CN109831311A - A kind of server validation method, system, user terminal and readable storage medium storing program for executing - Google Patents
A kind of server validation method, system, user terminal and readable storage medium storing program for executing Download PDFInfo
- Publication number
- CN109831311A CN109831311A CN201910217655.7A CN201910217655A CN109831311A CN 109831311 A CN109831311 A CN 109831311A CN 201910217655 A CN201910217655 A CN 201910217655A CN 109831311 A CN109831311 A CN 109831311A
- Authority
- CN
- China
- Prior art keywords
- server
- public key
- certificate
- root
- destination
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
This application discloses a kind of server validation methods, this method foundation no longer whether legal as differentiation server using the verification result of root certificate, but the root public key that the preset configuration server generates in the client carried out data transmission with the server of some websites based on HTTPS agreement, the server is when responding the access request that the client is sent, it will use root private key encryption server public key corresponding with the root public key and obtain pseudo server certificate, send whether the server of server certificate is true destination server so that whether client can decrypt the pseudo server certificate by built-in root public key to verify, since the root private key is only maintained in server itself after generation, safety is protected, to improve the safety of data transmission.The application further simultaneously discloses a kind of server authentication system, user terminal and computer readable storage medium, has above-mentioned beneficial effect.
Description
Technical field
This application involves HTTPS technical field, in particular to a kind of server validation method, system, user terminal and meter
Calculation machine readable storage medium storing program for executing.
Background technique
HTTPS agreement is the new network data transmission association that SSL encryption layer is added on the basis of http protocol and develops
View, can transmitted data based on this agreement in the form of ciphertext in client and server, to ensure that data exist
The safety transmitted in network.
Be based on before HTTPS agreement establishes encrypted data transmission access in client and server, client first to
Server end sends access request, and server end responds the access request and returns to client by certified authority
The server certificate that (Certificate Authority, CA) is issued, client also utilize preset by identical authenticating authority machine
The root certificate that structure is issued carries out legitimate verification to the server certificate, if the server certificate is really by identical authenticating authority machine
Structure is issued, and will will assert that the server by legitimate verification is legal, true at this time by legitimate verification, client
Real destination server can use the server public key being contained in the server certificate to encrypt an encryption close later
Key, the encryption key will be as using the key that data to be transmitted encrypts in the encrypted data transmission access.
Since the overall process of HTTPS agreement has been disclosed, the data theft person of malicious attacker or malice be would be possible to
So that client is thought the third party destination server by way of distorting the root certificate in client, and by between
Third party between the client and server palms off server end (in client) and client (in server simultaneously
End is apparently), due to the root certificate after distorting will identify from third-party pseudo- certificate be it is legal, which will act as one
Role that is a while may obtaining the clear data from client and server end exists, and plays to the safe transmission of data
Very big threat.
Therefore, how to overcome in the prior art root certificate be maliciously tampered HTTPS data caused to transmit unsafe technology
Defect provides a kind of mechanism of safer authentication server legitimacy, is those skilled in the art's urgent problem to be solved.
Summary of the invention
The main purpose of the application is to provide a kind of server validation method, system, user terminal and computer-readable
Storage medium, it is intended to solve the problems, such as to cause the transmission of HTTPS data unsafe because root certificate is maliciously tampered in the prior art, mention
Rise safety when data are transmitted based on HTTPS agreement.
To achieve the above object, this application provides a kind of server validation method, which includes:
Access request is initiated to destination server;
It receives the destination server and the pseudo server generated after server public key encryption is demonstrate,proved using preset root private key
Book;Wherein, the root private key and root public key are a pair of of unsymmetrical key that the destination server pre-generates;
Judge the root public key decryption whether the pseudo server certificate can be built in client;
If the pseudo server certificate can determine that the destination server is legal by the root public key successful decryption,
And data to be transmitted is encrypted using the server public key obtained after decryption, and the ciphertext obtained after encryption is sent to the target
Server;
If the pseudo server certificate cannot be decrypted by the root public key, determine that the destination server is illegal, and
Stop the information exchange between the destination server.
Optionally, the server validation method further include:
Receive the server label generated after the destination server signs to authentication string using privacy key
Name;Wherein, the authentication string is contained in the access request;
It is corresponding, before determining that the destination server is legal, further includes:
The server signature is decrypted using the server public key, obtains actual authentication character string;
Judge whether the actual authentication character string and the authentication string in the access request are consistent;
If consistent, the step for determining that the destination server is legal is executed;
If inconsistent, the judgement illegal step of destination server is executed.
Optionally, the authentication string information is specially the random number for utilizing random algorithm to generate.
Optionally, the server validation method further include:
The root public key being built in the client is updated by preset path, and the root public key recorded when updating every time replaces
Change information.
Optionally, the server validation method further include:
Receive the true server certificate that the destination server is issued by certified authority;
The legitimacy of the true server certificate is verified using the root certificate that the certified authority is issued;
It is corresponding, after the pseudo server certificate described in the pre-buried root public key successful decryption, determining the target clothes
Before business device is legal, further includes:
Judge whether the true server certificate is legal;
If the true server certificate is legal, the step for determining that the destination server is legal is executed.
To achieve the above object, present invention also provides a kind of system of authentication server legitimacy, which includes:
Access request initiates unit, for initiating access request to destination server;
Pseudo server certificate receiving unit, for receiving the destination server using preset root private key to server public affairs
The pseudo server certificate generated after key encryption;Wherein, the root private key and root public key are what the destination server pre-generated
A pair of of unsymmetrical key;
Successful decryption judging unit, the root that whether can be built in client for judging the pseudo server certificate
Public key decryptions;
Legal judgement and encrypted transmission unit, can be by the root public key successful decryption for working as the pseudo server certificate
When, determine that the destination server is legal, and encrypt data to be transmitted using the server public key obtained after decryption, and will encryption
The ciphertext obtained afterwards is sent to the destination server;
Illegal judgement and processing unit, for determining when the pseudo server certificate cannot be decrypted by the root public key
The destination server is illegal, and stops the information exchange between the destination server.
Optionally, the server authentication system further include:
Server signature receiving unit, for receive the destination server using privacy key to authentication string into
The server signature generated after row signature;Wherein, the authentication string is contained in the access request;
It is corresponding, the server authentication system further include:
Server signature decryption unit, for using the server public affairs before determining that the destination server is legal
Key decrypts the server signature, obtains actual authentication character string;
Authentication string consistency judging unit, for judging in the actual authentication character string and the access request
Whether authentication string is consistent;
The first execution unit of legal judgement, for when the actual authentication character string with from the certification in the access request
When character string is consistent, the step for determining that the destination server is legal is executed;
The first execution unit of illegal judgement, for when the actual authentication character string with from recognizing in the access request
When card character string is inconsistent, the judgement illegal step of destination server is executed.
Optionally, the server authentication system further include:
Root public key updates and replacement information recording unit, for being built in the client by preset path update
Root public key, and record root public key replacement information when updating every time.
Optionally, the server authentication system further include:
True server certificate receiving unit, the true service issued for receiving the destination server by certified authority
Device certificate;
True certificate legitimate verification unit, the root certificate for being issued using the certified authority verify the true clothes
The legitimacy of business device certificate;
It is corresponding, the server authentication system further include:
The true legal judging unit of certificate, for after the pseudo server certificate described in the pre-buried root public key successful decryption,
Before determining that the destination server is legal, judge whether the true server certificate is legal;
Legal Predicated execution second unit described determines the mesh for executing when the true server certificate is legal
The step of marking server legitimacy.
To achieve the above object, present invention also provides a kind of user terminal, the user terminal includes memory, processing
Device and bus are stored with the server authentication program that can be run on the processor on the memory, and the server is tested
Card program is transferred to the processor by the bus, and realizes following steps when being executed by the processor:
Access request is initiated to destination server;
It receives the destination server and the pseudo server generated after server public key encryption is demonstrate,proved using preset root private key
Book;Wherein, the root private key and root public key are a pair of of unsymmetrical key that the destination server pre-generates;
Judge the root public key decryption whether the pseudo server certificate can be built in client;
If the pseudo server certificate can determine that the destination server is legal by the root public key successful decryption,
And data to be transmitted is encrypted using the server public key obtained after decryption, and the ciphertext obtained after encryption is sent to the target
Server;
If the pseudo server certificate cannot be decrypted by the root public key, determine that the destination server is illegal, and
Stop the information exchange between the destination server.
Optionally, it is also realized when the server authentication program is executed by the processor:
The root public key being built in the client is updated by preset path, and the root public key recorded when updating every time replaces
Change information.
Optionally, it is also realized when the server authentication program is executed by the processor:
Receive the server label generated after the destination server signs to authentication string using privacy key
Name;Wherein, the authentication string is contained in the access request;
It is corresponding, before determining that the destination server is legal, further includes:
The server signature is decrypted using the server public key, obtains actual authentication character string;
Judge whether the actual authentication character string and the authentication string in the access request are consistent;
If consistent, the step for determining that the destination server is legal is executed;
If inconsistent, the judgement illegal step of destination server is executed.
Optionally, it is also realized when the server authentication program is executed by the processor:
Receive the true server certificate that the destination server is issued by certified authority;
The legitimacy of the true server certificate is verified using the root certificate that the certified authority is issued;
It is corresponding, after the pseudo server certificate described in the pre-buried root public key successful decryption, determining the target clothes
Before business device is legal, further includes:
Judge whether the true server certificate is legal;
If the true server certificate is legal, the step for determining that the destination server is legal is executed.
To achieve the above object, the application still further provides a kind of computer readable storage medium, the computer
Server authentication program is stored on readable storage medium storing program for executing, the server authentication program can be held by one or more processor
Row, to realize the server validation method as described in above content.
Obviously, server validation method provided by the present application, no longer using the verification result of root certificate as differentiation server
Whether legal foundation, but it is pre- in the client carried out data transmission with the server of some websites based on HTTPS agreement
The root public key that first built-in server generates, the server will use and are somebody's turn to do when responding the access request that the client is sent
Whether the corresponding root private key encryption server public key of root public key obtains pseudo server certificate, can be by built-in with client
Root public key decrypts the pseudo server certificate to verify and send whether the server of server certificate is true destination server, by
Server itself is only maintained in after generation in the root private key, safety is protected, to improve the peace of data transmission
Quan Xing.
The application additionally provides a kind of server authentication system, user terminal and computer readable storage medium, tool simultaneously
There is above-mentioned beneficial effect, details are not described herein.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The embodiment of application for those of ordinary skill in the art without creative efforts, can also basis
The attached drawing of offer obtains other attached drawings.
Fig. 1 is a kind of flow chart of server validation method provided by the embodiments of the present application;
Fig. 2 is the flow chart of another server validation method provided by the embodiments of the present application;
Fig. 3 is the flow chart of another server validation method provided by the embodiments of the present application;
Fig. 4 is a kind of structural block diagram of server authentication system provided by the embodiments of the present application;
Fig. 5 is a kind of structural schematic diagram of user terminal provided by the embodiments of the present application.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right
The present invention is further elaborated.It should be appreciated that described herein, specific examples are only used to explain the present invention, not
For limiting the present invention.Based on the embodiments of the present invention, those of ordinary skill in the art are not before making creative work
Every other embodiment obtained is put, shall fall within the protection scope of the present invention.
The description and claims of this application and term " first ", " second ", " third ", " in above-mentioned attached drawing
The (if present)s such as four " are to be used to distinguish similar objects, without being used to describe a particular order or precedence order.It should manage
The data that solution uses in this way are interchangeable under appropriate circumstances, so that the embodiments described herein can be in addition to illustrating herein
Or the sequence other than the content of description is implemented.In addition, term " includes " and " having " and their any deformation, it is intended that
Cover it is non-exclusive include, for example, containing the process, method, system, product or equipment of a series of steps or units need not limit
In step or unit those of is clearly listed, but may include be not clearly listed or for these process, methods, produce
The other step or units of product or equipment inherently.
It should be noted that the description for being related to " first ", " second " etc. in the present invention is used for description purposes only, and cannot
It is interpreted as its relative importance of indication or suggestion or implicitly indicates the quantity of indicated technical characteristic.Define as a result, " the
One ", the feature of " second " can explicitly or implicitly include at least one of the features.In addition, the skill between each embodiment
Art scheme can be combined with each other, but must be based on can be realized by those of ordinary skill in the art, when technical solution
Will be understood that the combination of this technical solution is not present in conjunction with there is conflicting or cannot achieve when, also not the present invention claims
Protection scope within.
Embodiment one
Referring to Figure 1, Fig. 1 is a kind of flow chart of server validation method provided by the embodiments of the present application, needs to illustrate
, the executing subject of each step is client in the present embodiment, i.e., client is connect establishing HTTPS with a server
Before transmitting encrypted data, need to verify the legitimacy of its identity, the present embodiment is intended to illustrate this Shen from the angle of client
Inventive point please realizes operations performed by purpose with carried out by comprising following steps:
S101: access request is initiated to destination server;
Access request is initiated to destination server first, this step establishes the head that HTTPS is connect as with destination server
A step exists.Wherein, which would generally include the parameter of some clients, such as type, version, the branch of client
The letter such as compression algorithm candidate list, random number and some additional extended fields of the Encryption Algorithm candidate list, support held
Breath, it is therefore intended that allow the server for receiving these information that can select suitable algorithm to carry out the behaviour such as subsequent data encryption
Make.In the specific access request which information specific limit should will not be done herein in conjunction with practical application scene flexible choice comprising
It is fixed, and it is present invention point that this step, which is not, is intended only as establishing with server essential in HTTPS connection procedure
One step exists, and the application does not do any change being different from the prior art to this step.
S102: it receives destination server and the pseudo server generated after server public key encryption is demonstrate,proved using preset root private key
Book;
On the basis of S101, the destination server that client sends access request is received, puppet will be returned to client
Server certificate.Wherein, pseudo server certificate be destination server using the root private key additionally generated in advance to server public key
It is obtained after encryption.
It should be noted that the root private key and the subsequent root public key that will be used be destination server advance with it is non-right
Claim Encryption Algorithm additionally to generate, only generates server public affairs using rivest, shamir, adelman according to conventional means in the prior art
Key and privacy key.It is raw that scheme i.e. provided herein needs each destination server to advance with rivest, shamir, adelman
At two pairs of public and private keys, one pair of them are exactly root public key and root private key, and another pair is server public key and privacy key.Wherein,
The usage mode of server public key and privacy key is no difference with the prior art, and difference is, this step also utilizes root private
Key obtains pseudo server certificate after removing encryption server public key.Further, in the mistake using root private key encryption server public key
Cheng Zhong can also increase some other information and be encrypted together with server public key, so as to gather around in the pseudo server certificate generated
There are more information, more information can be obtained after the successful decryption pseudo server certificate by also meaning that, these information
It shows to be worth accordingly all in accordance with its meaning that can be expressed.
S103: the root public key decryption whether pseudo server certificate can be built in client is judged, if it is, holding
Row S105, otherwise executes S104;
On the basis of S102, can this step be intended to be judged by client be decrypted with preset configuration in the root public key of itself
The pseudo server certificate received, and whether the server for obtaining sending the pseudo server certificate according to judging result is legal
Conclusion.
Opposite with the root private key used when encryption server public key is the root public key, sends the puppet in order to verify
For it whether previous existence, can be by the root public key preset configuration in meeting and this at the server of the root public key for the server of server certificate
Server is established in the client of HTTPS connection, specifically, built-in manner can be using the side being directly built in program code
Formula can also install mode etc. on the client by the way of necessary plug-in unit, as long as can accomplish carrying out this step
The root public key can be used for decryption verification by client before rapid, herein and be not specifically limited.
Further, it is contemplated that the mode that root public key may need replacing ensures its safety, can also be by default
Routing update is built in the root public key in client, and records root public key replacement information when updating every time, so as to later period retrospect
It uses.
S104: determine that destination server is illegal, and stop the information exchange between destination server;
This step is established on the basis of the judging result of S103 is that the pseudo server certificate cannot be decrypted by root public key, is said
It is not root private key corresponding with root public key that bright encryption, which obtains the key of the pseudo server certificate, can prove to issue puppet clothes yet
The server of business device certificate is not the server that client really wants access to, because if being the service really wanted access to
Device, under the premise of holding its root public key, being centainly being capable of successful decryption.
Therefore, can not successful decryption receive pseudo server certificate when, will judgement send the pseudo server certificate
Server be illegal server, and loss additional in order to prevent, will also stop it is subsequent all between the server
Information exchange.Even, which can also be pulled in blacklist, to judge that the pseudo server certificate that it is sent whether can
Before being enough decrypted, judging result is just obtained according to the blacklist.
S105: determining that destination server is legal, and encrypts data to be transmitted using the server public key obtained after decryption, and
The ciphertext obtained after encryption is sent to destination server.
This step is established on the basis of the judging result of S103 is that the pseudo server certificate can be decrypted by root public key, is said
Bright encrypt obtains the key exactly root private key corresponding with root public key of the pseudo server certificate, for root private key only by destination service
Device itself is come the considerations of preservation, successful decryption means that the server for sending the pseudo server certificate is that client is really wanted
The server of connection is accessed, establishes, in other words, the server for sending the pseudo server certificate is legal server.
Therefore, after determining the legitimacy of server of the access request in response to sending, it is already possible to the service
Device establishes HTTPS connection to transmit the data of encryption, and the key of encrypting plaintext data is then to after the decryption of pseudo server certificate
Server public key is obtained, can be only decrypted by being stored in the privacy key of server itself.
According to the method for authentication server legitimacy provided in this embodiment, this method is no longer with the verification result of root certificate
The foundation whether legal as differentiation server, but data biography is carried out being based on HTTPS agreement with the server of some websites
The root public key that the preset configuration server generates in defeated client, the server are responding the access request sent of the client
When, will use root private key encryption server public key corresponding with the root public key and obtain pseudo server certificate, with client whether
The pseudo server certificate can be decrypted by built-in root public key to verify and send whether the server of server certificate is true
Destination server, since the root private key is only maintained in server itself after generation, safety is protected, to be promoted
The safety of data transmission.
Embodiment two
Fig. 2 is referred to, Fig. 2 is the flow chart of another server validation method provided by the embodiments of the present application, this implementation
Whether it can authentication server public key be further real server public key that example provides a kind of on the basis of example 1
Method prevents existing various unexpected under complex situations so that the considerations of verifying to server legitimacy is more thoughtful
Situation appearance is distorted, is included the following steps:
S201: access request is initiated to destination server;
S202: it receives destination server and the pseudo server generated after server public key encryption is demonstrate,proved using preset root private key
Book;
S203: the server label generated after destination server signs to authentication string using privacy key are received
Name;
In addition to S202 step, the present embodiment will also receive destination server using privacy key to authentication string into
The server signature that generates after row signature, i.e. destination server will also use the privacy key only held by itself to from comprising
The character string (i.e. subsequent step use authentication string) that part in access request can be used for authentication is signed,
With the server signature using generation come the correctness of further authentication server public key.
It should be noted that S202 and S203 be two relatively independent steps, and there is no must successively before sequence
Relationship is two steps that may be performed simultaneously completely under conditions of computing resource allows.
S204: judge the root public key decryption whether pseudo server certificate can be built in client, if it is hold
Row S205, otherwise executes S207;
S205: server signature is decrypted using server public key, obtains actual authentication character string;
The foundation of this step is that pseudo server certificate can be built in the root public key in client in the judging result of S204
On the basis of decryption, client will access the server public key decrypted from pseudo server certificate at this time, at this time will
The server signature is decrypted using the server public key, and is obtained comprising character string therein, and the character string will be as practical
Authentication string exists.Specifically, can be generated at random for client using random algorithm one of the authentication string is random
Number, what can also be generated using remaining same or like mode will be used to compare the character string of consistency, not do herein specific
It limits.
S206: judge whether actual authentication character string is consistent with the authentication string in access request, if it is executes
Otherwise S208 executes S207;
On the basis of S205, this step is intended to be judged by client the actual authentication character string and oneself sending originally
Whether the authentication string for being contained in access request is consistent.If the two is consistent, illustrate to return to pseudo server certificate, clothes to oneself
The server of business device signature is strictly the server for receiving the access request of oneself sending, and is able to further demonstrate and decrypt
The reliability of the server public key arrived.
S207: determine that destination server is illegal, and stop the information exchange between destination server;
The foundation of this step is in the root public key solution that the judging result of S204 is that pseudo server certificate can not be built in client
On the basis of close or the judging result of S206 is the actual authentication character string base inconsistent with the authentication string in access request
On plinth, wherein if the reason of being oriented to this step is the judging result of S204, illustrate to send the server of pseudo server certificate not
It is the server for being built in the client of root public key and recognizing, it may also be said to be to there are other server intercepts for being intended to personation to arrive
Client is sent to the request of real service device, and attempts to palm off, due to its do not know real service device can send can by root public affairs
Key decryption pseudo server certificate, therefore will be judged as it is illegal, to not establish continuous with it;If being oriented to this step
Reason is the judging result of S206, then illustrates that the server for returning to above-mentioned data has been got access by way of personation and asked
It asks, and possesses the privacy key of real service device, root private key, but its mechanism for not understanding server signature, therefore be based on
This will also determine that it is illegal server, i.e., be not the server for really wanting to set up HTTPS connection.
S208: determining that destination server is legal, and encrypts data to be transmitted using the server public key obtained after decryption, and
Data to be transmitted is sent to destination server in the form of ciphertext.
The foundation of this step is the authentication string one in actual authentication character string and access request in the judging result of S206
On the basis of cause, illustrate that the server for returning to above-mentioned data not only possesses the privacy key of real service device, root private key, and
Solution exists only in the server signature mode consulted between client and real service device, therefore by multiple judgement, can be with
The further legitimacy for determining destination server.
The present embodiment on the basis of example 1, additionally negotiates the generation side of determining server signature by increasing
Formula, further to determine whether server is real server, it can be found that the access that can get client sending is asked
Privacy key, the root private key asked, possess real service device do not know the illegal service of server signature generating mode but
Device is able to further improve the reliability of judging result, so that data are able to safer carry out with real server
Encrypted transmission.
In another embodiment for being different from the present embodiment, also server signature is also used as the one of pseudo server certificate
Part is encrypted by root private key together with server public key, can also realize identical effect.
Embodiment three
Fig. 3 is referred to, Fig. 3 is the flow chart of another server validation method provided by the embodiments of the present application, this implementation
Example on the basis of the various embodiments described above, additionally provide a kind of legality identification method in combination with tradition based on root certificate and
The preferred legality identification method of legality identification method based on pre-buried root public key, it should be noted that since tradition is based on
The legitimate verification mode of root certificate has been proved to unreliable, therefore its verification result will be only provided by the present application as starting
Another precondition of verification mode, i.e., it is final still with the legitimate verification side provided by the present application based on pre-buried root public key
Subject to the result of method, include the following steps:
S301: access request is initiated to destination server;
S302: the true server certificate that destination server is issued by certified authority is received;
S303: the legitimacy of true server certificate is verified using the root certificate that certified authority is issued;
S302 and S303 is that tradition is returned based on the preset root certificate issued by certified authority come authentication server
True server certificate mode.
S304: it receives destination server and the pseudo server generated after server public key encryption is demonstrate,proved using preset root private key
Book;
It is that have obtained the destination server be legitimate service to conventional authentication mode that this step, which establishes the judging result in S303,
On the basis of device, it is intended to carry out subsequent authentication further according to mode provided by the present application.
S305: judge the root public key decryption whether pseudo server certificate can be built in client itself;
S306: determining that destination server is legal, and encrypts data to be transmitted using the server public key obtained after decryption, and
Data to be transmitted is sent to destination server in the form of ciphertext;
S307: determine that destination server is illegal, and stop the information exchange between destination server.
The present embodiment can be on the basis of the various embodiments described above, by successively carrying out conventional authentication mode and the application is new
In the mechanism of the verification mode of offer, the illegal scene in part is weeded out by conventional authentication mode, while can also be to not pre-
The server for being first provided with corresponding server root public key carries out legitimate verification, so that the client application range is wider, not only
It is limited to be preset with the legitimate verification of the server of root public key.
Because situation is complicated, it can not enumerate and be illustrated, those skilled in the art should be able to recognize according to the application
The basic skills principle combination actual conditions of offer may exist many examples, in the case where not paying enough creative works,
It should within the scope of protection of this application.
Example IV
Fig. 4 is referred to, Fig. 4 is a kind of structural block diagram of server authentication system provided by the embodiments of the present application, the system
May include:
Access request initiates unit 100, for initiating access request to destination server;
Pseudo server certificate receiving unit 200, for receiving destination server using preset root private key to server public affairs
The pseudo server certificate generated after key encryption;Wherein, root private key and root public key are that a pair that destination server pre-generates is non-right
Claim key;
Successful decryption judging unit 300, the root that whether can be built in client for judging pseudo server certificate
Public key decryptions;
Legal judgement and encrypted transmission unit 400, for sentencing when pseudo server certificate can be by root public key successful decryption
Set the goal server legitimacy, and encrypt data to be transmitted using the server public key that obtains after decryption, and will obtain after encryption
Ciphertext is sent to destination server;
Illegal judgement and processing unit 500, for when pseudo server certificate cannot be decrypted by root public key, determining target clothes
Business device is illegal, and stops the information exchange between destination server.
Further, which can also include:
Server signature receiving unit signs authentication string using privacy key for receiving destination server
The server signature generated after name;Wherein, authentication string is contained in access request;
Corresponding, which can also include:
Server signature decryption unit, for being decrypted and being taken using server public key before determining that destination server is legal
Business device signature, obtains actual authentication character string;
Authentication string consistency judging unit, for judging the certification character in actual authentication character string and access request
It whether consistent goes here and there;
The first execution unit of legal judgement, for when actual authentication character string with from the authentication string one in access request
When cause, the step for determining that destination server is legal is executed;
The first execution unit of illegal judgement, for when actual authentication character string with from the authentication string in access request
When inconsistent, execute and determine the illegal step of destination server.
Further, which can also include:
Root public key updates and replacement information recording unit, public for updating the root being built in client by preset path
Key, and record root public key replacement information when updating every time.
Further, which can also include:
True server certificate receiving unit is demonstrate,proved for receiving destination server by the true server that certified authority is issued
Book;
True certificate legitimate verification unit, the root certificate for being issued using certified authority verify true server certificate
Legitimacy;
Corresponding, which can also include:
The true legal judging unit of certificate is used for after pre-buried root public key successful decryption pseudo server certificate, is determining mesh
Before marking server legitimacy, judge whether true server certificate is legal;
Legal Predicated execution second unit determines that destination server is legal for executing when server certificate is legal surely
The step of.
The system of the authentication server legitimacy is corresponding with the method for authentication server legitimacy, and the present embodiment is as one
A product embodiments corresponding with embodiment of the method exist, and have beneficial effect identical with embodiment of the method, no longer superfluous herein
It states.
Embodiment five
Hereinabove by several different embodiments to such as how safer, more reliable mode authentication server is legal
Property method illustrate and describe, the application also provides a kind of entity hardware device corresponding with this method, this partial content original
Reason is corresponding with scheme section, and details are not described herein again for the part of realization principle, below by the hardware group to the entity hardware device
At being described, Fig. 5 is referred to, Fig. 5 is a kind of user terminal (terminal of carrying client end function provided by the embodiments of the present application
Equipment) structural schematic diagram:
The user terminal 600 includes memory 610, processor 620 and bus 630, and being stored on memory 610 can be
The server authentication program run on processor 620, the server authentication program are received simultaneously by bus 630 by processor 620
, it can be achieved that being used for each step of authentication server legitimacy as described in above-described embodiment when execution.
Wherein, memory 610 includes at least a type of readable storage medium storing program for executing, and readable storage medium storing program for executing includes flash memory, hard
Disk, multimedia card, card-type memory (for example, SD or DX memory etc.), magnetic storage, disk, CD etc..Memory 610
It can be the internal storage unit of user terminal 600, such as the hard disk of the user terminal 600 in some embodiments.Memory
610 are also possible to match on the External memory equipment of the user terminal 600, such as the user terminal 600 in further embodiments
Standby plug-in type hard disk, intelligent memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD)
Card, flash card (Flash Card) etc..Further, memory 610 can also be simultaneously by internal storage unit and external storage
Equipment forms simultaneously.Further, what memory 610 can be not only used for that storage is installed in the user terminal 600 various answers
With software and Various types of data, can be also used for temporarily storing the data that has exported or will export.
Processor 620 can be in some embodiments central processing unit (Central Processing Unit, CPU),
Controller, microcontroller, microprocessor or other data processing chips, the program code for being stored in run memory 610
Or processing data, such as execute server proving program etc..
Bus 630 can be Peripheral Component Interconnect standard (peripheral component interconnect, abbreviation
PCI) bus or expanding the industrial standard structure (extended industry standard architecture, abbreviation EISA)
Bus etc..The bus can be divided into address bus, data/address bus, control bus etc..For convenient for indicating, only with one pair in Fig. 5
It is indicated to hollow index line, it is not intended that an only bus or a type of bus.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof real
It is existing.In several embodiments provided herein, it should be understood that disclosed system, device and method can pass through it
Its mode is realized.For example, the apparatus embodiments described above are merely exemplary, for example, the division of unit, only
A kind of logical function partition, there may be another division manner in actual implementation, for example, multiple units or components can combine or
Person is desirably integrated into another system, or some features can be ignored or not executed.Another point, shown or discussed is mutual
Between coupling, direct-coupling or communication connection can be through some interfaces, the INDIRECT COUPLING or communication link of device or unit
It connects, can be electrical property, mechanical or other forms.
Unit may or may not be physically separated as illustrated by the separation member, shown as a unit
Component may or may not be physical unit, it can and it is in one place, or may be distributed over multiple networks
On unit.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
It, can also be in addition, each functional unit in each embodiment of the application can integrate in one processing unit
It is that each unit physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated list
Member both can take the form of hardware realization, can also realize in the form of software functional units.
It, can if integrated unit is realized in the form of SFU software functional unit and when sold or used as an independent product
To be stored in a computer readable storage medium.Based on this understanding, the technical solution of the application substantially or
Say that all or part of the part that contributes to existing technology or the technical solution can embody in the form of software products
Out, which is stored in a storage medium, including some instructions are used so that a computer equipment
(can be personal computer, server or the network equipment etc.) executes the method gone out given in each embodiment of the application
All or part of the steps.And storage medium above-mentioned includes: USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only
Memory), random access memory (RAM, Random Access Memory), magnetic or disk etc. are various can store journey
The medium of sequence code.
It should be noted that the serial number of the above embodiments of the invention is only for description, do not represent the advantages or disadvantages of the embodiments.And
The terms "include", "comprise" herein or any other variant thereof is intended to cover non-exclusive inclusion, so that packet
Process, device, article or the method for including a series of elements not only include those elements, but also including being not explicitly listed
Other element, or further include for this process, device, article or the intrinsic element of method.Do not limiting more
In the case where, the element that is limited by sentence "including a ...", it is not excluded that including process, device, the article of the element
Or there is also other identical elements in method.
The above is only a preferred embodiment of the present invention, is not intended to limit the scope of the invention, all to utilize this hair
Equivalent structure or equivalent flow shift made by bright specification and accompanying drawing content is applied directly or indirectly in other relevant skills
Art field, is included within the scope of the present invention.
Claims (10)
1. a kind of server validation method, which is characterized in that the server validation method includes:
Access request is initiated to destination server;
The destination server is received using preset root private key to the pseudo server certificate generated after server public key encryption;Its
In, the root private key and root public key are pre-generated a pair of of the unsymmetrical key of the destination server;
Judge the root public key decryption whether the pseudo server certificate can be built in client;
If the pseudo server certificate can be decrypted by the root public key, determine that the destination server is legal, and uses solution
The server public key encryption data to be transmitted obtained after close, and the ciphertext obtained after encryption is sent to the destination server;
If the pseudo server certificate cannot be decrypted by the root public key, determine that the destination server is illegal, and stop
With the information exchange between the destination server.
2. server validation method according to claim 1, which is characterized in that further include:
Receive the server signature generated after the destination server signs to authentication string using privacy key;Its
In, the authentication string is contained in the access request;
It is corresponding, before determining that the destination server is legal, further includes:
The server signature is decrypted using the server public key, obtains actual authentication character string;
Judge whether the actual authentication character string and the authentication string in the access request are consistent;
If consistent, the step for determining that the destination server is legal is executed;
If inconsistent, the judgement illegal step of destination server is executed.
3. server validation method according to claim 2, which is characterized in that the authentication string be specially using with
The random number that machine algorithm generates.
4. server validation method according to claim 1, which is characterized in that further include:
The root public key being built in the client is updated by preset path, and records root public key when updating every time and replaces letter
Breath.
5. server validation method according to any one of claims 1 to 4, which is characterized in that further include:
Receive the true server certificate that the destination server is issued by certified authority;
The legitimacy of the true server certificate is verified using the root certificate that the certified authority is issued;
It is corresponding, after the pseudo server certificate described in the pre-buried root public key successful decryption, determining the destination server
Before legal, further includes:
Judge whether the true server certificate is legal;
If the true server certificate is legal, the step for determining that the destination server is legal is executed.
6. a kind of server authentication system, which is characterized in that the server authentication system includes:
Access request initiates unit, for initiating access request to destination server;
Pseudo server certificate receiving unit adds server public key using preset root private key for receiving the destination server
The pseudo server certificate generated after close;Wherein, the root private key and root public key are a pair that the destination server pre-generates
Unsymmetrical key;
Successful decryption judging unit, the root public key that whether can be built in client for judging the pseudo server certificate
Decryption;
Legal judgement and encrypted transmission unit, are used for when the pseudo server certificate can be by the root public key successful decryption,
Determine that the destination server is legal, and encrypts data to be transmitted using the server public key obtained after decryption, and will be after encryption
Obtained ciphertext is sent to the destination server;
Illegal judgement and processing unit are used for when the pseudo server certificate cannot be decrypted by the root public key, described in judgement
Destination server is illegal, and stops the information exchange between the destination server.
7. a kind of user terminal, which is characterized in that the user terminal includes memory, processor and bus, the memory
On be stored with the server authentication program that can be run on the processor, the server authentication program passes through the bus quilt
It is transmitted to the processor, and realizes following steps when being executed by the processor:
Access request is initiated to destination server;
The destination server is received using preset root private key to the pseudo server certificate generated after server public key encryption;Its
In, the root private key and root public key are pre-generated a pair of of the unsymmetrical key of the destination server;
Judge the root public key decryption whether the pseudo server certificate can be built in client;
If the pseudo server certificate can determine that the destination server is legal, and make by the root public key successful decryption
Data to be transmitted is encrypted with the server public key obtained after decryption, and the ciphertext obtained after encryption is sent to the destination service
Device;
If the pseudo server certificate cannot be decrypted by the root public key, determine that the destination server is illegal, and stop
With the information exchange between the destination server.
8. user terminal according to claim 7, which is characterized in that the server authentication program is held by the processor
It is also realized when row:
Receive the server signature generated after the destination server signs to authentication string using privacy key;Its
In, the authentication string is contained in the access request;
It is corresponding, before determining that the destination server is legal, further includes:
The server signature is decrypted using the server public key, obtains actual authentication character string;
Judge whether the actual authentication character string and the authentication string in the access request are consistent;
If consistent, the step for determining that the destination server is legal is executed;
If inconsistent, the judgement illegal step of destination server is executed.
9. user terminal according to claim 7 or 8, which is characterized in that the server authentication program is by the processing
Device is also realized when executing:
Receive the true server certificate that the destination server is issued by certified authority;
The legitimacy of the true server certificate is verified using the root certificate that the certified authority is issued;
It is corresponding, after the pseudo server certificate described in the pre-buried root public key successful decryption, determining the destination server
Before legal, further includes:
Judge whether the true server certificate is legal;
If the true server certificate is legal, the step for determining that the destination server is legal is executed.
10. a kind of computer readable storage medium, which is characterized in that be stored with server on the computer readable storage medium
Proving program, the server authentication program can be executed by one or more processor, to realize such as claim 1 to 5 times
Server validation method described in one.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910217655.7A CN109831311B (en) | 2019-03-21 | 2019-03-21 | Server verification method, system, user terminal and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910217655.7A CN109831311B (en) | 2019-03-21 | 2019-03-21 | Server verification method, system, user terminal and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109831311A true CN109831311A (en) | 2019-05-31 |
| CN109831311B CN109831311B (en) | 2022-04-01 |
Family
ID=66870938
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910217655.7A Active CN109831311B (en) | 2019-03-21 | 2019-03-21 | Server verification method, system, user terminal and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109831311B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110868291A (en) * | 2019-11-26 | 2020-03-06 | 普联技术有限公司 | Data encryption transmission method, device, system and storage medium |
| CN110971616A (en) * | 2019-12-24 | 2020-04-07 | 广州市百果园信息技术有限公司 | Connection establishing method based on secure transport layer protocol, client and server |
| CN111131215A (en) * | 2019-12-18 | 2020-05-08 | 深圳市任子行科技开发有限公司 | Non-perception audit deployment method and device |
| CN111698682A (en) * | 2020-06-12 | 2020-09-22 | 深圳天度物联信息技术有限公司 | Data transmission method based on public WiFi network environment, server and storage medium |
| CN111935169A (en) * | 2020-08-20 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Business data access method, device, equipment and storage medium |
| CN113381855A (en) * | 2021-06-11 | 2021-09-10 | 上海哔哩哔哩科技有限公司 | Communication method and system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101742508A (en) * | 2009-12-21 | 2010-06-16 | 中兴通讯股份有限公司 | System and method for transmitting files between WAPI terminal and application server |
| CN106161366A (en) * | 2015-04-03 | 2016-11-23 | 上海庆科信息技术有限公司 | The method and system that a kind of SSL of minimizing takes up room |
| CN106685983A (en) * | 2017-01-13 | 2017-05-17 | 华北计算技术研究所(中国电子科技集团公司第十五研究所) | Data recovery method and device based on SSL protocol |
| US20170324567A1 (en) * | 2014-12-16 | 2017-11-09 | Panasonic Intellectual Property Management Co., Lt d. | Signature verification device, signature generation device, signature processing system, signature verification method, and signature generation method |
| CN107360124A (en) * | 2016-05-10 | 2017-11-17 | 普天信息技术有限公司 | Access authentication method and device, WAP and user terminal |
| CN108259406A (en) * | 2016-12-28 | 2018-07-06 | 中国电信股份有限公司 | Examine the method and system of SSL certificate |
-
2019
- 2019-03-21 CN CN201910217655.7A patent/CN109831311B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101742508A (en) * | 2009-12-21 | 2010-06-16 | 中兴通讯股份有限公司 | System and method for transmitting files between WAPI terminal and application server |
| US20170324567A1 (en) * | 2014-12-16 | 2017-11-09 | Panasonic Intellectual Property Management Co., Lt d. | Signature verification device, signature generation device, signature processing system, signature verification method, and signature generation method |
| CN106161366A (en) * | 2015-04-03 | 2016-11-23 | 上海庆科信息技术有限公司 | The method and system that a kind of SSL of minimizing takes up room |
| CN107360124A (en) * | 2016-05-10 | 2017-11-17 | 普天信息技术有限公司 | Access authentication method and device, WAP and user terminal |
| CN108259406A (en) * | 2016-12-28 | 2018-07-06 | 中国电信股份有限公司 | Examine the method and system of SSL certificate |
| CN106685983A (en) * | 2017-01-13 | 2017-05-17 | 华北计算技术研究所(中国电子科技集团公司第十五研究所) | Data recovery method and device based on SSL protocol |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110868291A (en) * | 2019-11-26 | 2020-03-06 | 普联技术有限公司 | Data encryption transmission method, device, system and storage medium |
| CN111131215A (en) * | 2019-12-18 | 2020-05-08 | 深圳市任子行科技开发有限公司 | Non-perception audit deployment method and device |
| CN110971616A (en) * | 2019-12-24 | 2020-04-07 | 广州市百果园信息技术有限公司 | Connection establishing method based on secure transport layer protocol, client and server |
| CN110971616B (en) * | 2019-12-24 | 2022-04-01 | 广州市百果园信息技术有限公司 | Connection establishing method based on secure transport layer protocol, client and server |
| CN111698682A (en) * | 2020-06-12 | 2020-09-22 | 深圳天度物联信息技术有限公司 | Data transmission method based on public WiFi network environment, server and storage medium |
| CN111935169A (en) * | 2020-08-20 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Business data access method, device, equipment and storage medium |
| CN113381855A (en) * | 2021-06-11 | 2021-09-10 | 上海哔哩哔哩科技有限公司 | Communication method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109831311B (en) | 2022-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109831311A (en) | A kind of server validation method, system, user terminal and readable storage medium storing program for executing | |
| CN105450406B (en) | The method and apparatus of data processing | |
| CN105933353B (en) | The realization method and system of secure log | |
| WO2018050081A1 (en) | Device identity authentication method and apparatus, electric device, and storage medium | |
| CN109309565A (en) | A kind of method and device of safety certification | |
| US20190165947A1 (en) | Signatures for near field communications | |
| CN107317677B (en) | Secret key storage and equipment identity authentication method and device | |
| CN109067528A (en) | Crypto-operation, method, cryptographic service platform and the equipment for creating working key | |
| EP2304636A1 (en) | Mobile device assisted secure computer network communications | |
| JP2012530311A5 (en) | ||
| CN109729523A (en) | A kind of method and apparatus of terminal networking certification | |
| JP2005196776A (en) | Safe data communication method and its system between communication terminal and communication equipment | |
| CN109417545A (en) | For downloading the technology of network insertion profile | |
| CN112989426B (en) | Authorization authentication method and device, and resource access token acquisition method | |
| CN110868294B (en) | Key updating method, device and equipment | |
| CN109347625A (en) | Crypto-operation, method, cryptographic service platform and the equipment for creating working key | |
| CN109361508A (en) | Data transmission method, electronic equipment and computer readable storage medium | |
| EP2827529B1 (en) | Method, device, and system for identity authentication | |
| CN109218334A (en) | Data processing method, device, access control equipment, certificate server and system | |
| CN105791244B (en) | For the method for routing change, border router and system between control domain | |
| CN112422500A (en) | Cross-platform data transmission method and device, storage medium and electronic device | |
| CN109272314A (en) | A kind of safety communicating method and system cooperateing with signature calculation based on two sides | |
| KR101358375B1 (en) | Prevention security system and method for smishing | |
| CN105430649B (en) | WIFI cut-in method and equipment | |
| CN105578464B (en) | A kind of WLAN certificate identification method, the apparatus and system of enhancing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |