypt session keys, verify digital signatures, or encrypt data that can be decrypted with the corresponding private key. A key pair obtained by such an algorithm is guaranteed to be unique worldwide. When the key pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption will not succeed.
Public key AID: the public key used for API interface encryption.
Secret key AID: the secret key used for API interface encryption; it is not published and is provided by the server side.
MD5: Message Digest Algorithm 5.
GET request: a type of request sent by an HTTP client, requesting a file from the web server.
POST request: a type of request sent by an HTTP client, sending data to the web server for the web server to process.
Authentication encrypted string: an encrypted string, generated according to certain rules, that is used for authentication.
Nginx: a lightweight web server / reverse proxy server and e-mail (IMAP/POP3) proxy service.
Proxy_cache: the built-in caching module that ships with Nginx.
Url: a Uniform Resource Identifier (URI) is a string that identifies the name of an Internet resource.
Lua is a small scripting language; a complete Lua interpreter is only about 200 KB, and among all current scripting engines Lua is the fastest.
FIG. 1 shows the overall flow of an authentication method in a specific embodiment of the present invention. As a whole, the method includes the following steps: Step 1, adding the API interface public key of the HTTP request, the current client terminal time and the authentication encrypted string to the Header information of the client terminal's HTTP request; Step 2, receiving the client terminal's HTTP request, confirming that the API interface public key is correct, and confirming that the difference between the client terminal time and the current server time is less than a preset threshold; Step 3, confirming that the authentication encrypted string is correct.
In the above embodiment, placing the encrypted information in the Header information of the client terminal's HTTP request does not make the HTTP request URL inconsistent, so server cache misses caused by inconsistent request URLs are avoided.
In another embodiment of the present invention, the authentication encrypted string of step 1 is generated by the following steps: S11, deleting the first character "/" of the Uniform Resource Identifier in the HTTP request; S12, sorting the string obtained after deleting the character "/", the API interface public key in the HTTP request, the client terminal time and the GET parameter string of the client terminal's HTTP request according to a preset sorting rule, and concatenating the sorted strings in order; S13, inserting the API interface secret key at a specified position in the concatenated string to obtain the authentication encrypted string, and converting the authentication encrypted string to an MD5 code.
In the above embodiment, the authentication encrypted string generated by this special generation rule can effectively prevent intrusion by third-party crawlers or malicious attacks, thereby improving the security of the accessed server. Because MD5 is an irreversible encryption algorithm with high security that is widely used to check file integrity, converting the generated authentication encrypted string to an MD5 code effectively prevents the final authentication encrypted string from being reversed, giving a higher degree of assurance that the authentication encrypted string is secure and valid.
In another embodiment of the present invention, the method further includes, before step 2: confirming that the Header information of the client terminal's HTTP request contains all three of the API interface public key, the client terminal time and the authentication encrypted string. Performing the confirmation of step 2 only after this check avoids running step 2 when the three fields are incomplete, which would waste server resources and time.
In another embodiment of the present invention, the method further includes, before step 3: adding client identity information to the API interface public key, and confirming, according to the access rights of the API interface public key, that the client terminal has permission for the HTTP request. In this embodiment, the client's identity information may be added to the API interface key pair, and before the authentication encrypted string operation of step 3 is performed, it is checked whether the access rights corresponding to the identity information in the API interface public key contained in the HTTP request allow the client terminal to make this HTTP request.
In another embodiment of the present invention, generating the authentication encrypted string in step 1 further includes: S11', confirming that the HTTP request contains POST information; S12', concatenating the POST information parameter string with the Uniform Resource Identifier from which the first character "/" has been deleted, the API interface public key, the client terminal time and the GET parameter string of the client terminal's HTTP request, and after concatenation sorting the above strings according to the preset sorting rule; S13', inserting the API interface secret key at the specified position in the sorted string to obtain the authentication encrypted string, and converting the authentication encrypted string to an MD5 code.
In another embodiment of the present invention, the preset threshold in step 2 is ≤ 5 minutes. The reason the preset threshold is set to 5 minutes in this embodiment is that the URL of each HTTP request is time-limited: even if the URL is captured by packet sniffing, it can be used for at most 5 minutes. Therefore, to ensure that an authenticated HTTP request remains valid, the preset threshold should be set to no more than 5 minutes.
In another embodiment of the present invention, the preset sorting rule in step 1 is: sorting according to the ascending or descending order of the first letter of each string. The sorting rule in this embodiment is only one possibility, sorting the first letters of the strings in ascending or descending order within the 26-letter alphabet. In practice the invention is not limited to these two sorting rules; any fixed scrambling rule can achieve the string sorting purpose of the invention.
FIG. 2 shows the overall flow of an authentication method according to another embodiment of the present invention. In general, the following steps are included:
The client terminal attaches the public key aid, the client's current request timestamp time and the authentication encrypted string auth to the HTTP request Header.
The specific algorithm for generating the encrypted auth is as follows: (1) take the requested interface address uri (for example /api/thirdPart/live) from its second character onward (i.e. api/v1/live); (2) concatenate the string obtained in the previous step with the GET parameters, the public key aid and time, and sort them in ascending order by the first letter of each parameter string; the public key aid contains the client identity information; (3) when the user's HTTP request contains POST data, the result of the previous sort is joined to the GET parameter string with the & symbol and the sort of the previous step is performed again, after which the secret key is inserted at the specified position in the string, finally giving the encrypted string (api/thirdPart/live?aid=xxx&limit=10&offset=30&time=1468897751 + client secret key KEY + POST parameter string); this string is then converted to an MD5 code.
The Lua module in the server's Nginx checks whether the Header contains all three fields aid, time and auth; the server checks the validity of the public key aid; the server checks whether the difference between the time sent by the client and the server's time is within 5 minutes; the server checks the access permission scope of the public key AID; and it checks whether the authentication string is correct.
Using Nginx's proxy_cache caching function, if the cache is not hit the request is proxied to PHP to process the business logic; if it is hit, the response is returned directly.
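The client-side generation and the server-side check sequence of FIG. 2 (and steps S11 to S13 above), as an added example that is not part of the patent and not Nginx/Lua code. It assumes a sorting rule of ascending first character with elements joined by "&", the secret key inserted between the sorted request elements and the POST parameter string as in the sketch above, and a constructed aid, secret key and permission table.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample registry (not from the patent): each public key "aid" maps to
# its server-side secret key and to the interface paths that aid is allowed to call.
API_SECRET_KEYS = {"aid-demo-001": "demo-secret-key"}
API_PERMISSIONS = {"aid-demo-001": {"api/thirdPart/live"}}
MAX_CLOCK_SKEW_SECONDS = 5 * 60  # the patent's preset threshold of at most 5 minutes


def strip_leading_slash(uri):
    """S11: delete the first character of the URI when it is '/'."""
    return uri[1:] if uri.startswith("/") else uri


def sorted_param_strings(params):
    """Assumed preset sorting rule: 'key=value' strings in ascending order of
    their first characters (ties broken by the rest of the string)."""
    return sorted(f"{k}={v}" for k, v in params.items())


def build_auth_string(uri, get_params, aid, timestamp, secret, post_params=None):
    """Steps S11-S13: return the MD5 hex digest of the authentication string.

    Assumed layout, following the sketch in the description:
        path?sorted(get params + aid + time) + SECRET + sorted(post params)
    """
    path = strip_leading_slash(uri)
    elements = dict(get_params)
    elements["aid"] = aid
    elements["time"] = str(timestamp)
    query = "&".join(sorted_param_strings(elements))
    signed = f"{path}?{query}{secret}"  # S13: secret key at a fixed position
    if post_params:  # S11'-S13': POST parameters also take part
        signed += "&".join(sorted_param_strings(post_params))
    return hashlib.md5(signed.encode("utf-8")).hexdigest()


def sign_request(uri, get_params, aid, post_params=None, now=None):
    """Client side: produce the aid/time/auth headers for one request."""
    ts = int(time.time() if now is None else now)
    secret = API_SECRET_KEYS[aid]  # the client holds its own secret key
    auth = build_auth_string(uri, get_params, aid, ts, secret, post_params)
    return {"aid": aid, "time": str(ts), "auth": auth}


def verify_request(headers, uri, get_params, post_params=None, now=None):
    """Server side, in the order of FIG. 2: field presence, aid validity,
    clock skew, permission scope, then the auth string. Returns (ok, reason)."""
    now = time.time() if now is None else now
    for field in ("aid", "time", "auth"):  # cheapest check first
        if field not in headers:
            return False, f"missing header: {field}"
    aid = headers["aid"]
    secret = API_SECRET_KEYS.get(aid)
    if secret is None:
        return False, "unknown aid"
    try:
        ts = int(headers["time"])
    except ValueError:
        return False, "time is not an integer timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside the 5 minute window"
    if strip_leading_slash(uri) not in API_PERMISSIONS.get(aid, set()):
        return False, "aid not permitted for this path"
    expected = build_auth_string(uri, get_params, aid, ts, secret, post_params)
    if not hmac.compare_digest(expected, headers["auth"]):  # constant-time compare
        return False, "auth string mismatch"
    return True, "ok"


def cache_key(uri, get_params):
    """Simplified proxy_cache key (URI plus query string only): the per-request
    aid/time/auth values live in headers, so they never change this key."""
    query = urlencode(sorted(get_params.items()))
    return f"{uri}?{query}" if query else uri


if __name__ == "__main__":
    uri, params = "/api/thirdPart/live", {"limit": "10", "offset": "30"}
    hdrs = sign_request(uri, params, "aid-demo-001", now=1468897751)
    print(hdrs)
    print(verify_request(hdrs, uri, params, now=1468897751))
    print(verify_request(hdrs, uri, params, now=1468897751 + 600))
```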
In another embodiment of the present invention, steps 2 and 3 of the method are executed by the Lua scripting-language module in the Nginx web server.
Nginx is a lightweight web server / reverse proxy server and e-mail (IMAP/POP3) proxy service. It is characterised by low memory usage and strong concurrency; in fact Nginx's concurrency does perform well among web servers of its type. Lua is a small scripting language; a complete Lua interpreter is only about 200 KB, and among all current scripting engines Lua script processing is the fastest. Embedding the Lua authentication script as a module in Nginx to perform the authentication operations of steps 2 and 3 gives a clear improvement in authentication speed compared with the prior art, in which authentication is performed directly in PHP.
In another embodiment of the present invention, the method further includes, after step 3: when the target information requested by the HTTP request is not in the server cache, using the caching module proxy_cache of the Nginx web server to proxy the request to the Hypertext Preprocessor (PHP) to process the business logic. Proxy_cache is the built-in caching module that ships with Nginx. When the HTTP request cannot obtain the desired information from the server cache, proxy_cache proxies it to PHP to process the business logic. If the user terminal's HTTP request hits the server cache, the required content is returned directly.
FIG. 3 shows the overall structure of an authentication system in a specific embodiment of the present invention. In general it includes an encryption module A1, a first confirmation module A2 and a second confirmation module A3: the encryption module A1 is connected to the first confirmation module A2 and is used to generate the authentication encrypted string and to add the API interface public key, the current client terminal time and the authentication encrypted string to the Header information of the client terminal's HTTP request; the first confirmation module A2 is connected to the encryption module A1 and the second confirmation module A3 respectively, and is used to receive the client terminal's HTTP request, confirm that the API interface public key is correct, and confirm that the difference between the client terminal time and the current server time is less than the preset threshold; the second confirmation module A3 is connected to the first confirmation module A2 and is used to confirm that the authentication encrypted string is correct.
In the above embodiment, placing the encrypted information in the Header information of the client terminal's HTTP request does not make the HTTP request URL inconsistent, so server cache misses caused by inconsistent request URLs are avoided.
In another embodiment of the present invention, the encryption module A1 of the authentication system further includes an authentication encrypted string generating unit, used to delete the first character "/" of the Uniform Resource Identifier in the HTTP request; sort the string obtained after deleting the character "/", the API interface public key in the HTTP request, the client terminal time and the GET parameter string of the client terminal's HTTP request according to the preset sorting rule; concatenate the sorted strings in order; insert the API interface secret key at a specified position in the concatenated string to obtain the authentication encrypted string; and convert the authentication encrypted string to an MD5 code.
In the above embodiment, the authentication encrypted string generated by the authentication encrypted string generating unit according to this special generation rule can effectively prevent intrusion by third-party crawlers or malicious attacks, thereby improving the security of the accessed server. Because MD5 is an irreversible encryption algorithm with high security that is widely used to check file integrity, converting the generated authentication encrypted string to an MD5 code effectively prevents the final authentication encrypted string from being reversed, giving a higher degree of assurance that the authentication encrypted string is secure and valid.
In another embodiment of the authentication system, the first confirmation unit is further used to confirm that the Header information of the client terminal's HTTP request contains all three of the API interface public key, the client terminal time and the authentication encrypted string. Performing the confirmation of step 2 only after this check avoids running step 2 when the three fields are incomplete, which would waste server resources and time.
In another embodiment of the authentication system, the encryption module A1 is further used to add client identity information to the API interface public key, and the first confirmation module is further used to confirm, according to the access rights of the API interface public key, that the client terminal has permission for the HTTP request. In this embodiment, the client's identity information may be added to the API interface key pair, and before the authentication encrypted string operation of step 3 is performed, it is checked whether the access rights corresponding to the identity information in the API interface public key contained in the HTTP request allow the client terminal to make this HTTP request.
In another embodiment of the authentication system, the encryption module is further used to confirm that the HTTP request contains POST information, concatenate the POST information parameter string with the Uniform Resource Identifier from which the first character "/" has been deleted, the API interface public key, the client terminal time and the GET parameter string of the client terminal's HTTP request, sort the above strings according to the preset sorting rule after concatenation, insert the API interface secret key at the specified position in the sorted string to obtain the authentication encrypted string, and convert the authentication encrypted string to an MD5 code. This embodiment takes into account that when the HTTP request sent by the client terminal contains POST information, the POST information can be added to the authentication encrypted string and sorted together with the other elements, which increases the complexity of the authentication encrypted string and further improves the security of the server.
In another embodiment of the authentication system, the preset threshold in the first confirmation module is ≤ 5 minutes. The reason the preset threshold is set to 5 minutes in this embodiment is that the URL of each HTTP request is time-limited: even if the URL is captured by packet sniffing, it can be used for at most 5 minutes. Therefore, to ensure that an authenticated HTTP request remains valid, the preset threshold should be set to no more than 5 minutes.
In another embodiment of the authentication system, the preset sorting rule in the encryption module is: sorting according to the ascending or descending order of the first letter of each string. The sorting rule in this embodiment is only one possibility, sorting the first letters of the strings in ascending or descending order within the 26-letter alphabet. In practice the invention is not limited to these two sorting rules; any fixed scrambling rule can achieve the string sorting purpose of the invention.
In another embodiment of the authentication system, the first confirmation module and the second confirmation module are implemented by the Lua scripting-language module in the Nginx web server. Nginx is a lightweight web server / reverse proxy server and e-mail (IMAP/POP3) proxy service. It is characterised by low memory usage and strong concurrency; in fact Nginx's concurrency does perform well among web servers of its type. Lua is a small scripting language; a complete Lua interpreter is only about 200 KB, and among all current scripting engines Lua script processing is the fastest. Embedding the Lua authentication script as a module in Nginx to perform the authentication operations of steps 2 and 3 gives a clear improvement in authentication speed compared with the prior art, in which authentication is performed directly in PHP.
In another embodiment, the authentication system further includes a proxy module connected to the second confirmation module A3, used, when the target information requested by the HTTP request is not in the server cache, to proxy the request through the caching module proxy_cache of the Nginx web server to the Hypertext Preprocessor (PHP) to process the business logic. Proxy_cache is the built-in caching module that ships with Nginx. When the HTTP request cannot obtain the desired information from the server cache, proxy_cache proxies it to PHP to process the business logic. If the user terminal's HTTP request hits the server cache, the required content is returned directly.
FIG. 4 is a structural block diagram of a device for an authentication method according to another embodiment of the present application.
Referring to FIG. 4, the device for operating a database includes: a processor 401, a memory 402 and a bus 403;
where the processor 401 and the memory 402 communicate with each other through the bus 403;
the processor 401 is used to call the program instructions in the memory 402 to execute the method provided by the above method embodiments, for example including: adding the API interface public key of the HTTP request, the current client terminal time and the authentication encrypted string to the Header information of the client terminal's HTTP request; receiving the client terminal's HTTP request, confirming that the API interface public key in the Header information is correct, and confirming that the difference between the client terminal time and the current server time is less than the preset threshold; and confirming that the authentication encrypted string is correct.
Another embodiment of the present application discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, enable the computer to perform the methods provided by the method embodiments described above, for example including: adding the API interface public key of the HTTP request, the current client terminal time and the authentication encrypted string to the header information of the client terminal's HTTP request; receiving the client terminal's HTTP request, confirming that the API interface public key in the header information is correct, and confirming that the difference between the client terminal time and the current server time is less than a preset threshold; and confirming that the authentication encrypted string is correct.
Another embodiment of the present application discloses a non-transitory computer-readable storage medium which stores computer instructions. The computer instructions cause the computer to perform the methods provided by the method embodiments described above, for example including: adding the API interface public key of the HTTP request, the current client terminal time and the authentication encrypted string to the header information of the client terminal's HTTP request; receiving the client terminal's HTTP request, confirming that the API interface public key in the header information is correct, and confirming that the difference between the client terminal time and the current server time is less than a preset threshold; and confirming that the authentication encrypted string is correct.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be implemented by hardware related to program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes ROM, RAM, a magnetic disk, an optical disk or any other medium capable of storing program code.
The embodiments of the device for an authentication method described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution above, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the various embodiments or in parts of the embodiments.
Finally, the method of the present application is only a preferred embodiment and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (13)
- An authentication method, characterized by comprising: Step 1, adding the API interface public key of the HTTP request, the current client terminal time and an authentication encrypted string to the header information of the client terminal's HTTP request; Step 2, receiving the client terminal's HTTP request, confirming that the API interface public key in the header information is correct, and confirming that the difference between the client terminal time and the current server time is less than a preset threshold; Step 3, confirming that the authentication encrypted string is correct.
- The method according to claim 1, characterized in that the authentication encrypted string in Step 1 is generated by the following steps: S11, deleting the first character "/" of the uniform resource identifier in the HTTP request; S12, sorting, according to a preset sorting rule, the string obtained by deleting the character "/", the API interface public key in the HTTP request, the client terminal time and the GET parameter string in the client terminal's HTTP request, and concatenating the sorted strings in order; S13, inserting the API interface secret key at a specified position in the concatenated string to obtain the authentication encrypted string, and converting the authentication encrypted string into an MD5 digest.
- The method according to claim 1, characterized in that, before Step 2, it further comprises: confirming that the header information of the client terminal's HTTP request contains the API interface public key, the client terminal time and the authentication encrypted string at the same time.
- The method according to claim 1, characterized in that, before Step 3, it further comprises: adding the client identity information to the API interface public key, and confirming, according to the access rights of the API interface public key, that the client terminal has the right to make the HTTP request.
- The method according to claim 1, characterized in that generating the authentication encrypted string in Step 1 further comprises: S11', confirming that the HTTP request contains POST information; S12', concatenating the POST information parameter string with the uniform resource identifier whose first character "/" has been deleted, the API interface public key, the client terminal time and the GET parameter string in the client terminal's HTTP request, and, after concatenation, sorting the above strings according to the preset sorting rule; S13', inserting the API interface secret key at a specified position in the string obtained after sorting to obtain the authentication encrypted string, and converting the authentication encrypted string into an MD5 digest.
- The method according to claim 1, characterized in that the preset threshold in Step 2 is ≤ 5 minutes.
- The method according to claim 2, characterized in that the preset sorting rule in Step 1 is: sorting the strings in ascending/descending order of their first letter.
- The method according to claim 2, characterized in that Steps 2 and 3 are executed by the scripting-language Lua module of the web server Nginx.
- The method according to claim 8, characterized in that, after Step 3, it further comprises: when the target information to be obtained by the HTTP request is not in the server cache, using the cache module proxy_cache of the web server Nginx to proxy the request to the hypertext preprocessor for business-logic processing.
- An authentication system, characterized by comprising an encryption module, a first confirmation module and a second confirmation module: the encryption module is connected to the first confirmation module and is used to generate the authentication encrypted string and to add the API interface public key, the current client terminal time and the authentication encrypted string to the header information of the client terminal's HTTP request; the first confirmation module is connected to the encryption module and to the second confirmation module respectively, and is used to receive the client terminal's HTTP request, confirm that the API interface public key is correct, and confirm that the difference between the client terminal time and the current server time is less than a preset threshold; the second confirmation module is connected to the first confirmation module and is used to confirm that the authentication encrypted string is correct.
- A device for an authentication method, characterized by comprising: at least one processor; and at least one memory communicatively connected to the processor, wherein: the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to perform the method according to any one of claims 1 to 9.
- A computer program product, characterized in that the computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 9.
- A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions which cause the computer to perform the method according to any one of claims 1 to 9.
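The signing and verification flow of claims 1 to 7 (and of the method embodiments above), as an added example in Python that is not part of the patent, which targets the Lua module of Nginx: the header names `X-Api-Key`, `X-Api-Time` and `X-Api-Sign`, the key registry, the path set used for the claim 4 access check and the insertion position of the secret key are assumptions; the sample key pair and request are constructed.

```python
"""Added example (not from the patent): header-based request signing per
claims 1-7, with the client-side signer and the server-side checks together.
Header names, the key registry and the secret-key insertion position are
assumptions; the sample keys and requests are constructed."""
import hashlib
import hmac
import time

# Assumed header names; the patent only says the three values go in the headers.
H_PUBKEY, H_TIME, H_SIGN = "X-Api-Key", "X-Api-Time", "X-Api-Sign"
MAX_SKEW_SECONDS = 5 * 60    # claim 6: preset threshold <= 5 minutes
SECRET_INSERT_AT = 0         # assumed "specified position" for the secret key

# Constructed registry: public key -> (secret key, paths this key may call).
# Claim 4 ties access rights to the public key; the path set models that.
KEYS = {"pk_demo_001": ("sk_demo_secret", {"api/v1/orders"})}


def auth_string(path, pubkey, client_time, get_params, secret, post_params=None):
    """Steps S11-S13 (and S11'-S13' when a POST body is present)."""
    uri = path[1:] if path.startswith("/") else path      # S11: drop the leading "/"
    pieces = [uri, pubkey, client_time, get_params]
    if post_params is not None:
        pieces.append(post_params)                         # S11'/S12': POST parameters join the material
    # S12 with claim 7's ascending rule: a plain lexicographic sort orders the
    # pieces by first letter and only refines ties, so it is an instance of the rule.
    joined = "".join(sorted(pieces))
    keyed = joined[:SECRET_INSERT_AT] + secret + joined[SECRET_INSERT_AT:]  # S13
    return hashlib.md5(keyed.encode("utf-8")).hexdigest()  # S13: MD5 digest, as claimed


def sign_request(pubkey, secret, path, get_params, post_params=None, client_time=None):
    """Client side (Step 1): build the three headers for one request."""
    t = int(time.time()) if client_time is None else int(client_time)
    sig = auth_string(path, pubkey, str(t), get_params, secret, post_params)
    return {H_PUBKEY: pubkey, H_TIME: str(t), H_SIGN: sig}


def verify_request(headers, path, get_params, post_params=None, now=None):
    """Server side (Steps 2-3 plus claims 3 and 4). Returns (ok, reason)."""
    now = time.time() if now is None else now
    missing = [h for h in (H_PUBKEY, H_TIME, H_SIGN) if h not in headers]
    if missing:                                            # claim 3: all three headers present
        return False, "missing header: " + ", ".join(missing)
    entry = KEYS.get(headers[H_PUBKEY])
    if entry is None:                                      # Step 2: public key is known
        return False, "unknown public key"
    secret, allowed_paths = entry
    try:
        client_time = int(headers[H_TIME])
    except ValueError:
        return False, "malformed time"
    if abs(now - client_time) >= MAX_SKEW_SECONDS:         # Step 2: |client - server| < threshold
        return False, "clock skew"
    uri = path[1:] if path.startswith("/") else path
    if uri not in allowed_paths:                           # claim 4: key may call this resource
        return False, "not authorized"
    expected = auth_string(path, headers[H_PUBKEY], str(client_time), get_params, secret, post_params)
    if not hmac.compare_digest(expected, headers[H_SIGN]): # Step 3, constant-time comparison
        return False, "bad authentication string"
    return True, "ok"


if __name__ == "__main__":
    hdrs = sign_request("pk_demo_001", "sk_demo_secret", "/api/v1/orders", "id=42")
    print(hdrs, verify_request(hdrs, "/api/v1/orders", "id=42"))
```

Two properties of the claimed construction are worth checking in a deployment. Within the skew window an identical request verifies again, because the material carries no nonce; a per-key cache of recently accepted authentication strings closes that. The pieces are concatenated without delimiters and keyed by inserting the secret at a fixed position, which is what the claims specify; `hmac.new(secret, joined, hashlib.sha256)` is the standard keyed-MAC construction, and delimiting or length-prefixing each piece removes boundary ambiguity between adjacent strings.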
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710087135.X | 2017-02-17 | ||
CN201710087135.XA CN106911684B (en) | 2017-02-17 | 2017-02-17 | Authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018149004A1 true WO2018149004A1 (en) | 2018-08-23 |
Family
ID=59207671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/076603 WO2018149004A1 (en) | 2017-02-17 | 2017-03-14 | Authentication method and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106911684B (en) |
WO (1) | WO2018149004A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107483563A (en) * | 2017-07-31 | 2017-12-15 | 九次方大数据信息集团有限公司 | The data query method and apparatus and client and server of anti-reptile |
CN107733635B (en) * | 2017-11-29 | 2020-10-09 | 四川长虹电器股份有限公司 | Data security transmission method based on gateway |
CN108897898A (en) * | 2018-07-26 | 2018-11-27 | 广东浪潮大数据研究有限公司 | A kind of method, system and the server of the access of static website hosted data |
CN109150865A (en) * | 2018-08-07 | 2019-01-04 | 厦门市美亚柏科信息股份有限公司 | A kind of protection, device and the storage medium of mobile terminal APP communications protocol |
CN109522726B (en) * | 2018-10-16 | 2024-06-25 | 康键信息技术(深圳)有限公司 | Authentication method for applet, server and computer readable storage medium |
CN110636041A (en) * | 2019-08-09 | 2019-12-31 | 西藏宁算科技集团有限公司 | Cloud authentication scheme implementation method and system based on OpenResty |
CN111083681B (en) * | 2019-11-20 | 2023-08-29 | 广州小鹏汽车科技有限公司 | Close-range communication data encryption method, terminal equipment and vehicle |
CN112491549B (en) * | 2020-12-08 | 2024-09-20 | 平安国际智慧城市科技股份有限公司 | Data information encryption verification method, system and computer readable storage medium |
CN115002773B (en) * | 2022-06-30 | 2025-05-30 | 广州启生信息技术有限公司 | A cross-platform authentication method and device based on 5G messages |
CN115967496B (en) * | 2022-10-17 | 2025-01-14 | 深圳市元征科技股份有限公司 | Data transmission method, device, terminal equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100325421A1 (en) * | 2007-04-01 | 2010-12-23 | Samsung Electronics Co., Ltd. | Apparatus and method for providing security service in home network |
US8181227B2 (en) * | 2006-08-29 | 2012-05-15 | Akamai Technologies, Inc. | System and method for client-side authentication for secure internet communications |
CN102739671A (en) * | 2012-06-26 | 2012-10-17 | 中国电力科学研究院 | Desktop virtualization and application display platform during cooperative computing of power system |
CN105022952A (en) * | 2014-04-28 | 2015-11-04 | 深圳市茁壮网络股份有限公司 | Middleware authentication method and middleware authentication device |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6885388B2 (en) * | 2001-04-25 | 2005-04-26 | Probaris Technologies Inc. | Method for automatically generating list of meeting participants and delegation permission |
US8621598B2 (en) * | 2008-03-12 | 2013-12-31 | Intuit Inc. | Method and apparatus for securely invoking a rest API |
CN105681470B (en) * | 2012-03-29 | 2018-12-28 | 北京奇虎科技有限公司 | Communication means, server based on hypertext transfer protocol, terminal |
CN103701761B (en) * | 2012-09-28 | 2017-07-18 | 中国电信股份有限公司 | Authentication method and system that open interface is called |
CN105262592A (en) * | 2015-09-18 | 2016-01-20 | 浪潮(北京)电子信息产业有限公司 | Data interaction method and API interface |
CN105306534B (en) * | 2015-09-21 | 2019-05-14 | 拉扎斯网络科技(上海)有限公司 | Information verification method based on open platform and open platform |
CN105450730A (en) * | 2015-11-05 | 2016-03-30 | 北京奇虎科技有限公司 | Method and apparatus for processing request from client |
CN105306473B (en) * | 2015-11-05 | 2018-06-22 | 北京奇虎科技有限公司 | A kind of method for preventing injection attacks, client, server and system |
CN105407102B (en) * | 2015-12-10 | 2019-05-17 | 四川长虹电器股份有限公司 | Http request data reliability verifying method |
CN106101258B (en) * | 2016-07-08 | 2021-05-25 | 腾讯科技(深圳)有限公司 | Interface calling method, device and system of hybrid cloud |
2017
- 2017-02-17 CN CN201710087135.XA patent/CN106911684B/en active Active
- 2017-03-14 WO PCT/CN2017/076603 patent/WO2018149004A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8181227B2 (en) * | 2006-08-29 | 2012-05-15 | Akamai Technologies, Inc. | System and method for client-side authentication for secure internet communications |
US20100325421A1 (en) * | 2007-04-01 | 2010-12-23 | Samsung Electronics Co., Ltd. | Apparatus and method for providing security service in home network |
CN102739671A (en) * | 2012-06-26 | 2012-10-17 | 中国电力科学研究院 | Desktop virtualization and application display platform during cooperative computing of power system |
CN105022952A (en) * | 2014-04-28 | 2015-11-04 | 深圳市茁壮网络股份有限公司 | Middleware authentication method and middleware authentication device |
Also Published As
Publication number | Publication date |
---|---|
CN106911684B (en) | 2020-06-16 |
CN106911684A (en) | 2017-06-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018149004A1 (en) | Authentication method and system | |
CN112333198B (en) | Secure cross-domain login method, system and server | |
CN114586315B (en) | Systems, methods, and computer readable media for decentralised data authentication | |
US10574648B2 (en) | Methods and systems for user authentication | |
CN103944900B (en) | It is a kind of that attack prevention method and its device are asked across station based on encryption | |
CN111355726B (en) | Identity authorization login method and device, electronic equipment and storage medium | |
US8185942B2 (en) | Client-server opaque token passing apparatus and method | |
CN106685973B (en) | Method and device for remembering login information, login control method and device | |
CN105306473B (en) | A kind of method for preventing injection attacks, client, server and system | |
CN102946384B (en) | User authentication method and equipment | |
CN106027228B (en) | Encryption and decryption method and encryption and decryption system for webpage identifier | |
CN104935568A (en) | Interface authentication signature method facing cloud platform | |
WO2017028804A1 (en) | Web real-time communication platform authentication and access method and device | |
CN107809317A (en) | A kind of identity identifying method and system based on token digital signature | |
El-Booz et al. | A secure cloud storage system combining time-based one-time password and automatic blocker protocol | |
JP2006525563A (en) | User and web site authentication method and apparatus | |
CN104378376A (en) | SOA-based single-point login method, authentication server and browser | |
CN103001770B (en) | A kind of user rs authentication method, server and system | |
KR102137122B1 (en) | Security check method, device, terminal and server | |
CN101145911B (en) | Identity authentication method with privacy protection and password retrieval function | |
CN114268450B (en) | API interface authentication method and system | |
CN108777673B (en) | Bidirectional identity authentication method in block chain | |
CN110213195A (en) | A kind of login authentication method, server and user terminal | |
CN110071937B (en) | Login method, system and storage medium based on block chain | |
Seta et al. | Implement time based one time password and secure hash algorithm 1 for security of website login authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17896784; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17896784; Country of ref document: EP; Kind code of ref document: A1 |