CN111510302A - Method and system for improving certificate verification efficiency in secure communication protocol - Google Patents


Info

Publication number: CN111510302A
Application number: CN202010291613.0A
Priority: CN202010291613.0A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111510302B (en)
Legal status: Granted, active
Inventors: 朱东明, 乔海权, 张庆勇
Current assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd
Original assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd
Prior art keywords: certificate, equipment, cache list, signature value, module

Classifications

    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses a method for improving certificate verification efficiency in a secure communication protocol, comprising the following steps: the first device receives a certificate from the second device and determines whether a cache list exists on the first device; if so, the first device determines whether the digest value of the certificate exists in the cache list; if not, the first device verifies whether the certificate signature value is valid; if it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends. The invention addresses the technical problem that certificate verification in existing secure communication protocols requires a certificate validity check for the same certificate in every handshake/negotiation, which consumes considerable processor time, increases system overhead, and reduces the efficiency of certificate verification in the secure communication protocol.

Description

Method and system for improving certificate verification efficiency in secure communication protocol
Technical Field
The invention belongs to the technical field of information security and internet communication, and particularly relates to a method and a system for improving certificate verification efficiency in a secure communication protocol.
Background
Existing secure communication protocols mainly include the Secure Sockets Layer (SSL) protocol, its successor the Transport Layer Security (TLS) protocol, and the IPSec protocol. SSL/TLS is a security protocol that provides security and data integrity for network communication; it comprises a handshake protocol, a change cipher spec protocol, an alert protocol and a record layer protocol, and provides confidentiality and integrity of data, identity authentication of the data source, and resistance to replay attacks for the network communication process. Internet Protocol Security (IPSec for short) is a family of network transport protocols (a collection of interrelated protocols) that protects the IP protocol by encrypting and authenticating IP packets.
In the certificate verification of existing secure communication protocols, the RFC specifications issued by the Internet Engineering Task Force (IETF for short) specify that the client (initiator) or the server (responder) must check the validity of the same signature certificate sent by the peer in every handshake/negotiation between the two parties. The GM/T0024 SSL VPN specification and the GM/T0022 IPSec VPN specification, issued by the Chinese national crypto-administration in 2014, likewise specify that the client (initiator) or the server (responder) must check the validity of the same signature certificate and the same encryption certificate sent by the peer in every handshake/negotiation between the two parties.
However, the above procedure of performing the certificate validity check on the same certificate in each handshake/negotiation procedure takes a long time, which increases the operation overhead of the system and reduces the efficiency of the certificate verification of the secure communication protocol.
Disclosure of Invention
The present invention provides a method and a system for improving certificate verification efficiency in a secure communication protocol, aiming at solving the technical problems that the handshake/negotiation process in the existing secure communication protocol needs to perform certificate validity verification in each handshake/negotiation process aiming at the same certificate, which results in considerable occupation of processor operation time, increases system operation overhead, and reduces efficiency of the handshake/negotiation process in the secure communication protocol.
To achieve the above object, according to one aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and determines whether a cache list exists on the first device; if not, go to step (2); if so, go to step (3).
(2) The first device builds a cache list and checks whether the certificate signature value is valid. If it is, the first device adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using that result, and the process ends; otherwise, it sends alert information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether that digest value exists in the cache list; if so, go to step (4); if not, go to step (5).
(4) The first device retrieves the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues the handshake/negotiation using that result, and the process ends.
(5) The first device checks whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, after the first device has verified in step (2) and/or step (5) that the certificate signature value is valid, it also checks whether the attributes of the certificate other than the certificate signature value are valid. If they are, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, the secure communication protocol may be the SSL/TLS protocol or the IPSec protocol.
When the secure communication protocol is the SSL/TLS protocol, the first device and the second device may each be a client or a server: when the first device is the client, the second device is the server, and when the first device is the server, the second device is the client.
When the secure communication protocol is the IPSec protocol, the first device and the second device may each be an initiator or a responder: when the first device is the initiator, the second device is the responder, and when the first device is the responder, the second device is the initiator.
Preferably, the cache list is built by storing the digest value of the certificate and the certificate signature value validity verification result in a table as key-value pairs.
Preferably, other attributes of the certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, and the like.
According to another aspect of the present invention, there is provided a system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
A first module, located in the first device, configured to receive the certificate from the second device and determine whether a cache list exists on the first device; if not, control passes to the second module; if so, to the third module.
A second module, located in the first device, configured to build a cache list and check whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
A third module, located in the first device, configured to calculate the digest value of the certificate received by the first module and determine whether that digest value exists in the cache list; if so, control passes to the fourth module; otherwise, to the fifth module.
A fourth module, located in the first device, configured to retrieve the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continue the handshake/negotiation using that result, and end the process.
A fifth module, located in the first device, configured to check whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
According to still another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and determines whether a cache list exists on the first device; if not, go to step (2); if so, go to step (3).
(2) The first device builds a cache list and checks whether the certificate signature value is valid. If it is, the first device adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using that result, and the process ends; otherwise, it sends alert information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether that digest value exists in the cache list; if so, go to step (4); if not, go to step (6).
(4) The first device retrieves the certificate signature value validity verification result from the cache list according to the digest value of the certificate, then goes to step (5).
(5) The first device calculates the difference between the current timestamp and the duration of a preset timer, and determines whether that difference is greater than or equal to the storage time recorded for the certificate in the cache list; if so, go to step (6); otherwise, the handshake/negotiation continues using the certificate signature value validity verification result obtained in step (4), and the process ends.
(6) The first device checks whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to or updated in the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, when the difference in step (5) is smaller than the storage time of the certificate in the cache list, the first device checks whether the attributes of the certificate other than the certificate signature value are valid. If they are, the certificate signature value of the certificate is used to update the certificate signature value stored for that certificate in the cache list, the current timestamp replaces the storage time recorded for the certificate in the cache list, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, after the first device has verified in step (2) and/or step (6) that the certificate signature value is valid, it also checks whether the attributes of the certificate other than the certificate signature value are valid. If they are, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
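The timer-based method of steps (1) to (6) above, as an added Python example that is not part of the patent text. The `ToyCert` structure, the HMAC stand-in for public-key signature verification, the SHA-256 digest, the revocation set and all names are assumptions chosen so that it runs with the standard library only; the signature result alone is cached, and the other attributes are checked on every handshake.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

CA_KEY = b"constructed-demo-ca-key"  # constructed value, used only by this example


@dataclass(frozen=True)
class ToyCert:
    """Constructed stand-in for a certificate (not X.509)."""
    subject: str
    serial: int
    not_before: int
    not_after: int
    signature: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.serial}|{self.not_before}|{self.not_after}".encode()

    def encoded(self) -> bytes:
        # The digest covers the signature too, so altering either part changes the cache key.
        return self.tbs() + b"|" + self.signature


def issue(subject, serial, not_before, not_after):
    unsigned = ToyCert(subject, serial, not_before, not_after)
    tag = hmac.new(CA_KEY, unsigned.tbs(), hashlib.sha256).digest()
    return replace(unsigned, signature=tag)


def verify_signature(cert):
    """Stand-in for the expensive public-key signature check (HMAC keeps this stdlib-only)."""
    expected = hmac.new(CA_KEY, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


class CertVerificationCache:
    def __init__(self, verify, timer_seconds, clock):
        self.verify = verify
        self.timer_seconds = timer_seconds  # the page gives 1 to 60 minutes
        self.clock = clock
        self.cache_list = None              # created on first use, step (2)
        self.signature_checks = 0           # counts the expensive operation

    def check(self, cert, revoked_serials=frozenset()):
        """Return True to continue the handshake, False to alert and disconnect."""
        now = self.clock()
        if self.cache_list is None:                          # steps (1)-(2)
            self.cache_list = {}
        digest = hashlib.sha256(cert.encoded()).hexdigest()  # step (3)
        entry = self.cache_list.get(digest)                  # step (4)
        # Step (5): re-verify when (now - timer duration) >= storage time.
        if entry is None or now - self.timer_seconds >= entry["stored_at"]:
            self.signature_checks += 1                       # step (6)
            if not self.verify(cert):
                self.cache_list.pop(digest, None)
                return False
            self.cache_list[digest] = {"signature_valid": True, "stored_at": now}
        # Attributes other than the signature are never cached.
        if not (cert.not_before <= now <= cert.not_after):
            return False
        return cert.serial not in revoked_serials


def demo():
    t = [1_000]                                   # fake clock, in seconds
    cache = CertVerificationCache(verify_signature, timer_seconds=600, clock=lambda: t[0])
    good = issue("peer.example", 7, 0, 2_000)
    altered = replace(good, subject="other.example")  # signature no longer matches
    out = {}
    out["first"] = (cache.check(good), cache.signature_checks)
    out["cached"] = (cache.check(good), cache.signature_checks)
    out["altered"] = (cache.check(altered), cache.signature_checks)
    out["revoked"] = (cache.check(good, revoked_serials={7}), cache.signature_checks)
    t[0] = 1_600                                  # timer duration elapsed: entry is stale
    out["stale"] = (cache.check(good), cache.signature_checks)
    t[0] = 2_001                                  # cache hit, but the certificate has expired
    out["expired"] = (cache.check(good), cache.signature_checks)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each result pairs the handshake decision with the running count of signature verifications, so the cached, revoked and expired cases show a decision being made without a new signature check.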
According to another aspect of the present invention, there is provided a system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
A first module, located in the first device, configured to receive the certificate from the second device and determine whether a cache list exists on the first device; if not, control passes to the second module; if so, to the third module.
A second module, located in the first device, configured to build a cache list and check whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
A third module, located in the first device, configured to calculate the digest value of the certificate received by the first module and determine whether that digest value exists in the cache list; if so, control passes to the fourth module; if not, to the sixth module.
A fourth module, located in the first device, configured to retrieve the certificate signature value validity verification result from the cache list according to the digest value of the certificate and pass control to the fifth module.
A fifth module, configured to calculate the difference between the current timestamp and the duration of a preset timer, and determine whether that difference is greater than or equal to the storage time recorded for the certificate in the cache list; if so, control passes to the sixth module; otherwise, the handshake/negotiation continues using the certificate signature value validity verification result obtained in the fourth module, and the process ends.
A sixth module, located in the first device, configured to check whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) The invention uses the cache list to store the signature value of the certificate, and in subsequent validity checks of the certificate only the attributes other than the certificate signature value are checked, which reduces processor time, lowers system overhead and improves certificate verification efficiency.
(2) The invention uses a timer mechanism to dynamically update the cache list. Once the configured timer duration has elapsed from a given point in time, the timer mechanism checks each entry in the cache list that records the time at which the certificate was added, and determines whether that storage time plus the timer duration is less than the current timestamp. If so, the certificate is re-verified and its digest value and certificate signature value validity verification result are updated in the cache list; otherwise the certificate is left unprocessed. The verification state of the certificate can therefore be refreshed periodically during the handshake/negotiation process of the secure communication protocol, which improves flexibility and correctness.
Drawings
Fig. 1 is a flowchart of a method for improving certificate verification efficiency in a secure communication protocol according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method for improving certificate verification efficiency in a secure communication protocol according to a second embodiment of the present invention;
Fig. 3 is a schematic diagram of the cache list constructed in step (2) of the method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The basic idea of the invention is to establish a certificate verification cache mechanism in the certificate verification stage of the handshake/negotiation process of a secure communication protocol: a peer certificate that has passed verification is added to a certificate verification cache list according to the certificate attribute combination and timestamp configured by the user, and a validity period is set for the certificate verification cache. The next time the same certificate is presented in a handshake/negotiation, the certificate verification cache list is queried first; if the certificate is present and its cache time is still valid, the certificate signature value verification step is skipped and the other attributes of the certificate are verified. If the certificate is not in the certificate verification cache list, the certificate is verified, the verification result is added to the list according to the certificate attribute combination and timestamp configured by the user, and the subsequent handshake/negotiation process then proceeds.
To facilitate understanding of the present invention, its technical terms are explained first:
Client: the user that sends the first round of exchanged information while the SSL protocol is running.
Server: the user that does not send the first round of exchanged information while the SSL protocol is running.
Initiator: the user that sends the first round of exchanged information while the IPSec protocol is running.
Responder: the user that does not send the first round of exchanged information while the IPSec protocol is running.
The invention applies to the certificate checking process in the handshake phase between client and server of the SSL/TLS protocol, or in the negotiation phase between initiator and responder of the IPSec protocol.
As shown in fig. 1, according to an aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives the certificate from the second device and determines whether a cache list exists on the first device; if not, go to step (2); if so, go to step (3).
Specifically, the secure communication protocol of the present invention may be the SSL/TLS protocol or the IPSec protocol.
When the secure communication protocol of the present invention is the SSL/TLS protocol, the first device and the second device may each be a client or a server: the second device is the server when the first device is the client, and the second device is the client when the first device is the server.
When the secure communication protocol of the present invention is the IPSec protocol, the first device and the second device may each be an initiator or a responder: when the first device is the initiator, the second device is the responder, and when the first device is the responder, the second device is the initiator.
In the present invention, the certificate is a signature certificate, or a signature certificate and an encryption certificate.
(2) The first device builds a cache list and checks whether the certificate signature value is valid. If it is, the first device adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using that result, and the process ends; otherwise, it sends alert information to the second device, disconnects the handshake/negotiation with the second device, and the process ends.
The cache list is built by storing the digest value of the certificate and the certificate signature value validity verification result in a table as key-value pairs.
In particular, other attributes of a certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, and the like.
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether that digest value exists in the cache list; if so, go to step (4); if not, go to step (5).
(4) The first device retrieves the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues the handshake/negotiation using that result, and the process ends.
(5) The first device checks whether the certificate signature value is valid. If it is, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
As a further preference, after the first device has verified in step (2) and/or step (5) that the certificate signature value is valid, it also checks whether the attributes of the certificate other than the certificate signature value are valid. If they are, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using that result, and the process ends; otherwise, alert information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends.
For example, to verify the serial number or the user of the certificate, the serial number or the user information is sent to a Certificate Authority (CA), which returns a verification result, or the locally stored CA certificate is searched.
As shown in fig. 2, according to another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment builds a cache list and checks whether the certificate signature value is legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, and the handshake/negotiation is continued by using the certificate signature value validity verification result, the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended;
(3) the first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the first equipment acquires a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) the first device calculates the difference between the current timestamp and the duration of a preset timer, and judges whether the difference is greater than or equal to the corresponding storage time of the certificate in the cache list, if so, the step (6) is carried out, otherwise, the validity verification result of the certificate signature value obtained in the step (4) is utilized to continue handshake/negotiation, and the process is ended;
Specifically, the duration of the preset timer is between 1 minute and 60 minutes.
The purpose of this step is to update the cache list dynamically by means of a timer mechanism. Once the configured timing duration has elapsed from a given time point, the timer mechanism checks each entry in the cache list, each of which records the time at which the certificate was added to the cache list, and judges whether that storage time plus the timing duration is less than the current timestamp; if so, the certificate is re-checked and its digest value and certificate signature value validity verification result are updated in the cache list, otherwise nothing is done to the cache list.
(6) the first equipment checks whether the certificate signature value is legal or not, if so, the digest value of the certificate and the certificate signature value validity verification result are added/updated into a cache list, and the handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
As a further preferred, when the difference value is smaller than the storage time of the certificate corresponding to the cache list in step (5), the first device checks whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the certificate signature value of the certificate is used to update the certificate signature value corresponding to the certificate in the cache list, and the current timestamp is used to replace the storage time of the certificate corresponding to the cache list, and the process is ended, otherwise, the method sends alarm information to the second device, disconnects handshake/negotiation with the second device, and ends the process.
As a further preferred, after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation continues using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
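The second method above (lookup by digest, timer-based re-verification, and the attribute checks of the preferred variants), as an added Python example that is not code from the patent. The class and function names, the use of SHA-256 for the digest, and the constructed "fields|tag" certificate with an HMAC standing in for the CA signature are assumptions made so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import time

class HandshakeAborted(Exception):
    """Stands in for 'send alarm information and disconnect'."""

class SignatureResultCache:
    """Cache list keyed by certificate digest, following steps (1)-(6)."""

    def __init__(self, verify_signature, check_other_attributes,
                 timer_seconds=600, clock=time.time):
        self._verify_signature = verify_signature
        self._check_other = check_other_attributes
        self._timer = timer_seconds      # the text allows 1 to 60 minutes
        self._clock = clock
        self._entries = None             # step (1): list may not exist yet
        self.signature_checks = 0        # counts the expensive operation

    def accept(self, cert):
        now = self._clock()
        if self._entries is None:        # step (2): build the cache list
            self._entries = {}
        digest = hashlib.sha256(cert).digest()           # step (3)
        entry = self._entries.get(digest)                # step (4)
        # Step (5): stale when (now - timer) >= storage time.
        fresh = entry is not None and now - self._timer < entry[1]
        if not fresh:                                    # step (6)
            self.signature_checks += 1
            if not self._verify_signature(cert):
                raise HandshakeAborted("certificate signature invalid")
        # Only the signature result is cached; the other attributes are
        # checked on every handshake, cache hit or not.
        if not self._check_other(cert, now):
            raise HandshakeAborted("certificate attribute check failed")
        if not fresh:
            # Storage time is set only here, never refreshed on a hit
            # (this example's choice), so a busy peer is still re-verified.
            self._entries[digest] = (True, now)
        return "hit" if fresh else "verified"

# Constructed stand-in certificate: "fields|tag". HMAC replaces the CA's
# asymmetric signature only so the example runs on the standard library.
CA_KEY = b"constructed-demo-key"

def make_cert(subject, not_after):
    body = f"CN={subject};not_after={not_after}".encode()
    return body + b"|" + hmac.new(CA_KEY, body, hashlib.sha256).hexdigest().encode()

def verify_signature(cert):
    body, _, tag = cert.rpartition(b"|")
    expected = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)

def check_other_attributes(cert, now):
    fields = dict(f.split("=", 1) for f in cert.rpartition(b"|")[0].decode().split(";"))
    return now <= int(fields["not_after"])       # validity period only

def demo():
    clock = [1000.0]
    cache = SignatureResultCache(verify_signature, check_other_attributes,
                                 timer_seconds=600, clock=lambda: clock[0])
    cert = make_cert("device-42", not_after=2000)
    results = []
    for t in (1000.0, 1300.0, 1600.0, 2100.0):   # 2100 is past not_after
        clock[0] = t
        try:
            results.append(cache.accept(cert))
        except HandshakeAborted as exc:
            results.append(str(exc))
    return results, cache.signature_checks

if __name__ == "__main__":
    print(demo())
```

The last handshake in demo() is a cache hit on the signature result and is still refused, because the validity period is evaluated outside the cache.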
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment establishes a cache list, checks whether the certificate signature value is legal or not, if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, continues handshake/negotiation by using the certificate signature value validity verification result, and ends the process, otherwise, sends alarm information to the second equipment, and disconnects handshake/negotiation with the second equipment, and ends the process.
(3) The first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (5) is carried out;
(4) the first equipment acquires the certificate signature value validity verification result from the cache list according to the digest value of the certificate, continues handshaking/negotiation by using the result, and ends the process.
(5) The first equipment checks whether the certificate signature value is legal or not, if so, the digest value of the certificate and the certificate signature value validity verification result are added into a cache list, and the handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
2. The method according to claim 1, wherein after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes of the certificate except the certificate signature value are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation is continued using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
3. The method of improving the efficiency of certificate verification in a secure communication protocol according to claim 1,
the secure communication protocol can be the SSL/TLS protocol or the IPSec protocol;
when the secure communication protocol is the SSL/TLS protocol, the first device and the second device can be a client or a server, when the first device is the client, the second device is the server, and when the first device is the server, the second device is the client;
the first device and the second device may be an initiator or a responder when the secure communication protocol is an IPSec protocol, the second device is a responder when the first device is an initiator, and the second device is an initiator when the first device is a responder.
4. The method according to claim 1, wherein the step of constructing the storage list includes storing the digest value of the certificate and the validity verification result of the signature value of the certificate in a table in a key-value pair manner.
5. The method of claim 2, wherein the other attributes of the certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, key usage of the certificate, etc.
6. A system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
the first module is arranged in the first equipment and used for receiving the certificate from the second equipment and judging whether a cache list exists in the first equipment, if not, the first module enters the second module, and if so, the first module enters the third module;
the second module is arranged in the first equipment and used for constructing a cache list and verifying whether the certificate signature value is legal or not, if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, and the handshake/negotiation is continued by using the certificate signature value validity verification result, the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
A third module, which is arranged in the first device and is used for calculating the digest value of the certificate received by the first module, and judging whether the digest value of the certificate exists in the cache list, if so, entering the fourth module, otherwise, entering the fifth module;
the fourth module is arranged in the first device and used for acquiring a certificate signature value validity verification result from the cache list according to the digest value of the certificate, continuing handshaking/negotiation by using the result and ending the process.
A fifth module, which is arranged in the first device and is used for verifying whether the certificate signature value is legal or not, if so, adding the digest value of the certificate and the certificate signature value validity verification result into the cache list, continuing handshaking/negotiating by using the result, and ending the process, otherwise, sending alarm information to the second device, disconnecting the handshaking/negotiating with the second device, and ending the process.
7. A method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) the first equipment receives the certificate from the second equipment, judges whether a cache list exists in the first equipment, if not, enters the step (2), and if so, enters the step (3);
(2) the first equipment establishes a cache list, checks whether the certificate signature value is legal or not, if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, continues handshake/negotiation by using the certificate signature value validity verification result, and ends the process, otherwise, sends alarm information to the second equipment, and disconnects handshake/negotiation with the second equipment, and ends the process.
(3) The first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list or not, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the first equipment acquires a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) the first device calculates the difference between the current timestamp and the duration of a preset timer, and judges whether the difference is greater than or equal to the corresponding storage time of the certificate in the cache list, if so, the step (6) is carried out, otherwise, the validity verification result of the certificate signature value obtained in the step (4) is utilized to continue handshake/negotiation, and the process is ended;
(6) the first equipment checks whether the certificate signature value is legal or not, if so, the digest value of the certificate and the certificate signature value validity verification result are added/updated into a cache list, and the handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
8. The method according to claim 7, wherein when the difference is smaller than the storage time of the certificate in the cache list in step (5), the first device checks whether other attributes of the certificate except the certificate signature value are legal, if so, the certificate signature value of the certificate is used to update the certificate signature value corresponding to the certificate in the cache list, and the current timestamp is used to replace the storage time of the certificate in the cache list, and the process is ended, otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process is ended.
9. The method according to claim 7, wherein after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes of the certificate except the certificate signature value are legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, and the handshake/negotiation is continued using the result, and the process is ended, otherwise, an alarm message is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
10. A system for improving the efficiency of certificate verification in a secure communication protocol, comprising:
the first module is arranged in the first equipment and used for receiving the certificate from the second equipment and judging whether a cache list exists in the first equipment, if not, the first module enters the second module, and if so, the first module enters the third module;
the second module is arranged in the first equipment and used for constructing a cache list and verifying whether the certificate signature value is legal or not, if so, the digest value of the certificate and the certificate signature value validity verification result are added into the cache list, and the handshake/negotiation is continued by using the certificate signature value validity verification result, the process is ended, otherwise, alarm information is sent to the second equipment, the handshake/negotiation with the second equipment is disconnected, and the process is ended.
The third module is arranged in the first equipment and used for calculating the digest value of the certificate received by the first module and judging whether the digest value of the certificate exists in the cache list or not, if so, the fourth module is accessed, and if not, the sixth module is accessed;
the fourth module is arranged in the first device and used for acquiring a certificate signature value validity verification result from the cache list according to the digest value of the certificate and then entering the fifth module;
a fifth module, which is arranged in the first device, and is configured to calculate a difference between the current timestamp and a duration of a preset timer, and determine whether the difference is greater than or equal to a corresponding storage time of the certificate in the cache list, if so, enter the sixth module, otherwise, continue handshake/negotiation by using a certificate signature value validity verification result obtained in the fourth module, and the process is ended;
a sixth module, which is arranged in the first device and is configured to check whether the certificate signature value is legal, if so, add the digest value of the certificate and the certificate signature value validity verification result to the cache list, and continue handshaking/negotiating using the result, and the process is ended, otherwise, send alarm information to the second device, disconnect the handshaking/negotiating with the second device, and end the process.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010291613.0A CN111510302B (en) 2020-04-14 2020-04-14 Method and system for improving certificate verification efficiency in secure communication protocol

Publications (2)

Publication Number Publication Date
CN111510302A (en) 2020-08-07
CN111510302B (en) 2023-11-14

Family

ID=71864016

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010291613.0A Active CN111510302B (en) 2020-04-14 2020-04-14 Method and system for improving certificate verification efficiency in secure communication protocol

Country Status (1)

Country Link
CN (1) CN111510302B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant