Internet Security Issues

Others 2022-04-28 09:46:17 views: 0

Internet Security Issues

 

 

       When it comes to Internet security, people will think of man-in-the-middle attacks, DNS hijacking, proxy servers, etc. With so many dangers, how can we ensure that our systems are really secure enough?

 

 

 

An Effective Method: End to End Encryption

 

    How to understand end-to-end encryption? The core has the following two points:

 

  • During the exchange between client and server, data is encrypted
  • Since it is encrypted, the encrypted key is used, and the encrypted key used by each client should be different.

 

Solution:

 

  1. Simulate the encryption process of Https and generate a sessionKey to encrypt the data during interaction
  2. This method has been evaluated by hackers and is indeed effectively prevented from being attacked.

 

process

 

  1. The front end requests the back end to get the public key
  2. The front end generates a 16-bit cKey (UUID), encrypts it with the public key, and sends it to the back end
  3. After the backend gets the encrypted content, decrypt it with the private key and get the cKey
  4. The backend generates a 16-bit sKey (UUID), and then XORs the two keys together to generate a sessionKey
  5. Save cKey, sKey, sessionKey to DB, and the data should be encrypted, and there is a sessionId (UUID) as a unique identifier, sessionId does not need to be encrypted
  6. Then encrypt the sKey and sessionId with cKey and return it to the front end, and the front end decrypts it with its own cKey to get the sKey
  7. Then the front end does an XOR to generate a sessionKey and save it in the runtime of the App
  8. The parameters of each request are encrypted with sessionKey with a string such as userId=1&name=AA, and then the sessionId is placed in the header of the request.
  9. After the backend gets the data, it first finds the sessionKey and IV corresponding to the database according to the sessionId, then decrypts these two values, and then uses this other value to decrypt encData.

 

 

 

 

Question 1: During the End to End Encryption process, the public key of the back end needs to be obtained. Can it be improved?

 

The key to the problem:

 

  1. Now the public key and private key of the server are fixed and placed on a secure machine of the server. Can they be changed to be variable?

 

Solutions:

 

  1. 每次用户需要生成sessionKey的时候,先用deviceId作为key,在redis中查查,看有没有对应吖pubic key、private key,如果有就拿出来用,如果没有就重新生成一对。
  2. 因为deviceId每台机器都不一样,所以生成的public key、private key是不一样的。

 

 

 

 

问题二:即使做好了加密,如果被人拦截到请求的所有数据,怕不怕被用来重复提交

 

问题关键:

 

  1. 这种敏感的请求,应该有个超时时间来记录什么时候无效
  2. 同时,不能重复使用

 

解决思路:

 

  1. 客户端发起请求时,生成一个timeStemp,这是当前提交的时间。
  2. 服务端拿到请求后,首先检查timeStemp,跟当前时间比较,看是否超过5分钟,如果超过就是无效的,如果不超过就是有效的。
  3. 那在这5分钟的时间内,怎么保证不会被重复请求呢?
  4. 使用redis做分布式锁,设置一个clientRef(16位UUID)作为key,在第一次请求时,看拿不拿得到redis的一个key。
  5. 如果拿得到,证明已经执行过了,可以直接抛异常。
  6. 如果拿不到,证明还没有执行过,那就执行请求。
  7. key的超时时间是5分钟,5分钟后自动删除,这样就可以补充这5分钟的空隙了。

 

 

 

问题三:如果跟第三方系统交互,要防止请求数据被中间人篡改了,怎么办?

 

关键问题:

 

  1. 怎么检查被篡改过?数字签名

 

解决思路:

 

  1. 先跟第三方约定数字签名的加密算法,如:SHA256
  2. 第三方请求过来时,生成timeStamp,clientRef,以及request json body一起组成一串字符串,用算法进行加密,名字叫signature(数字签名)
  3. 第三方请求中,header中,放timeStamp,clientRef,signature
  4. 我们服务端收到请求后,将timeStemp,clientRef,request json body,以相同的规则,组成字符串,再用算法进行加密
  5. 加密后的值和signature比较,看是否相等
  6. 如果相等就没问题,不相等就抛异常

 

如何改进:

 

  1. 可以从加密算法中改进,可以用Hash,对称加密,非对称加密(事先要把public key的证书给第三方)
  2. timeStamp,clientRef,signature,组成字符串的规则可以跟第三方约定好,保证不会那么容易被猜到

 

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=326254851&siteId=291194637
Recommended
The sixth meeting of openKylin Community Ecology Committee was successfully held
Alibaba Cloud officially releases Tongyi Qianwen 2.5
Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter
Stack Overflow used my code to train large AI models and banned my account.
Pop!_OS’s COSMIC desktop completes App Store listing
Report: Django is still the first choice for 74% of developers
"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report
15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?
Ranking
Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures
Der M-Chip-Mac implementiert mehrere Android-Emulatoren
CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.
Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery
python3 pip ipython installation
A lot of python crawler source code sharing -- talk about the little thing about python crawler
Agile Sprint in Alpha Stage (7)
Access URL in Unity
FunctoinDemo form
MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq
Daily
More
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)

Code World

© 2018 codetd.com