CN112615820A - Replay attack detection method, device, equipment and storage medium - Google Patents
Replay attack detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN112615820A CN112615820A CN202011404609.7A CN202011404609A CN112615820A CN 112615820 A CN112615820 A CN 112615820A CN 202011404609 A CN202011404609 A CN 202011404609A CN 112615820 A CN112615820 A CN 112615820A
- Authority
- CN
- China
- Prior art keywords
- message
- verification code
- data
- replay attack
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 55
- 238000012795 verification Methods 0.000 claims abstract description 164
- 238000000034 method Methods 0.000 claims abstract description 26
- 238000004364 calculation method Methods 0.000 claims abstract description 20
- 230000005540 biological transmission Effects 0.000 claims description 14
- 238000012545 processing Methods 0.000 claims description 13
- 230000003139 buffering effect Effects 0.000 claims description 2
- 230000006399 behavior Effects 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 44
- 238000010586 diagram Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 3
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000012217 deletion Methods 0.000 description 2
- 230000037430 deletion Effects 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the invention discloses a replay attack detection method, a device, equipment and a storage medium, wherein the method comprises the following steps: receiving message data sent by a data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function; calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body; and if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not. The scheme can quickly and efficiently detect the replay attack and tampering attack behaviors of the network data packet with lower system overhead.
Description
Technical Field
The embodiment of the application relates to the field of computers, in particular to a replay attack detection method, a replay attack detection device, replay attack detection equipment and a storage medium.
Background
Replay attacks are an attack often faced by a communicating entity in a network. In the replay attack, an attacker first performs eavesdropping attack on a target host, captures a network data packet received by the target host, and then sends a received historical data packet to the target host to try to cheat a target host system and destroy the security of the target host. This attack often threatens some security-related protocol data of the target host, such as user login protocol, key exchange protocol, etc.
The existing method for detecting replay attack mainly comprises the steps of system time synchronization, digital signature and internal clock of a block chain.
The first detection method is based on time synchronization of both communication parties, that is, the system time of a sender and the system time of a receiver keep synchronous and consistent, if the difference between the time stamp in a data packet of the sender and the system time of the receiver exceeds a certain threshold, or the time interval between the two data packets received by the receiver in sequence exceeds a certain threshold, the replay attack is determined. The method has the risk that an attacker modifies the timestamp of the data packet and bypasses a replay detection mechanism; in addition, it is difficult to strictly synchronize system time of both communication parties in the network, and the time overhead of network time synchronization is large, which is difficult to realize in reality.
The second detection method is based on digital signature, namely, a sender adds the digital signature to a data packet in the sent data packet, a receiver checks the digital signature of the data packet by using a signature checking key shared by the sender in advance when receiving the data packet, and if the check fails, the receiver considers the data packet to be a replay attack. The method can effectively detect whether the data packet is tampered, but cannot directly detect whether the data packet is replayed, in practice, replay attack is likely not to modify the content of the data packet but to directly and simply retransmit the historical data packet, and the signature of the historical data packet can still be successfully verified.
The third detection method is based on the internal clock of the block chain, on one block chain, according to the internal clock of the block node, whether the candidate transaction timestamp in the latest time period is in the verification range compared with the internal clock, and whether the candidate transaction identifier is in the identifier database of the block chain node synchronization, so as to achieve the goal of detecting the replay transaction. The method is mainly applied to the block chain, depends on a block node internal time and node synchronous identification database of the block chain, and is used in limited and specific scenes.
Disclosure of Invention
The embodiment of the invention provides a replay attack detection method, a replay attack detection device, equipment and a storage medium, which can quickly and efficiently detect replay attacks and tampering attack behaviors of network data packets with lower system overhead.
In a first aspect, an embodiment of the present invention provides a replay attack detection method, where the method includes:
receiving message data sent by a data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function;
calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body;
and if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not.
In a second aspect, an embodiment of the present invention further provides another replay attack detection method, including:
acquiring message data to be sent and a stored shared key;
calculating a hash value of the message data through a one-way hash function, and calculating the shared secret key and the hash value through a secure message verification code function to obtain a message verification code;
and the message data and the message verification code are assembled and then sent to the data receiving end.
In a third aspect, an embodiment of the present invention further provides a replay attack detection apparatus, where the apparatus includes:
the message receiving module is used for receiving message data sent by the data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function;
the verification code calculation module is used for calculating a comparison verification code of the message main body by utilizing a shared key through the safety message verification code function;
and the query determining module is used for querying whether a data record corresponding to the message verification code exists or not if the comparison verification code is consistent with the message verification code so as to determine whether the message data is a replay attack message or not.
In a fourth aspect, an embodiment of the present invention further provides another replay attack detection apparatus, where the apparatus includes:
the message acquisition module is used for acquiring message data to be sent and a stored shared key;
the message processing module is used for calculating a hash value of the message data through a one-way hash function and calculating the shared key and the hash value through a safety message verification code function to obtain a message verification code;
and the message sending module is used for assembling the message data and the message verification code and then sending the assembled message data and the assembled message verification code to the data receiving end.
In a fifth aspect, an embodiment of the present invention further provides a replay attack detection device, where the device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the replay attack detection method according to the embodiment of the present invention.
In a sixth aspect, the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the replay attack detection method according to the present invention.
In the embodiment of the invention, message data sent by a data sending end is received, the message data comprises a message main body and an associated message verification code, the message verification code is obtained by calculation through a safety message verification code function, a comparison verification code of the message main body is obtained by calculation through the safety message verification code function by using a shared key, and if the comparison verification code is consistent with the message verification code, whether a data record corresponding to the message verification code exists is inquired to determine whether the message data is a replay attack message.
Drawings
Fig. 1 is a flowchart of a replay attack detection method according to an embodiment of the present invention;
fig. 2 is a flowchart of another replay attack detection method according to an embodiment of the present invention;
fig. 3 is a flowchart of another replay attack detection method according to an embodiment of the present invention;
fig. 4 is a flowchart of another replay attack detection method according to an embodiment of the present invention;
FIG. 4a is a diagram illustrating deletion of a timeout record in a data queue according to an embodiment of the present invention;
fig. 5 is a flowchart of another replay attack detection method according to an embodiment of the present invention;
fig. 6 is a block diagram of a replay attack detection apparatus according to an embodiment of the present invention;
fig. 7 is a block diagram of another replay attack detection apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
Fig. 1 is a flowchart of a replay attack detection method according to an embodiment of the present invention, where the present embodiment is applicable to detecting a replay attack, and the method may be executed by a data receiving end computing device, and specifically includes the following steps:
step S101, receiving message data sent by a data sending end, wherein the message data comprises a message body and a related message verification code.
When the data sending end sends the message data, the data sending end carries out data processing on the message data to generate a message verification code associated with the message data, and sends the message data and the corresponding message verification code after combining. Illustratively, taking the message body M as an example, the message authentication code tag is calculated as follows:
tag=MAC(KMAC,H(M))
wherein MAC is a function of a security message authentication code, KMACH (M) is a hash value calculated from the message data M by a one-way hash function, which is a shared secret key stored at the data transmitting end. Wherein, the one-way hash function can calculate any length data to generate L byte fixed length abstract information B0B1B2…BL-2BL-1Including MD5 outputting 16B digest, SHA1 outputting 20B digest, SHA256 outputting 32B digest, SHA512 outputting 64B digest, etc. After generating the message verification code tag, the data sending end assembles the tag and the message data M to obtain message data { M, tag } for sending. Accordingly, the data receiving end receives the message data { M, tag }.
And step S102, calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body.
The shared secret key is stored at both the data sending end and the data receiving end.
In one embodiment, the method further comprises the step of performing shared key transmission at the data sending end and the data receiving end. Specifically, a secure network transmission channel is established between a data sending end and a data receiving end, the data sending end sends a shared key, and the data receiving end receives and stores the shared key.
After receiving the message data, calculating a message main body in the message data by using the stored shared secret key through a safety message verification code function to obtain a comparison verification code:
tag′=MAC(KMAC,H(M))
in cryptography, a secure message authentication code (MAC) is an integrity check tool used by both parties of communication and is a fixed length value obtained based on a secret key and a one-way hash function. The message authentication code function is in the form of MAC (K, h (M)), i.e., the input message data M of any length and the key K (the length is usually 128/256/512 bits) can be calculated to generate L-byte fixed-length integrity label B0B1B2…BL-2BL-1Commonly used MAC algorithms include HMAC-MD5 output 16B tags, HMAC-SHA1 output 20B tags, HMAC-SHA256 output 32B tags, HMAC-SHA512 output 64B tags, etc.
Step S103, if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not.
After the comparison verification code tag ' is calculated, whether the tag ' is consistent with the tag is determined, if the tag ' is not consistent with the tag is found through comparison, the message data is discarded, and no processing is performed. If the two are consistent, inquiring whether the record of the message verification code exists in the locally stored data, if so, judging the attack of replay, otherwise, judging the attack of replay as a normal data packet. Correspondingly, after the normal data packet is determined, the message verification code is stored and recorded.
According to the scheme, in the data transmission process, transmitted message data comprise a message main body and a related message verification code, the shared key is used for calculating and comparing the verification code to perform anti-tampering verification on the message data, meanwhile, whether a data record corresponding to the message verification code exists or not is inquired to determine whether the message data are replay attack messages or not, the replay attack detection method does not depend on time synchronization, data are guaranteed to prevent tampering, meanwhile, replay attack can be efficiently determined, the mode is limited to a block chain scene, and the application degree is higher.
Fig. 2 is a flowchart of another replay attack detection method provided in an embodiment of the present invention, in which a timestamp mechanism is incorporated into a replay attack detection process. As shown in fig. 2, the technical solution is as follows:
step S201, receiving message data sent by a data sending end, where the message data includes a message body and an associated message authentication code.
Step S202, determining the timestamp difference of receiving the message data and sending the message data.
In one embodiment, the message body M includes a Data content part and a Data transmission timestamp, i.e., M ═ { Data, stmestamp } when the Data content is transmitted by a corresponding Data transmitter, and when a Data receiver receives the message Data, a corresponding Data reception timestamp rtiestamp is determined, and a difference Δ T between the Data reception timestamp and the Data transmission timestamp ═ rtiestamp-stmestamp | is calculated.
Step S203, determining whether the timestamp difference is smaller than a preset time value, if so, executing step S204, otherwise, executing step S205.
Illustratively, the preset time value is T, if Δ T > T, it is determined that the transmission is timed out, and step S205 is executed to discard the message data. If the timestamp difference is less than the preset time value, step S204 is performed.
And step S204, calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body.
And step S205, discarding the message data.
Step S206, judging whether the message verification code is consistent with the comparison verification code, if so, executing step S207, otherwise, executing step S205.
Step S207, inquiring whether there is a data record corresponding to the message authentication code, if so, executing step S208, otherwise, executing step S205.
And step S208, storing the message verification code.
According to the scheme, the difference value of the timestamps of receiving the message data and sending the message data is determined, whether the difference value of the timestamps is smaller than a preset time value or not is judged, if the difference value of the timestamps is not smaller than the preset time value, the message data is discarded to remove abnormal data packets, and a replay attack detection mechanism is further improved.
Fig. 3 is a flowchart of another replay attack detection method according to an embodiment of the present invention, where a hash table storage structure is introduced. As shown in fig. 3, the technical solution is as follows:
step S301, receiving message data sent by a data sending end, wherein the message data comprises a message body and an associated message verification code.
Step S302, a comparison verification code of the message body is obtained through the safety message verification code function by utilizing a shared key calculation.
Step S303, if the comparison verification code is consistent with the message verification code, searching whether a key value corresponding to the message verification code exists in a stored hash table, and if so, determining that the message is a replay attack message.
The hash table is a data structure for directly accessing a stored data Value (Value) according to a Key Value (Key Value). The method maps the Key Value to a position in a table, and carries out access record on the Value of the stored data Value so as to accelerate the searching speed.
Specifically, when the verification code is compared with the message verification code to be consistent, whether a record of a Key which is tag exists is searched in a HashTable, if the Key record exists in the table, a replay attack is determined, the abnormal data packet is discarded without processing, and if the Key record is not found in the HashTable, a normal data packet is determined.
According to the scheme, the data searching speed is obviously improved and the replay detection mechanism is further optimized by using the hash table data structure.
Fig. 4 is a flowchart of another replay attack detection method according to an embodiment of the present invention, which shows a replay attack detection method for reducing system overhead, where the message authentication code and the data reception timestamp of the message data are stored in the hash table in an associated manner, and at the same time, the message authentication code and the reception timestamp are inserted into a cache queue, and are scanned from a head of the cache queue at preset intervals, and a tuple to be deleted exceeding a preset difference time is taken out, and a data element corresponding to the tuple to be deleted is deleted in the hash table, and the tuple to be deleted is deleted in the cache queue. As shown in fig. 4, the technical solution is as follows:
step S401, receiving message data sent by a data sending end, wherein the message data comprises a message body and an associated message verification code.
Step S402, determining the timestamp difference of the message data receiving and the message data sending.
And S403, judging whether the timestamp difference is smaller than a preset time value, if so, executing S404, otherwise, executing S405.
Step S404, calculating a comparison verification code of the message body by using a shared key through the safety message verification code function.
And step S405, discarding the message data.
Step S406, judging whether the message verification code is consistent with the comparison verification code, if so, executing step S407, otherwise, executing step S405.
Step S407, inquiring whether there is a data record corresponding to the message authentication code, if so, executing step S408, otherwise, executing step S405.
Step S408, storing the message verification code and the data receiving timestamp of the message data in the hash table in an associated manner.
Specifically, { tag, rtimesamp } is inserted into the hash table HashTable.
Step S409, inserting the message verification code and the reception timestamp into a cache queue, scanning from the head of the cache queue at preset intervals, taking out tuples to be deleted exceeding preset difference time, deleting data elements corresponding to the tuples to be deleted in the hash table, and deleting the tuples to be deleted in the cache queue.
Fig. 4a is a schematic diagram of deleting a timeout record in a data queue according to an embodiment of the present invention. In one embodiment, the data receiving end sets a buffer time window w and a deletion operation time interval NAs the preset time, as shown in fig. 4a, the processing operation of data cleaning is performed every N minutes. Specifically, scanning is performed from the head of the buffer queue, and the tuple e to be deleted exceeding the preset difference time T is taken out1,e2,., the relationship between the preset difference time T and the buffer window w may be: w is 2T. According to e1.tag,e2Tag, the elements of the corresponding key are deleted from the hash table HashTable, while these tuples are deleted from the cache Queue.
According to the scheme, the message verification code and the receiving timestamp are inserted into the cache queue, scanning is carried out from the head of the cache queue at intervals of preset time, tuples to be deleted exceeding preset difference time are taken out, data elements corresponding to the tuples to be deleted are deleted in the hash table, and the tuples to be deleted are deleted in the cache queue, so that the data of the hash table are deleted actively, and the system memory overhead of a data receiving end is reduced remarkably.
On the basis of the technical scheme, the cache time window is determined according to the maximum time difference value set by the system, and the preset time is set according to the maximum tolerance system overhead.
Fig. 5 is a flowchart of another replay attack detection method provided in an embodiment of the present invention, where the embodiment is applicable to detecting a replay attack, and the method may be executed by a data sending end computing device, and specifically includes the following steps:
step S501, obtaining message data to be sent and a stored shared key.
Wherein, the shared secret key is also stored correspondingly at the data receiving end.
Step S502, calculating the hash value of the message data through a one-way hash function, and calculating the shared secret key and the hash value through a safety message verification code function to obtain a message verification code.
Wherein, the standard secure one-way hash function can calculate any length data to generate L byte fixed length abstract information B0B1B2…BL-2BL-1Including MD5 outputting 16B digest, SHA1 outputting 20B digest, SHA256 outputting 32B digest, SHA512 outputting 64B digest, etc. In the scheme, when a data sending end sends message data, the data sending end performs data processing on the message data to generate a message verification code associated with the message data, and sends the message data and the corresponding message verification code after combining. Illustratively, taking the message body M as an example, the message authentication code tag is calculated as follows:
tag=MAC(KMAC,H(M))
step S503, the message data and the message verification code are assembled and then sent to the data receiving end.
Illustratively, after generating the message authentication code tag, the tag is assembled with the message data M to obtain message data { M, tag } for transmission.
After a data receiving end receives message data { M, tag }, calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body; and if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not.
According to the method, the message data to be sent and the stored shared key are obtained, the hash value of the message data is calculated through the one-way hash function, the shared key and the hash value are calculated through the safety message verification code function to obtain the message verification code, the message data and the message verification code are assembled and then sent to the data receiving end, the retransmission detection mechanism is constructed through the calculation irreversibility of the one-way hash function, and the safe and replay attack prevention transmission of the data is achieved.
Fig. 6 is a block diagram of a replay attack detection apparatus according to an embodiment of the present invention, where the apparatus is configured to execute the replay attack detection method according to the foregoing data receiving end embodiment, and has functional modules and beneficial effects corresponding to the execution method. As shown in fig. 6, the apparatus specifically includes: a message receiving module 101, an authentication code calculation module 102, and a query determination module 103, wherein,
the message receiving module 101 is configured to receive message data sent by a data sending end, where the message data includes a message body and an associated message authentication code, and the message authentication code is obtained through secure message authentication code function calculation;
the verification code calculation module 102 is configured to calculate, by using a shared key through the secure message verification code function, a comparison verification code of the message body;
a query determining module 103, configured to query whether a data record corresponding to the message authentication code exists if the comparison authentication code is consistent with the message authentication code, so as to determine whether the message data is a replay attack message.
According to the scheme, message data sent by a data sending end is received, the message data comprises a message main body and an associated message verification code, the message verification code is obtained through calculation of a safety message verification code function, a comparison verification code of the message main body is obtained through calculation of a shared key through the safety message verification code function, and if the comparison verification code is consistent with the message verification code, whether a data record corresponding to the message verification code exists is inquired, so that whether the message data is a replay attack message is determined.
In a possible embodiment, the system further includes a timestamp processing module 104, configured to, before the comparison verification code of the message body is calculated by the secure message verification code function using the shared key:
determining a timestamp difference for receiving the message data and sending the message data;
determining whether the timestamp difference value is smaller than a preset time value;
the verification code calculation module 102 is specifically configured to:
and if the timestamp difference is smaller than the preset time value, calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body.
In one possible embodiment, the timestamp processing module 104 is further configured to:
and if the timestamp difference is greater than or equal to the preset time value, discarding the message data.
In one possible embodiment, the verification code calculation module 102 is further configured to:
and if the comparison verification code is not consistent with the message verification code, discarding the message data.
In a possible embodiment, the query determining module 103 is specifically configured to:
and searching whether a key value corresponding to the message verification code exists in a stored hash table, and if so, determining that the message is a replay attack message.
In a possible embodiment, the data storage module 105 is further configured to:
and if the key value corresponding to the message verification code does not exist in the stored hash table, determining that the message data is a normal data packet, and storing the message verification code and the data receiving time stamp of the message data into the hash table in an associated manner.
In one possible embodiment, the method further includes, after storing the message authentication code and the data reception timestamp association of the message data in the hash table, a queue processing module 106:
inserting the message authentication code and the receiving timestamp into a buffer queue;
scanning from the head of the cache queue at preset time intervals, taking out tuples to be deleted exceeding preset difference time, deleting data elements corresponding to the tuples to be deleted in the hash table, and deleting the tuples to be deleted in the cache queue.
In a possible embodiment, the buffering time window is determined according to a maximum time difference value set by a system, and the preset time is set according to a maximum tolerance system overhead.
In a possible embodiment, the device further includes a key transmission module 107, configured to establish a secure network transmission channel with the data end before receiving message data sent by the data sending end, and send the shared key to the data sending end through the secure network transmission.
Fig. 7 is a block diagram of another replay attack detection apparatus according to an embodiment of the present invention, where the apparatus is configured to execute the replay attack detection method according to the foregoing data sending end embodiment, and has functional modules and beneficial effects corresponding to the execution method. As shown in fig. 7, the apparatus specifically includes: a message acquisition module 301, a message processing module 302, and a message sending module 303, wherein,
a message obtaining module 301, configured to obtain message data to be sent and a stored shared key;
a message processing module 302, configured to calculate a hash value of the message data through a one-way hash function, and calculate the shared key and the hash value through a secure message authentication code function to obtain a message authentication code;
a message sending module 303, configured to assemble the message data and the message verification code and send the assembled message data and message verification code to the data receiving end.
According to the scheme, the message data to be sent and the stored shared key are obtained, the hash value of the message data is calculated through the one-way hash function, the shared key and the hash value are calculated through the safety message verification code function to obtain the message verification code, the message data and the message verification code are assembled and then sent to the data receiving end, the retransmission detection mechanism is constructed through the calculation irreversibility of the one-way hash function, and the safe and replay attack prevention transmission of the data is achieved.
Fig. 8 is a schematic structural diagram of a replay attack detection apparatus according to an embodiment of the present invention, as shown in fig. 8, the apparatus includes a processor 201, a memory 202, an input device 203, and an output device 204; the number of the processors 201 in the device may be one or more, and one processor 201 is taken as an example in fig. 8; the processor 201, the memory 202, the input device 203 and the output device 204 in the apparatus may be connected by a bus or other means, and fig. 8 illustrates the connection by a bus as an example. The memory 202, which is a computer-readable storage medium, may be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the replay attack detection method in the embodiment of the present invention. The processor 201 executes various functional applications of the device and data processing by executing software programs, instructions, and modules stored in the memory 202, that is, implements the replay attack detection method described above. The input device 203 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the apparatus. The output device 204 may include a display device such as a display screen.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, perform a replay attack detection method, the method comprising:
receiving message data sent by a data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function;
calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body;
and if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not.
Embodiments of the present invention also provide another storage medium containing computer-executable instructions, which when executed by a computer processor, perform a replay attack detection method, the method comprising:
acquiring message data to be sent and a stored shared key;
calculating a hash value of the message data through a one-way hash function, and calculating the shared secret key and the hash value through a secure message verification code function to obtain a message verification code;
and the message data and the message verification code are assembled and then sent to the data receiving end.
From the above description of the embodiments, it is obvious for those skilled in the art that the embodiments of the present invention can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better implementation in many cases. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions to make a computer device (which may be a personal computer, a service, or a network device) perform the methods described in the embodiments of the present invention.
It should be noted that, in the embodiment of the replay attack detection apparatus, the included units and modules are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the embodiment of the invention.
It should be noted that the foregoing is only a preferred embodiment of the present invention and the technical principles applied. Those skilled in the art will appreciate that the embodiments of the present invention are not limited to the specific embodiments described herein, and that various obvious changes, adaptations, and substitutions are possible, without departing from the scope of the embodiments of the present invention. Therefore, although the embodiments of the present invention have been described in more detail through the above embodiments, the embodiments of the present invention are not limited to the above embodiments, and many other equivalent embodiments may be included without departing from the concept of the embodiments of the present invention, and the scope of the embodiments of the present invention is determined by the scope of the appended claims.
Claims (14)
1. A replay attack detection method, comprising:
receiving message data sent by a data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function;
calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body;
and if the comparison verification code is consistent with the message verification code, inquiring whether a data record corresponding to the message verification code exists or not so as to determine whether the message data is a replay attack message or not.
2. The method of claim 1, further comprising, before calculating the comparison verification code of the message body by the secure message verification code function using the shared key, the steps of:
determining a timestamp difference for receiving the message data and sending the message data;
determining whether the timestamp difference value is smaller than a preset time value;
correspondingly, the obtaining of the comparison verification code of the message body by using the shared key through the secure message verification code function includes:
and if the timestamp difference is smaller than the preset time value, calculating by using a shared key through the safety message verification code function to obtain a comparison verification code of the message main body.
3. The method of claim 2, wherein the message data is discarded if the timestamp difference is greater than or equal to the preset time value.
4. The method of claim 1, wherein the message data is discarded if the comparison verification code and the message verification code are not identical.
5. The method of any of claims 1-4, wherein querying whether a data record corresponding to the message authentication code exists to determine whether the message data is a replay attack message comprises:
and searching whether a key value corresponding to the message verification code exists in a stored hash table, and if so, determining that the message is a replay attack message.
6. The method as claimed in claim 5, wherein if there is no key value corresponding to the message authentication code in the stored hash table, determining that the message data is a normal data packet, and storing the message authentication code and the data reception timestamp of the message data in association with each other in the hash table.
7. The method of claim 6, further comprising, after storing the message authentication code and the data reception timestamp association of the message data in the hash table:
inserting the message authentication code and the receiving timestamp into a buffer queue;
scanning from the head of the cache queue at preset time intervals, taking out tuples to be deleted exceeding preset difference time, deleting data elements corresponding to the tuples to be deleted in the hash table, and deleting the tuples to be deleted in the cache queue.
8. The method of claim 7, wherein the buffering time window is determined according to a maximum time difference value set by a system, and the preset time is set according to a maximum tolerable system overhead.
9. The method of claim 1, further comprising, before receiving the message data sent by the data sender:
and establishing a secure network transmission channel with the data end, and transmitting the shared key to the data transmitting end through the secure network transmission.
10. A replay attack detection method, comprising:
acquiring message data to be sent and a stored shared key;
calculating a hash value of the message data through a one-way hash function, and calculating the shared secret key and the hash value through a secure message verification code function to obtain a message verification code;
and the message data and the message verification code are assembled and then sent to the data receiving end.
11. A replay attack detection apparatus, comprising:
the message receiving module is used for receiving message data sent by the data sending end, wherein the message data comprises a message main body and an associated message verification code, and the message verification code is obtained through calculation of a safety message verification code function;
the verification code calculation module is used for calculating a comparison verification code of the message main body by utilizing a shared key through the safety message verification code function;
and the query determining module is used for querying whether a data record corresponding to the message verification code exists or not if the comparison verification code is consistent with the message verification code so as to determine whether the message data is a replay attack message or not.
12. A replay attack detection apparatus, comprising:
the message acquisition module is used for acquiring message data to be sent and a stored shared key;
the message processing module is used for calculating a hash value of the message data through a one-way hash function and calculating the shared key and the hash value through a safety message verification code function to obtain a message verification code;
and the message sending module is used for assembling the message data and the message verification code and then sending the assembled message data and the assembled message verification code to the data receiving end.
13. A replay attack detection device, the device comprising: one or more processors; storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the replay attack detection method of any one of claims 1 to 10 or claim 11.
14. A storage medium containing computer-executable instructions for performing the replay attack detection method of any one of claims 1-10 or claim 11 when executed by a computer processor.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011404609.7A CN112615820A (en) | 2020-12-05 | 2020-12-05 | Replay attack detection method, device, equipment and storage medium |
| PCT/CN2021/132904 WO2022116883A1 (en) | 2020-12-05 | 2021-11-24 | Replay attack detection method, apparatus, and device, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011404609.7A CN112615820A (en) | 2020-12-05 | 2020-12-05 | Replay attack detection method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112615820A true CN112615820A (en) | 2021-04-06 |
Family
ID=75229039
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011404609.7A Pending CN112615820A (en) | 2020-12-05 | 2020-12-05 | Replay attack detection method, device, equipment and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112615820A (en) |
| WO (1) | WO2022116883A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114500328A (en) * | 2022-01-20 | 2022-05-13 | 深圳市迈睿迈特环境科技有限公司 | Data communication method, device and computer readable storage medium |
| CN114491668A (en) * | 2022-01-24 | 2022-05-13 | 杭州数钮科技有限公司 | Data tampering detection method, system, device and storage medium |
| WO2022116883A1 (en) * | 2020-12-05 | 2022-06-09 | 百果园技术(新加坡)有限公司 | Replay attack detection method, apparatus, and device, and storage medium |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115296791B (en) * | 2022-06-20 | 2024-07-09 | 河海大学 | Replay attack preventing device and method for field bus |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB0324356D0 (en) * | 2003-10-17 | 2003-11-19 | Toshiba Res Europ Ltd | Methods and apparatus for secure data communication links |
| CN1980124A (en) * | 2005-12-05 | 2007-06-13 | 刘任 | Key digital identification method using once variable quantity |
| CN101800989A (en) * | 2010-01-19 | 2010-08-11 | 重庆邮电大学 | Anti-replay-attack system for industrial wireless network |
| US20110066856A1 (en) * | 2009-09-17 | 2011-03-17 | Oki Electric Industry Co., Ltd. | Communication data freshness confirmation system |
| CN107979466A (en) * | 2016-07-27 | 2018-05-01 | 北京计算机技术及应用研究所 | The safe Enhancement Method of iSCSI protocol based on Diffie-Hellman agreements |
| CN108833346A (en) * | 2018-05-04 | 2018-11-16 | 北京天元创新科技有限公司 | A kind of industrial control system safety communicating method and device |
| CN109145593A (en) * | 2018-07-04 | 2019-01-04 | 杭州涂鸦信息技术有限公司 | A kind of method, apparatus and computer equipment of Internet of Things net filtration invalid data |
| WO2020052335A1 (en) * | 2018-09-12 | 2020-03-19 | 华为技术有限公司 | Method for sending message, method for verifying message, device, and communication system |
| CN111385258A (en) * | 2018-12-28 | 2020-07-07 | 广州市百果园信息技术有限公司 | Data communication method, device, client, server and storage medium |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112615820A (en) * | 2020-12-05 | 2021-04-06 | 百果园技术(新加坡)有限公司 | Replay attack detection method, device, equipment and storage medium |
-
2020
- 2020-12-05 CN CN202011404609.7A patent/CN112615820A/en active Pending
-
2021
- 2021-11-24 WO PCT/CN2021/132904 patent/WO2022116883A1/en active Application Filing
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB0324356D0 (en) * | 2003-10-17 | 2003-11-19 | Toshiba Res Europ Ltd | Methods and apparatus for secure data communication links |
| CN1980124A (en) * | 2005-12-05 | 2007-06-13 | 刘任 | Key digital identification method using once variable quantity |
| US20110066856A1 (en) * | 2009-09-17 | 2011-03-17 | Oki Electric Industry Co., Ltd. | Communication data freshness confirmation system |
| CN101800989A (en) * | 2010-01-19 | 2010-08-11 | 重庆邮电大学 | Anti-replay-attack system for industrial wireless network |
| CN107979466A (en) * | 2016-07-27 | 2018-05-01 | 北京计算机技术及应用研究所 | The safe Enhancement Method of iSCSI protocol based on Diffie-Hellman agreements |
| CN108833346A (en) * | 2018-05-04 | 2018-11-16 | 北京天元创新科技有限公司 | A kind of industrial control system safety communicating method and device |
| CN109145593A (en) * | 2018-07-04 | 2019-01-04 | 杭州涂鸦信息技术有限公司 | A kind of method, apparatus and computer equipment of Internet of Things net filtration invalid data |
| WO2020052335A1 (en) * | 2018-09-12 | 2020-03-19 | 华为技术有限公司 | Method for sending message, method for verifying message, device, and communication system |
| CN110896390A (en) * | 2018-09-12 | 2020-03-20 | 华为技术有限公司 | Message sending method, message verification method, device and communication system |
| CN111385258A (en) * | 2018-12-28 | 2020-07-07 | 广州市百果园信息技术有限公司 | Data communication method, device, client, server and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 刘瑞挺: "全国计算机等级考试三级教程 网络技术", 南开大学出版社 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022116883A1 (en) * | 2020-12-05 | 2022-06-09 | 百果园技术(新加坡)有限公司 | Replay attack detection method, apparatus, and device, and storage medium |
| CN114500328A (en) * | 2022-01-20 | 2022-05-13 | 深圳市迈睿迈特环境科技有限公司 | Data communication method, device and computer readable storage medium |
| CN114491668A (en) * | 2022-01-24 | 2022-05-13 | 杭州数钮科技有限公司 | Data tampering detection method, system, device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2022116883A1 (en) | 2022-06-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2022116883A1 (en) | Replay attack detection method, apparatus, and device, and storage medium | |
| CN106357690B (en) | data transmission method, data sending device and data receiving device | |
| JP4608000B2 (en) | Secure and bandwidth efficient encryption synchronization method | |
| CN111914291A (en) | Message processing method, device, equipment and storage medium | |
| CN113507483B (en) | Instant messaging method, device, server and storage medium | |
| US10122755B2 (en) | Method and apparatus for detecting that an attacker has sent one or more messages to a receiver node | |
| CN111901116B (en) | Identity authentication method and system based on EAP-MD5 improved protocol | |
| CN111988289A (en) | EPA industrial control network security test system and method | |
| US20090113065A1 (en) | Integrity mechanism for file transfer in communications networks | |
| JP2001223735A (en) | Data communication device and recording medium | |
| US9241048B2 (en) | Mechanism for processing network event protocol messages | |
| CN113905012A (en) | Communication method, device, equipment and medium | |
| CN111756698B (en) | Message transmission method, device, equipment and computer readable storage medium | |
| CN113162885B (en) | Safety protection method and device for industrial control system | |
| US20100070770A1 (en) | Systems and methods, apparatus, and computer readable media for intercepting and modifying hmac signed messages | |
| CN112055008A (en) | Identity authentication method and device, computer equipment and storage medium | |
| CN117639997A (en) | Network security time synchronization method and device | |
| CN117061212A (en) | Method, system, equipment and medium for isolating internal and external networks supporting block chain protocol | |
| CN109120608B (en) | Anti-replay safe communication processing method and device | |
| CN112350920A (en) | Instant communication system based on block chain | |
| CN114553412B (en) | Data transmission method, device, equipment and storage medium | |
| CN114884736B (en) | Safety protection method and device for explosion attack prevention | |
| EP3087714B1 (en) | A method and apparatus for detecting that an attacker has sent one or more messages to a receiver node | |
| CN116094755A (en) | Bidirectional identity authentication method, first electronic device and second electronic device | |
| CN117914731A (en) | Network serial number prediction method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210406 |
|
| RJ01 | Rejection of invention patent application after publication |