CN106330449A - Method for verifying validity of digital certificate and authentication server - Google Patents
Method for verifying validity of digital certificate and authentication server
Publication number: CN106330449A (application CN201510381509.XA)
Authority: CN (China)
Legal status: Pending
Classifications: H04L9/40 (network security protocols); H04L9/32 (means for verifying the identity or authority of a user of the system or for message authentication); H04L9/3263 (involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements); H04L9/3268 (using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]); H04L63/08 (network security protocols for authentication of entities); H04L63/0823 (authentication of entities using certificates)
Abstract
The present invention provides a method for verifying the validity of a digital certificate. The method belongs to the field of network security technology and solves the technical problem that existing digital certificate authentication methods are hard to extend. The method relates to an authentication server comprising a message receiving module and a digital certificate verification module. The digital certificate verification module is provided with a verification scheme configuration unit that configures the verification schemes used to verify the validity of a digital certificate. The message receiving module receives a digital certificate authentication request message containing the digital certificate content and submits it to the digital certificate verification module for verification. If the validity of the digital certificate cannot be verified according to the selected verification scheme, the digital certificate validity verification is determined to have failed; otherwise, it is determined to have succeeded. The method makes digital certificate verification schemes extensible. Accordingly, the present invention also provides an authentication server.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method for verifying the validity of a digital certificate and to an authentication server.
Background technology
At present, in a WLAN based on the WLAN Authentication and Privacy Infrastructure (WAPI) protocol, after the Authentication Service Entity (ASE) receives a certificate authentication request it only verifies whether the format of the received digital certificate is correct and whether the certificate has been revoked. The verification process involves complex cryptographic operations such as verifying the digital signature in the digital certificate and consumes a large amount of computing resources. If a hacker collects an arbitrary invalid digital certificate and sends it to the ASE continually, it will occupy a large amount of the ASE's computing resources and time and form an effective Denial of Service (DoS) attack, so that other legitimate users cannot communicate with the ASE normally. At the same time, because the verification does not check whether the digital certificate is being used within the scope of use that the issuer limited it to when the digital certificate was issued, a digital certificate legitimately authorized for one field may be used by a hacker in other unauthorized fields, causing an information security incident.
In short, current digital certificate authentication methods are relatively fixed and single-purpose, do not take later extension into account, and carry a certain security risk.
Summary of the invention
In order to solve the above technical problem, the present invention provides the following technical scheme:
A method for verifying the validity of a digital certificate, the method relating to an authentication server that includes a message receiving module and a digital certificate verification module, wherein the digital certificate verification module is provided with a verification scheme configuration unit, and the verification scheme configuration unit configures the verification schemes used to verify the validity of a digital certificate;
the message receiving module receives a digital certificate authentication request message that includes the digital certificate content; the message receiving module submits the received digital certificate content to the digital certificate verification module for verification; the digital certificate verification module selects, according to the verification requirement, the corresponding verification scheme from the schemes configured in the verification scheme configuration unit and performs the specific verification process;
if the validity of the digital certificate cannot be verified according to the selected verification scheme, the digital certificate validity verification is determined to have failed; otherwise, the digital certificate validity verification is determined to have succeeded.
In addition, the present invention also provides an authentication server for verifying the validity of a digital certificate, which includes a message receiving module and a digital certificate verification module, characterized in that the digital certificate verification module includes a verification scheme configuration unit;
the message receiving module is used to receive digital certificate authentication request packets;
the verification scheme configuration unit is used to configure the verification schemes for verifying the validity of a digital certificate.
The technical scheme provided by the present invention greatly reduces the complexity of adding and deleting verification schemes on the authentication server. Through the verification scheme configuration unit, the authentication server can effectively configure and control multiple verification schemes, which facilitates operations such as extending, modifying and deleting schemes. In addition, verifying the validity of a digital certificate with the selected, configured verification schemes also improves the efficiency of digital certificate verification.
Accompanying drawing explanation
Fig. 1 is a schematic flow diagram of the method provided by the present invention;
Fig. 2 is a schematic flow diagram of embodiment one of the present invention;
Fig. 3 is a schematic flow diagram of embodiment two of the present invention;
Fig. 4 is a schematic flow diagram of embodiment three of the present invention;
Fig. 5 is a schematic diagram of the network topology of the embodiments of the present invention;
Fig. 6 is a schematic structural diagram of the authentication server provided by the embodiments of the present invention.
Detailed description of the invention
The method for verifying the validity of a digital certificate and the authentication server provided by the present invention are described in more detail below with reference to the accompanying drawings and the embodiments.
As shown in Fig. 1 and Fig. 6, the method for verifying the validity of a digital certificate provided by the present invention relates to an authentication server that includes a message receiving module and a digital certificate verification module. The method specifically includes:
S100: a verification scheme configuration unit is provided in the digital certificate verification module, and the verification scheme configuration unit configures the verification schemes used to verify the validity of a digital certificate;
S200: the message receiving module receives a digital certificate authentication request message that includes the digital certificate content; the message receiving module submits the received digital certificate content to the digital certificate verification module for verification; the digital certificate verification module selects, according to the verification requirement, the corresponding verification scheme from the schemes configured in the verification scheme configuration unit and performs the specific verification process;
S300: if the validity of the digital certificate cannot be verified according to the selected verification scheme, the digital certificate validity verification is determined to have failed; otherwise, the digital certificate validity verification is determined to have succeeded.
Preferably, the authentication server may also include a digital certificate parsing module, used to parse the digital certificate authentication request packet to obtain the digital certificate content.
Preferably, the configuration is set up by creating a verification scheme database table that includes a verification item field and a switch value field. The verification item field identifies a verification scheme, and a verification scheme is enabled by setting its switch value: when the switch value is on, the corresponding verification scheme is enabled; when the switch value is off, the corresponding verification scheme is not enabled.
Preferably, the verification schemes in S100 may be a combination of at least any two of whitelist verification, blacklist verification, digital certificate format and revocation state verification, and digital certificate usage range verification. The verification scheme configuration unit sets the corresponding verification schemes through the verification scheme configuration database table, so a verification scheme configuration unit configured with the above schemes includes a whitelist verification sub-unit, a blacklist verification sub-unit, a digital certificate format and revocation state verification sub-unit, and a digital certificate usage range verification sub-unit. Here the digital certificate usage range refers to whether the issuer of the digital certificate is permitted to issue digital certificates within a certain range, to the credibility of the issuer of the digital certificate or of the digital certificate within a certain range, or to whether the issuer limited the digital certificate to a certain range of use when issuing it. At the same time, the verification scheme configuration unit is provided with switch values to determine whether the corresponding verification sub-unit is enabled; normally a switch value of 1 indicates enabled and a switch value of 0 indicates disabled. The verification scheme configuration unit has the functions of creating the verification scheme configuration database table, adding and deleting verification schemes, and configuring verification schemes.
Specifically, as shown in Table 1, the verification scheme configuration unit creates a verification scheme configuration database table that includes a sequence number field, a verification item field and a switch value field. The sequence number field is the primary key and its value is incremented automatically; this sequence number field can be used to identify the execution order of the corresponding verification scheme (for example, 1 represents the first verification item, 2 represents the second verification item, and so on). The verification item field identifies a digital certificate verification scheme supported by the verification scheme configuration unit; the verification scheme identified by this field can be moved to the position identified by the corresponding sequence number according to the verification order required by the local verification policy.
Sequence number | Verification item | Switch value |
1 | Whitelist verification | 0 or 1 |
2 | Blacklist verification | 0 or 1 |
3 | Digital certificate format and revocation state verification | 0 or 1 |
4 | Digital certificate usage range verification | 0 or 1 |
… | … | … |
Table one
Preferably, the database table may also include a verification order field (in this case the sequence number field is only a sequence number identifier). As shown in Table 2, the verification order field is configured with priorities such as 1, 2, 3 and so on to identify the execution order of the corresponding verification scheme.
Table two
The digital certificate verification schemes may specifically include a combination of at least any two of whitelist verification, blacklist verification, digital certificate format and revocation state verification, and digital certificate usage range verification, in which case the verification scheme configuration unit further comprises a whitelist verification sub-unit, a blacklist verification sub-unit, a digital certificate format and revocation state verification sub-unit, and a digital certificate usage range verification sub-unit. The switch value field indicates whether the verification scheme identified by the verification item field is enabled. The specific verification schemes identified by the verification item field in the verification scheme configuration database table can all be flexibly added, modified and deleted; the value of each corresponding switch value field indicates whether the corresponding verification scheme is enabled. In general, when the value of the switch value field is 0 the corresponding verification item is enabled, and when the value of the switch value field is 1 the corresponding verification item is disabled. Of course, it is also possible to set the value 1 of the switch value field to mean that the corresponding verification item is enabled and the value 0 to mean that it is disabled; the present invention does not limit the setting of the value of the switch value field.
Preferably, the configuration may also be set up by configuring the verification schemes in XML. That is, the configuration file of the verification scheme configuration unit exists in XML format, and the configuration file includes a sequence number element, a verification item element, a verification order element and a switch value element. The switch value element determines whether the corresponding verification sub-unit is enabled; normally a switch value element of 1 indicates enabled and a switch value element of 0 indicates disabled. The verification scheme configuration unit can add, modify and delete verification schemes by modifying the elements in the XML configuration file. An example of the configuration file for configuring verification schemes in XML is as follows:
<item>
  <sequence_number>1</sequence_number>
  <verification_item>Whitelist verification</verification_item>
  <verification_order>2</verification_order>
  <switch_value>0 or 1</switch_value>
</item>
<item>
  <sequence_number>2</sequence_number>
  <verification_item>Blacklist verification</verification_item>
  <verification_order>3</verification_order>
  <switch_value>0 or 1</switch_value>
</item>
<item>
  <sequence_number>3</sequence_number>
  <verification_item>Digital certificate format and revocation state verification</verification_item>
  <verification_order>4</verification_order>
  <switch_value>0 or 1</switch_value>
</item>
<item>
  <sequence_number>4</sequence_number>
  <verification_item>Digital certificate usage range verification</verification_item>
  <verification_order>1</verification_order>
  <switch_value>0 or 1</switch_value>
</item>
The present invention uses the configuration of verification schemes to achieve effective configuration and control of multiple verification schemes in the authentication server. Configuring verification schemes through the verification scheme configuration unit helps the authentication server add, modify and delete verification schemes flexibly.
The specific implementation process of the present invention is explained in detail below, with reference to Fig. 2, Fig. 3, Fig. 4 and Fig. 5, on the basis of configuring verification schemes through the database table.
Embodiment one
As in Fig. 2 and Fig. 5, the digital certificate usage range verification sub-unit and the digital certificate format and revocation state verification sub-unit are enabled in the verification scheme configuration unit. The specific verification process is described in detail below. Taking the WAPI network architecture as an example, after the message receiving module receives the digital certificate authentication request packet sent by the access point (AP), the digital certificate parsing module parses the digital certificate authentication request packet to obtain the digital certificate content and submits the parsed digital certificate content to the digital certificate verification module, where the digital certificate usage range verification sub-unit performs verification first. Specifically: the digital certificate usage range verification sub-unit creates a digital certificate usage range table; as shown in Table 3, the digital certificate usage range table includes a sequence number field, a digital certificate identifier field and a usage range field, where the sequence number field is the primary key and its value is incremented automatically, and the digital certificate identifier field holds the digital certificate identifier, which may be the combination of the certificate serial number and the issuer name in the digital certificate, or only the certificate serial number.
Sequence number | Digital certificate identifier | Usage range |
1 | Certificate serial number 1 + issuer name | Scope 1 / scope 2 / scope 1 / scope 4 … |
2 | Certificate serial number 2 + issuer name | Scope 1 / scope 2 / scope 1 / scope 4 … |
3 | Certificate serial number 3 + issuer name | Scope 1 / scope 2 / scope 1 / scope 4 … |
4 | Certificate serial number 4 + issuer name | Scope 1 / scope 2 / scope 1 / scope 4 … |
… | … | … |
Table three
The digital certificate usage range verification sub-unit can execute an SQL query to look up the usage range of the digital certificate in the usage range field and judge according to the return value of the SQL query statement: if the usage range can be found in the usage range field, the digital certificate contained in the digital certificate authentication request packet meets the usage range specified when the digital certificate was issued, and the digital certificate usage range verification sub-unit verifies the digital certificate usage range successfully; otherwise, the digital certificate usage range verification sub-unit fails to verify the digital certificate usage range. Digital certificate usage range records can be added or deleted. The information the authentication server uses to add or delete digital certificate usage range records may come from the digital certificate issuing entity, a network administrator or the like; the present invention does not limit this.
In other words, if the digital certificate usage range verification sub-unit judges that the digital certificate contained in the digital certificate authentication request packet does not meet the usage range specified when the digital certificate was issued, the digital certificate verification result obtained by the digital certificate verification module is failure, and a certificate authentication response packet is then built and sent by the message sending module to inform the AP of the digital certificate verification result or of the correct usage range of the digital certificate; if the digital certificate usage range verification sub-unit judges that the digital certificate contained in the digital certificate authentication request packet meets the usage range specified when the digital certificate was issued, verification continues with the next step.
Verification is then performed by the digital certificate format and revocation state verification sub-unit, specifically:
the digital certificate parsing module parses the digital certificate authentication request packet to obtain the information of the digital certificate, and the digital certificate format and revocation state verification sub-unit verifies whether the format of the digital certificate information is consistent with the format known to the authentication server; if inconsistent, digital certificate format and revocation state verification fails; if consistent, digital certificate format and revocation state verification succeeds. In the present invention the information format of the digital certificate is based on the digital certificate standard X.509;
or, after the authentication server uses the public key of its digital certificate to calculate the signature value of the digital certificate in the digital certificate authentication request packet parsed by the parsing module, the digital certificate format and revocation state verification sub-unit verifies whether the calculated signature value is identical to the signature value of the digital certificate; if not identical, digital certificate format and revocation state verification fails; if identical, digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification sub-unit checks the current time of the authentication server against the validity period of the received digital certificate; if the current time of the authentication server is not within the validity period of the received digital certificate, digital certificate format and revocation state verification fails; otherwise, digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification sub-unit checks whether the state of the received digital certificate stored by the authentication server is marked as revoked; if it is marked as revoked, digital certificate format and revocation state verification fails; otherwise, digital certificate format and revocation state verification succeeds.
In other embodiments, the four verification modes performed by the above digital certificate format and revocation state verification sub-unit may be used in any combination; in that case, if any one verification in the combination fails, the digital certificate format and revocation state verification sub-unit judges that the format of the digital certificate contained in the certificate authentication request packet is incorrect or its usage state is invalid, i.e. digital certificate verification fails; otherwise, digital certificate verification succeeds.
After the digital certificate verification result obtained by the digital certificate verification module on the basis of the above verification is success, a certificate authentication response packet is built and sent by the message sending module to inform the AP of the digital certificate verification result.
The verification process described in this embodiment is suitable for a network environment in which digital certificate transmission is completely open, and this verification scheme can greatly improve the efficiency of digital certificate verification in such a network environment.
Embodiment two
As in Fig. 3 and Fig. 5, the digital certificate format and revocation state verification sub-unit and the blacklist verification sub-unit and/or the whitelist verification sub-unit are enabled in the verification scheme configuration module. The specific verification process is described in detail below.
Taking the WAPI network architecture as an example, the digital certificate format and revocation state verification sub-unit first performs verification; the specific verification process is the same as described in embodiment one and is not repeated here. After the digital certificate format and revocation state verification passes, the blacklist verification sub-unit and/or the whitelist verification sub-unit start verification, which specifically includes:
the whitelist verification sub-unit creates a whitelist database table; as shown in Table 4, the whitelist database table includes a sequence number field and a whitelist value field, where the sequence number field is the primary key and its value is incremented automatically, and the whitelist value field holds the digital certificate identifier, which may be the combination of the certificate serial number and the issuer name in the digital certificate, or only the certificate serial number.
Sequence number | Whitelist value |
1 | Certificate serial number 1 + issuer name |
2 | Certificate serial number 2 + issuer name |
3 | Certificate serial number 3 + issuer name |
4 | Certificate serial number 4 + issuer name |
… | … |
Table four
The whitelist verification sub-unit executes an SQL query to look up whether the digital certificate identifier exists in the whitelist value field and judges according to the return value of the SQL query statement: if the return value contains the queried digital certificate identifier, the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table; otherwise, the identifier of the digital certificate contained in the digital certificate authentication request packet cannot be found in the whitelist value field of the whitelist database table.
If the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table, the whitelist verification sub-unit passes whitelist verification, meaning that the whitelist verification sub-unit judges that the digital certificate contained in the certificate authentication request packet is in the whitelist, and thereby determines that digital certificate validity verification succeeds; otherwise, the whitelist verification sub-unit fails whitelist verification, meaning that the whitelist verification sub-unit judges that the digital certificate contained in the certificate authentication request packet is not in the whitelist, and thereby determines that digital certificate validity verification fails.
In other words, if the whitelist verification sub-unit judges that the digital certificate contained in the digital certificate authentication request packet is not in the whitelist, the digital certificate verification result obtained by the digital certificate verification unit is failure, and a certificate authentication response packet is built and sent by the message sending module to inform the AP of the digital certificate verification result; if the whitelist verification sub-unit judges that the digital certificate contained in the digital certificate authentication request packet is in the whitelist, digital certificate validity verification succeeds.
The whitelist values used in the above process can be added or deleted. The information the authentication server uses to add or delete whitelist records may come from the digital certificate issuing entity, a network administrator or the like; the present invention does not limit this.
The verification process of the blacklist verification sub-unit is as follows.
The blacklist verification sub-unit creates a blacklist database table; as shown in Table 5, the blacklist database table includes a sequence number field and a blacklist value field, where the sequence number field is the primary key and its value is incremented automatically, and the blacklist value field holds the digital certificate identifier, which may be the combination of the certificate serial number and the issuer name in the digital certificate, or only the certificate serial number.
Sequence number | Blacklist value |
1 | Certificate serial number 1 + issuer name |
2 | Certificate serial number 2 + issuer name |
3 | Certificate serial number 3 + issuer name |
4 | Certificate serial number 4 + issuer name |
… | … |
Table five
The blacklist verification subunit executes an SQL query statement to query whether the digital certificate identifier exists in the blacklist value field and makes the judgment according to the return value of the SQL query statement: if the return value contains the queried digital certificate identifier, the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table; otherwise, the identifier of the digital certificate contained in the digital certificate authentication request packet cannot be found in the blacklist value field of the blacklist database table.
If the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification performed by the blacklist verification subunit does not pass, meaning that the blacklist verification subunit has determined that the digital certificate contained in the certificate authentication request packet is in the blacklist, so that the digital certificate validity verification is determined to have failed; otherwise, the blacklist verification performed by the blacklist verification subunit succeeds, meaning that the blacklist verification subunit has determined that the digital certificate contained in the certificate authentication request packet is not in the blacklist, so that the digital certificate validity verification is determined to have succeeded.
In other words, if the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is in the blacklist, the digital certificate authentication result obtained by the digital certificate authentication module is failure, and the message sending module then constructs a certificate authentication response packet and sends it to the AP to report the digital certificate authentication result; if the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is not in the blacklist, the digital certificate validity verification succeeds.
Blacklist values can be added or deleted during the above execution. The information on which the authentication server adds or deletes blacklist records may come from the digital certificate issuing entity, the network administrator, etc.; the present invention does not limit this.
After the digital certificate authentication result obtained by the digital certificate authentication module on the basis of the above verification is success, the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate authentication result.
The verification procedure described in this embodiment is applicable to a specific network environment. In an enterprise LAN, the transmitted digital certificates are most likely issued by the enterprise's internal digital certificate issuer; the number of digital certificates contained in each device used in the intranet is limited, and, according to the application of the device itself, it contains only the certificates for certain specific applications. In such a closed, specific application environment the source and the application range of the digital certificates are uniform. The verification scheme provided by this embodiment can greatly improve the efficiency of digital certificate verification in such a network environment.
Embodiment three
As shown in Fig. 4 and Fig. 5, the blacklist verification subunit and/or white list verification subunit, the digital certificate usage scope verification subunit, and the digital certificate format and revocation state verification subunit are enabled in the verification scheme configuration module. The specific verification procedure is described in detail as follows.
Taking the WAPI network architecture as an example, after the message receiving module receives the digital certificate authentication request packet sent by the access point AP, the digital certificate parsing module parses the digital certificate authentication request packet to obtain the digital certificate content and submits the parsed digital certificate content to the digital certificate authentication module, which first performs verification by the blacklist verification subunit and/or the white list verification subunit; the detailed verification procedure is the same as described in embodiment two and is not repeated here.
When the result of the verification performed by the blacklist verification subunit and/or white list verification subunit is pass, verification is further performed by the digital certificate usage scope verification subunit; this verification procedure is the same as described in embodiment one and is not repeated here.
When the result of the verification performed by the digital certificate usage scope verification subunit is that the certificate is within the specified scope, verification is further performed by the digital certificate format and revocation state verification subunit. If this verification passes, the digital certificate validity verification succeeds; otherwise, the digital certificate validity verification fails.
After the digital certificate authentication result obtained by the digital certificate authentication module on the basis of the above verification is success, the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate authentication result.
The verification procedure described in this embodiment is applicable to a network communication system in which certain networks are restricted to certain users while the other networks can be used by everyone. A network device restricted to certain users then needs first to verify against the white list and/or blacklist held in the device itself: if the received digital certificate content is a member of the white list and/or blacklist, subsequent verification can proceed; if the received digital certificate content is not in the device's white list and/or blacklist, no further verification work is performed, which saves time. This verification scheme can greatly improve the efficiency of digital certificate verification in such a network environment.
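The pipeline of embodiments two and three, written out as an added Python example (not the patent's own code): list tables with an auto-incrementing sequence number and a value field holding serial number + issuer name, a usage scope table, the validity-window and revoked-flag checks of the format and revocation state subunit, and a scheme table whose switch value and order decide which subunits run (as in claims 2 and 3). Table and field names, the format-version check standing in for the format comparison, and the sample certificates are constructed assumptions; the signature comparison is not modelled, and the certificate is a plain record rather than a parsed X.509 object.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

LIST_TABLES = ("whitelist", "blacklist")  # only these names may be interpolated into SQL


@dataclass(frozen=True)
class Cert:
    """Parsed certificate fields the subunits consult (constructed; not a real X.509 parser)."""
    serial: str
    issuer: str
    not_before: datetime
    not_after: datetime
    fmt_version: int
    revoked: bool

    @property
    def identifier(self) -> str:
        # The patent's digital certificate identifier: certificate serial number + issuer name.
        return f"{self.serial}+{self.issuer}"


def build_db() -> sqlite3.Connection:
    """Tables modelled on the patent: sequence-number primary key plus a value field."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE whitelist (seq INTEGER PRIMARY KEY AUTOINCREMENT, value TEXT UNIQUE);
        CREATE TABLE blacklist (seq INTEGER PRIMARY KEY AUTOINCREMENT, value TEXT UNIQUE);
        CREATE TABLE scope (seq INTEGER PRIMARY KEY AUTOINCREMENT, cert_id TEXT, usage TEXT);
        CREATE TABLE scheme (seq INTEGER PRIMARY KEY AUTOINCREMENT, item TEXT UNIQUE,
                             switch INTEGER NOT NULL, ordinal INTEGER NOT NULL);
    """)
    return db


def in_list(db: sqlite3.Connection, table: str, cert_id: str) -> bool:
    """The patent's SQL lookup of the value field; the identifier is bound as a parameter."""
    if table not in LIST_TABLES:
        raise ValueError(f"unknown list table {table!r}")
    row = db.execute(f"SELECT 1 FROM {table} WHERE value = ?", (cert_id,)).fetchone()
    return row is not None


def scope_allows(db: sqlite3.Connection, cert_id: str, usage: str) -> bool:
    """Usage scope table: the certificate must be recorded for the usage being requested."""
    row = db.execute("SELECT 1 FROM scope WHERE cert_id = ? AND usage = ?",
                     (cert_id, usage)).fetchone()
    return row is not None


def format_and_revocation_ok(cert: Cert, now: datetime, known_formats) -> bool:
    """Format known to the server, current time inside the validity window, not marked revoked."""
    return (cert.fmt_version in known_formats
            and cert.not_before <= now <= cert.not_after
            and not cert.revoked)


# Verification items as named in the scheme table; each returns True when its check passes.
CHECKS = {
    "whitelist": lambda db, c, ctx: in_list(db, "whitelist", c.identifier),
    "blacklist": lambda db, c, ctx: not in_list(db, "blacklist", c.identifier),
    "scope": lambda db, c, ctx: scope_allows(db, c.identifier, ctx["usage"]),
    "format_revocation": lambda db, c, ctx: format_and_revocation_ok(
        c, ctx["now"], ctx["known_formats"]),
}


def verify(db: sqlite3.Connection, cert, ctx):
    """Run the enabled items in configured order; the first failing item decides (fail closed)."""
    items = [r[0] for r in db.execute(
        "SELECT item FROM scheme WHERE switch = 1 ORDER BY ordinal")]
    if not items:
        return False, "no scheme enabled"  # an empty configuration must never mean accept
    for item in items:
        if not CHECKS[item](db, cert, ctx):
            return False, item
    return True, None


def demo():
    """Constructed data in the embodiment-three order: lists, then scope, then format/revocation."""
    db = build_db()
    db.executemany("INSERT INTO scheme (item, switch, ordinal) VALUES (?, ?, ?)",
                   [("blacklist", 1, 1), ("whitelist", 1, 2),
                    ("scope", 1, 3), ("format_revocation", 1, 4)])
    start = datetime(2015, 1, 1, tzinfo=timezone.utc)
    good = Cert("1001", "CN=Corp Issuing CA", start, datetime(2017, 1, 1, tzinfo=timezone.utc), 1, False)
    banned = Cert("1002", "CN=Corp Issuing CA", start, good.not_after, 1, False)
    expired = Cert("1003", "CN=Corp Issuing CA", start, datetime(2015, 6, 1, tzinfo=timezone.utc), 1, False)
    db.executemany("INSERT INTO whitelist (value) VALUES (?)",
                   [(c.identifier,) for c in (good, banned, expired)])
    db.execute("INSERT INTO blacklist (value) VALUES (?)", (banned.identifier,))
    db.executemany("INSERT INTO scope (cert_id, usage) VALUES (?, ?)",
                   [(good.identifier, "wlan-access"), (expired.identifier, "wlan-access")])
    ctx = {"usage": "wlan-access", "known_formats": {1},
           "now": datetime(2016, 1, 1, tzinfo=timezone.utc)}
    return {c.serial: verify(db, c, ctx) for c in (good, banned, expired)}


if __name__ == "__main__":
    for serial, result in demo().items():
        print(serial, result)
```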
In addition to the above-described embodiments, the verification scheme identified by the verification item field in the verification scheme configuration unit may also be, for example, verification of whether the issuer of the digital certificate contained in the certificate authentication request packet meets the security level in use. The authentication server may also continue to verify the digital certificate contained in the digital certificate authentication request packet according to the verification schemes preset in the verification scheme configuration unit, and then construct a certificate authentication response packet through the message sending module and send it to the AP to report the digital certificate authentication result or verification-related information; the specific implementation of the present invention does not repeat this.
Additionally, the method for verifying digital certificate validity provided by the present invention is not limited to the WAPI architecture described in the above embodiments. Based on the same idea as the method for verifying digital certificate validity provided by the present invention, the present invention also provides a corresponding authentication server; see Fig. 6. Specifically:
An authentication server for verifying digital certificate validity includes a message receiving module and a digital certificate authentication module, characterized in that the digital certificate authentication module includes a verification scheme configuration unit;
the message receiving module is used to receive the digital certificate authentication request packet;
the verification scheme configuration unit is used to configure the verification scheme for verifying digital certificate validity.
Preferably, the authentication server may further include a digital certificate parsing module for parsing the digital certificate content in the digital certificate authentication request packet.
Preferably, the verification scheme configuration unit further includes a white list verification subunit, the white list verification subunit being used to verify whether the digital certificate in the digital certificate authentication request packet is included in the white list;
the verification scheme configuration unit further includes a blacklist verification subunit, the blacklist verification subunit being used to verify whether the digital certificate in the digital certificate authentication request packet is included in the blacklist;
the verification scheme configuration unit further includes a digital certificate format and revocation state verification subunit, the digital certificate format and revocation state verification subunit being used to verify whether the information format of the digital certificate is consistent with the format known to the authentication server;
the verification scheme configuration unit further includes a digital certificate usage scope verification subunit, the digital certificate usage scope verification subunit being used to verify whether the digital certificate contained in the digital certificate authentication request packet meets the usage scope specified when the digital certificate was issued.
The functions and working modes of the structures described in the authentication server correspond to the working process described in the foregoing method and are not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.
Claims (13)
1. A method for verifying digital certificate validity, the method involving an authentication server, the authentication server including a message receiving module and a digital certificate authentication module, characterized in that:
a verification scheme configuration unit is provided in the digital certificate authentication module, and the verification scheme configuration unit performs configuration settings for configuring the verification schemes for verifying digital certificate validity;
the message receiving module receives a digital certificate authentication request message, the digital certificate authentication request message including digital certificate content; the message receiving module submits the received digital certificate content to the digital certificate authentication module for verification; the digital certificate authentication module selects, according to the verification requirement, the corresponding verification scheme from the verification schemes configured by the verification scheme configuration unit to perform the specific verification process;
if the validity verification of the digital certificate cannot pass according to the selected verification scheme, the digital certificate validity verification is determined to have failed; otherwise, the digital certificate validity verification is determined to have succeeded.
2. The method according to claim 1, characterized in that the configuration setting is to create a verification scheme database table, the verification scheme database table including a verification item field and a switch value field, the verification item field being used to identify the verification scheme; enabling of a verification scheme is realized by setting the switch value: when the switch value is on, the corresponding verification scheme is enabled; when the switch value is set to off, the corresponding verification scheme is not enabled.
3. The method according to claim 2, characterized in that the verification scheme database table also includes a sequence number field and/or a verification order field, the verification order field being used to control the execution order of the verification schemes.
4. The method according to claim 1, 2 or 3, characterized in that the verification scheme is a combination of at least any two of: the white list verification scheme, the blacklist verification scheme, the digital certificate format and revocation state verification scheme, and the digital certificate usage scope verification scheme;
correspondingly, the verification scheme configuration unit further includes a combination of at least any two of: a white list verification subunit, a blacklist verification subunit, a digital certificate format and revocation state verification subunit, and a digital certificate usage scope verification subunit.
5. The method according to claim 4, characterized in that the method of verifying digital certificate validity with the digital certificate usage scope verification subunit and the digital certificate format and revocation state verification subunit enabled in the verification scheme configuration unit specifically includes:
1) first performing digital certificate usage scope verification:
the digital certificate usage scope verification subunit creates a digital certificate usage scope table, the digital certificate usage scope table including a sequence number field, a digital certificate identifier field and a usage scope field;
the digital certificate usage scope verification subunit executes an SQL query statement to query whether the usage scope of the digital certificate exists in the usage scope field and makes the judgment according to the return value of the SQL query statement;
if it can be found in the usage scope field, the digital certificate contained in the digital certificate authentication request packet meets the usage scope specified when the digital certificate was issued, the digital certificate usage scope verification subunit's verification of the digital certificate usage scope succeeds, and the digital certificate format and revocation state verification is performed further;
otherwise, the digital certificate usage scope verification subunit's verification of the digital certificate usage scope fails, so that the digital certificate validity verification is determined to have failed;
2) performing digital certificate format and revocation state verification:
the digital certificate format and revocation state verification subunit verifies whether the information format of the digital certificate content is consistent with the format known to the authentication server; if inconsistent, the digital certificate format and revocation state verification fails; if consistent, the digital certificate format and revocation state verification succeeds;
or, the authentication server uses the public key of its digital certificate to compute the signature value of the digital certificate in the digital certificate authentication request packet, and the digital certificate format and revocation state verification subunit verifies whether the computed signature value is identical to the signature value of the digital certificate; if not identical, the digital certificate format and revocation state verification fails; if identical, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the authentication server's current time is not within the validity period of the received digital certificate, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit verifies whether the state of the received digital certificate stored by the authentication server is marked as revoked; if it is marked as revoked, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds.
6. The method according to claim 4, characterized in that the method of verifying digital certificate validity with the digital certificate format and revocation state verification subunit and the blacklist verification subunit and/or white list verification subunit enabled in the verification scheme configuration unit specifically includes:
1) first performing digital certificate format and revocation state verification:
the digital certificate format and revocation state verification subunit verifies whether the information format of the digital certificate content is consistent with the format known to the authentication server; if inconsistent, the digital certificate format and revocation state verification fails; if consistent, the digital certificate format and revocation state verification succeeds;
or, the authentication server uses the public key of its digital certificate to compute the signature value of the digital certificate in the digital certificate authentication request packet, and the digital certificate format and revocation state verification subunit verifies whether the computed signature value is identical to the signature value of the digital certificate; if not identical, the digital certificate format and revocation state verification fails; if identical, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the authentication server's current time is not within the validity period of the received digital certificate, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit verifies whether the state of the received digital certificate stored by the authentication server is marked as revoked; if it is marked as revoked, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds;
2) after the digital certificate format and revocation state verification has been executed successfully, further performing blacklist verification and/or white list verification, which specifically includes:
the blacklist verification subunit creates a blacklist database table, the blacklist database table including a sequence number field and a blacklist value field, the blacklist value field being the digital certificate identifier;
the blacklist verification subunit executes an SQL query statement to query whether the digital certificate identifier exists in the white list value field and makes the judgment according to the return value of the SQL query statement;
if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification performed by the blacklist verification subunit fails; otherwise, it is determined that the blacklist verification performed by the blacklist verification subunit passes; and/or,
the white list verification subunit creates a white list database table, the white list database table including a sequence number field and a white list value field, the white list value field being the digital certificate identifier;
the white list verification subunit executes an SQL query statement to query whether the digital certificate identifier exists in the white list value field and makes the judgment according to the return value of the SQL query statement;
if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the white list value field of the white list database table, the white list verification performed by the white list verification subunit passes; otherwise, it is determined that the white list verification performed by the white list verification subunit fails.
7. The method according to claim 4, characterized in that the method of verifying digital certificate validity with the blacklist verification subunit and/or white list verification subunit, the digital certificate usage scope verification subunit and the digital certificate format and revocation state verification subunit enabled in the verification scheme configuration unit specifically includes:
1) first performing blacklist verification and/or white list verification, which specifically includes:
the blacklist verification subunit creates a blacklist database table, the blacklist database table including a sequence number field and a blacklist value field, the blacklist value field being the digital certificate identifier;
the blacklist verification subunit executes an SQL query statement to query whether the digital certificate identifier exists in the white list value field and makes the judgment according to the return value of the SQL query statement;
if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification performed by the blacklist verification subunit fails; otherwise, it is determined that the blacklist verification performed by the blacklist verification subunit passes; and/or,
the white list verification subunit creates a white list database table, the white list database table including a sequence number field and a white list value field, the white list value field being the digital certificate identifier;
the white list verification subunit executes an SQL query statement to query whether the digital certificate identifier exists in the white list value field and makes the judgment according to the return value of the SQL query statement;
if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the white list value field of the white list database table, the white list verification performed by the white list verification subunit passes; otherwise, it is determined that the white list verification performed by the white list verification subunit fails;
2) after the blacklist verification and/or white list verification succeeds, performing digital certificate usage scope verification, specifically:
the digital certificate usage scope verification subunit creates a digital certificate usage scope table, the digital certificate usage scope table including a sequence number field, a digital certificate identifier field and a usage scope field;
the digital certificate usage scope verification subunit executes an SQL query statement to query whether the usage scope of the digital certificate exists in the usage scope field and makes the judgment according to the return value of the SQL query statement;
if it can be found in the usage scope field, the digital certificate contained in the digital certificate authentication request packet meets the usage scope specified when the digital certificate was issued, and the digital certificate usage scope verification subunit's verification of the digital certificate usage scope succeeds;
otherwise, the digital certificate usage scope verification subunit's verification of the digital certificate usage scope fails, so that the digital certificate validity verification is determined to have failed;
3) after the digital certificate usage scope verification succeeds, further performing digital certificate format and revocation state verification, specifically:
the digital certificate format and revocation state verification subunit verifies whether the information format of the digital certificate content is consistent with the format known to the authentication server; if inconsistent, the digital certificate format and revocation state verification fails; if consistent, the digital certificate format and revocation state verification succeeds;
or, the authentication server uses the public key of its digital certificate to compute the signature value of the digital certificate in the digital certificate authentication request packet, and the digital certificate format and revocation state verification subunit verifies whether the computed signature value is identical to the signature value of the digital certificate; if not identical, the digital certificate format and revocation state verification fails; if identical, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the authentication server's current time is not within the validity period of the received digital certificate, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds;
or, the digital certificate format and revocation state verification subunit verifies whether the state of the received digital certificate stored by the authentication server is marked as revoked; if it is marked as revoked, the digital certificate format and revocation state verification fails; otherwise, the digital certificate format and revocation state verification succeeds.
8. The method according to claim 1, characterized in that the configuration setting may also be a configuration file in XML format, which includes a sequence number element, a verification item element, a verification order element and a switch value element;
the verification order element is used to control the execution order of the verification schemes;
the switch value element is used to determine whether the corresponding verification scheme is enabled.
9. An authentication server for verifying digital certificate validity, including a message receiving module and a digital certificate authentication module, characterized in that the digital certificate authentication module includes a verification scheme configuration unit;
the message receiving module is used to receive the digital certificate authentication request packet;
the verification scheme configuration unit is used to configure the verification scheme for verifying digital certificate validity.
10. The authentication server according to claim 9, characterized in that the verification scheme configuration unit further includes a white list verification subunit, the white list verification subunit being used to verify whether the digital certificate in the digital certificate authentication request packet is included in the white list.
11. The authentication server according to claim 9, characterized in that the verification scheme configuration unit further includes a blacklist verification subunit, the blacklist verification subunit being used to verify whether the digital certificate in the digital certificate authentication request packet is included in the blacklist.
12. The authentication server according to claim 9, characterized in that the verification scheme configuration unit further includes a digital certificate format and revocation state verification subunit, the digital certificate format and revocation state verification subunit being used to verify whether the information format of the digital certificate is consistent with the format known to the authentication server.
13. The authentication server according to claim 9, characterized in that the verification scheme configuration unit further includes a digital certificate usage scope verification subunit, the digital certificate usage scope verification subunit being used to verify whether the digital certificate contained in the digital certificate authentication request packet meets the usage scope specified when the digital certificate was issued.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510381509.XA CN106330449A (en) | 2015-07-02 | 2015-07-02 | Method for verifying validity of digital certificate and authentication server |
PCT/CN2016/081665 WO2017000676A1 (en) | 2015-07-02 | 2016-05-11 | Method for verifying the validity of digital certificate and authentication server therefor |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510381509.XA CN106330449A (en) | 2015-07-02 | 2015-07-02 | Method for verifying validity of digital certificate and authentication server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106330449A true CN106330449A (en) | 2017-01-11 |
Family
ID=57607716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510381509.XA Pending CN106330449A (en) | 2015-07-02 | 2015-07-02 | Method for verifying validity of digital certificate and authentication server |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106330449A (en) |
WO (1) | WO2017000676A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108549809A (en) * | 2018-04-02 | 2018-09-18 | 郑州云海信息技术有限公司 | A kind of program process control method and system based on digital certificate |
CN110858804A (en) * | 2018-08-25 | 2020-03-03 | 华为技术有限公司 | Method for determining certificate status |
CN113242130A (en) * | 2021-04-01 | 2021-08-10 | 深圳国实检测技术有限公司 | Equipment digital certificate revocation method, electronic equipment and computer readable storage medium |
CN114073038A (en) * | 2019-06-28 | 2022-02-18 | 斑马技术公司 | Method and device for updating digital certificate |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116894109B (en) * | 2023-09-11 | 2024-01-09 | 北京格尔国信科技有限公司 | Method, system, device and storage medium for inquiring digital certificate |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101163012A (en) * | 2007-11-20 | 2008-04-16 | 江苏先安科技有限公司 | System and method of checking fine grit of digital certificate |
US20110238987A1 (en) * | 2010-03-24 | 2011-09-29 | Gm Global Technology Operations, Inc. | Adaptive certificate distribution mechanism in vehicular networks using forward error correcting codes |
CN102638346A (en) * | 2012-05-12 | 2012-08-15 | 杭州迪普科技有限公司 | Method and device for authorizing subscriber digital certificate |
CN103560889A (en) * | 2013-11-05 | 2014-02-05 | 江苏先安科技有限公司 | Precision identity authentication method between X509 digital certificate and certificate application |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100431210B1 (en) * | 2002-08-08 | 2004-05-12 | 한국전자통신연구원 | Validation Method of Certificate Validation Server using Certificate Policy Table and Certificate Policy Mapping Table in PKI |
JP2006244081A (en) * | 2005-03-02 | 2006-09-14 | Fuji Xerox Co Ltd | Server with authentication function and method |
US9544147B2 (en) * | 2009-05-22 | 2017-01-10 | Microsoft Technology Licensing, Llc | Model based multi-tier authentication |
CN102811218B (en) * | 2012-07-24 | 2013-07-31 | 江苏省电子商务服务中心有限责任公司 | Precision authentication method and device for digital certificate, and cloud authentication service system |
- 2015
  - 2015-07-02 CN CN201510381509.XA patent/CN106330449A/en active Pending
- 2016
  - 2016-05-11 WO PCT/CN2016/081665 patent/WO2017000676A1/en active Application Filing
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108549809A (en) * | 2018-04-02 | 2018-09-18 | 郑州云海信息技术有限公司 | Program process control method and system based on digital certificates |
CN110858804A (en) * | 2018-08-25 | 2020-03-03 | 华为技术有限公司 | Method for determining certificate status |
CN110858804B (en) * | 2018-08-25 | 2022-04-05 | 华为云计算技术有限公司 | Method for determining certificate status |
CN114073038A (en) * | 2019-06-28 | 2022-02-18 | 斑马技术公司 | Method and device for updating digital certificate |
CN113242130A (en) * | 2021-04-01 | 2021-08-10 | 深圳国实检测技术有限公司 | Equipment digital certificate revocation method, electronic equipment and computer readable storage medium |
CN113242130B (en) * | 2021-04-01 | 2022-07-22 | 深圳国实检测技术有限公司 | Equipment digital certificate revocation method, electronic equipment and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2017000676A1 (en) | 2017-01-05 |
Similar Documents
Publication | Title |
---|---|
US10257161B2 (en) | Using neighbor discovery to create trust information for other applications |
CN106330449A (en) | Method for verifying validity of digital certificate and authentication server |
CN105933125B (en) | Southbound security authentication method and device in a software-defined network |
US8844009B2 (en) | Resilient device authentication system |
JP2005184835A5 (en) | |
CN102420690A (en) | Method and system for fusing and authenticating identity and authority in an industrial control system |
CN111106940B (en) | Certificate transaction verification method for a resource public key infrastructure based on blockchain |
CN101631114B (en) | Identity authentication method and system based on public key certificates |
CN114338242B (en) | Cross-domain single sign-on access method and system based on blockchain technology |
CN113850599B (en) | Cross-chain transaction method and system applied to a consortium chain |
CN110351263A (en) | Internet of Things authentication method based on Hyperledger Fabric |
EP4312399A2 (en) | Methods and devices for public key management using a blockchain |
CN106161361A (en) | Cross-domain resource access method and device |
Meadows et al. | Deriving, attacking and defending the GDOI protocol |
CN101610515A (en) | Authentication system and method based on WAPI |
CN108011873A (en) | Illegal connection determination method based on set covering |
US20130212642A1 (en) | Resilient Device Authentication System |
CN109167771B (en) | Authentication method, device and equipment based on a consortium chain, and readable storage medium |
CN114697061B (en) | Access control method, device, network-side equipment, terminal and blockchain node |
CN111666554B (en) | Certificate authentication method, device, equipment and storage medium |
Liou et al. | T-auth: A novel authentication mechanism for the IoT based on smart contracts and PUFs |
US11575667B1 (en) | System and method for secure communications |
CN116506118A (en) | Identity privacy protection method in a PKI certificate transparency service |
CN114900336A (en) | Cross-unit secure sharing method and system for application systems |
US10447688B1 (en) | System for secure communications |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2017-01-11