
Ways to prevent data fraud

2022-08-09 11:44:00 Programmer Malatang

I. Example

Let's look at a classic example of data fraud:

After a successful login to some websites, the browser's cookie is set to a serviceToken value, and the server can look up the user's information through this value.

If the serviceToken is hijacked, someone else can use your identity to perform all kinds of operations.


Most scalper software works on this principle too: it does not need to obtain your account password, only the serviceToken, and it then uses those serviceToken values to perform operations under your identity.

Is there a server-side solution to determine that the data sent was really sent by me?

II. The plan

At the heart of this question is identification: proving that the data really comes from you!

2.1 Prerequisites

We can take advantage of the capabilities of public and private keys. Realizing this scheme requires:

  1. A public and private key pair on the requester

  2. Keeping the private key secure so that it is never leaked

2.2 Flowchart


2.3 Description

  1. When obtaining the serviceToken, the server uses the server's private key to sign the combination (device public key device.pub and serviceToken), producing ts_sign, so that the device public key and the serviceToken are bound together

  2. When using the serviceToken, the client also passes ts_sign and the device public key device.pub. The server uses the server public key to verify that these three pieces of data belong together; if they do, it proves that the server itself signed this device public key device.pub together with this serviceToken

  3. The last remaining problem is how the server knows that this request was initiated by the holder of the private key. The request data is signed with the device private key device.key to produce req_sign, and the server verifies that signature with the passed device public key device.pub. If it passes, the request can be confirmed to have come from the private key holder

Through this series of derivations, we can achieve the effect of data fraud prevention.
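The three steps above, worked through as an added example in Go (not code from the original post). It uses Ed25519 from the Go standard library; the TokenBinding struct, the function names, and the sample keys, token and request body are my own constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TokenBinding is what the client presents: serviceToken, device.pub and ts_sign.
type TokenBinding struct {
	ServiceToken string
	DevicePub    ed25519.PublicKey
	TsSign       []byte
}

// bindingMessage is the byte string the server signs; device.pub has a fixed
// 32-byte length, so the concatenation is unambiguous.
func bindingMessage(token string, devicePub ed25519.PublicKey) []byte {
	return append(append([]byte{}, devicePub...), token...)
}

// IssueToken is step 1: the server signs (device.pub, serviceToken) with its private key.
func IssueToken(serverPriv ed25519.PrivateKey, devicePub ed25519.PublicKey, token string) TokenBinding {
	return TokenBinding{token, devicePub, ed25519.Sign(serverPriv, bindingMessage(token, devicePub))}
}

// VerifyRequest is steps 2 and 3: ts_sign is checked with the server public key,
// then req_sign (the device.key signature over the body) with the device.pub that ts_sign vouches for.
func VerifyRequest(serverPub ed25519.PublicKey, tb TokenBinding, body, reqSign []byte) error {
	if len(tb.DevicePub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return errors.New("malformed device public key")
	}
	if !ed25519.Verify(serverPub, bindingMessage(tb.ServiceToken, tb.DevicePub), tb.TsSign) {
		return errors.New("ts_sign invalid: serviceToken is not bound to this device key")
	}
	if !ed25519.Verify(tb.DevicePub, body, reqSign) {
		return errors.New("req_sign invalid: request was not signed with the device private key")
	}
	return nil
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	tb := IssueToken(serverPriv, devPub, "svc-token-123") // constructed sample token
	body := []byte(`{"action":"buy"}`)                     // constructed sample request
	fmt.Println(VerifyRequest(serverPub, tb, body, ed25519.Sign(devPriv, body))) // <nil>
}
```

A stolen serviceToken and ts_sign are useless without device.key: a request signed with any other key fails the req_sign check, and swapping in a different device.pub breaks ts_sign.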

III. Summary

A lot of preconditions are needed to realize this solution, and the complexity of the system also increases, but it is indeed a very delicate design. What other solutions do you know of to prevent fraudulent use of data?

Finally

If you like my articles, you can follow my public account (Programmer Malatang)

My personal blog is: https://shidawuhen.github.io/

Review of past articles:

  1. Design Pattern

  2. Recruitment

  3. Thinking

  4. Storage

  5. Algorithm Series

  6. Reading Notes

  7. Widget

  8. Architecture

  9. Network

  10. Go language


Copyright notice
This article was created by [Programmer Malatang]; please include the original link when reposting, thank you
https://yzsam.com/2022/221/202208091127572509.html