CN117544322A - Browser identification method, device, equipment and storage medium - Google Patents


Info

Publication number: CN117544322A
Authority: CN (China)
Prior art keywords: browser, user, determining, type, identification
Legal status: Granted
Application number: CN202410035385.9A
Other languages: Chinese (zh)
Other versions: CN117544322B (en)
Inventors: 陈奇, 黄凌志, 楚彦辉, 高雪峰
Current Assignee: Beijing Snow Technology Co ltd
Original Assignee: Beijing Snow Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving time stamps, e.g. generation of time stamps
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides a browser identification method, device, equipment and storage medium, and relates to the technical field of computers. The method comprises the following steps: receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and a user credential; parsing the user credential to determine a user identification and an application identification of the user; determining an access policy corresponding to the user based on the user identification and the application identification; and judging the type of the browser according to the access policy and the information to be verified. A more reliable browser identification mode is thereby realized, the problem in the prior art that the browser identification result is easy to forge and tamper with is solved, and the method can be combined with a zero-trust gateway to perform security control on user access to applications, so that a safer and more reliable network environment is provided for the user.

Description

Browser identification method, device, equipment and storage medium
Technical Field
The disclosure relates to the field of computer technologies, and in particular, to a method, a device, equipment and a storage medium for identifying a browser.
Background
In browser authentication, the currently popular technical means is implemented mainly with UA (User-Agent) information as its core: the category of the browser and its version are inferred by analyzing the UA text string in the HTTP header transmitted by the browser.
However, UA data can be artificially masqueraded or fabricated, which not only makes the browser identification result inaccurate but may also expose the system to the risk of malicious attack.
Thus, how to improve the accuracy of browser identification is an urgent problem to be solved.
Disclosure of Invention
The disclosure provides a method, a device, equipment and a storage medium for identifying a browser, which aim to solve one of the technical problems in the related art at least to a certain extent.
In a first aspect, the present disclosure provides a method for identifying a browser, performed by a gateway, including:
receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and a user credential;
parsing the user credential to determine a user identification and an application identification of the user;
determining an access policy corresponding to the user based on the user identification and the application identification;
and judging the type of the browser according to the access policy and the information to be verified.
In a second aspect, the present disclosure provides an identification device of a browser, including:
the receiving module is used for receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and a user credential;
the first determining module is used for analyzing the user credentials to determine user identifications and application identifications of the users;
the second determining module is used for determining an access strategy corresponding to the user based on the user identifier and the application identifier;
and the judging module is used for judging the type of the browser according to the access strategy and the information to be checked.
In a third aspect, the present disclosure provides an electronic device comprising: a processor; a memory for storing processor-executable instructions; the processor is configured to execute instructions to implement a method of identifying a browser.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing instructions which, when executed by a processor of an electronic device, enable the electronic device to perform a method of identifying a browser.
In a fifth aspect, the present disclosure provides a computer program product comprising a computer program for executing, by a processor, a method of identifying a browser.
In the embodiment of the disclosure, a gateway firstly receives a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and user credentials, then analyzes the user credentials to determine user identifications and application identifications of the user, then determines access strategies corresponding to the user based on the user identifications and the application identifications, and finally judges the type of the browser according to the access strategies and the information to be verified. Therefore, a more reliable browser identification mode is realized, the problem that the identification result of the browser is easy to forge and falsify in the prior art is solved, and meanwhile, the zero trust gateway can be combined to perform security control on user access application, so that a safer and more reliable network environment is provided for the user.
Additional aspects and advantages of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a flowchart illustrating a method for identifying a browser according to a first embodiment of the disclosure;
Fig. 2 is a flowchart illustrating a method for identifying a browser according to a second embodiment of the disclosure;
Fig. 3 is a schematic structural view of an identification device of a browser according to a fourth embodiment of the present disclosure;
Fig. 4 illustrates a block diagram of an exemplary electronic device suitable for use in implementing embodiments of the present disclosure.
Specific embodiments of the present disclosure have been shown by way of the above drawings and will be described in more detail below. These drawings and the written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the disclosed concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Embodiments of the present disclosure are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the present disclosure and are not to be construed as limiting the present disclosure. On the contrary, the embodiments of the disclosure include all alternatives, modifications, and equivalents as may be included within the spirit and scope of the appended claims.
The current common means of browser authentication mainly uses UA (User-Agent) information as its core: the UA text string transmitted by the browser is analyzed to infer the category of the browser and its version. The UA is an HTTP header field containing a feature string by which the peer end of the network protocol identifies the application type, operating system, software developer and version number of the user agent software that originated the request. In practice, UA information can be artificially masqueraded or fabricated, which not only makes the browser recognition result inaccurate but may also expose the system to the risk of malicious attack. In addition, once the browser type has been identified, the current technology has no capability for deep supervision or control of users' behavior when browsing websites, so a monitoring gap remains at the management level and enterprises are challenged in internal network security management. Therefore, even if the browser type can be accurately identified, this is insufficient for comprehensively controlling the various online activities of users within an enterprise, which limits the breadth and depth of application of the prior art in enterprise network behavior management.
In order to overcome the defects in the prior art, the present disclosure provides a method, a device, equipment and a storage medium for identifying a browser, which provide a more reliable browser identification mode through the processes of signing and signature verification, solve the problem that the prior art is easy to forge and tamper with, and simultaneously can combine a zero trust gateway to perform security control on user access application.
It should be noted that, the execution body of the identification method of the browser in this embodiment may be an identification device of the browser, or may be any electronic device, where the device may be implemented by software and/or hardware.
The identification method of the browser according to the embodiment of the present disclosure will be described below with "gateway" as an execution subject.
Fig. 1 is a flowchart of a method for identifying a browser according to a first embodiment of the disclosure, as shown in fig. 1, the method includes:
s101: and receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and user credentials.
Wherein the check request may be a request for gateway check. When a user logs in the gateway through the browser, a verification request needs to be initiated to the gateway, then the gateway can verify the browser, and under the condition that the verification is passed, the identity authentication of the browser is determined to be passed.
The information to be verified may include a time stamp, a random string, a digest, and signature information, which is not limited herein.
The user credentials may be an encrypted ciphertext field. It should be noted that, when a browser initiates a request to a gateway, it needs to carry a user credential and information to be checked. Wherein the information to be verified may be located in the request header. The information to be checked and the user credentials are located in different fields.
S102: the user credentials are parsed to determine a user identification and an application identification of the user.
The user identification (user id) is a unique identification for characterizing the user, and the gateway side stores the user identification.
The application identifier may be an identifier of an application requested to be accessed by a user at a browser, and may uniquely characterize the application. In the embodiment of the present disclosure, the user identifier may be denoted as a user_id, and the application identifier may be denoted as an app_id, which is not limited herein.
It should be noted that the user credential is an encrypted ciphertext field, such as "abcxxxxx"; by parsing "abcxxxxx", user_id=Mr. Li and app_id=bardu are obtained, where app_id is the application identifier and user_id is the user identifier. This example is only a schematic illustration, and the disclosure is not limited thereto.
S103: and determining an access strategy corresponding to the user based on the user identification and the application identification.
It should be noted that, the access policies corresponding to different users will also generally be different. In the embodiment of the disclosure, an access policy is configured in the gateway in advance. The access policy may include, but is not limited to, a user identifier, an application identifier, a browser type, a handling action, and the like.
In the embodiment of the disclosure, the access policy commonly associated with the user identifier and the application identifier can be obtained from the cache as the access policy corresponding to the user.
The handling actions may include, but are not limited to, releasing access, blocking the IP, blocking the account, and logging out an abnormal session.
Releasing access may be understood as allowing access to the application, and blocking access as not allowing access to the application.
Blocking the IP may be understood as blocking the source IP of the user client, so that the IP is subsequently not allowed to revisit the application.
Blocking the account may be understood as blocking the user account, so that the user is subsequently not allowed to access the application.
Logging out an abnormal session may be understood as logging off the user's current session, so that the user needs to log in again before continuing to access the application.
It should be noted that the access policy may be configured in the gateway by the administrator in advance, for performing the corresponding handling when a snow-no browser or a non-snow-no browser accesses the application.
S104: and judging the type of the browser according to the access strategy and the information to be checked.
Alternatively, it may first be determined whether the application is restricted to be accessible only to the first type of browser based on the access policy.
In the embodiment of the present disclosure, the first type of browser may be a snow-no browser, which is not limited herein.
It should be noted that if the application is not limited to the first type of browser only, this means that any browser can access the application, and verification is not required at this time.
In the embodiment of the disclosure, the browser which initiates the verification request currently is verified only if the application is limited to be accessible to the first type of browser. That is, only if the application restricts access to the first type of browser, a determination is made as to whether the browser is a first type of browser or a second type of browser.
If the application is limited to only the first type of browser, the information to be verified needs to be further verified.
The information to be verified at least comprises a timestamp, a random string, a digest and an encrypted string.
Specifically, under the condition that the time stamp, the random character string, the abstract and the encrypted character string pass verification, the browser is indicated to be of a first type, the verification is legal, and the request is valid; otherwise, the request is invalid, the identity is illegal, and the browser type is the second type browser.
Wherein the second type of browser may be a non-snow-no browser.
It should be noted that, by checking the user identity, the timestamp, the random string, the digest and the encrypted string (signature), and judging the validity of the request according to the checking result, the multi-channel checking link applied in the gateway checking flow greatly increases the strictness of any request verification.
Optionally, in the case that the browser is of the first type, the gateway issues access policy and credentials for passing identity authentication to the browser.
Wherein the first type of browser may be a snow-no browser.
Optionally, in the case that the browser is of the second type, the browser is denied access and the user log is acquired.
Wherein the second type of browser may be a non-snow-no browser.
Specifically, if the browser is of the second type, the gateway intercepts the browser request, prevents bypassing the preconfigured management and control policy, and records and uploads the user log.
The user log includes fields of user identification, location, time, device name, and application resources, which are not limited herein.
It should be noted that, when the user performs the secure access application, the user is limited to use only a special snow-no browser (first type browser), so that strict requirements on file management and control are effectively achieved.
To further enhance security, measures may also be taken to prohibit other browsers from accessing the application, ensuring that software that has not been specifically verified cannot access sensitive data. This brings high exclusivity to the application and ensures the exclusivity and specificity of access, while the security of the whole system is significantly improved because potential access channels are limited. In this way, applications and user data can be more strongly protected from unauthorized access, maintaining the stability and reliability of the overall system.
In the embodiment of the disclosure, a gateway firstly receives a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and user credentials, then analyzes the user credentials to determine user identifications and application identifications of the user, then determines access strategies corresponding to the user based on the user identifications and the application identifications, and finally judges the type of the browser according to the access strategies and the information to be verified. Therefore, a more reliable browser identification mode is realized, the problem that the identification result of the browser is easy to forge and falsify in the prior art is solved, and meanwhile, the zero trust gateway can be combined to perform security control on user access application, so that a safer and more reliable network environment is provided for the user.
Fig. 2 is a flow chart illustrating a method for identifying a browser according to a second embodiment of the disclosure, and as shown in fig. 2, the method includes:
s201: in response to a user initiating a web page request to a browser, based on the browser adding a first timestamp and a first random string in a request header of the web page request, the first timestamp characterizes a time when the user initiated the web page request.
The web page request may be an http request sent by the user through the browser.
Specifically, after the browser intercepts the web page request, two fields, namely, a first timestamp and a first random string, may be added to the request header.
Wherein the first timestamp is a timestamp of a time when the user initiated the web page request.
The first random string may be a current randomly generated string.
It should be noted that before the user initiates a web page request through the browser, the browser must first be started; after the user opens the browser, the browser knocks on the door (port knocking) to establish a management channel. If the user is not logged in, a login page can be displayed, and the user can enter a user name and password to log in.
Optionally, after the browser establishes the management channel, the gateway issues the first key to the browser.
It should be noted that the management channel may be established before login, and it is used to implement the function of opening port access rights by knocking on the door: by default, all gateway ports (including the login port) deny access, except for the knocking port itself, and the client browser has no rights until the corresponding port rights are released by knocking on the door through the management channel.
Further, after the browser main process establishes the management channel, the method provided by the gateway is called to obtain the issued first key.
Wherein the first key may be issued as a client key to the browser core service.
S202: and generating a first abstract corresponding to the webpage request according to the first timestamp and the first random character string.
Specifically, a first digest corresponding to the web page request may be generated based on the SHA-256 algorithm according to the first timestamp and the first random string.
SHA-256, which is a cryptographic hash function used to compress messages of arbitrary length into 256-bit digests, is used in digital signature, message authentication, and random number generation applications.
In the disclosed embodiment, the first timestamp is denoted by x-swow-sec-time, and the first random string is denoted by x-swow-sec-nonce. The first timestamp is expressed in milliseconds.
S203: and encrypting the first abstract based on the first key issued by the gateway to obtain an encrypted character string.
Optionally, the first digest may be encrypted based on a first key issued by the gateway to obtain an encrypted string.
In the disclosed embodiment, the encryption string is represented by x-now-sec-token.
S204: the first digest and the encrypted string are added to the request header.
The request header thus contains the information to be verified: the first timestamp, the first random string, the first digest and the encrypted string.
S205: and receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and user credentials.
S206: the user credentials are parsed to determine a user identification and an application identification of the user.
S207: and determining an access strategy corresponding to the user based on the user identification and the application identification.
It should be noted that, the specific implementation manner of steps S205 to S207 may refer to the above embodiment, and will not be described herein.
S208: and determining the first application corresponding to the application identifier.
S209: and judging whether the first application is accessible only to the first type of browser according to the access strategy so as to obtain a first verification result.
The access policy comprises an accessible browser corresponding to the application.
S210: and if the first verification result is that only the first type browser is accessible, respectively verifying the first timestamp, the first random character string, the first abstract and the encrypted character string to obtain a second verification result.
Optionally, if the time difference between the current time and the time corresponding to the first timestamp is greater than a preset time threshold, or the current time is greater than the server time, determining that the first judgment result is not passed, otherwise, determining that the first judgment result is passed.
Specifically, the x-crank-sec-time header, i.e. the first timestamp, may be taken out from the request header, and if the difference between the time and the current time is greater than a preset time threshold (for example, 3 min), or the time is greater than the server time, the request is considered invalid, the access request is refused, and the user is prompted accordingly.
Optionally, if the first random string exists in the cache, determining that the second judgment result is not passed, otherwise, determining that the second judgment result is passed.
Optionally, the value of the x-swow-sec-nonce field, that is, the first random string, may be extracted from the request header; if the value already exists in the cache, the access request is denied and the user is prompted accordingly; otherwise the value has never been used before, and it is stored in the cache as a random string value with an expiration time, where the expiration time avoids occupying cache space indefinitely.
It should be noted that, the first timestamp is used to determine whether the current system time is expired. The first random string is used to determine uniqueness.
Optionally, the second digest may be calculated according to the first timestamp and the first random string, and if the second digest and the first digest are not matched, the third judgment result is determined to be not passed, otherwise, the third judgment result is passed.
Specifically, the second digest may be calculated by the SHA-256 algorithm from the first timestamp and the first random string. The value of the second digest is then compared with the first digest to check whether they match; if so, the next step is carried out and the third judgment result is passed, otherwise the access request is refused, the user is prompted accordingly, and the third judgment result is not passed.
Optionally, the encrypted string may be decrypted based on the second key stored in the cache to obtain a third digest, and if the third digest and the first digest are not matched, the fourth judgment result is determined to be not passed, otherwise, the fourth judgment result is determined to be passed.
Specifically, the gateway key, that is, the second key, may be obtained according to the user_token, and the value of the x-now-sec-token field (the encrypted string, i.e. the digest-encrypted request header field) is decrypted with it to obtain a third digest. The third digest is then compared with the first digest: if they do not match, the fourth judgment result is determined to be not passed; otherwise, the fourth judgment result is passed.
The gateway generates a plurality of keys: the first key is issued to the browser core service as the client key, and the second key is associated with the user and stored in the cache as the server key. The browser uses its key to encrypt the digest, and the gateway uses the corresponding key to decrypt it.
In order to ensure the security and soundness of the keys, a key issuing and management method is adopted. These methods control the key distribution process through strict security protocols and procedures, ensuring that only authorized parties can acquire and use a key. On the management side, multi-level strategies and technical measures can be implemented to monitor key usage and to update or revoke in time any key that may have been exposed or is no longer safe, so that the security and soundness of the keys are effectively ensured and a solid foundation is provided for the security of the whole system.
Further, if the first, second, third and fourth judgment results are all passed, the second verification result is determined to be that the first timestamp, the first random string, the first digest and the encrypted string all pass verification; otherwise, the second verification result is determined to be that not all of them pass.
S211: under the condition that the second verification result is that the first timestamp, the first random string, the first digest and the encrypted string all pass verification, determining that the browser type is the first type browser, and otherwise determining that the browser type is the second type browser.
As a possible implementation manner, in the embodiment of the present disclosure, the gateway may be an exclusive zero-trust gateway, the server may be an exclusive zero-trust server, and the credential may be a credential of exclusive zero-trust identity authentication. Specifically, the gateway may be a Xueno zero-trust gateway, the server may be a Xueno zero-trust server, and the credential may be a credential of Xueno zero-trust identity authentication; the Xueno zero-trust gateway, the Xueno zero-trust server and the Xueno zero-trust identity authentication credential are all prior art, so redundant description is omitted.
In summary, the embodiments of the present disclosure have at least the following beneficial effects:
(1) Only if all four elements, the timestamp, the random string, the digest and the signature, are tampered with and counterfeited consistently at the same time could an unauthorized request be accepted erroneously, and the probability of that occurring is very low. Because an attacker would need to defeat the interlocking verification levels simultaneously, forgery is difficult, and the accuracy of identifying the authenticity of a request is significantly improved. The gateway effectively ensures that every processed request has the necessary validity and security, and that the security protection of the whole system is highly resistant to potential threats.
(2) The method addresses the problem that the browser identification process is easily counterfeited and maliciously tampered with, and can significantly improve the accuracy and reliability with which the exclusive zero-trust gateway identifies the type of the exclusive browser, thereby providing users with a safer and more trusted network environment.
(3) The system has strong supervision capability, so that an enterprise can precisely control the application access behaviour of its internal staff. Under this framework, if the verification result shows that the visitor is an authorized, legitimate user who is requesting an enterprise application through the designated proprietary browser, the enterprise's preset configuration is consulted and the compliant access is allowed to proceed, the access authorization relying on a series of authentication protocols and user identity verification procedures. Otherwise, if an access is found to come from an unauthorized user, or the access attempt was not initiated through the proprietary browser, the system takes enforcement measures to immediately block the invalid access request or the one that does not conform to the security specification, so that the enterprise's applications and data are protected from unsafe factors.
(4) By utilizing the signature technique, the system can analyze and identify the browser information of different users more accurately, so that overall identification accuracy is improved, the reliability of the identification process is enhanced, and a more personalized and secure network experience is provided to users.
Fig. 3 is a block diagram of an identification device of a browser according to the present disclosure, and as shown in fig. 3, an identification device 400 of the browser includes:
a receiving module 410, configured to receive a verification request initiated by a user through a browser, where the verification request contains information to be verified and a user credential;
a first determining module 420, configured to parse the user credentials to determine a user identifier and an application identifier of the user;
a second determining module 430, configured to determine an access policy corresponding to the user based on the user identifier and the application identifier;
and the judging module 440 is configured to judge the type of the browser according to the access policy and the information to be verified.
Optionally, the receiving module further includes:
a first adding unit, used for responding to a web page request initiated by the user to the browser by adding, based on the browser, a first timestamp and a first random string to the request header of the web page request, where the first timestamp characterizes the time at which the user initiated the web page request;
a generation unit, used for generating a first digest corresponding to the web page request according to the first timestamp and the first random string;
an encryption unit, used for encrypting the first digest with the first key issued by the gateway so as to obtain an encrypted string;
and a second adding unit, used for adding the first digest and the encrypted string to the request header.
Optionally, the receiving module is further configured to:
and after the browser establishes a management channel, issuing the first key to the browser.
Optionally, the information to be verified at least includes the first timestamp, the first random string, the first digest, and the encrypted string, and the judging module includes:
a first determining unit, used for determining a first application corresponding to the application identifier;
a first obtaining unit, used for judging, according to the access policy, whether the first application is accessible only by the first type browser, so as to obtain a first verification result;
a second obtaining unit, used for verifying the first timestamp, the first random string, the first digest and the encrypted string respectively if the first verification result is that the application is accessible only by the first type browser, so as to obtain a second verification result;
and a second determining unit, used for determining that the browser type is the first type browser when the second verification result is that the first timestamp, the first random string, the first digest and the encrypted string all pass verification, and otherwise determining that the browser type is the second type browser.
Optionally, the second obtaining unit is specifically configured to:
if the time difference between the current time and the time corresponding to the first timestamp is larger than a preset time threshold, or the current time is later than the server time, determine that the first judgment result is not passed, and otherwise determine that the first judgment result is passed;
if the first random string already exists in the cache, determine that the second judgment result is not passed, and otherwise determine that the second judgment result is passed;
calculate a second digest according to the first timestamp and the first random string;
if the second digest does not match the first digest, determine that the third judgment result is not passed, and otherwise determine that the third judgment result is passed;
decrypt the encrypted string based on the second key stored in the cache to obtain a third digest;
if the third digest does not match the first digest, determine that the fourth judgment result is not passed, and otherwise determine that the fourth judgment result is passed;
if the first, second, third and fourth judgment results are all passed, determine that the second verification result is that the first timestamp, the first random string, the first digest and the encrypted string all pass verification, and otherwise determine that the second verification result is that not all of them pass.
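The browser-side construction of the four headers (the adding, generation and encryption units above) and the four gateway-side judgments (step S210 in the method description and the second obtaining unit just above) in one runnable script, as an added example that is not the patent's or the applicant's code. Assumptions not on the page: the digest header name, a "." separator in the digest input, one symmetric key issued as both first and second key, and an HMAC-SHA256 keystream XOR standing in for the cipher the page does not specify.

```python
"""Added example: browser-side header construction and the gateway's four
judgments over timestamp, random string, digest and encrypted digest."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

TIME_THRESHOLD_S = 180  # preset time threshold, "for example, 3 min"

# Header names as given on the page; the digest header is not named there,
# so "x-sec-digest" is an assumed placeholder.
H_TIME = "x-crank-sec-time"
H_NONCE = "x-nonce-sec-nonce"
H_DIGEST = "x-sec-digest"
H_TOKEN = "x-now-sec-token"


def compute_digest(timestamp: str, nonce: str) -> str:
    """SHA-256 over the first timestamp and first random string (the '.'
    separator is an assumption; the page only names the inputs)."""
    return hashlib.sha256(f"{timestamp}.{nonce}".encode()).hexdigest()


def keystream_xor(key: bytes, nonce: str, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: XOR with an HMAC-SHA256 keystream
    bound to the request nonce. Symmetric, so the same call also decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, f"{nonce}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_request_headers(client_key: bytes, now: float, nonce: str) -> Dict[str, str]:
    """Browser core service: add first timestamp, first random string, first
    digest and the encrypted string (first digest under the first key)."""
    ts = str(int(now))
    digest = compute_digest(ts, nonce)
    token = keystream_xor(client_key, nonce, digest.encode()).hex()
    return {H_TIME: ts, H_NONCE: nonce, H_DIGEST: digest, H_TOKEN: token}


class Gateway:
    """Holds the per-user server key (second key) and the nonce cache."""

    def __init__(self) -> None:
        self.server_keys: Dict[str, bytes] = {}  # user_token -> second key
        self.nonce_cache: Dict[str, float] = {}  # first random string -> expiry

    def issue_key(self, user_token: str) -> bytes:
        """Generate a key, keep it as the server key for this user and return
        it as the client key (a shared symmetric key is assumed)."""
        key = secrets.token_bytes(32)
        self.server_keys[user_token] = key
        return key

    def verify(self, headers: Dict[str, str], user_token: str,
               now: float) -> Tuple[str, Dict[str, bool]]:
        """Apply the four judgments in the page's order and classify the
        browser; returns the browser type and the per-judgment results."""
        results = {"timestamp": False, "nonce": False, "digest": False, "token": False}
        ts_raw = headers.get(H_TIME, "")
        nonce = headers.get(H_NONCE, "")
        first_digest = headers.get(H_DIGEST, "").encode()
        token_hex = headers.get(H_TOKEN, "")

        # Judgment 1: timestamp not older than the threshold and not in the future.
        ts = int(ts_raw) if ts_raw.isdigit() else None
        results["timestamp"] = ts is not None and now - ts <= TIME_THRESHOLD_S and ts <= now

        # Judgment 2: the random string must not be in the cache; afterwards it is
        # cached with an expiry so old entries stop occupying space. As on the page,
        # it is cached here even if a later judgment fails.
        self.nonce_cache = {n: exp for n, exp in self.nonce_cache.items() if exp > now}
        if nonce and nonce not in self.nonce_cache:
            results["nonce"] = True
            self.nonce_cache[nonce] = now + TIME_THRESHOLD_S

        # Judgment 3: recompute the digest (second digest) and compare with the first.
        second_digest = compute_digest(ts_raw, nonce).encode()
        results["digest"] = hmac.compare_digest(second_digest, first_digest)

        # Judgment 4: decrypt the encrypted string with the user's server key
        # (third digest) and compare with the first digest.
        server_key = self.server_keys.get(user_token)
        try:
            third_digest = keystream_xor(server_key, nonce, bytes.fromhex(token_hex)) if server_key else b""
        except ValueError:  # token is not valid hex
            third_digest = b""
        results["token"] = hmac.compare_digest(third_digest, first_digest)

        all_pass = all(results.values())
        return ("first type browser" if all_pass else "second type browser"), results
```

A replayed request fails only the second judgment, a request whose timestamp was edited after signing fails only the third, and headers produced without the issued key fail only the fourth; the browser is classified as the first type only when all four pass.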
Optionally, the determining module 440 is further configured to:
issuing credentials for passing the access policy and the identity authentication to the browser under the condition that the type of the browser is the first type of browser;
and under the condition that the browser is of the second type, prohibiting the browser from accessing and acquiring a user log.
Optionally, the first type browser is a Xueno browser, the second type browser is a non-Xueno browser, the gateway is an exclusive zero-trust gateway, the credential of passed identity authentication is the credential of passed exclusive zero-trust identity authentication and contains the user identifier, and the user log includes the fields user identifier, location, time, device name and application resource.
In the embodiment of the disclosure, the gateway first receives a verification request initiated by a user through a browser, where the verification request contains the information to be verified and the user credential; it then parses the user credential to determine the user identifier and the application identifier of the user, determines the access policy corresponding to the user based on the user identifier and the application identifier, and finally judges the type of the browser according to the access policy and the information to be verified. A more reliable browser identification mode is thereby realized, solving the prior-art problem that the browser identification result is easily forged and falsified, and the zero-trust gateway can at the same time perform security control on the user's access to applications, providing a safer and more reliable network environment for the user.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 4 illustrates a block diagram of an exemplary electronic device suitable for use in implementing embodiments of the present disclosure. The electronic device 12 shown in fig. 4 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 4, the electronic device 12 is in the form of a general purpose computing device. Components of the electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a memory 28, and a bus 18 that connects the various system components, including the memory 28 and the processing unit 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (Random Access Memory; hereinafter: RAM) 30 and/or cache memory 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard disk drive"). Although not shown in fig. 4, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a compact disk read only memory (Compact Disc Read Only Memory; hereinafter CD-ROM), digital versatile read only optical disk (Digital Video Disc Read Only Memory; hereinafter DVD-ROM), or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the various embodiments of the disclosure.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods in the embodiments described in this disclosure.
The electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the electronic device 12, and/or any devices (e.g., network card, modem, etc.) that enable the electronic device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks, such as a local area network (Local Area Network; hereinafter: LAN), a wide area network (Wide Area Network; hereinafter: WAN) and/or a public network, such as the Internet, via the network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 over the bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the memory 28, for example, implementing the methods mentioned in the foregoing embodiments.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present disclosure, the meaning of "a plurality" is at least two, such as two, three, etc., unless explicitly specified otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present disclosure in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present disclosure.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CD-ROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. Alternatively, if implemented in hardware, they may be implemented, as is well known in the art, using any one or a combination of the following techniques: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
Furthermore, each functional unit in the embodiments of the present disclosure may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. Although embodiments of the present disclosure have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the present disclosure, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the present disclosure.

Claims (10)

1. A method of identifying a browser, performed by a gateway, the method comprising:
receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and a user credential;
analyzing the user credentials to determine a user identification and an application identification of the user;
determining an access strategy corresponding to the user based on the user identification and the application identification;
and judging the type of the browser according to the access strategy and the information to be checked.
2. The method of claim 1, further comprising, prior to said receiving a user-initiated verification request via a browser:
in response to the user initiating a web page request to the browser, adding, based on the browser, a first timestamp and a first random string to a request header of the web page request, wherein the first timestamp characterizes the time at which the user initiated the web page request;
generating a first digest corresponding to the web page request according to the first timestamp and the first random string;
encrypting the first digest based on a first key issued by the gateway to obtain an encrypted string;
and adding the first digest and the encrypted string to the request header.
3. The method as recited in claim 2, further comprising:
and after the browser establishes a management channel, issuing the first key to the browser.
4. The method according to claim 2, wherein the information to be verified at least includes the first timestamp, the first random string, the first digest, and the encrypted string, and the determining the type of the browser according to the access policy and the information to be verified includes:
determining a first application corresponding to the application identifier;
judging whether the first application is accessible only to the first type browser according to the access strategy so as to obtain a first verification result;
if the first verification result is that the first application is accessible only by the first type browser, verifying the first timestamp, the first random string, the first digest and the encrypted string respectively to obtain a second verification result;
and determining that the browser type is the first type browser under the condition that the second verification result is that the first timestamp, the first random string, the first digest and the encrypted string all pass verification, and otherwise determining that the browser type is the second type browser.
5. The method of claim 4, wherein the verifying the first timestamp, the first random string, the first digest, and the encrypted string, respectively, to obtain the second verification result comprises:
if the time difference between the current time and the time corresponding to the first timestamp is larger than a preset time threshold, or the current time is later than the server time, determining that a first judgment result is not passed, and otherwise determining that the first judgment result is passed;
if the first random string already exists in the cache, determining that a second judgment result is not passed, and otherwise determining that the second judgment result is passed;
calculating a second digest according to the first timestamp and the first random string;
if the second digest does not match the first digest, determining that a third judgment result is not passed, and otherwise determining that the third judgment result is passed;
decrypting the encrypted string based on a second key stored in the cache to obtain a third digest;
if the third digest does not match the first digest, determining that a fourth judgment result is not passed, and otherwise determining that the fourth judgment result is passed;
if the first judgment result, the second judgment result, the third judgment result and the fourth judgment result are all passed, determining that the second verification result is that the first timestamp, the first random string, the first digest and the encrypted string all pass verification, and otherwise determining that the second verification result is that not all of them pass.
6. The method of claim 4, further comprising, after said determining the type of the browser based on the access policy and the information to be verified:
issuing credentials for passing the access policy and the identity authentication to the browser under the condition that the type of the browser is the first type of browser;
and under the condition that the browser is of the second type, prohibiting the browser from accessing and acquiring a user log.
7. The method of claim 6, wherein the first type browser is a Xueno browser, the second type browser is a non-Xueno browser, the gateway is an exclusive zero-trust gateway, the credential of passed identity authentication is the credential of passed exclusive zero-trust identity authentication and contains the user identifier, and the user log comprises the fields user identifier, location, time, device name and application resource.
8. An identification device of a browser, comprising:
the receiving module is used for receiving a verification request initiated by a user through a browser, wherein the verification request contains information to be verified and a user certificate;
the first determining module is used for analyzing the user credentials to determine user identifications and application identifications of the users;
the second determining module is used for determining an access strategy corresponding to the user based on the user identifier and the application identifier;
and the judging module is used for judging the type of the browser according to the access strategy and the information to be checked.
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1-7.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410035385.9A CN117544322B (en) 2024-01-10 2024-01-10 Browser identification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117544322A true CN117544322A (en) 2024-02-09
CN117544322B CN117544322B (en) 2024-03-22

Family

ID=89790430

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410035385.9A Active CN117544322B (en) 2024-01-10 2024-01-10 Browser identification method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117544322B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118074985A (en) * 2024-02-27 2024-05-24 北京雪诺科技有限公司 Browser file management and control method, system, device and readable storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737328A (en) * 2017-04-14 2018-11-02 新浪网技术(中国)有限公司 A kind of browser client acts on behalf of recognition methods, system and device
CN109756479A (en) * 2018-11-29 2019-05-14 武汉极意网络科技有限公司 Request detection method and device is forged in browser
CN111211902A (en) * 2019-11-29 2020-05-29 云深互联(北京)科技有限公司 Digital signature method and device based on enterprise browser
CN112261012A (en) * 2020-09-30 2021-01-22 北京鸿联九五信息产业有限公司 Browser, server and webpage access method
CN112579998A (en) * 2019-09-30 2021-03-30 北京京东尚科信息技术有限公司 Webpage access method, management system and electronic equipment in information interaction platform
CN113849674A (en) * 2020-06-28 2021-12-28 北京梆梆安全科技有限公司 Method and device for identifying disguised user agent information and electronic equipment
CN114157568A (en) * 2021-11-29 2022-03-08 北京锐安科技有限公司 Browser security access method, device, equipment and storage medium
US20220191241A1 (en) * 2020-12-15 2022-06-16 Akamai Technologies, Inc. Javascript engine fingerprinting using landmark features and API selection and evaluation
CN115102744A (en) * 2022-06-16 2022-09-23 京东科技信息技术有限公司 Data access method and device
CN116244756A (en) * 2022-12-30 2023-06-09 统信软件技术有限公司 Method and device for verifying browser plug-in and computing equipment
CN116310728A (en) * 2023-03-28 2023-06-23 北京邮电大学 Browser identification method based on CNN-Linformer model

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737328A (en) * 2017-04-14 2018-11-02 新浪网技术(中国)有限公司 Browser client user-agent identification method, system and device
CN109756479A (en) * 2018-11-29 2019-05-14 武汉极意网络科技有限公司 Browser forged-request detection method and device
CN112579998A (en) * 2019-09-30 2021-03-30 北京京东尚科信息技术有限公司 Webpage access method, management system and electronic equipment in information interaction platform
CN111211902A (en) * 2019-11-29 2020-05-29 云深互联(北京)科技有限公司 Digital signature method and device based on enterprise browser
CN113849674A (en) * 2020-06-28 2021-12-28 北京梆梆安全科技有限公司 Method and device for identifying disguised user agent information and electronic equipment
CN112261012A (en) * 2020-09-30 2021-01-22 北京鸿联九五信息产业有限公司 Browser, server and webpage access method
US20220191241A1 (en) * 2020-12-15 2022-06-16 Akamai Technologies, Inc. Javascript engine fingerprinting using landmark features and API selection and evaluation
CN114157568A (en) * 2021-11-29 2022-03-08 北京锐安科技有限公司 Browser security access method, device, equipment and storage medium
CN115102744A (en) * 2022-06-16 2022-09-23 京东科技信息技术有限公司 Data access method and device
WO2023241060A1 (en) * 2022-06-16 2023-12-21 京东科技信息技术有限公司 Data access method and apparatus
CN116244756A (en) * 2022-12-30 2023-06-09 统信软件技术有限公司 Method and device for verifying browser plug-in and computing equipment
CN116310728A (en) * 2023-03-28 2023-06-23 北京邮电大学 Browser identification method based on CNN-Linformer model

Also Published As

Publication number Publication date
CN117544322B (en) 2024-03-22

Similar Documents

Publication Publication Date Title
US10063594B2 (en) Network access control with compliance policy check
JP6491192B2 (en) Method and system for distinguishing humans from machines and for controlling access to network services
EP1498800B1 (en) Security link management in dynamic networks
US7526654B2 (en) Method and system for detecting a secure state of a computer system
US10333930B2 (en) System and method for transparent multi-factor authentication and security posture checking
CN111510453B (en) Business system access method, device, system and medium
US20090328186A1 (en) Computer security system
CN117544322B (en) Browser identification method, device, equipment and storage medium
CN114598540A (en) Access control system, method, device and storage medium
KR20020060075A (en) Method and apparatus for protecting file system based on digital signature certificate
CN111917714A (en) Zero trust architecture system and use method thereof
CN104506480B (en) The cross-domain access control method and system combined based on label with audit
CN111147525A (en) Authentication method, system, server and storage medium based on API gateway
CN111143822A (en) Application system access method and device
CN115333840A (en) Resource access method, system, device and storage medium
CN108900595B (en) Method, device and equipment for accessing data of cloud storage server and computing medium
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
Aljawarneh et al. A web client authentication system using smart card for e-systems: initial testing and evaluation
Dul et al. Protecting web applications from authentication attacks
CN113868628B (en) Signature verification method, signature verification device, computer equipment and storage medium
CN102025492A (en) WEB server and data protection method thereof
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
Alanazi et al. The history of web application security risks
Chryssanthou et al. Security and trust in virtual healthcare communities
CN114006699B (en) Certificate issuing method in zero trust architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant