Ways to prevent data fraud
2022-08-09 11:44:00 【Programmer Malatang】
I. Example
Let's look at a classic example of data fraud:
After a successful login to some websites, the browser stores a serviceToken value in a cookie, and the server uses that value to look up the user's information.
If the serviceToken is hijacked, someone else can use your identity to perform any operation.
Most scalper software works on this principle: it does not need your account password, only your serviceToken, and it then uses these serviceToken values to act with your identity.
Is there a server-side way to determine that the data it receives was really sent by me?
II. Plan
At the heart of this question is identification: proving that the data really belongs to you.
2.1 Prerequisites
We can make use of public/private key pairs. Realizing this scheme requires:
A public/private key pair on the requester (the device)
The private key is kept secure and is never leaked
2.2 Flowchart
2.3 Description
When the serviceToken is issued, the server uses its own private key to sign the combination of the device public key device.pub and the serviceToken, producing ts_sign, so that the device public key and the serviceToken are bound together.
When using the serviceToken, the client must also send ts_sign and the device public key device.pub. The server uses its public key to verify that these three values are consistent; if they are, it proves that the server itself signed this device public key device.pub together with this serviceToken.
The last remaining problem is: how does the server know that this request was initiated by the holder of the private key? The request data is signed with the device private key device.key to produce req_sign, and the server verifies that signature with the device public key device.pub that was passed along. If the signature verifies, the request was indeed sent by the holder of the private key.
Through this chain of reasoning, we achieve the effect of preventing data fraud.
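The two-stage check described above, written as an added example (not code from the original post) using Go's standard-library Ed25519: at login the server signs device.pub together with the serviceToken to produce ts_sign, and on every later request it verifies that binding and then the device's req_sign. The key pairs, token value and request body are constructed for the example; the "|" separator inside the signed message and the public-key length check are my additions, not part of the post's description.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server holds the server key pair (generated fresh here; a real server would load it).
type Server struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewServer() *Server {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{pub: pub, priv: priv}
}
// bindingMsg is what the server signs at login: device.pub joined with serviceToken
// (the "|" separator is an added detail so the two fields cannot run together).
func bindingMsg(devicePub ed25519.PublicKey, token string) []byte {
	return append(append([]byte{}, devicePub...), []byte("|"+token)...)
}
// IssueTsSign is the login step: ts_sign = Sign(server.key, device.pub || serviceToken).
func (s *Server) IssueTsSign(devicePub ed25519.PublicKey, token string) []byte {
	return ed25519.Sign(s.priv, bindingMsg(devicePub, token))
}
// Request is everything the client sends on a later call.
type Request struct {
	Token     string
	DevicePub ed25519.PublicKey
	TsSign    []byte // server's binding signature from login
	Body      []byte
	ReqSign   []byte // Sign(device.key, Body), produced by the device
}

// SignRequest runs on the device, which alone holds device.key.
func SignRequest(devicePriv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(devicePriv, body)
}

// Verify does the two checks from the description: binding first, then key possession.
func (s *Server) Verify(r Request) error {
	if len(r.DevicePub) != ed25519.PublicKeySize {
		return errors.New("device.pub has wrong length") // ed25519.Verify panics on bad length
	}
	if !ed25519.Verify(s.pub, bindingMsg(r.DevicePub, r.Token), r.TsSign) {
		return errors.New("ts_sign invalid: device.pub is not bound to this serviceToken")
	}
	if !ed25519.Verify(r.DevicePub, r.Body, r.ReqSign) {
		return errors.New("req_sign invalid: not signed by the holder of device.key")
	}
	return nil
}
```

A stolen cookie alone therefore fails at the req_sign step, and an attacker who swaps in their own device.pub fails at the ts_sign step, because the server never signed that key with this token.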
III. Summary
Realizing this solution requires many preconditions and increases the complexity of the system, but it is a very ingenious design. What other solutions do you know of to prevent fraudulent use of data?
Finally
If you like my articles, you can follow my public account (Programmer Malatang)
My personal blog is: https://shidawuhen.github.io/