CN115459930A - API interface security verification processing method and device - Google Patents


Info

Publication number
CN115459930A
Authority
CN
China
Prior art keywords
puzzle
service
verification
result
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211113568.5A
Other languages
Chinese (zh)
Inventor
孙政骁
周骁
孙浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202211113568.5A priority Critical patent/CN115459930A/en
Publication of CN115459930A publication Critical patent/CN115459930A/en
Pending legal-status Critical Current

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and a device for security verification processing of an API (application program interface), relates to the technical field of information security, and can be used in the financial field or other technical fields. The method comprises the following steps: receiving a service invocation request sent by a service consumer, the service invocation request carrying service parameters, puzzle elements and puzzle certificates; verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result; and if both the first verification result and the second verification result are determined to have passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer. The device performs the above method. The API interface security verification processing method and device provided by the embodiment of the invention can protect the API interface against attacks such as replay attacks and DDoS attacks.

Description

API interface security verification processing method and device
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for verifying and processing the security of an API (application program interface).
Background
An API is a predefined function intended to give other applications access to relevant services without the need to access source code or know the internal working mechanisms. With the development of cloud computing, mobile internet and the internet of things, more and more applications depend heavily on services provided by APIs. Essentially, APIs expose application logic and sensitive information, so API security becomes important, and a lack of security mechanisms will cause the entire project to face security issues relating to confidentiality, integrity, availability, and accountability.
With the continuous expansion of API technology and its range of application, the attack surface offered to malicious attackers grows larger and larger, and challenges arise from multiple directions. Meanwhile, even if mechanisms such as authorization, authentication and data protection are established, an attacker still cannot be prevented from simulating normal user behaviour at the application layer and using a large number of real IP addresses to launch large-scale attacks. Therefore, additional security measures are necessary for such security risks.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for API interface security verification processing, which can at least partially solve the problems in the prior art.
In one aspect, the present invention provides a processing method for API interface security verification, including:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
Wherein the puzzle elements comprise a puzzle generation timestamp and a difficulty coefficient; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
comparing the puzzle generation timestamp with a current time;
and determining the first verification result according to the result of comparing the resulting time difference with the expected challenge time corresponding to the difficulty coefficient.
Wherein the puzzle element further comprises a signature element; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
checking the signature of the signature element, and determining the first verification result according to the result of checking the signature; the signature element is obtained in advance by encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp.
The processing method for the API interface security verification further comprises the following steps:
if the signature verification result is confirmed to be passed, searching the signature passing the signature verification in the signature cache;
and if the signature is not found, the puzzle certificate is verified to obtain a second verification result.
Wherein the puzzle proof comprises a first random number and a second random number previously obtained by the service consumer;
wherein the first random number and the second random number are not equal, and a first hash calculation result between the puzzle seed and the first random number is equal to a second hash calculation result between the puzzle seed and the second random number;
correspondingly, the verifying the puzzle certificate to obtain a second verification result includes:
and determining the second verification result according to the numerical comparison result of the first random number and the second random number and the calculation comparison result of the first hash calculation result and the second hash calculation result.
The API interface security verification processing method further comprises the following steps:
if the second verification result is confirmed to be verification passing, storing the signature into the signature cache, and starting timing;
and if the timing duration is determined to reach the expected challenge time, deleting the signature from the signature cache.
Wherein, before the step of receiving a service call request sent by a service consumer, the API interface security verification processing method further comprises:
receiving a puzzle challenge request sent by the service consumer, generating a puzzle seed, and acquiring a standard hash function;
determining a difficulty coefficient according to the load condition information of the service provider and the standard hash function;
encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp to obtain a signature element;
sending a puzzle challenge response result to the service consumer for the puzzle challenge request; the puzzle challenge response result carries the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element.
In one aspect, the present invention provides an API interface security verification processing apparatus, including:
a receiving unit for receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
the verification unit is used for verifying the puzzle element to obtain a first verification result and verifying the puzzle certificate to obtain a second verification result;
and the forwarding unit is used for forwarding the service parameters to a service provider if the first verification result and the second verification result are determined to be passed through verification, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
In another aspect, an embodiment of the present invention provides an electronic device, including: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform a method comprising:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed through verification, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
An embodiment of the present invention provides a non-transitory computer-readable storage medium, including:
the non-transitory computer readable storage medium stores computer instructions that cause the computer to perform a method comprising:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle proof to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
The API interface security verification processing method and device provided by the embodiment of the invention receive a service invocation request sent by a service consumer, the service invocation request carrying service parameters, puzzle elements and puzzle certificates; verify the puzzle element to obtain a first verification result, and verify the puzzle proof to obtain a second verification result; and, if both the first verification result and the second verification result are determined to have passed, forward the service parameters to a service provider and forward a service processing result returned by the service provider according to the service parameters to the service consumer, so that attacks on the API interface, such as replay attacks and DDoS attacks, can be prevented.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
Fig. 1 is a flowchart illustrating a processing method for API interface security verification according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a processing method for API interface security verification according to another embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an API interface security verification processing apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
Fig. 1 is a schematic flowchart of a processing method for API interface security verification according to an embodiment of the present invention, and as shown in fig. 1, the processing method for API interface security verification according to an embodiment of the present invention includes:
Step S1: receiving a service invocation request sent by a service consumer; the service invocation request carries service parameters, puzzle elements and puzzle certificates.
Step S2: verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result.
Step S3: if both the first verification result and the second verification result are determined to have passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
In the above step S1, the device receives a service invocation request sent by a service consumer; the service invocation request carries service parameters, puzzle elements and puzzle certificates. The apparatus may be a computer device for executing the method, and may be, for example, a server, and may specifically be an API gateway. It should be noted that embodiments of the present invention relate to the acquisition and analysis of data that is authorized by the user.
As shown in fig. 2, the environment to which the embodiments of the present invention pertain includes a service consumer, a service provider, and an API gateway.
The service consumer is responsible for initiating a service calling request to the API gateway and generating a puzzle certificate to obtain related services; the API gateway is arranged between a service consumer and a service provider, and in the embodiment of the invention, the API gateway is responsible for generating and verifying the validity of the puzzle besides the traditional gateway functions of authority management, transmission protocol conversion, load balancing, flow monitoring and the like; and the service provider is responsible for receiving the service call request forwarded by the API gateway, processing the specific service and returning a processing result.
This step corresponds to step 3 in fig. 2, and the service parameters may be determined according to the specific service type. The puzzle elements include a puzzle seed, a puzzle generation timestamp, a difficulty coefficient, and a signature element, and the puzzle proof includes a first random number and a second random number previously obtained by the service consumer.
Before the step of receiving a service call request sent by a service consumer, the API interface security verification processing method further includes:
receiving a puzzle challenge request sent by the service consumer, generating a puzzle seed, and acquiring a standard hash function; this step corresponds to step 1 in fig. 2, and a standard hash function can be understood as a conventionally used hash function, such as SHA1.
The standard hash function is denoted as $H: \{0,1\}^* \to \{0,1\}^l$, where $*$ denotes a wildcard, i.e. a message of arbitrary length generates a message digest of fixed length through the hash calculation, and 0 and 1 represent binary values. The interval from which $l$ can be chosen is determined by the selected hash function (if SHA1 is selected, the value interval is (1, 160)), and $l$ is used as the difficulty coefficient, that is, the first $l$ bits of the message digest are taken as the valid bits, which determines the difficulty of subsequently generating a valid proof. The value of the difficulty coefficient can be determined according to the load condition information of the service provider, specifically as follows:
the larger the load is, the larger the difficulty coefficient is, and the larger the calculation cost for generating a valid proof is; the smaller the load, the smaller the difficulty factor, and the less the computational cost to generate a valid proof.
Determining a difficulty coefficient according to the load condition information of the service provider and a standard hash function; specifically, the range of the value interval where l is located may be determined according to the type of the standard hash function, that is, SHA1 or SHA256, for example, SHA256 may have a value with a larger range than SHA1, that is, the upper limit of the SHA256 is no longer 160, and may be 256.
The value of $l$ within that interval is determined according to the load condition information. Taking SHA1 as an example, if the load is smaller, the value of $l$ can be closer to the endpoint value 1, and the difficulty coefficient is smaller; if the load is greater, the value of $l$ can be closer to the endpoint value 160, and the difficulty coefficient is greater.
Encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp to obtain a signature element; the encryption algorithm may be selected from MD5 or SHA1 algorithm, etc., and is not particularly limited.
Sending a puzzle challenge response result to the service consumer for the puzzle challenge request; the puzzle challenge response result carries the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element. The puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element are puzzle elements. This step corresponds to step 1.1 in fig. 2.
As in step 2 in fig. 2, the service consumer receives the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element, and finds a puzzle certificate satisfying $H(\mathrm{seed}_r, m_1) = H(\mathrm{seed}_r, m_2)$ and $m_1 \neq m_2$, where $m_1$ and $m_2$ correspond to the first random number and the second random number, respectively. The description is as follows:
Generate $m_1$ and calculate its hash value together with the puzzle seed $\mathrm{seed}_r$ to obtain the first hash calculation result $H(\mathrm{seed}_r, m_1)$. Next, start searching for a random number that satisfies $H(\mathrm{seed}_r, m_1) = H(\mathrm{seed}_r, m_2)$ and $m_1 \neq m_2$. If a second random number $m_2$ satisfying the above two conditions can be found within a desired time, the challenge is considered successful; otherwise the challenge is considered failed.
It should be noted that the computational and time cost of finding a valid puzzle proof is mainly affected by the above difficulty factors.
The service consumer adds the puzzle certificate and the puzzle element to the request header as authentication elements, combines them with the service parameters into a service invocation request, and sends the service invocation request to the API gateway, that is, initiates the service invocation request.
In the step S2, the device verifies the puzzle element to obtain a first verification result, and verifies the puzzle proof to obtain a second verification result. The puzzle elements comprise a puzzle generation timestamp and a difficulty coefficient; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
comparing the puzzle generation timestamp with a current time; the puzzle generation timestamp is the point in time at which the puzzle seed was generated.
The first verification result is then determined according to the result of comparing the resulting time difference with the expected challenge time corresponding to the difficulty coefficient. It should be noted that the expected challenge time corresponding to the difficulty coefficient may be set autonomously according to the actual situation. If the time difference is less than or equal to the expected challenge time, the time point at which the puzzle seed was generated is close to the current time, and the service invocation request is determined to be valid, that is, the first verification result is a pass.
If the time difference is greater than the expected challenge time, the time point at which the puzzle seed was generated is far from the current time, and the service invocation request is determined to be invalid, that is, the first verification result is a failure. This step corresponds to step 3.1 in fig. 2.
It should be noted that the first verification result may include the verification result of the verification challenge time of step 3.1 in fig. 2, and the verification result may be directly used as the first verification result.
The first verification result may also comprise a combined verification result of steps subsequent to step 3.1 in fig. 2.
The puzzle element further comprises a signature element; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
checking the signature of the signature element, and determining the first verification result according to the result of checking the signature; and the signature element is obtained by encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp in advance. After verification through the timeout mechanism, as shown in step 3.2 in fig. 2, the signature element is checked, and if the result of the check is failure, it is determined that the service invocation request is invalid.
And if the signature verification result is successful, determining that the first verification result is passed.
The API interface security verification processing method further comprises the following steps:
if the signature verification result is confirmed to be passed, namely success is achieved, the signature passing the signature verification is searched in the signature cache;
and if the signature is not found, the puzzle certificate is verified to obtain a second verification result. If the signature is not found, the service invocation request has not been sent repeatedly within a short time, and the service invocation request is determined to be valid. If the signature is found, the service invocation request has been sent repeatedly within a short time, and the service invocation request is determined to be invalid.
The puzzle proof comprises a first random number and a second random number previously obtained by the service consumer;
wherein the first random number and the second random number are not equal, and a first hash computation result between the puzzle seed and the first random number is equal to a second hash computation result between the puzzle seed and the second random number;
correspondingly, the verifying the puzzle certificate to obtain a second verification result includes:
and determining the second verification result according to the numerical comparison result of the first random number and the second random number and the calculation comparison result of the first hash calculation result and the second hash calculation result. That is, the second verification result is determined to be passed according to the following expression:
$H(\mathrm{seed}_r, m_1) = H(\mathrm{seed}_r, m_2)$ and $m_1 \neq m_2$
And if at least one condition in the expression is not satisfied, determining that the second verification result is not passed. This step corresponds to step 3.3 in fig. 2.
The API interface security verification processing method further comprises the following steps:
if the second verification result is confirmed to be that the verification is passed, storing the signature into the signature cache, and starting timing;
and if the timing duration is determined to reach the expected challenge time, deleting the signature from the signature cache. This step corresponds to step 3.4 in fig. 2.
In the step S3, if the device determines that the first verification result and the second verification result are both verified, the device forwards the service parameter to the service provider, and forwards a service processing result returned by the service provider according to the service parameter to the service consumer. If at least one of the first verification result and the second verification result is not passed, the service parameter is not forwarded to the service provider. This step corresponds to step 3.5, step 3.5.1 and step 3.6 in fig. 2.
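The flow described above (challenge issue in steps 1 and 1.1, proof search in step 2, gateway checks in steps 3.1 to 3.4), as an added example that is not part of the patent text. It assumes SHA-256 as the standard hash function, an HMAC under a gateway-held key as the signature element (a digest without a key could be recomputed by any caller), one fixed expected challenge time, and hypothetical names (`issue_challenge`, `solve`, `verify`, `difficulty_for_load`, `SIGNATURE_CACHE`).

```python
import hashlib
import hmac
import os
import struct
import time

GATEWAY_KEY = os.urandom(32)    # assumption: secret known only to the gateway
EXPECTED_CHALLENGE_TIME = 30    # assumption: seconds, same for every difficulty
SIGNATURE_CACHE = {}            # signature -> time at which it is deleted


def difficulty_for_load(load, lowest=8, highest=20):
    """Map provider load in [0, 1] to the difficulty coefficient l (bits)."""
    load = min(max(load, 0.0), 1.0)
    return lowest + round(load * (highest - lowest))


def H(seed, m, l):
    """First l bits of SHA-256(seed || m), returned as an integer."""
    digest = hashlib.sha256(seed + m).digest()
    return int.from_bytes(digest, "big") >> (256 - l)


def sign(seed, l, ts):
    """Signature element over (seed, l, ts); HMAC is this example's choice."""
    message = seed + struct.pack(">IQ", l, ts)
    return hmac.new(GATEWAY_KEY, message, hashlib.sha256).digest()


def issue_challenge(load, now=None):
    """Steps 1 and 1.1: the gateway answers a puzzle challenge request."""
    now = int(time.time()) if now is None else now
    seed, l = os.urandom(16), difficulty_for_load(load)
    return {"seed": seed, "ts": now, "l": l, "sig": sign(seed, l, now)}


def solve(challenge):
    """Step 2: the consumer finds m1 != m2 whose truncated hashes are equal.

    The gateway cannot tell how the pair was found, so a solver may use a
    birthday search: about 2**(l/2) hashes rather than 2**l.
    """
    seen = {}
    counter = 0
    while True:
        m = counter.to_bytes(8, "big")
        h = H(challenge["seed"], m, challenge["l"])
        if h in seen:
            return seen[h], m
        seen[h] = m
        counter += 1


def verify(request, now=None):
    """Steps 3.1 to 3.4: return "ok" or the reason for rejection."""
    now = int(time.time()) if now is None else now
    # Drop cached signatures whose timer has reached the expected time.
    for old in [s for s, expiry in SIGNATURE_CACHE.items() if expiry <= now]:
        del SIGNATURE_CACHE[old]

    seed, ts, l, sig = (request[k] for k in ("seed", "ts", "l", "sig"))
    # 3.1 timeout: the puzzle must have been generated recently.
    if not 0 <= now - ts <= EXPECTED_CHALLENGE_TIME:
        return "expired"
    # 3.2 signature: seed, difficulty and timestamp must be gateway-issued.
    if not hmac.compare_digest(sig, sign(seed, l, ts)):
        return "bad signature"
    # Signature cache lookup: a signature seen before is a repeated request.
    if sig in SIGNATURE_CACHE:
        return "replay"
    # 3.3 proof: two different values with the same l-bit hash.
    m1, m2 = request["m1"], request["m2"]
    if m1 == m2 or H(seed, m1, l) != H(seed, m2, l):
        return "bad proof"
    # 3.4 remember the signature; by the time it is deleted the timestamp
    # check in 3.1 already rejects this puzzle.
    SIGNATURE_CACHE[sig] = now + EXPECTED_CHALLENGE_TIME
    return "ok"
```

Verification costs the gateway one HMAC and two hashes per request, while the consumer's search grows with the difficulty coefficient.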
The embodiment of the invention has the following advantages:
1. By using the puzzle challenge mechanism, the API gateway can generate puzzles with different difficulty coefficients in real time according to the load condition of the service provider (namely the service processing server), which the service consumer (namely the client) must solve in order to obtain service. Because generating a puzzle proof costs far more than verifying one, and a puzzle cannot be predicted and its proof computed in advance, the mechanism can effectively defend against application-layer DDoS attacks and ensure the availability of the service by dynamically adjusting the difficulty coefficient.
2. A time-out mechanism and a signature caching mechanism are utilized to ensure that the same legal certificate can only be used once, namely, the same service call request only provides one service. When the request is intercepted, replay or multiple replay attacks can be effectively resisted.
3. The security mechanism does not consume significant computational and memory resources and thus does not require dedicated nodes to implement.
The method of the embodiment of the invention realizes effective resistance to DDoS attack and data replay attack of an application layer by combining a timeout mechanism, a signature mechanism and a puzzle mechanism.
The API interface safety verification processing method provided by the embodiment of the invention receives a service call request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates; verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result; if the first verification result and the second verification result are determined to be passed, the service parameter is forwarded to a service provider, and a service processing result returned by the service provider according to the service parameter is forwarded to the service consumer, so that an API interface can be prevented from being attacked, such as replay attack and DDoS attack.
Further, the puzzle elements include a puzzle generation timestamp and a difficulty coefficient; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
comparing the puzzle generation timestamp with a current time; reference is made to the above description and no further description is made.
And determining the first verification result according to the result of comparing the time difference with the expected challenge time corresponding to the difficulty coefficient. Reference is made to the above description and no further description is made.
The API interface security verification processing method provided by the embodiment of the invention is based on a timeout mechanism, and can prevent the API interface from being attacked.
Further, the puzzle element further comprises a signature element; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
checking the signature of the signature element, and determining the first verification result according to the result of checking the signature; the signature element is obtained in advance by encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp. Reference is made to the above description and no further description is made.
The API interface security verification processing method provided by the embodiment of the invention is based on a signature mechanism, and can prevent the API interface from being attacked.
Further, the API interface security verification processing method further includes:
if the signature verification result is confirmed to be passed, searching the signature passing the signature verification in the signature cache; reference is made to the above description and no further description is made.
And if the signature is not found, the puzzle certificate is verified to obtain a second verification result. Reference is made to the above description and no further description is given.
The API interface security verification processing method provided by the embodiment of the invention is further based on a timeout mechanism, and can prevent the API interface from being attacked.
Further, the puzzle proof includes a first random number and a second random number previously obtained by the service consumer;
wherein the first random number and the second random number are not equal, and a first hash computation result between the puzzle seed and the first random number is equal to a second hash computation result between the puzzle seed and the second random number; reference is made to the above description and no further description is made.
Correspondingly, the verifying the puzzle certificate to obtain a second verification result includes:
and determining the second verification result according to the numerical comparison result of the first random number and the second random number and the calculation comparison result of the first hash calculation result and the second hash calculation result. Reference is made to the above description and no further description is made.
The API interface security verification processing method provided by the embodiment of the invention is further based on a puzzle mechanism, and can prevent the API interface from being attacked.
Further, the API interface security verification processing method further includes:
if the second verification result is confirmed to be that the verification is passed, storing the signature into the signature cache, and starting timing; reference is made to the above description and no further description is made.
And if the timing duration is determined to reach the expected challenge time, deleting the signature from the signature cache. Reference is made to the above description and no further description is made.
The API interface security verification processing method provided by the embodiment of the invention further realizes that the API interface is prevented from being attacked based on a timeout mechanism.
Further, before the step of receiving a service call request sent by a service consumer, the API interface security verification processing method further includes:
receiving a puzzle challenge request sent by the service consumer, generating a puzzle seed, and acquiring a standard hash function; reference is made to the above description and no further description is made.
Determining a difficulty coefficient according to the load condition information of the service provider and the standard hash function; reference is made to the above description and no further description is made.
Encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp to obtain a signature element; reference is made to the above description and no further description is given.
Sending a puzzle challenge response result to the service consumer for the puzzle challenge request; the puzzle challenge response result carries the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element. Reference is made to the above description and no further description is made.
The API interface safety verification processing method provided by the embodiment of the invention can acquire puzzle elements, so that a service consumer can acquire puzzle certificates based on the puzzle elements, and the safety verification comprehensiveness of the API interface is ensured.
It should be noted that the API interface security verification processing method provided in the embodiment of the present invention may be used in the financial field, and may also be used in any technical field other than the financial field.
Fig. 3 is a schematic structural diagram of an API interface security verification processing apparatus according to an embodiment of the present invention, and as shown in fig. 3, the API interface security verification processing apparatus according to the embodiment of the present invention includes a receiving unit 301, a verifying unit 302, and a forwarding unit 303, where:
the receiving unit 301 is configured to receive a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates; the verification unit 302 is configured to verify the puzzle element to obtain a first verification result, and verify the puzzle certification to obtain a second verification result; the forwarding unit 303 is configured to forward the service parameter to a service provider if it is determined that both the first verification result and the second verification result are verified, and forward a service processing result returned by the service provider according to the service parameter to the service consumer.
Specifically, the receiving unit 301 in the device is configured to receive a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates; the verification unit 302 is configured to verify the puzzle element to obtain a first verification result, and verify the puzzle proof to obtain a second verification result; the forwarding unit 303 is configured to forward the service parameter to a service provider if it is determined that the first verification result and the second verification result are both verified, and forward a service processing result returned by the service provider according to the service parameter to the service consumer.
The API interface safety verification processing device provided by the embodiment of the invention receives a service call request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates; verifying the puzzle element to obtain a first verification result, and verifying the puzzle proof to obtain a second verification result; if the first verification result and the second verification result are determined to be passed, the service parameter is forwarded to a service provider, and a service processing result returned by the service provider according to the service parameter is forwarded to the service consumer, so that an API interface can be prevented from being attacked, such as replay attack and DDoS attack.
Further, the puzzle elements include a puzzle generation timestamp and a difficulty coefficient; correspondingly, the verification unit 302 is specifically configured to:
comparing the puzzle generation timestamp with a current time;
and determining the first verification result according to the result of comparing the time difference with the expected challenge time corresponding to the difficulty coefficient.
The API interface security verification processing device provided by the embodiment of the invention is based on a timeout mechanism, and can prevent the API interface from being attacked.
Further, the puzzle element further comprises a signature element; correspondingly, the verification unit 302 is specifically configured to:
checking the signature of the signature element, and determining the first verification result according to the result of checking the signature; the signature element is obtained in advance by encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp.
The API interface security verification processing device provided by the embodiment of the invention is based on a signature mechanism, and can prevent the API interface from being attacked.
Further, the API interface security verification processing apparatus is further configured to:
if the signature verification result is confirmed to be passed, searching the signature passing the signature verification in the signature cache;
and if the signature is not found, the puzzle certificate is verified to obtain a second verification result.
The API interface security verification processing device provided by the embodiment of the invention is further based on a timeout mechanism, and can prevent the API interface from being attacked.
Further, the puzzle proof includes a first random number and a second random number previously obtained by the service consumer;
wherein the first random number and the second random number are not equal, and a first hash computation result between the puzzle seed and the first random number is equal to a second hash computation result between the puzzle seed and the second random number;
correspondingly, the verification unit 302 is specifically configured to:
and determining the second verification result according to the numerical comparison result of the first random number and the second random number and the calculation comparison result of the first hash calculation result and the second hash calculation result.
The API interface security verification processing method provided by the embodiment of the invention is further based on a puzzle mechanism, and can prevent the API interface from being attacked.
Further, the API interface security verification processing apparatus is further configured to:
if the second verification result is confirmed to be verification passing, storing the signature into the signature cache, and starting timing;
and if the timing duration is determined to reach the expected challenge time, deleting the signature from the signature cache.
The API interface safety verification processing device provided by the embodiment of the invention further realizes that the API interface is prevented from being attacked based on a timeout mechanism.
Further, prior to the step of receiving a service call request sent by a service consumer, the API interface security verification processing means is further for:
receiving a puzzle challenge request sent by the service consumer, generating a puzzle seed, and acquiring a standard hash function;
determining a difficulty coefficient according to the load condition information of the service provider and the standard hash function;
encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp to obtain a signature element;
sending a puzzle challenge response result to the service consumer for the puzzle challenge request; the puzzle challenge response result carries the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element.
The API interface safety verification processing device provided by the embodiment of the invention can acquire puzzle elements, so that a service consumer can acquire puzzle certificates based on the puzzle elements, and the safety verification comprehensiveness of the API interface is ensured.
The embodiment of the API interface security verification processing apparatus provided in the embodiment of the present invention may be specifically configured to execute the processing flows of the above method embodiments, and the functions of the embodiment are not described herein again, and refer to the detailed description of the above method embodiments.
Fig. 4 is a schematic structural diagram of an entity of an electronic device according to an embodiment of the present invention, and as shown in fig. 4, the electronic device includes: a processor (processor) 401, a memory (memory) 402, and a bus 403;
the processor 401 and the memory 402 complete communication with each other through a bus 403;
the processor 401 is configured to call the program instructions in the memory 402 to execute the methods provided by the above-mentioned method embodiments, for example, including:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above method embodiments, for example, including:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle proof to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
The present embodiment provides a computer-readable storage medium, which stores a computer program, where the computer program causes the computer to execute the method provided by the foregoing method embodiments, for example, the method includes:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed through verification, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In the description herein, reference to the description of the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," "an example," "a particular example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. An API interface security verification processing method is characterized by comprising the following steps:
receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
verifying the puzzle element to obtain a first verification result, and verifying the puzzle certificate to obtain a second verification result;
and if the first verification result and the second verification result are determined to be passed through verification, forwarding the service parameters to a service provider, and forwarding a service processing result returned by the service provider according to the service parameters to the service consumer.
2. The API interface security validation processing method of claim 1, wherein the puzzle element comprises a puzzle generation timestamp and a difficulty coefficient; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
comparing the puzzle generation timestamp with the current time;
and determining the first verification result according to the result of comparing the time difference with the expected challenge time corresponding to the difficulty coefficient.
3. The API interface security verification processing method of claim 2, wherein the puzzle element further comprises a signature element; correspondingly, the verifying the puzzle element to obtain a first verification result includes:
checking the signature of the signature element, and determining the first verification result according to the result of checking the signature; the signature element is obtained in advance by encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp.
4. The API interface security validation processing method of claim 3, further comprising:
if the signature verification result is confirmed to be passed, searching the signature passing the signature verification in the signature cache;
and if the signature is not found, the puzzle certificate is verified to obtain a second verification result.
5. The API interface security verification processing method of claim 4, wherein the puzzle proof comprises a first random number and a second random number previously obtained by the service consumer;
wherein the first random number and the second random number are not equal, and a first hash calculation result between the puzzle seed and the first random number is equal to a second hash calculation result between the puzzle seed and the second random number;
correspondingly, the verifying the puzzle certificate to obtain a second verification result includes:
and determining the second verification result according to the numerical comparison result of the first random number and the second random number and the calculation comparison result of the first hash calculation result and the second hash calculation result.
6. The API interface security validation processing method of claim 5, further comprising:
if the second verification result is confirmed to be that the verification is passed, storing the signature into the signature cache, and starting timing;
and if the timing duration is determined to reach the expected challenge time, deleting the signature from the signature cache.
7. An API interface security verification processing method according to any one of claims 1 to 6, wherein before the step of receiving a service call request sent by a service consumer, the API interface security verification processing method further comprises:
receiving a puzzle challenge request sent by the service consumer, generating a puzzle seed, and acquiring a standard hash function;
determining a difficulty coefficient according to the load condition information of the service provider and the standard hash function;
encrypting the puzzle seed, the difficulty coefficient and the puzzle generation timestamp to obtain a signature element;
sending a puzzle challenge response result to the service consumer for the puzzle challenge request; the puzzle challenge response result carries the puzzle seed, the puzzle generation timestamp, the difficulty coefficient, and the signature element.
8. An API interface security verification processing apparatus, comprising:
a receiving unit for receiving a service invocation request sent by a service consumer; the service calling request carries service parameters, puzzle elements and puzzle certificates;
the verification unit is used for verifying the puzzle element to obtain a first verification result and verifying the puzzle certificate to obtain a second verification result;
and the forwarding unit is used for forwarding the service parameter to a service provider if the first verification result and the second verification result are determined to be passed through verification, and forwarding a service processing result returned by the service provider according to the service parameter to the service consumer.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202211113568.5A 2022-09-14 2022-09-14 API interface security verification processing method and device Pending CN115459930A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211113568.5A CN115459930A (en) 2022-09-14 2022-09-14 API interface security verification processing method and device

Publications (1)

Publication Number Publication Date
CN115459930A true CN115459930A (en) 2022-12-09

Family

ID=84303456

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211113568.5A Pending CN115459930A (en) 2022-09-14 2022-09-14 API interface security verification processing method and device

Country Status (1)

Country Link
CN (1) CN115459930A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination