CN111510302A - Method and system for improving certificate verification efficiency in secure communication protocol - Google Patents
Method and system for improving certificate verification efficiency in secure communication protocol
- Publication number
- CN111510302A (CN202010291613.0A)
- Authority
- CN
- China
- Prior art keywords
- certificate
- equipment
- cache list
- signature value
- module
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Abstract
The invention discloses a method for improving certificate verification efficiency in a secure communication protocol, which comprises the following steps: the first device receives the certificate from the second device and judges whether a cache list exists in the first device; if so, the first device judges whether a digest value of the certificate exists in the cache list; if not, the first device verifies whether the certificate signature value is valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the result, and the process ends. The invention solves the technical problem that certificate verification in existing secure communication protocols performs a certificate validity check on the same certificate in every handshake/negotiation process, which occupies considerable processor time, increases the operation overhead of the system, and reduces the certificate verification efficiency of the secure communication protocol.
Description
Technical Field
The invention belongs to the technical field of information security and internet communication, and particularly relates to a method and a system for improving certificate verification efficiency in a secure communication protocol.
Background
The existing secure communication protocols mainly include the Secure Sockets Layer (SSL for short) protocol, its successor the Transport Layer Security (TLS for short) protocol, and the IPSec protocol. SSL/TLS is a security protocol that provides security and data integrity for network communication. The SSL/TLS protocol includes a handshake protocol, a change cipher spec protocol, an alert protocol and a record layer protocol, and provides confidentiality and integrity of data, identity authentication, and resistance to replay attacks on the data source for the network communication process. Internet Protocol Security (IPSec for short) is a protocol family (a collection of interrelated protocols) that protects the network transport of the IP protocol by encrypting and authenticating IP packets.
In the certificate verification of existing secure communication protocols, the RFC specifications issued by the Internet Engineering Task Force (IETF for short) specify that the client (initiator) or the server (responder) needs to perform the validity check on the same signature certificate sent by the opposite party in each handshake/negotiation process between the two parties. The GM/T0024 SSL VPN specification and the GM/T0022 IPSec VPN specification, issued by the Chinese national cryptography administration in 2014, also specify that the client (initiator) or the server (responder) needs to perform the validity check on the same signature certificate and the same encryption certificate sent by the opposite party in each handshake/negotiation process between the two parties.
However, the above procedure of performing the certificate validity check on the same certificate in each handshake/negotiation procedure takes a long time, which increases the operation overhead of the system and reduces the efficiency of the certificate verification of the secure communication protocol.
Disclosure of Invention
The present invention provides a method and a system for improving certificate verification efficiency in a secure communication protocol, aiming at solving the technical problems that the handshake/negotiation process in the existing secure communication protocol needs to perform certificate validity verification in each handshake/negotiation process aiming at the same certificate, which results in considerable occupation of processor operation time, increases system operation overhead, and reduces efficiency of the handshake/negotiation process in the secure communication protocol.
To achieve the above object, according to one aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and judges whether a cache list exists in the first device; if not, it proceeds to step (2), and if so, it proceeds to step (3);
(2) The first device establishes a cache list and checks whether the certificate signature value is valid; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends;
(3) The first device calculates the digest value of the certificate received in step (1) and judges whether the digest value of the certificate exists in the cache list; if so, it proceeds to step (4), and if not, it proceeds to step (5);
(4) The first device obtains the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues the handshake/negotiation using the result, and the process ends;
(5) The first device checks whether the certificate signature value is valid; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using the result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
Preferably, after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation continues using the result, and the process is ended, otherwise, alarm information is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
Preferably, the secure communication protocol may be the SSL/TLS protocol or the IPSec protocol;
when the secure communication protocol is the SSL/TLS protocol, the first device and the second device can each be a client or a server: when the first device is the client, the second device is the server, and when the first device is the server, the second device is the client;
when the secure communication protocol is the IPSec protocol, the first device and the second device can each be an initiator or a responder: when the first device is the initiator, the second device is the responder, and when the first device is the responder, the second device is the initiator.
Preferably, the process of constructing the cache list is to store the digest value of the certificate and the certificate signature value validity verification result in a table as key-value pairs.
Preferably, other attributes of the certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, and the like.
According to another aspect of the present invention, there is provided a system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
a first module, arranged in the first device, for receiving the certificate from the second device and judging whether a cache list exists in the first device; if not, the second module is entered, and if so, the third module is entered;
a second module, arranged in the first device, for constructing a cache list and verifying whether the certificate signature value is valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends;
a third module, arranged in the first device, for calculating the digest value of the certificate received by the first module and judging whether the digest value of the certificate exists in the cache list; if so, the fourth module is entered, otherwise the fifth module is entered;
a fourth module, arranged in the first device, for obtaining the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continuing the handshake/negotiation using the result, and ending the process;
a fifth module, arranged in the first device, for verifying whether the certificate signature value is valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
According to still another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and judges whether a cache list exists in the first device; if not, it proceeds to step (2), and if so, it proceeds to step (3);
(2) The first device establishes a cache list and checks whether the certificate signature value is valid; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends;
(3) The first device calculates the digest value of the certificate received in step (1) and judges whether the digest value of the certificate exists in the cache list; if so, it proceeds to step (4), and if not, it proceeds to step (6);
(4) The first device obtains the certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then proceeds to step (5);
(5) The first device calculates the difference between the current timestamp and the duration of a preset timer and judges whether the difference is greater than or equal to the storage time recorded for the certificate in the cache list; if so, it proceeds to step (6); otherwise, it continues the handshake/negotiation using the certificate signature value validity verification result obtained in step (4), and the process ends;
(6) The first device checks whether the certificate signature value is valid; if so, it adds or updates the digest value of the certificate and the certificate signature value validity verification result in the cache list, continues the handshake/negotiation using the result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
Preferably, when the difference value is smaller than the storage time of the certificate in the cache list in step (5), the first device checks whether the other attributes of the certificate, apart from the certificate signature value, are valid; if so, the certificate signature value of the certificate is used to update the certificate signature value corresponding to the certificate in the cache list, the current timestamp replaces the storage time recorded for the certificate in the cache list, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, after the first device verifies that the certificate signature value is valid in step (2) and/or step (6), the first device verifies whether the other attributes of the certificate, apart from the certificate signature value, are valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
According to another aspect of the present invention, there is provided a system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
a first module, arranged in the first device, for receiving the certificate from the second device and judging whether a cache list exists in the first device; if not, the second module is entered, and if so, the third module is entered;
a second module, arranged in the first device, for constructing a cache list and verifying whether the certificate signature value is valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends;
a third module, arranged in the first device, for calculating the digest value of the certificate received by the first module and judging whether the digest value of the certificate exists in the cache list; if so, the fourth module is entered, and if not, the sixth module is entered;
a fourth module, arranged in the first device, for obtaining the certificate signature value validity verification result from the cache list according to the digest value of the certificate and entering the fifth module;
a fifth module, for calculating the difference between the current timestamp and the duration of a preset timer and determining whether the difference is greater than or equal to the storage time recorded for the certificate in the cache list; if so, the sixth module is entered; otherwise, the handshake/negotiation continues using the certificate signature value validity verification result obtained in the fourth module, and the process ends;
a sixth module, arranged in the first device, for checking whether the certificate signature value is valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) the invention stores the signature value of the certificate by using the cache list, and only carries out validity check on other attributes of the certificate except the signature value of the certificate in the subsequent validity check process of the certificate, thereby reducing the operation time of a processor, reducing the system overhead and improving the certificate verification efficiency.
(2) The invention uses a timer mechanism to update the cache list dynamically. Once the configured timing duration has elapsed from a given point in time, the timer mechanism checks each entry in the cache list; each entry contains the time at which the certificate was added to the cache list. The mechanism judges whether the storage time at which the certificate was added to the cache list plus the timing duration is less than the current timestamp; if so, the certificate is re-verified and its digest value and certificate signature value validity verification result are updated in the cache list; otherwise, nothing is done for that certificate. Therefore, the verification state of the certificate can be updated regularly during the handshake/negotiation process of the secure communication protocol, which improves flexibility and correctness.
Drawings
FIG. 1 is a flowchart of a method for improving certificate verification efficiency in a secure communication protocol according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a method for improving the efficiency of certificate verification in a secure communication protocol according to a second embodiment of the present invention;
FIG. 3 is a schematic diagram of the cache list constructed in step (2) of the method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The basic idea of the invention is to establish a certificate verification cache mechanism in the certificate verification stage of the handshake/negotiation process of a secure communication protocol: a peer certificate that has passed verification is added to a certificate verification cache list according to a certificate attribute combination and a timestamp configured by the user, and a validity period is set for the certificate verification cache. The next time a handshake/negotiation is performed with the same certificate, the certificate verification cache list is queried first; if the certificate is present and its cache time is still valid, the certificate signature value verification step is skipped and the other attributes of the certificate are verified. If the certificate is not present in the certificate verification cache list, the certificate is verified, the verification result is added to the certificate verification cache list according to the certificate attribute combination and the timestamp configured by the user, and the subsequent handshake/negotiation process is then carried out.
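The cache behaviour described above can be sketched as follows. This is an added example, not code from the patent: the `Cert` record, the `CertVerifyCache` class and the return strings are hypothetical, and an HMAC under a constructed demo key stands in for the costly public-key check of the CA signature.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed stand-in: an HMAC under a demo key plays the role of the costly
# public-key check of the CA's signature. It is not a real certificate format.
CA_KEY = b"constructed-demo-ca-key"


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: int
    not_after: int
    signature: bytes = b""

    def tbs(self) -> bytes:
        """Signed portion of the (hypothetical) certificate."""
        return f"{self.subject}|{self.not_before}|{self.not_after}".encode()

    def encoded(self) -> bytes:
        """Full encoding including the signature; this is what gets digested."""
        return self.tbs() + b"|" + self.signature


def issue(subject: str, not_before: int, not_after: int) -> Cert:
    cert = Cert(subject, not_before, not_after)
    sig = hmac.new(CA_KEY, cert.tbs(), hashlib.sha256).digest()
    return replace(cert, signature=sig)


class CertVerifyCache:
    def __init__(self, timer_seconds: int):
        self.timer = timer_seconds
        self.entries = {}            # digest -> (signature_ok, storage_time)
        self.signature_checks = 0    # counts the expensive operation

    def _verify_signature(self, cert: Cert) -> bool:
        self.signature_checks += 1
        expected = hmac.new(CA_KEY, cert.tbs(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.signature)

    @staticmethod
    def _other_attributes_ok(cert: Cert, now: int) -> bool:
        # Only the validity period is modelled here; status, issuer, serial
        # number and key usage would be checked at the same point.
        return cert.not_before <= now <= cert.not_after

    def check(self, cert: Cert, now: int) -> str:
        # The key is a digest of the whole encoding, so any change to the
        # certificate bytes misses the cache and forces a full verification.
        digest = hashlib.sha256(cert.encoded()).hexdigest()
        entry = self.entries.get(digest)
        # Timer test from step (5): the entry is stale when
        # (current timestamp - timer duration) >= storage time.
        fresh = entry is not None and (now - self.timer) < entry[1]
        if not fresh:
            if not self._verify_signature(cert):
                self.entries.pop(digest, None)
                return "alert:bad-signature"   # failures are never cached
        # Attributes other than the signature are checked on every handshake,
        # cached or not, so an expired certificate cannot ride on a cache hit.
        if not self._other_attributes_ok(cert, now):
            return "alert:bad-attributes"
        if fresh:
            return "cached"
        self.entries[digest] = (True, now)
        return "verified"


def demo():
    cache = CertVerifyCache(timer_seconds=600)      # 10-minute timer
    server = issue("CN=server.example", 0, 10_000)  # constructed sample certs
    tampered = replace(server, subject="CN=other.example")
    short = issue("CN=short.example", 0, 1_000)
    steps = [(server, 100), (server, 200), (server, 700),
             (tampered, 710), (short, 900), (short, 1_001)]
    return [(cache.check(c, t), cache.signature_checks) for c, t in steps]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The counter in each tuple shows that the signature check runs only on a miss or a stale entry, while the expired certificate in the last step is rejected even though its signature result is still cached.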
To facilitate understanding of the present invention, the technical terms used are explained first:
Client: the user who sends the first round of exchange information during SSL protocol operation.
Server: the user who does not send the first round of exchange information during SSL protocol operation.
Initiator: the user who sends the first round of exchange information during IPSec protocol operation.
Responder: the user who does not send the first round of exchange information during IPSec protocol operation.
The invention is applied to the certificate checking process in the client and server handshake phase of the SSL/TLS protocol or in the negotiation phase between the initiator and the responder of the IPSec protocol.
As shown in fig. 1, according to an aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and judges whether a cache list exists in the first device; if not, it proceeds to step (2), and if so, it proceeds to step (3);
Specifically, the secure communication protocol of the present invention may be the SSL/TLS protocol or the IPSec protocol.
When the secure communication protocol of the present invention is the SSL/TLS protocol, the first device and the second device may each be a client or a server: the second device is the server when the first device is the client, and the second device is the client when the first device is the server.
When the secure communication protocol of the present invention is the IPSec protocol, the first device and the second device may be an Initiator (Initiator) or a Responder (Responder), and when the first device is the Initiator, the second device is the Responder, and when the first device is the Responder, the second device is the Initiator.
In the present invention, the certificate is a signed certificate, or a signed certificate and an encrypted certificate.
(2) The first device establishes a cache list and checks whether the certificate signature value is valid; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
The process of constructing the cache list is to store the digest value of the certificate and the certificate signature value validity verification result in a table as key-value pairs.
In particular, other attributes of a certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, and the like.
(3) The first device calculates the digest value of the certificate received in step (1) and judges whether the digest value of the certificate exists in the cache list; if so, it proceeds to step (4), and if not, it proceeds to step (5);
(4) The first device obtains the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues the handshake/negotiation using the result, and the process ends;
(5) The first device checks whether the certificate signature value is valid; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using the result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
More preferably, after the first device verifies that the certificate signature value is valid in step (2) and/or step (5), the first device verifies whether the other attributes of the certificate, apart from the certificate signature value, are valid; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
For example, to verify the serial number or the user of the certificate, the serial number or the user information is sent to a Certificate Authority (CA), which returns a verification result, or it is looked up against a locally stored CA certificate.
As shown in fig. 2, according to another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment builds a cache list and checks whether the certificate signature value is legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, and the handshake/negotiation is continued by using the certificate signature value validity verification result, the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended;
(3) the first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the first equipment acquires a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) the first device calculates the difference between the current timestamp and the duration of a preset timer, and judges whether the difference is greater than or equal to the corresponding storage time of the certificate in the cache list, if so, the step (6) is carried out, otherwise, the validity verification result of the certificate signature value obtained in the step (4) is utilized to continue handshake/negotiation, and the process is ended;
specifically, the duration of the preset timer is between 1 minute and 60 minutes.
The purpose of this step is to dynamically update the cache list by using a timer mechanism. After a configured timing duration elapses from a certain time point, the timer mechanism checks each entry in the cache list, which contains the time when the certificate was added to the cache list, and judges whether the storage time at which the certificate was added to the cache list plus the timing duration is less than the current timestamp; if so, the certificate is re-checked and its digest value and certificate signature value validity verification result are updated in the cache list; otherwise, nothing is done to the cache list.
(6) the first equipment checks whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added/updated into a cache list, the handshake/negotiation is continued by using the result, and the process is ended; otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
As a further preferred, when the difference value is smaller than the storage time of the certificate corresponding to the cache list in step (5), the first device checks whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the certificate signature value of the certificate is used to update the certificate signature value corresponding to the certificate in the cache list, and the current timestamp is used to replace the storage time of the certificate corresponding to the cache list, and the process is ended, otherwise, the method sends alarm information to the second device, disconnects handshake/negotiation with the second device, and ends the process.
As a further preferred, after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation continues using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
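An added example, not part of the patent text: a sketch of the second method, steps (1) to (6), with the non-signature attributes checked on every path. The digest algorithm (SHA-256), the class and function names, and the constructed "certificates" with their stand-in checks are assumptions; unlike the preferred variant, a fresh cache hit does not replace the storage time, so the signature is re-verified at least once per timer period.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class HandshakeAbort(Exception):
    """Stands for 'send alarm information to the second device and disconnect'."""


@dataclass
class CacheEntry:
    signature_ok: bool  # cached certificate signature value validity result
    stored_at: float    # storage time of the entry in the cache list


class CertVerificationCache:
    """Hypothetical first-device verifier; not code from the patent."""

    def __init__(self, verify_signature: Callable[[bytes], bool],
                 check_attributes: Callable[[bytes, float], bool],
                 timer_seconds: float = 600.0,
                 clock: Callable[[], float] = time.time):
        if not 60 <= timer_seconds <= 3600:  # page: timer is 1 to 60 minutes
            raise ValueError("timer must be between 1 and 60 minutes")
        self.verify_signature = verify_signature
        self.check_attributes = check_attributes
        self.timer = timer_seconds
        self.clock = clock
        self.cache: Optional[Dict[bytes, CacheEntry]] = None  # built in step (2)
        self.signature_checks = 0  # counts the expensive operation

    def handle_certificate(self, cert: bytes) -> str:
        now = self.clock()
        # Digest over the whole encoded certificate (SHA-256 is an assumption).
        digest = hashlib.sha256(cert).digest()
        if self.cache is None:          # steps (1)-(2): no cache list yet
            self.cache = {}
        entry = self.cache.get(digest)  # step (3): look the digest up
        # Step (5): the entry is stale when (now - timer) >= its storage time.
        if entry is None or now - self.timer >= entry.stored_at:
            return self._full_verify(cert, digest, now)  # step (6)
        # Step (4), fresh hit: reuse the cached signature result, but still
        # check the other attributes (validity period, status, and so on).
        if not entry.signature_ok or not self.check_attributes(cert, now):
            raise HandshakeAbort("attribute check failed on cached certificate")
        return "cache-hit"

    def _full_verify(self, cert: bytes, digest: bytes, now: float) -> str:
        self.signature_checks += 1
        if not self.verify_signature(cert):
            raise HandshakeAbort("certificate signature value is not legal")
        if not self.check_attributes(cert, now):
            raise HandshakeAbort("certificate attribute check failed")
        self.cache[digest] = CacheEntry(True, now)  # add or update the entry
        return "verified"


# Constructed stand-ins so the sketch runs offline. The sample "certificates"
# are plain byte strings of the form b"subject=...;not_after=...;sig=...",
# not X.509; a real deployment would call its TLS/IPSec library here.
def demo_verify_signature(cert: bytes) -> bool:
    return cert.endswith(b";sig=good")


def demo_check_attributes(cert: bytes, now: float) -> bool:
    fields = dict(f.split("=", 1) for f in cert.decode().split(";"))
    return now <= float(fields["not_after"])
```
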
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment establishes a cache list and checks whether the certificate signature value is legal; if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, continues handshake/negotiation by using the certificate signature value validity verification result, and ends the process; otherwise, sends alarm information to the second equipment, disconnects handshake/negotiation with the second equipment, and ends the process;
(3) the first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (5) is carried out;
(4) the first equipment acquires the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues handshaking/negotiation by using the result, and ends the process;
(5) the first equipment checks whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added into a cache list, the handshake/negotiation is continued by using the result, and the process is ended; otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
2. The method according to claim 1, wherein after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes of the certificate except the certificate signature value are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation is continued using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
3. The method of improving the efficiency of certificate verification in a secure communication protocol according to claim 1,
the secure communication protocol can be SSL/TLS protocol or IPSec protocol;
when the secure communication protocol is the SSL/TLS protocol, the first device and the second device can be a client or a server, when the first device is the client, the second device is the server, and when the first device is the server, the second device is the client;
the first device and the second device may be an initiator or a responder when the secure communication protocol is an IPSec protocol, the second device is a responder when the first device is an initiator, and the second device is an initiator when the first device is a responder.
4. The method according to claim 1, wherein the step of constructing the storage list includes storing the digest value of the certificate and the validity verification result of the signature value of the certificate in a table in a key-value pair manner.
5. The method of claim 2, wherein the other attributes of the certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, etc.
6. A system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
the first module is arranged in the first equipment and used for receiving the certificate from the second equipment and judging whether a cache list exists in the first equipment, if not, the first module enters the second module, and if so, the first module enters the third module;
the second module is arranged in the first equipment and used for constructing a cache list and verifying whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, the handshake/negotiation is continued by using the certificate signature value validity verification result, and the process is ended; otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended;
the third module is arranged in the first device and is used for calculating the digest value of the certificate received by the first module, and judging whether the digest value of the certificate exists in the cache list, if so, entering the fourth module, otherwise, entering the fifth module;
the fourth module is arranged in the first device and used for acquiring a certificate signature value validity verification result from the cache list according to the digest value of the certificate, continuing handshaking/negotiation by using the result and ending the process;
the fifth module is arranged in the first device and is used for verifying whether the certificate signature value is legal; if so, adding the digest value of the certificate and the certificate signature value validity verification result into the cache list, continuing handshaking/negotiating by using the result, and ending the process; otherwise, sending alarm information to the second device, disconnecting the handshaking/negotiating with the second device, and ending the process.
7. A method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment establishes a cache list and checks whether the certificate signature value is legal; if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, continues handshake/negotiation by using the certificate signature value validity verification result, and ends the process; otherwise, sends alarm information to the second equipment, disconnects handshake/negotiation with the second equipment, and ends the process;
(3) the first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the first equipment acquires a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) the first device calculates the difference between the current timestamp and the duration of a preset timer, and judges whether the difference is greater than or equal to the corresponding storage time of the certificate in the cache list, if so, the step (6) is carried out, otherwise, the validity verification result of the certificate signature value obtained in the step (4) is utilized to continue handshake/negotiation, and the process is ended;
(6) the first equipment checks whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added/updated into a cache list, the handshake/negotiation is continued by using the result, and the process is ended; otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
8. The method according to claim 7, wherein when the difference is smaller than the storage time of the certificate in the cache list in step (5), the first device checks whether other attributes of the certificate except the certificate signature value are legal, if so, the certificate signature value of the certificate is used to update the certificate signature value corresponding to the certificate in the cache list, and the current timestamp is used to replace the storage time of the certificate in the cache list, and the process is ended, otherwise, the second device sends alarm information, and disconnects handshake/negotiation with the second device, and the process is ended.
9. The method according to claim 7, wherein after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes of the certificate except the certificate signature value are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation is continued using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
10. A system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
the first module is arranged in the first equipment and used for receiving the certificate from the second equipment and judging whether a cache list exists in the first equipment, if not, the first module enters the second module, and if so, the first module enters the third module;
the second module is arranged in the first equipment and used for constructing a cache list and verifying whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, the handshake/negotiation is continued by using the certificate signature value validity verification result, and the process is ended; otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended;
the third module is arranged in the first equipment and used for calculating the digest value of the certificate received by the first module and judging whether the digest value of the certificate exists in the cache list or not, if so, the fourth module is accessed, and if not, the sixth module is accessed;
the fourth module is arranged in the first device and used for acquiring a certificate signature value validity verification result from the cache list according to the digest value of the certificate and then entering the fifth module;
a fifth module, which is arranged in the first device, and is configured to calculate a difference between the current timestamp and a duration of a preset timer, and determine whether the difference is greater than or equal to a corresponding storage time of the certificate in the cache list, if so, enter the sixth module, otherwise, continue handshake/negotiation by using a certificate signature value validity verification result obtained in the fourth module, and the process is ended;
the sixth module is arranged in the first device and is configured to check whether the certificate signature value is legal; if so, add the digest value of the certificate and the certificate signature value validity verification result to the cache list, continue handshaking/negotiating using the result, and end the process; otherwise, send alarm information to the second device, disconnect the handshaking/negotiating with the second device, and end the process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010291613.0A CN111510302B (en) | 2020-04-14 | 2020-04-14 | Method and system for improving certificate verification efficiency in secure communication protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010291613.0A CN111510302B (en) | 2020-04-14 | 2020-04-14 | Method and system for improving certificate verification efficiency in secure communication protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111510302A true CN111510302A (en) | 2020-08-07 |
CN111510302B CN111510302B (en) | 2023-11-14 |
Family
ID=71864016
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010291613.0A Active CN111510302B (en) | 2020-04-14 | 2020-04-14 | Method and system for improving certificate verification efficiency in secure communication protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111510302B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113556738A (en) * | 2021-07-23 | 2021-10-26 | 广州鲁邦通物联网科技有限公司 | Key negotiation method between DTU (data transfer unit) equipment and node equipment, DTU equipment, node equipment and key negotiation system |
CN117176347A (en) * | 2023-11-02 | 2023-12-05 | 深圳市亲邻科技有限公司 | Mobile application certificate verification method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102279880A (en) * | 2011-07-28 | 2011-12-14 | 深圳市五巨科技有限公司 | Method and system for updating cache in real time |
CN106603229A (en) * | 2016-12-26 | 2017-04-26 | 北京小米移动软件有限公司 | Method and device for generating signature information |
CN106911477A (en) * | 2015-12-23 | 2017-06-30 | 上海格尔软件股份有限公司 | The accelerated method of its result is cached for digital certificate authentication equipment at a slow speed |
CN107026738A (en) * | 2016-02-01 | 2017-08-08 | 阿里巴巴集团控股有限公司 | Digital certificate updating method, digital signature verification method and digital authentication device |
US20190253444A1 (en) * | 2017-05-26 | 2019-08-15 | Shenyang Institute Of Automation, Chinese Academy Of Sciences | Dynamic security method and system based on multi-fusion linkage response |
2020
- 2020-04-14 CN CN202010291613.0A patent/CN111510302B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102279880A (en) * | 2011-07-28 | 2011-12-14 | 深圳市五巨科技有限公司 | Method and system for updating cache in real time |
CN106911477A (en) * | 2015-12-23 | 2017-06-30 | 上海格尔软件股份有限公司 | The accelerated method of its result is cached for digital certificate authentication equipment at a slow speed |
CN107026738A (en) * | 2016-02-01 | 2017-08-08 | 阿里巴巴集团控股有限公司 | Digital certificate updating method, digital signature verification method and digital authentication device |
CN106603229A (en) * | 2016-12-26 | 2017-04-26 | 北京小米移动软件有限公司 | Method and device for generating signature information |
US20190253444A1 (en) * | 2017-05-26 | 2019-08-15 | Shenyang Institute Of Automation, Chinese Academy Of Sciences | Dynamic security method and system based on multi-fusion linkage response |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113556738A (en) * | 2021-07-23 | 2021-10-26 | 广州鲁邦通物联网科技有限公司 | Key negotiation method between DTU (data transfer unit) equipment and node equipment, DTU equipment, node equipment and key negotiation system |
CN117176347A (en) * | 2023-11-02 | 2023-12-05 | 深圳市亲邻科技有限公司 | Mobile application certificate verification method and system |
CN117176347B (en) * | 2023-11-02 | 2024-02-06 | 深圳市亲邻科技有限公司 | Mobile application certificate verification method and system |
Also Published As
Publication number | Publication date |
---|---|
CN111510302B (en) | 2023-11-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109561066B (en) | Data processing method and device, terminal and access point computer | |
CN111314056B (en) | Heaven and earth integrated network anonymous access authentication method based on identity encryption system | |
KR100953095B1 (en) | Super peer based peer-to-peer network system and peer authentication method therefor | |
US20060236091A1 (en) | Encryption method for SIP message and encrypted SIP communication system | |
CN100512201C (en) | Method for dealing inserted-requested message of business in groups | |
US8274401B2 (en) | Secure data transfer in a communication system including portable meters | |
CN103503408A (en) | System and method for providing access credentials | |
CN111884811B (en) | Block chain-based data evidence storing method and data evidence storing platform | |
CN113612610B (en) | Session key negotiation method | |
WO2011026296A1 (en) | Method for authenticating entities by introducing an on-line trusted third party | |
CN110808829A (en) | SSH authentication method based on key distribution center | |
CN112968910B (en) | Replay attack prevention method and device | |
CN109729000B (en) | Instant messaging method and device | |
CN111510302A (en) | Method and system for improving certificate verification efficiency in secure communication protocol | |
CN112769854A (en) | Security protocol authentication method and system supporting multiple kinds of digital identity information | |
CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
CN113539523B (en) | Internet of things equipment identity authentication method based on domestic commercial cryptographic algorithm | |
CN113596147B (en) | Message pushing method, device, equipment and storage medium | |
CN213938340U (en) | 5G application access authentication network architecture | |
CN111598558B (en) | Billing method, billing node server and payer node server | |
CN105681364B (en) | A kind of IPv6 mobile terminal attack resistance method based on enhancing binding | |
CN110532741B (en) | Personal information authorization method, authentication center and service provider | |
CN115296847B (en) | Flow control method, flow control device, computer equipment and storage medium | |
KR20130036523A (en) | Apparatus and method for transmitting/receiving remote authentication dial in user service packets in a network system | |
JP5118834B2 (en) | Fraud check system for time authentication service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||