CN100499453C - Method of the authentication at client end - Google Patents
Method of the authentication at client end Download PDFInfo
- Publication number
- CN100499453C CN100499453C CNB2004100703130A CN200410070313A CN100499453C CN 100499453 C CN100499453 C CN 100499453C CN B2004100703130 A CNB2004100703130 A CN B2004100703130A CN 200410070313 A CN200410070313 A CN 200410070313A CN 100499453 C CN100499453 C CN 100499453C
- Authority
- CN
- China
- Prior art keywords
- client
- random number
- application server
- certificate
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Abstract
Attestation center of client end is setup for carrying out attestation for client end. The attestation center of client end is connected to application server. The method includes following steps: (1) client end initiates request of access with carried information of software version at client end to the application server; the application server launches request for attestation center of client end to carry out attestation for the client end; (2) the attestation center of client end carries out attestation for the client end; (3) determining whether client end is passed attestation in step (2); if yes, then application server accepts request of access from client end; otherwise, refusing the request of access. The invention prevents malicious attack launched by illegal user through connection built between client end and server, builds regulation of network order.
Description
Technical field
The present invention relates to network safety filed, relate in particular to a kind of method of client certificate.
Background technology
In recent years along with the continuous extension and the development of information technology and network application, fast, the Internet has become government with the mobile network easily, the enterprises and individuals carries out information transmission and the platform that exchanges.No matter cable network or wireless network, its business all is to carry out according to the agreement of standard, so the server in the network is subjected to coming from the attack of client through regular meeting, causes data message to lose in a large number and damage, and increases the manpower and the material resources of network operation.
Avoid the user by client to the method for server attack to be at present: the user identity to client carries out authentication, the message between client and the server is carried out encipherment protection and the data of transmission is carried out completeness check etc.Protected mode to user profile in the prior art has following two kinds:
(1) encrypts and authentication.
In cable network, client and application server (AS) are encrypted and are authenticated according to simple authenticated flow process as shown in Figure 1.Described simple authenticated flow process may further comprise the steps:
Step 101. client and AS consulted encryption algorithm.
In this step, client at first exchange with AS both sides the cryptographic algorithm that can support; Then, client and AS consult the concrete cryptographic algorithm that adopts.
Step 102. client sends to AS with user name and the pairing password of this user name.
After step 103.AS receives the username and password of client, carry out authentication, judge whether the corresponding relation of user name and password is correct according to the cryptographic algorithm of consulting in the step 101; Then, AS sends to client with authentication responses, indicates authenticating result.
Above-mentioned flow process is mainly used in the lower occasion of safety requirements, as connection foundation of PPP(Point-to-Point Protocol) etc.If there have been the cryptographic algorithm of acquiescence in client and AS, then both sides need not execution in step 101, but directly uses the algorithm of acquiescence to carry out authentication.
In such as global system for mobile communications mobile networks such as (GSM), client and AS carry out authentication according to flow process shown in Figure 2.This method may further comprise the steps:
Step 201. client sends authentication request to AS, and provides operator pre-assigned user ID.
Step 202~203.AS sends the authentication parameter request to database, and then database returns authentication parameter to AS and replys.
By above-mentioned two steps, AS obtains the authentication parameter of this client according to the user ID in the step 201 from database, this authentication parameter comprises a random number, cryptographic algorithm sequence number and uses result after the pairing cryptographic algorithm of cryptographic algorithm sequence number is encrypted described random number.
After step 204~206.AS was handed down to client with authentication parameter, client reported AS with cryptographic calculation results, and AS returns to client with authenticating result again.
In above-mentioned steps 204~206, at first, AS sends to client with cryptographic algorithm sequence number and the random number in the authentication parameter, selects cryptographic algorithm according to the cryptographic algorithm sequence number by client in its data storehouse; Then, the cryptographic algorithm that the client utilization chooses sends to AS with the result after the random number that comes from AS is encrypted; At last, random number encryption result that AS sends client and the random number encryption result who obtains from database compare, if it is consistent, think that then authentication is successful, promptly use the user of this client legal, then AS and client continue to use this cryptographic algorithm that the information of subsequent transmission is encrypted; Otherwise, think and promptly use the user of this client illegal by failed authentication, and refuse its access.
(2) digital certificate.
Digital certificate is to be used for the data file that cable network is set up client identity and electronic asset, can guarantee online communication safely, and usually is used to protect online transaction etc.
Digital certificate is provided as reliable third party by authentication center (CA).CA authenticates and comes by self-signing certificate the authenticity of certification to certificate holder's identity.After certificate carries out digital signing by CA, owing to contain information such as the term of validity of title, sequence number and certificate of holder's name and e-mail address, the CA that issues licence or failure period in the certificate, so the holder of digital certificate can be with its E-Passport as the own identity of proof.
Digital certificate adopts public key system, promptly utilizes a pair of key that matches each other to encrypt, decipher.Each user sets a PKI and open to one group of user by me, is used for encrypting and certifying signature; Also utilize only being decrypted and signing of own setting simultaneously for the private key known to me.When sending a classified document, transmit leg uses the data encryption of recipient's PKI to transmission, and the recipient then uses the private key deciphering of oneself, and information just can arrive the destination safe and punctually like this.The digital certificate mode guarantees that encryption and decryption is an irreversible process, and the private key that promptly only obtains the user could be decrypted the data of the public key encryption that uses this private key correspondence.
Digital certificate is the higher authentication mode of level of security in the cable network, and it is mainly used in such as in the information exchanging processes such as ecommerce.As shown in Figure 3, the digital certificate mode may further comprise the steps:
Step 301. user A utilizes the private key of self to sign to sent data message, shows self identity.
Step 302~304. user A at first carry out session with CA, the PKI of request user B; Then, CA is handed down to user A with the PKI of user B; Then, user A uses the PKI of user B that data are encrypted.
Step 305. user A is with data encrypted, and promptly ciphertext sends to user B.
Step 306. user B uses the private key of self that ciphertext is decrypted after receiving the ciphertext of user A transmission.
In the application of reality,, then can directly begin the identifying procedure of combine digital certificate mode from step 302 if user A is reluctant to indicate transmit leg in information transmitted.
In the network of client and server composition, client can be regarded as above-mentioned user A, and server then is above-mentioned user B.
The shortcoming of each authentication method of prior art is:
1. in the encryption and authentication mode of cable network, because a server authentication is used the user's of client identity, forged by other people, thereby can set up and being connected of server, so fail safe is lower and user name and pairing password thereof are very easy.
2. in mobile network's encryption and authentication mode, the major measure that guarantees fail safe is maintaining secrecy of cryptographic algorithm, in case and cryptographic algorithm is revealed, palmed off validated user by other people then very easily, and then initiation malicious attack with server connects.
3. in the digital certificate mode, the information of various its fail safes of proof that comprised in the certificate can be forged by the mode of simulation CA by beyond the CA other people; In addition, CA only issues a digital certificate to every kind of client software, and then other people can connect with server by the software that duplicates validated user, and then initiates malicious attack.
4. for operator,, therefore exist such as unifying problems such as upgrading and charge to client software at aspects such as upgrading, management, operations owing to the effective control device that lacks client software; In addition, illegitimate client software can cause professional jejune impression to the user, destroys the image of operator.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of method of client certificate, prevent the attack of client server.
For achieving the above object, the invention provides a kind of method of client certificate, this method may further comprise the steps:
A. the client application server is initiated the access request carry the client software version information, and application server is initiated request that this client is authenticated to the client certificate center again;
B. the client certificate center authenticates the information of client;
C. whether judge client by the authentication among the step B, if pass through, then application server is accepted the access request of described client, otherwise, refuse the access request of this client.
Described client access belonging district, then described client certificate center is client certificate center, ownership district.
Described step B may further comprise the steps:
B11. application server is to the encrypted public key sequence number of this client of client certificate center requests and contain the random number of client certificate center with the respective private keys signature, then, random number and PKI sequence number are selected according to the version information parameter of client in the client certificate center, and after using respective private keys that random number is signed, random number is sent to application server with the PKI sequence number;
B12. application server is handed down to client with random number and PKI sequence number, and requesting client is submitted the authentication sign to, after client is selected PKI according to the PKI sequence number, digital signature to random number is verified, if it is the client certificate center that client is confirmed the transmit leg of this random number, then the signing certificate to random number and supplier carries out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption, otherwise, finish this identifying procedure;
B13. client will send to application server by the client certificate sign that the random number after encrypted certificate and the encryption is formed, and application server is submitted to the client certificate center with the client certificate sign;
B14. authentication is carried out to after the authentication sign deciphering in the client certificate center, then the mode of authenticating result by authentication response is sent to application server.
Adopt the authenticated user identity and the software mode in client access belonging district, then described step B11 further comprises:
When the client certificate center sends to application server with random number and PKI sequence number, require application server that effective user ID is provided, then, application server authenticates user's identity, if user's identity is legal, then continue execution in step B12, otherwise, refuse it and insert application server, and finish the user identity and the software authentication flow process in client access belonging district;
Described step B12 further comprises:
When application server is handed down to client with random number and PKI sequence number, judge whether self contains the user ID of this client, if, then require client to submit to and comprise the client certificate sign that software authentication identifies, otherwise, require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
Described step B12 further comprises:
If it is the client certificate center that client is confirmed the transmit leg of this random number, then user ID is joined in the signing certificate after the encryption.
Described client inserts the visit district, and then described client certificate center comprises client certificate center, ownership district and client certificate center, visit district.
Described step B may further comprise the steps:
B21. application server is distinguished the encrypted public key sequence number of this client of client certificate center requests and is contained the random number of client certificate center with the respective private keys signature to visit, then, the client certificate center, ownership district of this client of mind-set sends the request of encrypted public key sequence number in the visit district client certificate, random number and PKI sequence number are selected according to the version information parameter of client in the client certificate center by the ownership district, and after using respective private keys that random number is signed, random number is sent to client certificate center, visit district with the PKI sequence number, and client certificate center, visit district application server is again carried out the encrypted public key sequence number and is replied;
B22. application server is handed down to client with random number and PKI sequence number, and requesting client is submitted the authentication sign to, after client is selected PKI according to the PKI sequence number, digital signature to random number is verified, if it is the client certificate center that client is confirmed the transmit leg of this random number, then the signing certificate to random number and supplier carries out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption, otherwise, finish this identifying procedure;
B23. client will send to application server by the client certificate sign that the random number after encrypted certificate and the encryption is formed, application server is submitted to client certificate center, visit district with the client certificate sign, client certificate center, mind-set ownership district sends authentication request in the visit district client certificate, submits the client certificate sign to;
B24. authentication is carried out after to the deciphering of authentication sign in client certificate center in ownership district's, then the mode of result by authentication response is sent to client certificate center, visit district, and client certificate center, visit district sends to application server with the result again.
Adopt client to insert the authenticated user identity and the software mode in visit district, then described B21 further comprises:
Ownership district is replied random number and PKI sequence number at the client certificate center by the encrypted public key sequence number mode sends to visit and distinguishes the client certificate center, require client certificate center, visit district that effective user ID is provided, client certificate center, visit district application server is again carried out the encrypted public key sequence number and is replied, then, application server authenticates user's identity, if user's identity is legal, then continue execution in step B22, otherwise, refuse it and insert application server, and finish user identity and software authentication flow process that client inserts the visit district;
Described step B22 further comprises:
When application server is handed down to client with random number and PKI sequence number, judge whether self contains the user ID of this client, if, then require client to submit to and comprise the client certificate sign that software authentication identifies, otherwise, require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
Described step B22 further comprises:
If it is the client certificate center that client is confirmed the transmit leg of this random number, then also user ID to be joined in the signing certificate after the encryption.
Use the present invention, client certificate center (CCC) authenticates the client software that the user uses, and has only authentication success, just allows the client access server; In addition, under to the security requirement condition with higher, CCC all carries out authentication to user's identity and client software, has fully guaranteed the fail safe of information interaction.Particularly, the present invention has following beneficial effect:
1. operator's PKI and certificate different to the different clients software distribution, and the different editions to client software of the same race also distributes different PKIs and certificate, improved anti-counterfeiting power, avoided the malicious attack of disabled user by connecting and initiate with server, standard network order.
2. under to the security requirement condition with higher, CCC is the identity of authenticated user at first, again client software is carried out authentication under the legal situation of user identity, just allows the access of client under the authentication case of successful.By double authentication, the client software that the user identity that assurance and server connect and this user use is all legal, has prevented the behavior that connects with server by the legal client software of bootlegging effectively.
3. therefore the regular client software that has only supplier to issue among the present invention can improve the economic benefit of each software vendor by authentication.
4. for operator,, can unify upgrading and charge etc. comparatively easily, easily the behavior of standard and leading subscriber by the key message that the present invention can grasp client software.
Description of drawings
Fig. 1 is the flow chart of encryption in the existing cable network with authentication mode.
Fig. 2 is the flow chart of encryption among the existing mobile network with authentication mode.
Fig. 3 is the flow chart of existing digital certificate mode.
Fig. 4 is a client authentication process schematic diagram of the present invention.
Fig. 5 is the schematic diagram of the Authentication Client software mode embodiment in client access belonging of the present invention district.
Fig. 6 inserts the schematic diagram of the Authentication Client software mode embodiment in visit district for client of the present invention.
Fig. 7 is the authenticated user identity in client access belonging of the present invention district and the schematic diagram of software mode embodiment.
Fig. 8 inserts the authenticated user identity in visit district and the schematic diagram of software mode embodiment for client of the present invention.
Embodiment
For making purpose of the present invention, technical scheme clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
The present invention is a kind of method of client certificate, its basic thought is: set up a network that comprises client, client certificate center and AS, when client-requested inserts AS, AS submits to the client certificate center with the information of client, carry out authentication by the client certificate center, then accept the access request of the client of authentication success.
The present invention has proposed the notion at client certificate center in order to realize the authentication to client.The English full name at client certificate center is: Client Certification Center, be abbreviated as CCC, and it is a kind of node of operator, its effect is the true and false of differentiating certificate.Between CCC and the AS, all be connected between the CCC of heterogeneous networks, among the present invention, the communication interface between CCC and the AS is called the Ca interface, the interface of CCC between the heterogeneous networks is called the Can interface by communication interface.
Among the present invention, operator is right from CA request key according to supplier's request, then the PKI of cipher key pair is distributed to supplier's software, and a certificate such as sequence number also can be provided simultaneously.Every kind of software is all inequality from PKI and certificate that operator obtains, and the software of promptly different suppliers exploitation has different PKIs and certificate, and the different editions of same software also has different PKIs and certificate.
The present invention authenticates client according to flow process shown in Figure 4.At first, the CCC of operator is to supplier's software distribution certificate, and this certificate is sent to supplier together with the PKI storehouse that obtains from CA, and described PKI storehouse can dynamically update by aerial download (OTA) mode; Then, supplier carries out digital signature with the private key of self, signing certificate is put in the software that client will use again; Client software is at first to the CCC of operator request PKI sequence number and random number, then in the PKI storehouse that operator sends, seek the pairing PKI of above-mentioned PKI sequence number, and then utilize PKI and random number that signing certificate is encrypted, and in encrypted certificate, carry self information according to the authentication needs, as the sign of client or the version number of client software etc.; The CCC that the encrypted certificate that client will have been carried various information sends to operator verifies.
The detailed process of above-mentioned CCC checking is: CCC at first utilizes corresponding private key to be decrypted, and signing certificate, random number and the client of isolating supplier is carried on the information in the encrypted certificate; Utilize the pairing PKI of supplier's private key that signing certificate is deciphered then, judge the true and false of certificate, simultaneously random number and client-side information are checked, judge whether client is legal.
The authentication method of client can pass through Authentication Client software and Authentication Client identity and client software dual mode, avoids server to be subjected to coming from the attack of client.Because client is access server or by the strange land agent access server, so no matter be that cable network or mobile network all can be divided into client access belonging district and two kinds of situations are distinguished in visit directly.Therefore, the authentication method of client of the present invention is divided into and is following four kinds of situations: the Authentication Client software mode in client access belonging district, client insert the Authentication Client software mode in visit district, the authenticated user identity in client access belonging district and the authenticated user identity and the software mode in software mode and client access visit district.
Embodiment 1: the Authentication Client software mode in client access belonging district.
Client access belonging district comprises two kinds of situations: a kind of for containing the client-side information that requirement inserts among the CCC of cable network, another kind is roamed for mobile network's client.In the above two kinds of cases, CCC links to each other with AS by the Ca interface, and AS links together with client again.
As shown in Figure 5, this method may further comprise the steps:
The access request that the client software version information is carried in initiation to AS of step 501. client.
In this step, the version information of client software comprises distributing and releasing corporation and version number etc.
Step 502~504.AS asks the encrypted public key sequence number of this client and contains the random number of CCC with the respective private keys signature to CCC; Then, CCC selects random number and PKI sequence number according to the version information of client, and after using respective private keys that random number is signed, and random number is carried in the request of encrypted public key sequence number with the PKI sequence number sends to AS; Then, AS replys random number and PKI sequence number by the encrypted public key sequence number mode is handed down to client, and requesting client is submitted the authentication sign to.
Step 505. client is selected PKI according to the PKI sequence number, simultaneously the digital signature of random number is verified; After the transmit leg of having confirmed this random number is CCC, random number and supplier's signing certificate is carried out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption.
This step is when confirming the transmit leg of random number, because being CCC, this random number carries out ciphering signature with the private key that request inserts the client of AS, therefore client uses the PKI of self that this random number is decrypted, if can decipher then show that the transmit leg of random number is CCC; Otherwise client thinks that the transmit leg of random number is not CCC.
Step 506. client will send to AS by the mode that the client certificate sign that random number after encrypted certificate, the encryption and software version number are formed is replied by the authentication sign.
Step 507.AS submits to CCC with the client certificate sign by authentication request.
Step 508~509.CCC carries out authentication to after the authentication sign deciphering, then the mode of result by authentication response is sent to AS; AS inserts client according to authenticating result and replys, and indicates the connection of whether accepting client.
In this step, if the certificate after the deciphering is true, random number is correct and software version number is legal, then CCC thinks that this client software passes through authentication; Otherwise, this authenticating client software failure.
Because in the present embodiment, what client inserted is the ownership district, the CCC in the present embodiment is ownership district CCC (HCCC).
Embodiment 2: client inserts the Authentication Client software mode in visit district.
When the client of cable network had inserted that roaming takes place client among the CCC that do not contain its security information or the mobile network, that client inserts all was visit district CCC (VCCC).Because VCCC does not have the security information of client, thus VCCC need and the HCCC of client between carry out alternately, finish authentication to client software.
As shown in Figure 6, the Authentication Client software mode in client access visit district may further comprise the steps:
The access request that the client software version information is carried in initiation to AS of step 601. client.
In this step, the version information of client software comprises distributing and releasing corporation and version number etc.
Step 602~606.AS asks the encrypted public key sequence number of this client and contains the random number of CCC with the respective private keys signature to VCCC; Because VCCC does not contain the security information of this client, so VCCC is to the HCCC of this client request encrypted public key sequence number; Then, HCCC selects random number and PKI sequence number according to the version information parameter of client, and after using respective private keys that random number is signed, the mode that random number is replied by the encrypted public key sequence number with the PKI sequence number sends to VCCC, and VCCC carries out the encrypted public key sequence number to AS again and replys; Then, AS is handed down to client with random number and PKI sequence number by the mode that authenticates identification request, and requesting client is submitted the authentication sign to.
Step 607. client is selected PKI according to the PKI sequence number, simultaneously the digital signature of random number is verified; After the transmit leg of having confirmed this random number is CCC, random number and supplier's signing certificate is carried out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption.
Step 608~609. clients will send to AS by the mode that the client certificate sign that random number after encrypted certificate, the encryption and software version number are formed is replied by the authentication sign; AS sends to VCCC by authentication request, request authentication with the client certificate sign again.
Step 610.VCCC submits to HCCC with the client certificate sign by the mode of authentication request, and request HCCC authenticates this client software.
Step 611~613.HCCC carries out authentication to after the authentication sign deciphering, then the mode of result by authentication response is sent to VCCC; VCCC sends authenticating result to AS again; AS inserts client according to authenticating result and replys, and indicates the connection that whether receives client.
The difference of present embodiment and embodiment 1 is: VCCC does not comprise the security information of the client that requirement inserts, therefore by VCCC as transfer, the software of client is carried out authentication by HCCC; From the angle of idiographic flow, present embodiment has increased step 603,604,610 and 611 4 steps.
Embodiment 3: the authenticated user identity and the software mode in client access belonging district.
Under to the security requirement condition with higher, CCC can be earlier to the authenticating identity of client; If client identity is legal, then continue client software is carried out authentication, otherwise, directly refuse the connection request of this client.For identity that can checking client, operator sets up corresponding relation with client software certificate and User Identity and is stored among the CCC when opening an account to the user.
As shown in Figure 7, the authenticated user identity and the software mode in client access belonging district may further comprise the steps:
The access request that the client software version information is carried in initiation to AS of step 701. client.
Step 702.AS sends to CCC with the version information of client software, asks the encrypted public key sequence number of this client software and contains the random number of CCC with the respective private keys signature.
Step 703.CCC selects random number and PKI sequence number according to the version information of client software, and after using respective private keys that random number is signed, the mode that random number is replied by the encrypted public key sequence number with the PKI sequence number sends to AS, requires AS that effective user ID is provided simultaneously.
In this step effectively user ID be meant the sign of non-AS account number, as user's phone number or user name or the like.
Step 704.AS authenticates user's identity, if user's identity is legal, then continues execution in step 705; Otherwise, refuse it and insert AS, and finish the user identity and the software authentication flow process in client access belonging district.
This step is used existing method validation user's as shown in Figure 1 identity.
Step 705.AS is handed down to client with random number and PKI sequence number by the mode that authenticates identification request, and judges whether self contains the user ID of this client, if then require client to submit to and comprise the client certificate sign that software authentication identifies; Otherwise require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
Step 706. client is selected PKI according to the PKI sequence number, simultaneously the digital signature of random number is verified; After the transmit leg of having confirmed this random number is CCC, random number and supplier's signing certificate is carried out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption; In addition, needing client to provide under the situation of user ID, user ID is being joined in the signing certificate after the encryption.
The mode that step 707. client will be identified by authentication response by the client certificate that the random number after encrypted certificate and the encryption is formed sends to AS.
Step 708.AS submits to CCC with the client certificate sign.
Step 709~710.CCC carries out authentication after to client certificate sign deciphering, then the mode of result by authentication response is sent to AS; AS inserts client according to authenticating result and replys, and indicates the connection that whether receives client.
In this step, if the certificate after the deciphering is true, random number is correct, software version number is legal and the corresponding relation of user ID and software version number is correct, then CCC thinks that this client passes through authentication; Otherwise, this client failed authentication.
Present embodiment only under all legal situation of user that desire initiate to connect and the employed client software of this user, is just set up the connection that client arrives server, has improved fail safe.In addition, if legal client software by other user's bootleggings, then CCC can find this bootlegging situation by the corresponding relation of checking user and client software, and then refuses the connection that all use the disabled user of this client software.
Because in the present embodiment, what client inserted is the ownership district, so the CCC in the present embodiment is HCCC.
Embodiment 4: client inserts the authenticated user identity and the software mode in visit district.
As shown in Figure 8, present embodiment may further comprise the steps:
The access request that the client software version information is carried in initiation to AS of step 801. client.
Step 802~803.AS is to VCCC request encrypted public key sequence number and contain the random number of CCC with the respective private keys signature; VCCC is to the HCCC of this client request encrypted public key sequence number;
Step 804~805.HCCC selects random number and PKI sequence number according to the version information of client software, and after using respective private keys that random number is signed, the mode that random number is replied by the encrypted public key sequence number with the PKI sequence number sends to VCCC, requires VCCC that effective user ID is provided simultaneously; VCCC will carry out the encrypted public key sequence number to AS again and reply.
Step 806.AS authenticates user's identity, if user's identity is legal, then continues execution in step 807; Otherwise, refuse it and insert AS, and finish to insert under the visit district situation identifying procedure user identity and client software.
This step is used existing method validation user's as shown in Figure 1 identity.
Step 807.AS is handed down to client with random number and PKI sequence number, and judges whether self contains the user ID of this client, if then require client to submit to and comprise the client certificate sign that software authentication identifies; Otherwise require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
Step 808. client is selected PKI according to the PKI sequence number, simultaneously the digital signature of random number is verified; After the transmit leg of having confirmed this random number is CCC, random number and supplier's signing certificate is carried out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption; In addition, needing client to provide under the situation of user ID, user ID is being joined in the signing certificate after the encryption.
Step 809~810. clients will send to AS by the mode that the client certificate sign that the random number after encrypted certificate and the encryption is formed is replied by the authentication sign; AS sends to VCCC, request authentication with the client certificate sign again.
Step 811.VCCC submits to HCCC with the client certificate sign, and request HCCC authenticates this client software.
Step 812~814.HCCC carries out authentication to after the authentication sign deciphering, then the mode of result by authentication response is sent to VCCC; VCCC sends authenticating result to AS again; AS inserts client according to authenticating result and replys, and indicates the connection that whether receives client.
The difference of present embodiment and embodiment 3 is: VCCC does not comprise the security information of the client that requirement inserts, therefore by VCCC as transfer, the software of client is carried out authentication by HCCC; From the angle of idiographic flow, present embodiment has increased step 803,804,811 and 812 4 steps.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being made, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (9)
1, a kind of method of client certificate is characterized in that, the client certificate center that client is authenticated is set, and set client certificate center is connected with application server, and this method is further comprising the steps of:
A. the client application server is initiated the access request carry the client software version information, and application server is initiated request that this client is authenticated to the client certificate center again;
B. the client certificate center authenticates the information of client;
C. whether judge client by the authentication among the step B, if pass through, then application server is accepted the access request of described client, otherwise, refuse the access request of this client.
2, the method for claim 1 is characterized in that, described client access belonging district, and then described client certificate center is client certificate center, ownership district.
3, method as claimed in claim 1 or 2 is characterized in that, described step B may further comprise the steps:
B11. application server is to the encrypted public key sequence number of this client of client certificate center requests and contain the random number of client certificate center with the respective private keys signature, then, random number and PKI sequence number are selected according to the version information parameter of client in the client certificate center, and after using respective private keys that random number is signed, random number is sent to application server with the PKI sequence number;
B12. application server is handed down to client with random number and PKI sequence number, and requesting client is submitted the authentication sign to, after client is selected PKI according to the PKI sequence number, digital signature to random number is verified, if it is the client certificate center that client is confirmed the transmit leg of this random number, then the signing certificate to random number and supplier carries out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption, otherwise, finish this identifying procedure;
B13. client will send to application server by the client certificate sign that the random number after encrypted certificate and the encryption is formed, and application server is submitted to the client certificate center with the client certificate sign;
B14. authentication is carried out to after the authentication sign deciphering in the client certificate center, then the mode of authenticating result by authentication response is sent to application server.
4, method as claimed in claim 3 is characterized in that, adopts the authenticated user identity and the software mode in client access belonging district, and then described step B11 further comprises:
When the client certificate center sends to application server with random number and PKI sequence number, require application server that effective user ID is provided, then, application server authenticates user's identity, if user's identity is legal, then continue execution in step B12, otherwise, refuse it and insert application server, and finish the user identity and the software authentication flow process in client access belonging district;
Described step B12 further comprises:
When application server is handed down to client with random number and PKI sequence number, judge whether self contains the user ID of this client, if, then require client to submit to and comprise the client certificate sign that software authentication identifies, otherwise, require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
5, method as claimed in claim 4 is characterized in that, described step B12 further comprises:
If it is the client certificate center that client is confirmed the transmit leg of this random number, then user ID is joined in the signing certificate after the encryption.
6, the method for claim 1 is characterized in that, described client inserts the visit district, and then described client certificate center comprises client certificate center, ownership district and client certificate center, visit district.
7, as claim 1 or 6 described methods, it is characterized in that described step B may further comprise the steps:
B21. application server is distinguished the encrypted public key sequence number of this client of client certificate center requests and is contained the random number of client certificate center with the respective private keys signature to visit, then, the client certificate center, ownership district of this client of mind-set sends the request of encrypted public key sequence number in the visit district client certificate, random number and PKI sequence number are selected according to the version information parameter of client in the client certificate center by the ownership district, and after using respective private keys that random number is signed, random number is sent to client certificate center, visit district with the PKI sequence number, and client certificate center, visit district application server is again carried out the encrypted public key sequence number and is replied;
B22. application server is handed down to client with random number and PKI sequence number, and requesting client is submitted the authentication sign to, after client is selected PKI according to the PKI sequence number, digital signature to random number is verified, if it is the client certificate center that client is confirmed the transmit leg of this random number, then the signing certificate to random number and supplier carries out cryptographic calculation, and the software version number of client self is carried in the signing certificate after the encryption, otherwise, finish this identifying procedure;
B23. client will send to application server by the client certificate sign that the random number after encrypted certificate and the encryption is formed, application server is submitted to client certificate center, visit district with the client certificate sign, client certificate center, mind-set ownership district sends authentication request in the visit district client certificate, submits the client certificate sign to;
B24. authentication is carried out after to the deciphering of authentication sign in client certificate center in ownership district's, then the mode of result by authentication response is sent to client certificate center, visit district, and client certificate center, visit district sends to application server with the result again.
8, method as claimed in claim 7 is characterized in that, adopts client to insert the authenticated user identity and the software mode in visit district, and then described B21 further comprises:
Ownership district is replied random number and PKI sequence number at the client certificate center by the encrypted public key sequence number mode sends to visit and distinguishes the client certificate center, require client certificate center, visit district that effective user ID is provided, client certificate center, visit district application server is again carried out the encrypted public key sequence number and is replied, then, application server authenticates user's identity, if user's identity is legal, then continue execution in step B22, otherwise, refuse it and insert application server, and finish user identity and software authentication flow process that client inserts the visit district;
Described step B22 further comprises:
When application server is handed down to client with random number and PKI sequence number, judge whether self contains the user ID of this client, if, then require client to submit to and comprise the client certificate sign that software authentication identifies, otherwise, require client to provide to comprise the client certificate of software authentication sign and user ID to identify.
9, method as claimed in claim 8 is characterized in that, described step B22 further comprises:
If it is the client certificate center that client is confirmed the transmit leg of this random number, then also user ID to be joined in the signing certificate after the encryption.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100703130A CN100499453C (en) | 2004-07-29 | 2004-07-29 | Method of the authentication at client end |
| PCT/CN2005/001157 WO2006024216A1 (en) | 2004-07-29 | 2005-07-29 | A method for implementing certificating and a system thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100703130A CN100499453C (en) | 2004-07-29 | 2004-07-29 | Method of the authentication at client end |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1728636A CN1728636A (en) | 2006-02-01 |
| CN100499453C true CN100499453C (en) | 2009-06-10 |
Family
ID=35927668
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100703130A Expired - Fee Related CN100499453C (en) | 2004-07-29 | 2004-07-29 | Method of the authentication at client end |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN100499453C (en) |
| WO (1) | WO2006024216A1 (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101192926B (en) * | 2006-11-28 | 2011-03-30 | 北京握奇数据系统有限公司 | Account protection method and system |
| JP2008181228A (en) * | 2007-01-23 | 2008-08-07 | Sony Corp | Management system, management method, terminal equipment, management server, and program |
| CN101127744B (en) * | 2007-09-29 | 2010-10-13 | 杭州华三通信技术有限公司 | Separation prompt method and system for illegal client and gateway device |
| CN101971567A (en) * | 2007-12-05 | 2011-02-09 | 株式会社日立制作所 | Dhcp client server system, dhcp client device and dhcp server device |
| CN101860521B (en) * | 2009-04-13 | 2013-05-08 | 中国联合网络通信集团有限公司 | Authentication treatment method and system |
| CN101998575B (en) * | 2009-08-24 | 2013-04-24 | 华为技术有限公司 | Method, device and system for access control |
| CN102202040B (en) * | 2010-03-26 | 2014-06-04 | 联想(北京)有限公司 | Client authentication method and device |
| CN103795692B (en) * | 2012-10-31 | 2017-11-21 | 中国电信股份有限公司 | Open authorization method, system and certification authority server |
| TWI529537B (en) * | 2013-06-04 | 2016-04-11 | 晨星半導體股份有限公司 | Display with mobile high-definition link port and signal processing method thereof |
| CN103327489B (en) * | 2013-06-28 | 2017-04-05 | 宇龙计算机通信科技(深圳)有限公司 | The method and system of certification |
| US10033720B2 (en) * | 2014-05-28 | 2018-07-24 | Futurewei Technologies, Inc. | Method and system for creating a certificate to authenticate a user identity |
| CN114826570A (en) * | 2022-03-30 | 2022-07-29 | 微位(深圳)网络科技有限公司 | Certificate acquisition method, device, equipment and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100811419B1 (en) * | 2000-12-07 | 2008-03-07 | 주식회사 케이티 | Countermeasure Against Denial-of-Service Attack in Authentication Protocols Using Public-Key Encryption |
| CN100473000C (en) * | 2001-12-07 | 2009-03-25 | 高通股份有限公司 | Authentication in a hybrid communications network |
| CN1268093C (en) * | 2002-03-08 | 2006-08-02 | 华为技术有限公司 | Distribution method of wireless local area network encrypted keys |
-
2004
- 2004-07-29 CN CNB2004100703130A patent/CN100499453C/en not_active Expired - Fee Related
-
2005
- 2005-07-29 WO PCT/CN2005/001157 patent/WO2006024216A1/en active Application Filing
Also Published As
| Publication number | Publication date |
|---|---|
| CN1728636A (en) | 2006-02-01 |
| WO2006024216A1 (en) | 2006-03-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102134302B1 (en) | Wireless network access method and apparatus, and storage medium | |
| US9489498B2 (en) | Digital rights management using trusted processing techniques | |
| JP4599852B2 (en) | Data communication apparatus and method, and program | |
| FI115098B (en) | Authentication in data communication | |
| US8214649B2 (en) | System and method for secure communications between at least one user device and a network entity | |
| US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
| CA2812847C (en) | Mobile handset identification and communication authentication | |
| US8327143B2 (en) | Techniques to provide access point authentication for wireless network | |
| CN1929371B (en) | Method for negotiating key share between user and peripheral apparatus | |
| US11736304B2 (en) | Secure authentication of remote equipment | |
| KR102177794B1 (en) | Distributed device authentication protocol in internet of things blockchain environment | |
| JP4803145B2 (en) | Key sharing method and key distribution system | |
| JP2008099267A (en) | Method for securing session between wireless terminal and equipment in network | |
| CA2551113A1 (en) | Authentication system for networked computer applications | |
| CN101512537A (en) | Method and system for secure processing of authentication key material in an Ad Hoc Wireless Network | |
| CN104767731A (en) | Identity authentication protection method of Restful mobile transaction system | |
| CN108964896B (en) | Kerberos identity authentication system and method based on group key pool | |
| EP1493243B1 (en) | Secure file transfer | |
| CN100499453C (en) | Method of the authentication at client end | |
| CN108964895B (en) | User-to-User identity authentication system and method based on group key pool and improved Kerberos | |
| JP4783340B2 (en) | Protecting data traffic in a mobile network environment | |
| CN100450305C (en) | Safety service communication method based on general authentification frame | |
| CN104468074A (en) | Method and equipment for authentication between applications | |
| US20040255121A1 (en) | Method and communication terminal device for secure establishment of a communication connection | |
| CN114760046A (en) | Identity authentication method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090610 Termination date: 20130729 |