Nothing Special   »   [go: up one dir, main page]

CN101340289B - Replay attack preventing method and system thereof - Google Patents

Replay attack preventing method and system thereof Download PDF

Info

Publication number
CN101340289B
CN101340289B CN2008101187077A CN200810118707A CN101340289B CN 101340289 B CN101340289 B CN 101340289B CN 2008101187077 A CN2008101187077 A CN 2008101187077A CN 200810118707 A CN200810118707 A CN 200810118707A CN 101340289 B CN101340289 B CN 101340289B
Authority
CN
China
Prior art keywords
server end
intelligent key
key apparatus
accumulative total
client host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2008101187077A
Other languages
Chinese (zh)
Other versions
CN101340289A (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Beijing Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Feitian Technologies Co Ltd filed Critical Beijing Feitian Technologies Co Ltd
Priority to CN2008101187077A priority Critical patent/CN101340289B/en
Publication of CN101340289A publication Critical patent/CN101340289A/en
Application granted granted Critical
Publication of CN101340289B publication Critical patent/CN101340289B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of information security, in particular to a method for preventing the replay attack in the process of network communication and a system thereof. In the invention, the present transaction information is prevented from being replayed by the following steps: arranging the same cumulative cardinal and units in a server terminal and an intelligent key device; the server terminal judges whether the present cumulative values are reasonable. For instance, in a transaction system, if the data of transaction information is replayed, the transaction occurs in a duplicated way and the server terminal can refuse the transaction information which is incompatible with strategies by checking the cumulative values.

Description

Anti-replay-attack method and system thereof
Technical field
The present invention relates to information security field, particularly a kind of in the network service process method and the system thereof of anti-replay-attack.
Background technology
In present technology,, adopt technology such as signature, authentication usually in order to guarantee the fail safe in the network service.Signature technology can be divided into digital signature and electronic signature again, and digital signature is meant that forming electronic cipher by certain crypto-operation generation series of sign and code signs, and replaces writing signature or seal.Digital signature is to use the most general, that technology is the most ripe, operability is the strongest a kind of electric endorsement method in present ecommerce, the E-Government.It has adopted standardized procedure and scientific method, is used to identify signer's identity and to the approval of an electronic data content.Electronic signature technology is meant the true identity that can discern the both sides negotiator in e-file, guarantees fail safe and the authenticity and the non repudiation of transaction, plays the electronic technology means with the signature of the handwritten signature or the equivalent effect of affixing one's seal.
The essence of authentication is that certified side has some information (no matter being some secret information or special hardware that some are held in one's own possession or individual distinctive biological information), except that certified side oneself, any third party (needs in the scheme of certification authority (CA) at some, except the certification authority (CA)) can not forge, the certified authenticating party that can enough make believes that he has those secrets (no matter be show those information to authenticating party or adopt the method for zero-knowledge proof) really, and then his identity has just obtained authentication.
But in the authentication process, the assailant can reach the purpose that realizes authentication by Replay Attack, and Replay Attack is meant that the assailant sends the bag that a destination host had received, reaches the purpose of fraud system.
Summary of the invention
The present invention has overcome above-mentioned shortcoming, and a kind of anti-replay-attack method and system thereof that safety guarantee is provided for network trading or communication is provided.
The present invention solves the technical scheme that its technical problem takes: a kind of anti-replay-attack method comprises
In the server end accumulative total cardinal sum accumulative total unit identical with setting in the intelligent key apparatus, described intelligent key apparatus adds up on the accumulative total radix according to the described unit that adds up, and the described accumulative total of described server end foundation unit adds up on the accumulative total radix;
Described intelligent key apparatus will include the identifying code of accumulative total currency and the Transaction Information of client host carries out digital signature, and first packet that will include signing messages, identifying code and Transaction Information mails to server end by described client host;
Described server end carries out signature verification to the signing messages in first packet that receives, from verify effective first packet, obtain the accumulative total currency again, described server end judges that current aggregate-value in the scope of setting, then concludes the business according to Transaction Information.
Described can the setting in server end and intelligent key apparatus in the identical accumulative total cardinal sum accumulative total unit step, the accumulative total radix in the described intelligent key apparatus are to utilize the accumulative total radix of described server end to proofread and correct to obtain.
Described server end can store the different accumulative total cardinal sum accumulative total unit of many groups, described intelligent key apparatus mails in the identifying code of described server end and also includes intelligent key apparatus information, described server end is according to the accumulative total cardinal sum of described intelligent key apparatus information acquisition correspondence accumulative total unit, and the accumulative total currency that receives is calculated and judges that result of calculation is whether in the scope of setting;
Described judge result of calculation whether the detailed process in the scope of setting be:
When described accumulative total radix is an initial time, when the accumulative total unit is the clock ticktack value, described server end is according to the initial time and the clock ticktack value of described intelligent key apparatus information acquisition correspondence, tick count and the ticktock sum number of times difference that drips is calculated, and judged that ticktock number of times difference is whether in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus carries out digital signature, obtains from the timer of described intelligent key apparatus;
When described accumulative total radix is the counting initial value, when the accumulative total unit is the counting step-length, described server end is according to the counting initial value and the counting step-length of described intelligent key apparatus information acquisition correspondence, described server subtracts each other the value of the counter preserved in the value of the counter that receives and the server database, and judges and subtract each other one or several counting the step-length whether result equals to set.
Before in server end and intelligent key apparatus, can setting the step of accumulative total cardinal sum accumulative total unit, also comprise described intelligent key apparatus internal judgment user's legitimacy.
Described intelligent key apparatus can mail to server end after currency is signed respectively with described Transaction Information and described accumulative total.
Described intelligent key apparatus will include the identifying code of accumulative total currency and the Transaction Information of client host carries out digital signature, to include signing messages, first packet of identifying code and Transaction Information also comprises before mailing to server end by described client host, described server end and described client host carry out two-way authentication, the exchange PKI, described server end utilizes described PKI, after encrypting, mail in the described intelligent key apparatus as the accumulative total radix of proofreading and correct, after described intelligent key apparatus utilizes private key to be decrypted, utilize described accumulative total radix that the accumulative total radix of described intelligent key apparatus is proofreaied and correct.
Described intelligent key apparatus mails to described server end after utilizing described PKI to encrypt self accumulative total unit, after described server end utilizes private key to be decrypted, obtain with described intelligent key apparatus in consistent accumulative total unit; Perhaps, described server end mails to described intelligent key apparatus after utilizing described PKI to encrypt self accumulative total unit, after described intelligent key apparatus utilizes private key to be decrypted, obtains the consistent accumulative total unit of described and described server end.
Described intelligent key apparatus adds up on the accumulative total radix voluntarily according to the described unit that adds up.
Described intelligent key apparatus is adding up on the accumulative total radix under the triggering of server end according to the described unit that adds up.
Described totally unit is the clock ticktack value, corresponding accumulative total radix is an initial time, described server end judges that result after current aggregate-value calculated is whether in the scope of setting, be specially judgement after carrying out timing on the basis of described initial time and number of times difference that tick count and ticktock sum dripped calculates, whether the ticktock number of times difference of acquisition is in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus carries out digital signature, obtains from the timer of described intelligent key apparatus.
The described unit that adds up can be the counting step-length, corresponding described accumulative total radix is the initial value of counter, described server end is judged result after current aggregate-value calculated whether in the scope of setting, and is specially to judge that described intelligent key apparatus carries out currency totally and whether differs one or several step-length with the accumulative total currency of described server end under the triggering of described server end.
A kind of anti-replay-attack system comprises server end, client host and intelligent key apparatus, in described server end and the described intelligent key apparatus identical initial time and clock ticktack value is arranged;
Described server end comprises:
Clock module is used to generate initial time,
First communication module is used for the initial time that clock module generates is sent to described client host, receives from cumulative time and Transaction Information that described client host is sent;
Judge module is used for judging that according to the current time that described intelligent key apparatus is sent the tick count and the sum that drips drip the number of times difference whether in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus is signed, and obtains from the timer of described intelligent key apparatus;
Described client host comprises:
Second communication module is used to realize communicate between described server end and the described client host;
Third communication module is used to realize communicate between described client host and the described intelligent key apparatus;
Input module is used for the user and imports authentication information and described Transaction Information;
Described intelligent key apparatus comprises:
Four-way letter module is used for described intelligent key apparatus current time and described Transaction Information are sent to described server end by described client host, and receives the initial time of sending from described client host;
Timing module is used for carrying out timing according to initial time and ticktock value;
Described intelligent key apparatus also can comprise signature blocks, is used for current time and Transaction Information are signed;
Described server end also can comprise authentication module, is used for current time behind the described signature and Transaction Information are verified.
Also can comprise authentication module in the described intelligent key apparatus, be used to verify whether the user identity of described client host is legal.
A kind of anti-replay-attack system comprises server end, client host and intelligent key apparatus, records identical counting initial value and radix step-length in described server end and the described intelligent key apparatus;
Described server end comprises:
First counting module is used for counting according to described counting initial value and counting step-length;
First communication module is used for sending the counting triggering signal to described client host, receives count value and the Transaction Information sent from described client host;
Judge module is used to judge whether the difference of the count value of the count value that receives from described intelligent key apparatus and first counting module equals one or several step-length;
Described client host comprises:
Second communication module is used to realize communicate between described server end and the described client host;
Third communication module is used to realize communicate between described client host and the described intelligent key apparatus;
Input module is used for the user and imports authentication information and described Transaction Information;
Described intelligent key apparatus comprises:
Second counting module is used for receiving under the triggering of the counting triggering signal of sending from described server end by described client host and counts;
Four-way letter module, be used for the count value of described intelligent key apparatus and the Transaction Information of described client host, send to described server end by described client host, and receive the counting triggering signal of sending from described server end by described client host;
Described intelligent key apparatus also can comprise signature blocks, is used for the count value and the Transaction Information of second counting module are signed;
Described server end also can comprise authentication module, is used for count value behind the described signature and Transaction Information are verified.
Also can comprise authentication module in the described intelligent key apparatus, whether the user identity that is used for the checking client main frame is legal.
Beneficial effect of the present invention: on the one hand, the present invention is by adding up unit at the server end accumulative total cardinal sum identical with setting in the intelligent key apparatus, judge by described server end whether current aggregate-value is reasonable, prevent that current Transaction Information from being reset, as in certain transaction system, if certain transaction message data is reset, then transaction will take place at double, and server can refuse not conform to the transaction message of strategy by the checking aggregate-value; On the other hand, in the present invention, key is that to be kept at intelligent key apparatus inner and can not be read out, and has so just further guaranteed the fail safe of key.
Description of drawings
Fig. 1 is the flow chart of embodiment one among the present invention;
Fig. 2 is the flow chart of embodiment two among the present invention;
Fig. 3 is the system construction drawing of embodiment three among the present invention;
Fig. 4 is the system construction drawing of embodiment four among the present invention.
Embodiment
Embodiment one is a kind of preferred embodiment of anti-replay-attack method, in the present embodiment, adds up with the time, and carries a clock module in the intelligent key apparatus (hereinafter to be referred as USB Key), can carry out time accumulative total voluntarily.The method of utilizing present embodiment to provide can prevent further that transaction is by Replay Attack.Below in conjunction with Fig. 1, specify method and step that the present invention realizes:
Step 401, USB Key and client host connect;
Step 402, USB Key wait for that the user imports authentication information;
Step 403, user import authentication information by client host to USB Key;
Whether step 404, USB Key internal verification user identity be legal, if legal then execution in step 406, otherwise execution in step 405;
The identity identification information of step 405, USB Key internal verification user input is an invalid information, by client host to the user prompt error message;
The identity identification information of step 406, USB Key internal verification user input is a legal information, allows the user that USB Key is operated;
Step 407, USB Key ask when server end sends the school by client host;
Step 408, ask when server end is received the school, carry out two-way authentication, in the process of two-way authentication, exchange PKI with client;
Wherein, the method of carrying out two-way authentication has: SSL (Secure Sockets Layer, the secure socket layer protocol layer), EAP-TLS (Extensible Authentication Protocol-Transport Layer Security, Extensible Authentication Protocol-Transport Layer Security), WAPI (WLAN Authentication and Privacy Infrastructure, WAPI), based on Harn digital signature and zero-knowledge proof, in the present embodiment, the method for preferred two-way authentication is SSL.
Step 409, server end current time are set to initial time TS, initial time TS is encrypted with the PKI of USB Key issue USB Key, and set in advance a time window;
The initial time TS that step 410, USB Key send the server end that receives is decrypted with private key, and initial time TS is set to the initial time TS of oneself, this moment, the timer of USB Key inside picked up counting, and the clock ticktack value TD that its inside sets in advance encrypted with the PKI of server end sent to server end;
Step 411, server end are decrypted the clock ticktack value TD that receives, and together are kept at clock ticktack value TD and initial time TS in the database with private key;
Step 412, USB Key wait for reception server end transmit operation instruction;
Step 413, USB Key receive the signature command that server end sends, and the hardware sequence number A2 that A1 and USB Key are counted in the timing when utilizing signature in the timer generates identifying code A;
Digital signature is carried out to Transaction Information M and identifying code A in step 414, USB Key inside, generates the first packet S, again Transaction Information M, identifying code A, the first packet S is together sent to server end;
In present embodiment step 414, to be the user be transferred to data message among the USBKey by client host to Transaction Information M.
In present embodiment step 414, the concrete grammar that carries out digital signature is as follows: USB Key tries to achieve digital digest with Transaction Information M and identifying code A with hash algorithm by client host, with signature private key to digital digest encrypt digital signature, generate the first packet S.
Step 415, server end receive the first packet S, note the time T 0 when receiving the first packet S, and the first packet S is carried out signature verification, judge whether first packet is effective, if effectively, then execution in step 417, if invalid, then execution in step 416;
In present embodiment step 415, the concrete grammar that carries out signature verification is as follows: server end is deciphered the first packet S with PKI, obtain digital digest, server end adopts same hash algorithm to generate new digital digest Transaction Information M and identifying code A again, two digital digests are compared, if the two coupling illustrates that then the first packet S is an effective data packets, if the two does not match, illustrate that then the first packet S is the invalid data bag.
Step 416, server are pointed out error message by client host to USB Key;
Step 417, server end take out the sequence number A2 of USB Key from identifying code A, initial time TS, the clock ticktack value TD of preservation during query steps 411 is operated from the database of server end as the index condition with sequence number A2;
Step 418, server end are according to initial time TS, clock ticktack value TD, time T difference TM, tick count AM 0 computing time when receiving the first packet S and the decision condition AMM of time window:
Time difference TM=T0-time of advent initial time TS
Tick count AM=time difference TM/ clock ticktack value TD
The decision condition AMM=tick count AM-of the time window total A1 that drips;
Step 419, server end are judged AMM whether in the scope of time window TW, if in this scope, then execution in step 420, if not in this scope, then execution in step 421;
Step 420, server end are proceeded transaction;
Step 421, the transaction of server end refusal.
Embodiment two is a kind of another kind of preferred embodiment of anti-replay-attack method, in the present embodiment, adds up with number of times, has a counting module among the described USB Key, and counts under the triggering of server end.The method of utilizing present embodiment to provide can prevent further that transaction is by Replay Attack.Below in conjunction with Fig. 2, specify method and step that the present invention realizes:
Step 501, USB Key and client host connect;
Step 502, USB Key wait for that the user imports authentication information;
Step 503, user import authentication information by client host to USB Key;
Whether step 504, USB Key internal verification user identity be legal, if legal then execution in step 506, otherwise execution in step 505;
The identity identification information of step 505, USB Key internal verification user input is an invalid information, by client host to the user prompt error message;
The identity identification information of step 506, USB Key internal verification user input is a legal information, allows the user that USB Key is operated;
Step 507, USB Key send communication request by client host to server end;
Step 508, server end receive communication request, carry out two-way authentication with client, exchange PKI in the process of two-way authentication;
The method of wherein carrying out two-way authentication has: SSL, EAP-TLS, WAPI, based on Harn digital signature and zero-knowledge proof, in the present embodiment, the method for preferred two-way authentication is SSL.
Step 509, server end are provided with the initial value and the counting step-length of internal counter, and this initial value and counting step-length are encrypted with the PKI of USB Key, send to USB Key by client host again;
Step 510, USB Key use the private key of oneself to be decrypted the initial value and the counting step-length that receive, and are set to the initial value and the counting step-length of the counter of oneself;
Step 511, USB Key wait for the operational order that the reception server end sends;
Step 512, USB Key receive the signature command that server end sends, when carrying out signature operation at every turn, the initial value of USB Key internal counter can add or deduct one or several counting step-length, and the value of this hour counter signed generate second packet, Transaction Information signed generates the 3rd packet, and value, Transaction Information, second packet, the 3rd packet with counter together sends to server end again;
In present embodiment step 512, to be the user be transferred to data message among the USB Key by client host to Transaction Information;
In present embodiment step 512, the concrete grammar that carries out digital signature is identical with endorsement method in the step 415 of embodiment 1.
Step 513, server end receive second packet, the 3rd packet, and second packet and the 3rd packet are carried out signature verification, judge whether second packet and the 3rd packet be effective, if effectively, then execution in step 515, if invalid, then execution in step 514;
In present embodiment step 513, the concrete grammar that carries out signature verification is identical with verification method in the step 416 of embodiment one.
Step 514, server end are pointed out error message by client host to USB Key;
Step 515, server end are subtracted each other the value of the counter preserved in the value of the counter that receives and the server end database, one or several counting step-length whether comparative result equals to set, if equal one or several counting step-length, then execution in step 516, if be not equal to one or several counting step-length, then execution in step 517;
Step 516, proceed to conclude the business and server end replaces with the value of the counter preserved in the database value of the counter that receives;
Step 517, server end require value, Transaction Information, second packet and the 3rd packet or the refusal transaction of USB Key retransmission counter.
Embodiment three is a kind of preferred embodiments of anti-replay-attack, can prevent further that transaction from by Replay Attack, below in conjunction with Fig. 3, being described in detail present embodiment:
Present embodiment comprises: server 1, client host 2, USB Key3, and wherein server end 1 comprises that clock module 101, the very first time are provided with module 102, authentication module 103, judge module 104, first memory module 105, first communication module 106; Client host 2 comprises second communication module 201, third communication module 202, input module 203; USB Key3 comprises that authentication module 301, signature blocks 302, timing module 303, second time are provided with module 304, second memory module 305, four-way letter module 306.
In server end 1,
Clock module 101 is used to generate current initial time;
The very first time is provided with module 102, is used to be provided with time window;
Authentication module 103 is used for the first packet S that receives is carried out signature verification;
Judge module 104 is used for computing time difference TM, tick count AM, ticktock number of times difference AMM, according to the cumulative time judgement time difference of sending in the described intelligent key apparatus whether in the time window scope of setting;
First memory module 105 is used for sequence number, initial time TS, clock ticktack value TD that server end 1 is stored USB Key3,
First communication module 106 is used for the initial time that clock module generates is sent to described client host, receives from cumulative time and Transaction Information that described client host is sent.
In client host 2,
Second communication module 201 is used for connecting between client host 2 and server end 1, realizes data communication and exchanges data between client host 2 and the server end 1;
Third communication module 202 is used for connecting between client host 2 and USB Key3, realizes data communication and exchanges data between client host 2 and the USB Key3;
Input module 203 is used for the user and imports authentication information and Transaction Information.
In USB Key3,
Authentication module 301, whether the user identity that is used for checking client main frame 2 is legal;
Signature blocks 302 is used for USB Key3 inside Transaction Information M and identifying code A is signed;
Timing module 303, the timer that is used for USB Key3 picks up counting;
Second time was provided with module 304, was used to be provided with the initial time TS of USB Key3;
Second memory module 305, the clock ticktack value, Transaction Information, the initial time that be used for USB Key3 storing subscriber information, set in advance;
Four-way letter module 306 is used for connecting by USB interface between USB Key3 and client host 2, realizes data communication and exchanges data between USB Key3 and the client host 2.
Embodiment four be anti-replay-attack system another kind of preferred embodiment, the system that utilizes present embodiment to provide can further prevent transaction by Replay Attack, below in conjunction with Fig. 4, specifies the system that the present invention realizes:
Present embodiment provides a kind of system of anti-replay-attack, this system comprises: server 1, client host 2, USB Key3, and wherein server end 1 comprises that first counting module 101, first is provided with module 102, authentication module 103, judge module 104, first computing module 105, first memory module 106, first communication module 107; Client host 2 comprises second communication module 201, third communication module 202, input module 203; USB Key3 comprises that authentication module 301, second counting module 302, second are provided with module 303, signature blocks 304, second memory module 305, four-way letter module 306, second computing module 307.
In server end 1,
First counting module 101 is used for server end 1 inside and counts;
First is provided with module 102, is used for initial value and counting step-length that server end 1 is provided with counter;
Authentication module 103 is used for 1 pair second packet of server end and carries out signature verification;
Judge module 104, be used for server end 1 value of the counter that receives and the value of the counter that server end 1 database is preserved are subtracted each other, judge whether the difference of the count value of the count value that described intelligent key apparatus receives and first counting module equals one or several step-length;
First computing module 105 is used for server end 1 value of the counter that receives and the value of the counter that server end 1 database is preserved is subtracted each other;
First memory module 106 is used for the value of server end 1 memory counter and counts step-length;
First communication module 107 is used for sending the counting triggering signal to described client host, receives count value and the Transaction Information sent from described client host.
In client host 2,
Second communication module 201 is used for connecting between client host 2 and server end 1, realizes data communication and exchanges data between client host 2 and the server end 1;
Third communication module 202 is used for connecting between client host 2 and USB Key3, realizes data communication and exchanges data between client host 2 and the USB Key3;
Input module 203 is used for the user and imports authentication information and Transaction Information.
In USB Key3,
Authentication module 301, whether the user identity that is used for checking client main frame 2 is legal;
Second counting module 302 is used for when carrying out signature operation, and USB Key internal counter adds initial value or deduct a counting step-length;
Second is provided with module 303, is used for initial value and counting step-length that USB Key3 is provided with counter;
Signature blocks 304 is used for USB Key3 the value and the Transaction Information of counter is signed;
Second memory module 305, be used for USB Key3 store transaction information, counter value, the counting step-length;
Four-way letter module 306 is used for connecting by USB interface between USB Key3 and client host 2, realizes data communication and exchanges data between USB Key3 and the client host 2;
Second computing module 307 is used for when carrying out signature operation, and USB Key3 internal counter adds initial value or deduct a counting step-length.
More than anti-replay-attack method provided by the present invention and system thereof are described in detail, used specific case herein principle of the present invention and execution mode are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims (15)

1. an anti-replay-attack method is characterized in that: comprise
In the server end accumulative total cardinal sum accumulative total unit identical with setting in the intelligent key apparatus, described intelligent key apparatus adds up on the accumulative total radix according to the described unit that adds up, and the described accumulative total of described server end foundation unit adds up on the accumulative total radix;
Described intelligent key apparatus will include the identifying code of accumulative total currency and the Transaction Information of client host carries out digital signature, and first packet that will include signing messages, identifying code and Transaction Information mails to server end by described client host;
Described server end carries out signature verification to the signing messages in first packet that receives, from verify effective first packet, obtain the accumulative total currency again, described server end judges that current aggregate-value in the scope of setting, then concludes the business according to Transaction Information.
2. anti-replay-attack method according to claim 1, it is characterized in that: described in the server end accumulative total cardinal sum accumulative total unit step identical with setting in the intelligent key apparatus, the accumulative total radix in the described intelligent key apparatus is to utilize the accumulative total radix of server end to proofread and correct acquisition.
3. anti-replay-attack method according to claim 1, it is characterized in that: described server end stores the different accumulative total cardinal sum accumulative total unit of many groups, described intelligent key apparatus mails in the identifying code of described server end and also includes intelligent key apparatus information, described server end is according to the accumulative total cardinal sum of described intelligent key apparatus information acquisition correspondence accumulative total unit, and the accumulative total currency that receives is calculated and judges that result of calculation is whether in the scope of setting;
Described judge result of calculation whether the detailed process in the scope of setting be:
When described accumulative total radix is an initial time, when the accumulative total unit is the clock ticktack value, described server end is according to the initial time and the clock ticktack value of described intelligent key apparatus information acquisition correspondence, tick count and the ticktock sum number of times difference that drips is calculated, and judged that ticktock number of times difference is whether in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus carries out digital signature, obtains from the timer of described intelligent key apparatus; When described accumulative total radix is the counting initial value, when the accumulative total unit is the counting step-length, described server end is according to the counting initial value and the counting step-length of described intelligent key apparatus information acquisition correspondence, described server subtracts each other the value of the counter preserved in the value of the counter that receives and the server database, and judges and subtract each other one or several counting the step-length whether result equals to set.
4. anti-replay-attack method according to claim 1 is characterized in that: set the step of accumulative total cardinal sum accumulative total unit in server end and intelligent key apparatus before, also comprise intelligent key apparatus internal judgment user's legitimacy.
5. anti-replay-attack method according to claim 1 is characterized in that: described intelligent key apparatus mails to server end with described Transaction Information and described accumulative total after currency is signed respectively.
6. anti-replay-attack method according to claim 1, it is characterized in that: described intelligent key apparatus will include the identifying code of accumulative total currency and the Transaction Information of client host carries out digital signature, to include signing messages, first packet of identifying code and Transaction Information also comprises before mailing to server end by described client host, described server end and described client host carry out two-way authentication, the exchange PKI, described server end utilizes described PKI, after encrypting, mail in the described intelligent key apparatus as the accumulative total radix of proofreading and correct, after described intelligent key apparatus utilizes private key to be decrypted, utilize described accumulative total radix that the accumulative total radix of described intelligent key apparatus is proofreaied and correct.
7. anti-replay-attack method according to claim 6, it is characterized in that: described intelligent key apparatus mails to described server end after utilizing described PKI to encrypt self accumulative total unit, after described server end utilizes private key to be decrypted, obtain with described intelligent key apparatus in consistent accumulative total unit; Perhaps, described server end mails to intelligent key apparatus after utilizing described PKI to encrypt self accumulative total unit, after described intelligent key apparatus utilizes private key to be decrypted, obtains the consistent accumulative total unit of described and described server end.
8. anti-replay-attack method according to claim 1 is characterized in that: described intelligent key apparatus adds up on the accumulative total radix voluntarily according to the described unit that adds up.
9. anti-replay-attack method according to claim 1 is characterized in that: described intelligent key apparatus is adding up on the accumulative total radix under the triggering of described server end according to the described unit that adds up.
10. anti-replay-attack method according to claim 8, it is characterized in that: described totally unit is the clock ticktack value, corresponding accumulative total radix is an initial time, described server end judges that result after current aggregate-value calculated is whether in the scope of setting, be specially judgement after carrying out timing on the basis of described initial time and number of times difference that tick count and ticktock sum dripped calculates, whether the ticktock number of times difference of acquisition is in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus carries out digital signature, obtains from the timer of described intelligent key apparatus.
11. anti-replay-attack method according to claim 9, it is characterized in that: the described unit that adds up is the counting step-length, corresponding described accumulative total radix is the initial value of counter, described server end is judged result after current aggregate-value calculated whether in the scope of setting, and is specially to judge that described intelligent key apparatus carries out currency totally and whether differs one or several step-length with the accumulative total currency of server end under the triggering of server end.
12. an anti-replay-attack system comprises server end, client host and intelligent key apparatus, in described server end and the intelligent key apparatus identical initial time and clock ticktack value is arranged;
Described server end comprises:
Clock module is used to generate initial time;
First communication module is used for the initial time that clock module generates is sent to described client host, receives from cumulative time and Transaction Information that described client host is sent;
Judge module is used for current time of sending according to described intelligent key apparatus, and whether the ticktock number of times difference of judging tick count and the sum that drips is in the time window scope of setting; Described tick count is after the time when receiving first packet by server end deducting initial time and obtaining time difference, to obtain divided by the clock ticktack value with this time difference; Described ticktock sum is when described intelligent key apparatus is signed, and obtains from the timer of described intelligent key apparatus;
Described client host comprises:
Second communication module is used to realize communicate between described server end and the described client host;
Third communication module is used to realize communicate between described client host and the described intelligent key apparatus;
Input module is used for the user and imports authentication information and described Transaction Information;
Described intelligent key apparatus comprises:
Four-way letter module is used for described intelligent key apparatus current time and described Transaction Information are sent to server end by described client host, and receives the initial time of sending from described client host;
Timing module is used for carrying out timing according to initial time and ticktock value;
Described intelligent key apparatus also comprises signature blocks, is used for current time and Transaction Information are signed;
Described server end also comprises authentication module, is used for current time behind the described signature and Transaction Information are verified.
13. anti-replay-attack system according to claim 12 is characterized in that: also comprise authentication module in the described intelligent key apparatus, whether the user identity that is used for the checking client main frame is legal.
14. an anti-replay-attack system comprises server end, client host and intelligent key apparatus, records identical counting initial value and counting step-length in described server end and the intelligent key apparatus;
Described server end comprises:
First counting module is used for counting according to described counting initial value and counting step-length;
First communication module is used for sending the counting triggering signal to described client host, receives count value and the Transaction Information sent from described client host;
Judge module is used to judge whether the difference of the count value of the count value that receives from described intelligent key apparatus and first counting module equals one or several step-length;
Described client host comprises:
Second communication module is used to realize communicate between described server end and the described client host;
Third communication module is used to realize communicate between described client host and the described intelligent key apparatus;
Input module is used for the user and imports authentication information and described Transaction Information;
Described intelligent key apparatus comprises:
Second counting module is used for receiving under the triggering of the counting triggering signal of sending from described server end by described client host and counts;
Four-way letter module is used for the count value of described intelligent key apparatus and the Transaction Information of client host are sent to server end by described client host, and receives the counting triggering signal of sending from described server end by described client host;
Described intelligent key apparatus also comprises signature blocks, is used for the count value and the Transaction Information of second counting module are signed;
Described server end also comprises authentication module, is used for count value behind the described signature and Transaction Information are verified.
15. anti-replay-attack system according to claim 14 is characterized in that: also comprise authentication module in the described intelligent key apparatus, be used to verify whether the user identity of described client host is legal.
CN2008101187077A 2008-08-19 2008-08-19 Replay attack preventing method and system thereof Active CN101340289B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101187077A CN101340289B (en) 2008-08-19 2008-08-19 Replay attack preventing method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101187077A CN101340289B (en) 2008-08-19 2008-08-19 Replay attack preventing method and system thereof

Publications (2)

Publication Number Publication Date
CN101340289A CN101340289A (en) 2009-01-07
CN101340289B true CN101340289B (en) 2011-11-09

Family

ID=40214251

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101187077A Active CN101340289B (en) 2008-08-19 2008-08-19 Replay attack preventing method and system thereof

Country Status (1)

Country Link
CN (1) CN101340289B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102761560B (en) * 2012-08-01 2015-01-14 飞天诚信科技股份有限公司 Method and system for verifying information integrity
CN103701611B (en) * 2013-12-30 2017-01-18 天地融科技股份有限公司 Method for accessing and uploading data in data storage system
CN103763355B (en) * 2014-01-07 2017-02-01 天地融科技股份有限公司 Cloud data uploading and access control method
CN103973455B (en) * 2014-05-28 2018-09-18 天地融科技股份有限公司 A kind of information interacting method
CN105205666B (en) * 2014-06-17 2019-10-25 中国银联股份有限公司 Face-to-face method of payment and system based on bluetooth
US20160098670A1 (en) * 2014-10-01 2016-04-07 Continental Intelligent Transportation Systems, LLC Technological and Financial Partnerships to Enable a Package Exchange Service
CN109120608B (en) * 2018-08-01 2020-11-24 飞天诚信科技股份有限公司 Anti-replay safe communication processing method and device
EP3545665B1 (en) * 2018-12-29 2023-05-03 Advanced New Technologies Co., Ltd. System and method for detecting replay attack
CN111917694B (en) * 2019-05-09 2023-02-28 中兴通讯股份有限公司 TLS encrypted traffic identification method and device
CN114584328B (en) * 2022-05-09 2022-08-02 武汉四通信息服务有限公司 API interface access method, computer device and computer storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588851A (en) * 2004-09-09 2005-03-02 杭州中正生物认证技术有限公司 Biological identifying device and method for proofing replay attach
CN101184107A (en) * 2007-12-17 2008-05-21 北京飞天诚信科技有限公司 Network transaction system and method for executing network transaction using the system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588851A (en) * 2004-09-09 2005-03-02 杭州中正生物认证技术有限公司 Biological identifying device and method for proofing replay attach
CN101184107A (en) * 2007-12-17 2008-05-21 北京飞天诚信科技有限公司 Network transaction system and method for executing network transaction using the system

Also Published As

Publication number Publication date
CN101340289A (en) 2009-01-07

Similar Documents

Publication Publication Date Title
CN101340289B (en) Replay attack preventing method and system thereof
CN111083131B (en) Lightweight identity authentication method for power Internet of things sensing terminal
CN108270571B (en) Internet of Things identity authorization system and its method based on block chain
CN102722931B (en) Voting system and voting method based on intelligent mobile communication devices
CN101340437B (en) Time source regulating method and system
CN100566460C (en) Utilize authentication and cryptographic key negotiation method between the mobile entity that short message realizes
CN101674304B (en) Network identity authentication system and method
CN103428001B (en) A kind of implicit expression strengthens convenient WEB identity authentication method
CN101183932B (en) Security identification system of wireless application service and login and entry method thereof
US20070257813A1 (en) Secure network bootstrap of devices in an automatic meter reading network
CN103532713B (en) Sensor authentication and shared key production method and system and sensor
CN102739687B (en) Based on application service Network Access Method and the system of mark
CN101393628B (en) Novel network safe transaction system and method
CN109787987A (en) Electric power internet-of-things terminal identity identifying method based on block chain
CN106357396A (en) Digital signature method, digital signature system and quantum key card
CN103679436A (en) Electronic contract security system and method based on biological information identification
CN103095696A (en) Identity authentication and key agreement method suitable for electricity consumption information collection system
CN101442407A (en) Method and system for identification authentication using biology characteristics
CN103312691A (en) Method and system for authenticating and accessing cloud platform
CN101300808A (en) Method and arrangement for secure autentication
CN110035071A (en) A kind of long-range double factor mutual authentication method, client and server-side towards industrial control system
CN105656920A (en) Method and system for encryption and decryption of mailing data based on expressage
CN110060403A (en) The more ticket electronic voting methods of a people and system based on block chain
CN110020524A (en) A kind of mutual authentication method based on smart card
CN115065480A (en) Electronic contract system and signing method based on block chain certificate storage

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: FEITIAN TECHNOLOGIES CO., LTD.

Free format text: FORMER NAME: BEIJING FEITIAN CHENGXIN TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 100085 Beijing city Haidian District Xueqing Road No. 9 Ebizal building B block 17 layer

Patentee after: Feitian Technologies Co.,Ltd.

Address before: 100083, Haidian District, Xueyuan Road, Beijing No. 40 research, 7A building, 5 floor

Patentee before: FEITIAN TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 17th floor, building B, Huizhi building, No.9, Xueqing Road, Haidian District, Beijing 100085

Patentee after: Feitian Technologies Co.,Ltd.

Country or region after: China

Address before: 100085 17th floor, block B, Huizhi building, No.9 Xueqing Road, Haidian District, Beijing

Patentee before: Feitian Technologies Co.,Ltd.

Country or region before: China

OL01 Intention to license declared
OL01 Intention to license declared