Security protection method and system for single sign-on jump link

Document No.: 190846    Publication date: 2021-11-02    Language: Chinese

Reading note: this technology, 一种单点登录跳转链接的安全保护方法及系统 (Security protection method and system for single sign-on jump link), was designed and created by 李宪状, 颜秉珩 and 冯振 on 2021-06-24. Main content: the embodiments of the invention provide a security protection method and system for single sign-on jump links. Before a first software system jumps to a second software system, the account name in the first software system is checked by usbKey account authentication; if the account name check passes, the first software system sends the single sign-on jump link URL to the second software system; the second software system receives the URL and checks it; and if the URL check passes, the jump into the second software system proceeds. The method and system pass a mutual trust code inside a check code negotiated among the software systems, using a shared encryption and decryption scheme, add a time difference check that filters out URL requests exceeding the time limit, and add usbKey account authentication, thereby protecting the software systems from unauthorized access.

1. A security protection method for a single sign-on jump link, in which a user first logs on to a first software system, characterized in that the method comprises:

before the first software system jumps to a second software system, checking the account name in the first software system by usbKey account authentication;

if the account name check passes, the first software system sending the single sign-on jump link URL to the second software system;

the second software system receiving the URL and checking the URL;

and if the URL check passes, jumping into the second software system.

2. The security protection method for a single sign-on jump link according to claim 1, wherein checking the account name in the first software system by usbKey account authentication specifically comprises:

the first software system reading the account name stored in the usbKey account authentication device and comparing whether it is the same as the login account name of the first software system.

3. The method according to claim 1, wherein the URL includes three parameters: the login account name of the second software system, the login password ciphertext of the second software system, and a check code.

4. The security protection method for a single sign-on jump link according to claim 3, wherein the second software system checking the URL specifically comprises:

performing a first check on the check code in the URL;

if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and the login password plaintext of the second software system to the backend for a second check.

5. The security protection method for a single sign-on jump link according to claim 4, wherein the first check on the check code in the URL specifically comprises:

converting the check code ciphertext into check code plaintext with the encryption and decryption algorithm;

sending the mutual trust code incloudos contained in the check code plaintext to the backend for a mutual trust code check;

if the mutual trust code check passes, reading from the check code plaintext the timestamp at which the first software system generated the URL, and subtracting it from the current time of the second software system to obtain the actual time difference Δt;

if Δt ≤ Δt_max, the first check passes.

6. The security protection method for a single sign-on jump link according to claim 1, wherein the user can log in to the first software system and/or the second software system when the hardware device hosting the client of the first software system and the client of the second software system is connected to the usbKey account authentication device.

7. A security protection system for a single sign-on jump link, implemented based on the method of any one of claims 1 to 6, characterized in that the system comprises:

a first software system, used to provide the login account name and login password of the first software system;

a usbKey account authentication device, used to store the account name of the user;

a first verification module, used to check the account name in the first software system by means of the usbKey account authentication device;

a jump link generation module, used to generate the single sign-on jump link URL;

a second software system, used to receive the URL;

and a second verification module, used by the second software system to check the URL.

8. The security protection system for a single sign-on jump link according to claim 7, wherein the jump link generation module generating the single sign-on jump link URL specifically comprises:

an account generation unit, used to generate the login account name of the second software system;

a password generation unit, used to generate the login password ciphertext of the second software system;

and a check code generation unit, used to generate the check code ciphertext, wherein the check code ciphertext comprises the mutual trust code incloudos, the check time difference Δt_max, and the timestamp at which the first software system generated the URL.

9. The security protection system for a single sign-on jump link according to claim 8, wherein the second verification module checking the URL specifically comprises:

performing a first check on the check code in the URL;

if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and the login password plaintext of the second software system to the backend for a second check.

10. The security protection system for a single sign-on jump link according to claim 9, wherein the first check on the check code in the URL specifically comprises:

converting the check code ciphertext into check code plaintext with the encryption and decryption algorithm;

sending the mutual trust code incloudos contained in the check code plaintext to the backend for a mutual trust code check;

if the mutual trust code check passes, reading from the check code plaintext the timestamp at which the first software system generated the URL, and subtracting it from the current time of the second software system to obtain the actual time difference Δt;

if Δt ≤ Δt_max, the first check passes.

Technical Field

The invention relates to the technical field of software systems, in particular to a security protection method and system for single sign-on jump links.

Background

In the early stage of enterprise informatization, an enterprise had few application systems, and a single user only needed to remember the login passwords of one or two systems. As enterprise informatization developed rapidly, no single system could cover all business scenarios, so the number of application systems a user deals with inevitably grew, and it is now very common for one enterprise to run multiple application systems. Since each of these systems has its own independent authentication and authorization, the user must remember ever more login passwords at once. From a security standpoint the passwords should all differ, but human memory is limited, so the many login passwords end up almost identical, which creates a conflict between security and convenience.

In this context the concept of single sign-on arose. Put simply, single sign-on means that a user who has logged on to one application can use that identity to access other applications. One way to achieve login-free access is to carry authentication information in the jump link, for example in the following two forms:

http://10.89.78.21/sso?account=test&passwd=XXXXXXX

http://10.89.78.21/sso?token=XXXXXXX

The first link transmits a user name and a password in the URL (uniform resource locator); after the target system receives the two parameters it checks their validity, and if they are valid it allows login-free access to the target system.

The second link transmits a token in the URL; the token is issued by the target system, and after receiving it the target system checks the token's validity and, if it is valid, allows login-free access to the target system.

However, in both forms, if the link leaks, anyone holding it can use it to jump into the system at any time and any number of times. This is a serious hidden danger for the security of the single sign-on jump link and exposes the system to the risk of unauthorized access.

Disclosure of Invention

The embodiments of the invention provide a security protection method and system for a single sign-on jump link, which prevent the security problem of a leaked single sign-on jump link between software systems being usable at any time and any number of times, and protect the software systems from unauthorized access.

The embodiment of the invention discloses the following technical scheme:

In a first aspect, the invention provides a security protection method for a single sign-on jump link, in which a user first logs on to a first software system; the method comprises:

before the first software system jumps to a second software system, checking the account name in the first software system by usbKey account authentication;

if the account name check passes, the first software system sending the single sign-on jump link URL to the second software system;

the second software system receiving the URL and checking the URL;

and if the URL check passes, jumping into the second software system.

Further, checking the account name in the first software system by usbKey account authentication specifically comprises:

the first software system reading the account name stored in the usbKey account authentication device and comparing whether it is the same as the login account name of the first software system.

Further, the URL includes three parameters: the login account name of the second software system, the login password ciphertext of the second software system, and a check code. The check code in turn contains three parameters: the mutual trust code incloudos, the check time difference Δt_max, and the timestamp at which the first software system generated the URL.

Further, the second software system checking the URL specifically comprises:

performing a first check on the check code in the URL;

if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and the login password plaintext of the second software system to the backend for a second check.

Further, the first check on the check code in the URL specifically comprises:

converting the check code ciphertext into check code plaintext with the encryption and decryption algorithm;

sending the mutual trust code incloudos contained in the check code plaintext to the backend for a mutual trust code check;

if the mutual trust code check passes, reading from the check code plaintext the timestamp at which the first software system generated the URL, and subtracting it from the current time of the second software system to obtain the actual time difference Δt;

if Δt ≤ Δt_max, the first check passes.

Further, the encryption and decryption algorithm used by the first software system and the second software system for the login password and the check code is the AES 128-bit algorithm, and the encryption and decryption key used by the algorithm is preset by the first software system and the second software system.

Further, the first software system and the second software system both synchronize with the same NTP server.

Further, when the hardware device hosting the client of the first software system and the client of the second software system is connected to the usbKey account authentication device, the user can log in to the first software system and/or the second software system.

In a second aspect, the invention provides a security protection system for a single sign-on jump link, comprising:

a first software system, used to provide the login account name and login password of the first software system;

a usbKey account authentication device, used to store the account name of the user;

a first verification module, used to check the account name in the first software system by means of the usbKey account authentication device;

a jump link generation module, used to generate the single sign-on jump link URL;

a second software system, used to receive the URL;

and a second verification module, used by the second software system to check the URL.

Further, the jump link generation module generating the single sign-on jump link URL specifically comprises:

an account generation unit, used to generate the login account name of the second software system;

a password generation unit, used to generate the login password ciphertext of the second software system;

and a check code generation unit, used to generate the check code ciphertext, wherein the check code ciphertext comprises the mutual trust code incloudos, the check time difference Δt_max, and the timestamp at which the first software system generated the URL.

Further, the second verification module checking the URL specifically comprises:

performing a first check on the check code in the URL;

if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and the login password plaintext of the second software system to the backend for a second check.

Further, the first check on the check code in the URL specifically comprises:

converting the check code ciphertext into check code plaintext with the encryption and decryption algorithm;

sending the mutual trust code incloudos contained in the check code plaintext to the backend for a mutual trust code check;

if the mutual trust code check passes, reading from the check code plaintext the timestamp at which the first software system generated the URL, and subtracting it from the current time of the second software system to obtain the actual time difference Δt;

if Δt ≤ Δt_max, the first check passes.

The effects stated in this summary are only those of the embodiments, not all the effects of the invention; the technical solutions above have the following advantages or beneficial effects:

Before the first software system jumps to the second software system, the first software system reads the account name from the usbKey account authentication device and checks it by comparing it with the login account name of the first software system to determine whether the two are the same. If the account name check passes, the first software system sends the single sign-on jump link URL to the second software system, and the second software system receives and checks the URL. Checking the URL comprises: performing a first check on the check code in the URL; if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and login password plaintext of the second software system to the backend for a second check. If the URL check passes, the jump into the second software system proceeds. The method of the invention passes the mutual trust code inside a check code negotiated among the several software systems, using a shared encryption and decryption scheme, adds a time difference check that filters out URL requests exceeding the time limit, and adds usbKey account authentication, thereby protecting the software systems from unauthorized access.

In the security protection system for a single sign-on jump link provided by the invention, the usbKey account authentication device stores the account name of the user, and the first verification module checks the account name in the first software system by means of the usbKey account authentication device. After the account name check passes, the first software system sends the single sign-on jump link URL to the second software system, and the second verification module checks the URL received by the second software system. The second verification module checking the URL comprises: performing a first check on the check code in the URL; if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and login password plaintext of the second software system to the backend for a second check. If the URL check passes, the jump into the second software system proceeds. The system passes the mutual trust code inside a check code negotiated among the several software systems, using a shared encryption and decryption scheme, adds a time difference check that filters out URL requests exceeding the time limit, and adds usbKey account authentication, thereby protecting the software systems from unauthorized access.

Drawings

In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below; it is obvious to those skilled in the art that other drawings can be obtained from these drawings without creative effort.

FIG. 1 is a flowchart of one embodiment of the method of the present invention;

FIG. 2 is a flowchart of the first check on the check code in the URL according to an embodiment of the present invention;

FIG. 3 is a block diagram of the system according to the second embodiment of the present invention.

Detailed Description

In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.

URL: Uniform Resource Locator, used to identify a resource on the World Wide Web.

AES: a widely used symmetric encryption algorithm, in which encryption and decryption use the same key; the key is a randomly chosen string.

NTP server: Network Time Protocol server, widely used in computer time synchronization to bring the clocks of different computers into agreement.

Example one

FIG. 1 is a flowchart of the method according to an embodiment of the present invention.

The user first logs on to the first software system, and the method comprises the following steps:

before the first software system jumps to the second software system, checking the account name in the first software system by usbKey account authentication;

if the account name check passes, the first software system sending the single sign-on jump link URL to the second software system;

the second software system receiving the URL and checking the URL;

and if the URL check passes, jumping into the second software system.

Before login, the first software system and the second software system must both synchronize with the same NTP server so that their system times agree.

When the hardware device hosting the clients of the first software system and the second software system is connected to the usbKey account authentication device, the user can log in to the first software system and/or the second software system.

The encryption and decryption algorithm used by the first software system and the second software system for the login password and the check code is the AES 128-bit algorithm, and the encryption and decryption key used by the algorithm is preset by the first software system and the second software system.

Checking the account name in the first software system by usbKey account authentication specifically comprises the following:

the first software system reads the account name stored in the usbKey account authentication device and compares whether it is the same as the login account name of the first software system.

That is, the first software system reads the account name stored in the currently connected usbKey account authentication device; this account name contains the user's unique identifier. If the login account name of the first software system does not match the account name in the usbKey, the jump from system A (the first software system) to system B (the second software system) is refused; if the two match, the account name check passes.

After the account name check passes, the first software system sends the single sign-on jump link URL to the second software system.

When jumping from the first software system to the second software system, the single sign-on jump link URL must carry a check code, validator, encrypted with the key shared by both parties. An example URL:

http://10.89.78.21/sso?account=test&passwd=NFefsgJBqLx3rmxrEAZb0A==&validator=hdOY9wDG/Gl6Drt2oAF71C6ZoO14dCmPr5mTnORhm1g=

The URL includes three parameters: the login account name of the second software system, the login password ciphertext of the second software system, and the check code validator.

In the example, the login account name of the second software system is "test". The login password ciphertext of the second software system is produced with the AES 128-bit encryption algorithm, using a key negotiated in advance between the first software system and the second software system; in the example, the login password ciphertext is NFefsgJBqLx3rmxrEAZb0A==, the login password plaintext is asdfghjkl, and the key is 123456.

The check code validator contains three parameters: the mutual trust code incloudos, the check time difference Δt_max, and the timestamp at which the first software system generated the URL. The check code validator is carried as a URL parameter to strengthen the security of the URL.

The check code validator is encrypted with the AES 128-bit encryption algorithm, and the encryption and decryption key is negotiated in advance by the first software system and the second software system. In the example, the ciphertext of the check code validator is hdOY9wDG/Gl6Drt2oAF71C6ZoO14dCmPr5mTnORhm1g= and its plaintext is incloudos+1622107256391+10min. The validator consists of three parts: incloudos is the mutual trust code, negotiated in advance by the first and second software systems; 1622107256391 is the timestamp at which the first software system generated the URL; and 10min is the check time difference Δt_max, which is also negotiated in advance by the first and second software systems.

After receiving the URL, the second software system first determines whether the URL carries all three of the login account name of the second software system, the login password ciphertext of the second software system, and the check code validator. If any of the three parameters is missing, it redirects directly to the login page of the second software system.

The second software system checking the URL specifically comprises the following steps:

performing a first check on the check code validator in the URL;

if the first check fails, redirecting directly to the login page of the second software system;

if the first check passes, decrypting the login password ciphertext of the second software system into the login password plaintext with the encryption and decryption algorithm, and sending the login account name and the login password plaintext of the second software system to the backend for a second check.

To check the validator parameter, the second software system decrypts it with the AES128 algorithm and the key negotiated in advance by the first and second software systems (123456 in the example); the decrypted validator in the example is incloudos+1622107256391+10min.

FIG. 2 is a flowchart of the first check on the check code validator in the URL according to an embodiment of the present invention, which specifically comprises:

converting the check code ciphertext into check code plaintext with the AES128 encryption and decryption algorithm;

sending the mutual trust code incloudos contained in the check code plaintext to the backend for a mutual trust code check, which judges whether incloudos is consistent with the previously negotiated mutual trust code; if not, redirecting directly to the login page of the second software system;

if the mutual trust code check passes, reading from the check code plaintext the timestamp 1622107256391 at which the first software system generated the URL, which corresponds to 2021-05-27 17:20:56.391, and subtracting it from the current time of the second software system, 2021-05-27 17:27:59.527, to obtain the actual time difference Δt = 7 min 3 s 136 ms;

if Δt > Δt_max, redirecting directly to the login page of system B (the second software system); if Δt ≤ Δt_max, the first check passes.

If the first check passes, the login password ciphertext of the second software system is decrypted into the login password plaintext with the AES128 decryption algorithm negotiated in advance by the first and second software systems; in the example, the decrypted login password plaintext is asdfghjkl. The login account name and login password plaintext of the second software system are then sent to the backend for the second check.

If the second check fails, the second software system redirects directly to its login page. If it passes, the jump into the second software system proceeds.
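
The procedure set out in the disclosure above and worked through with the example values of this embodiment, written out as an added example in Go. This is not the patent's own code: it builds the jump link on the first software system's side and runs the second software system's first check (parameter presence, mutual trust code, Δt against Δt_max) followed by the password decryption. The page names AES-128 but not the mode, padding or key derivation, so the example assumes AES-128-GCM with a constructed 16-byte key (the page's "123456" cannot serve as an AES key as-is); the base URL, account name, password and timestamp are the page's example values. One check the page does not state is added and labelled as such: a validator whose timestamp lies in the future beyond a small clock-skew allowance is rejected, otherwise such a link would remain valid for longer than Δt_max.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TrustCode and DeltaTMax are the page's example values, negotiated in advance by both
// systems. MaxClockSkew is an added check (not in the page): a validator stamped further
// in the future than this is rejected instead of outliving Δt_max.
const (
	TrustCode    = "incloudos"
	DeltaTMax    = 10 * time.Minute
	MaxClockSkew = 30 * time.Second
)

// The page names AES-128 but neither mode nor padding; AES-128-GCM is assumed here so
// that a modified ciphertext fails authentication. The 12-byte nonce is prepended.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a preset key of the wrong length is a deployment error
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

func encrypt(key, plaintext []byte) string {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable CSPRNG: refuse to issue links
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil))
}

func decrypt(key []byte, b64 string) ([]byte, error) {
	gcm := aead(key)
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad ciphertext encoding")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// BuildJumpURL is the first software system's side, run after the usbKey account check
// has passed. The validator plaintext follows the page's layout "incloudos+<ms>+<Δt_max>min".
func BuildJumpURL(base, account, password string, key []byte, now time.Time) string {
	plain := fmt.Sprintf("%s+%d+%dmin", TrustCode, now.UnixMilli(), int(DeltaTMax/time.Minute))
	passwd, validator := encrypt(key, []byte(password)), encrypt(key, []byte(plain))
	q := url.Values{"account": {account}, "passwd": {passwd}, "validator": {validator}}
	return base + "?" + q.Encode()
}

// VerifyJumpURL is the second software system's first check plus the password decryption;
// it returns what is handed to the backend for the second check, and any error means
// "redirect to the login page".
func VerifyJumpURL(raw string, key []byte, now time.Time) (account, password string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	if q.Get("account") == "" || q.Get("passwd") == "" || q.Get("validator") == "" {
		return "", "", fmt.Errorf("missing account, passwd or validator parameter")
	}
	plain, err := decrypt(key, q.Get("validator"))
	if err != nil {
		return "", "", fmt.Errorf("validator: %w", err)
	}
	parts := strings.Split(string(plain), "+")
	if len(parts) != 3 || parts[0] != TrustCode {
		return "", "", fmt.Errorf("validator: malformed or mutual trust code mismatch")
	}
	ms, err1 := strconv.ParseInt(parts[1], 10, 64)
	mins, err2 := strconv.Atoi(strings.TrimSuffix(parts[2], "min"))
	if err1 != nil || err2 != nil {
		return "", "", fmt.Errorf("validator: bad timestamp or Δt_max")
	}
	deltaT, maxAge := now.Sub(time.UnixMilli(ms)), time.Duration(mins)*time.Minute
	if deltaT > maxAge || deltaT < -MaxClockSkew { // expired, or stamped in the future
		return "", "", fmt.Errorf("validator: Δt=%s not within (-%s, %s]", deltaT, MaxClockSkew, maxAge)
	}
	pw, err := decrypt(key, q.Get("passwd"))
	if err != nil {
		return "", "", fmt.Errorf("passwd: %w", err)
	}
	return q.Get("account"), string(pw), nil
}

func main() {
	key := []byte("0123456789abcdef")  // constructed 16-byte AES-128 key; the page's "123456" is not usable as-is
	t0 := time.UnixMilli(1622107256391) // the page's example generation time
	link := BuildJumpURL("http://10.89.78.21/sso", "test", "asdfghjkl", key, t0)
	fmt.Println(VerifyJumpURL(link, key, t0.Add(7*time.Minute+3*time.Second+136*time.Millisecond))) // passes, as in the page
	fmt.Println(VerifyJumpURL(link, key, t0.Add(11*time.Minute)))                                  // Δt > Δt_max: login page
}
```

Two points follow from the design as described. First, the time window only bounds how long a leaked link stays usable; within Δt_max the same link can be replayed, since nothing in the URL is single-use. Second, Δt_max travels inside the validator, so the second system can only trust it if the ciphertext is authenticated; with an unauthenticated AES mode a holder of the link could alter the ciphertext without the key, which is why the example uses GCM rather than leaving the mode open.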

Example two

FIG. 3 is a block diagram of the system according to the second embodiment of the present invention; the system comprises:

a first software system, used to provide the login account name and login password of the first software system;

a usbKey account authentication device, used to store the account name of the user;

a first verification module, used to check the account name in the first software system by means of the usbKey account authentication device;

a jump link generation module, used to generate the single sign-on jump link URL;

a second software system, used to receive the URL;

and a second verification module, used by the second software system to check the URL.

Before login, the first software system and the second software system must both synchronize with the same NTP server so that their system times agree.

When the hardware device hosting the clients of the first software system and the second software system is connected to the usbKey account authentication device, the user can log in to the first software system and/or the second software system.

The encryption and decryption algorithm used by the first software system and the second software system for the login password and the check code is the AES 128-bit algorithm, and the encryption and decryption key used by the algorithm is preset by the first software system and the second software system.

The first verification module checking the account name in the first software system specifically comprises the following:

the first software system reads the account name stored in the usbKey account authentication device and compares whether it is the same as the login account name of the first software system.

That is, the first software system reads the account name stored in the currently connected usbKey account authentication device; this account name contains the user's unique identifier. If the login account name of the first software system does not match the account name in the usbKey, the jump from system A (the first software system) to system B (the second software system) is refused; if the two match, the account name check passes.

After the account name check passes, the first software system sends the single sign-on jump link URL to the second software system.

The jump link generation module generates a single sign-on jump link URL, and specifically comprises:

the account generation unit is used for generating a login account name of the second software system;

the password generating unit is used for generating a login password ciphertext of the second software system;

and the check code generation unit is used for generating a check code ciphertext, where the check code ciphertext comprises the mutual trust code incloudos, the check time difference Δt_max, and the timestamp at which the first software system generates the URL.

When jumping from the first software system to the second software system, the single sign-on jump link URL needs to carry a check code validator, encrypted with the algorithm and key agreed by both parties. An example URL is as follows:

http://10.89.78.21/sso?account=test&passwd=NFefsgJBqLx3rmxrEAZb0A==&validator=hdOY9wDG/Gl6Drt2oAF71C6ZoO14dCmPr5mTnORhm1g=

the URL includes three parameters, which are a login account name of the second software system, a login password ciphertext of the second software system, and a check code validator.

In the example, the login account name of the second software system is "test". The login password ciphertext of the second software system is produced with the AES 128-bit encryption algorithm under a key negotiated in advance between the first software system and the second software system; for example, the login password ciphertext is NFefsgJBqLx3rmxrEAZb0A==, the login password plaintext is asdfghjkl, and the key is 123456.

The check code validator comprises three parameters: the mutual trust code incloudos, the check time difference Δt_max, and the timestamp of the first software system when generating the URL. The check code validator is carried as a URL parameter to further strengthen the security of the URL.

The check code validator is encrypted with the AES 128-bit encryption algorithm, and the encryption and decryption key is negotiated in advance by the first software system and the second software system. In the example, the ciphertext of the check code validator is hdOY9wDG/Gl6Drt2oAF71C6ZoO14dCmPr5mTnORhm1g= and its plaintext is incloudos+1622107256391+10min. The validator consists of three parts: incloudos is the mutual trust code, negotiated in advance by the first software system and the second software system; 1622107256391 is the timestamp at which the first software system generated the URL; and 10min is the check time difference Δt_max, which is also negotiated in advance by the first software system and the second software system.

After receiving the URL, the second software system first determines whether the URL carries a login account name of the second software system, a login password ciphertext of the second software system, and a check code validator. None of these three parameters may be absent: if any parameter is missing, the request is redirected directly to the login page of the second software system.

The specific process of the second verification module for verifying the URL comprises the following steps:

carrying out primary check on a check code validator in the URL;

if the first verification is not passed, directly redirecting to a login page of a second software system;

if the first time of verification is passed, the login password ciphertext of the second software system is decrypted into a login password plaintext by using an encryption and decryption algorithm, and the login account name and the login password plaintext of the second software system are sent to a background for second time of verification.

The second software system checks the validator parameter using the AES128 decryption algorithm negotiated in advance by the first software system and the second software system; with the example encryption/decryption key 123456, the decrypted validator is incloudos+1622107256391+10min.

The first check of the check code in the URL comprises the following specific steps:

converting the check code ciphertext into a check code plaintext by using an AES128 encryption and decryption algorithm;

sending the mutual trust code incloudos in the check code plaintext to the background for mutual trust code verification; judging whether incloudos is consistent with the previously negotiated mutual trust code, and if not, directly redirecting to the login page of the second software system;

if the mutual trust code verification passes, reading the timestamp 1622107256391 at which the first software system generated the URL from the check code plaintext, which converts to 2021-05-27 17:20:56.391, and subtracting it from the current time of the second software system, 2021-05-27 17:27:59.527, to obtain the actual time difference Δt = 7min 3s 136ms;

if Δt > Δt_max, the request is directly redirected to the login page of the second software system (system B); if Δt <= Δt_max, the first check passes.

If the first check passes, the AES128 decryption algorithm negotiated in advance by the first software system and the second software system is used to decrypt the login password ciphertext of the second software system into the login password plaintext; in the example, the decrypted login password plaintext is asdfghjkl. The login account name and the login password plaintext of the second software system are then sent to the background for the second check.

If the second check fails, the request is directly redirected to the login page of the second software system. If it passes, the jump into the second software system proceeds.
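As an added example, not code from the patent itself, the following Go program builds a validator of the form described above and performs the first check on the receiving side: decrypt, compare the mutual trust code, then compare the elapsed time against Δt_max. The key derivation (zero-padding the negotiated secret, e.g. 123456, to 16 bytes) and the cipher mode (AES-128-GCM, chosen because it also detects tampering with the validator and password ciphertext; the text specifies only "AES 128-bit") are assumptions, so it does not reproduce the page's exact ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// TrustCode is the mutual trust code both systems negotiated in advance (the page's example value).
const TrustCode = "incloudos"

// gcmFor zero-pads the secret to an AES-128 key and returns AES-GCM (both are assumptions; the page says only "AES 128-bit").
func gcmFor(secret string) (cipher.AEAD, error) {
	key := make([]byte, 16); copy(key, secret)
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func Encrypt(secret, plain string) (string, error) {
	gcm, err := gcmFor(secret)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil)), nil
}
// Decrypt takes base64(nonce || ciphertext || tag) as carried in the URL; a tampered value fails the GCM tag check.
func Decrypt(secret, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	gcm, err2 := gcmFor(secret)
	if err != nil || err2 != nil || len(raw) < gcm.NonceSize() { return "", errors.New("bad ciphertext") }
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}
// BuildValidator encrypts the page's validator plaintext "incloudos+<timestamp ms>+<Δt_max>min".
func BuildValidator(secret string, tsMillis int64, maxMin int) (string, error) {
	return Encrypt(secret, TrustCode+"+"+strconv.FormatInt(tsMillis, 10)+"+"+strconv.Itoa(maxMin)+"min")
}
// CheckValidator is the first check on the second system: trust code, then 0 <= Δt <= Δt_max; any error means redirect to login.
func CheckValidator(secret, validator string, nowMillis int64) error {
	plain, err := Decrypt(secret, validator)
	parts := strings.Split(plain, "+")
	if err != nil || len(parts) != 3 || parts[0] != TrustCode { return errors.New("undecryptable validator or mutual trust code mismatch") }
	ts, err1 := strconv.ParseInt(parts[1], 10, 64)
	maxMin, err2 := strconv.ParseInt(strings.TrimSuffix(parts[2], "min"), 10, 64)
	if d := nowMillis - ts; err1 != nil || err2 != nil || d < 0 || d > maxMin*60000 { return errors.New("malformed validator or Δt exceeds Δt_max") }
	return nil
}
```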

in the single sign-on jump-link security protection system provided by the invention, the usbKey account authentication device is used for storing the account name of the user, and the first verification module verifies the account name in the first software system through the usbKey account authentication device; after the account name is verified, the first software system sends the single-point login skip link URL to the second software system, and the second verification module verifies the URL received by the second software system. The second verification module verifying the URL comprises: carrying out primary check on the check code in the URL; if the first time of verification is passed, the login password ciphertext of the second software system is decrypted into a login password plaintext by using an encryption and decryption algorithm, and the login account name and the login password plaintext of the second software system are sent to a background for second time of verification. And if the URL passes the verification, jumping to a second software system. The system transmits the mutual communication code by using a common encryption and decryption mode through the check code negotiated among a plurality of software systems, filters the URL request exceeding the time limit by adding time difference verification and increases the mode of usbKey account authentication, thereby preventing the software systems from unauthorized illegal access.

The foregoing is only a preferred embodiment of the present invention, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the invention, and such modifications and improvements are also considered to be within the scope of the invention.
