CN113328980A - TLS authentication method, device and system, electronic equipment and readable medium - Google Patents


Info

Publication number: CN113328980A
Authority: CN (China)
Prior art keywords: authentication, tls, client, certificate, way
Legal status: Granted
Application number: CN202010132641.8A
Other languages: Chinese (zh)
Other versions: CN113328980B (en)
Inventor: 李绍辉
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202010132641.8A; publication of CN113328980A; application granted; publication of CN113328980B; legal status: active

Classifications

All within H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0823 Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities achieving mutual authentication
    • H04L67/02 Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/14 Network arrangements or protocols for supporting network services or applications; session management
    • H04L69/163 Implementation or adaptation of TCP; in-band adaptation of TCP data exchange, in-band control procedures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The disclosure provides a TLS authentication method, apparatus, system, electronic device and computer-readable medium. The method includes: establishing a one-way authenticated TLS connection with a client; performing HTTPS message interaction over the TLS connection and judging whether the client needs to perform certificate authentication; when it does, sending the client a certificate authentication request that includes an authentication address; ending the TLS connection and generating a new TLS connection structure on the existing TCP connection; and performing a one-way and/or two-way authentication handshake again over that TCP connection and TLS connection structure to complete TLS authentication. The method, apparatus, system, electronic device and computer-readable medium allow authentication under the updated TLS protocol version without changing the developer's program framework flow and without adding an additional authentication server.

Description

TLS authentication method, device and system, electronic equipment and readable medium
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a TLS authentication method, apparatus, system, electronic device, and computer readable medium.
Background
With the rapid development of the internet, people have ever higher requirements for the security of network transmission, which is why the HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) protocol appeared. HTTPS can be regarded as the combination of the HTTP (Hyper Text Transfer Protocol) protocol with the SSL/TLS (Secure Socket Layer/Transport Layer Security) protocol. SSL/TLS operates beneath HTTP and encrypts the transmitted data so that it cannot be intercepted or tampered with while in transit on the network.
In August 2018 the IETF formally published the TLS 1.3 standard. Two authentication-related features of TLS 1.3 matter here: 1. renegotiation is prohibited; 2. provided the client permits it, the server may authenticate the client at any time after the handshake has finished. At present many HTTP servers support the standard SSL protocol, which allows authenticating the client during the handshake and also after the handshake is completed (by renegotiation); however, once the TLS protocol is upgraded to TLS 1.3, the renegotiation function is disabled.
Therefore, there is a need for a new TLS authentication method, apparatus, system, electronic device, and computer readable medium.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the above, the present disclosure provides a TLS authentication method, apparatus, system, electronic device and computer-readable medium that implement authentication under the updated TLS protocol version without changing the developer's program framework flow and without adding an additional authentication server.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a TLS authentication method is provided, which is applicable to a server, and the method includes: establishing a one-way authenticated TLS connection with a client; performing HTTPS message interaction based on the TLS connection, and judging whether the client needs to perform certificate authentication; when the client needs to perform certificate authentication, sending a certificate authentication request to the client, wherein the certificate authentication request comprises an authentication address; ending the TLS connection, and generating a TLS connection structure based on the TCP connection; and performing one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication.
In an exemplary embodiment of the present disclosure, performing handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure to perform TLS authentication includes: generating client authentication information based on the TCP connection and the TLS connection structure; and performing one-way and/or two-way authentication handshake with the client again through the client authentication information to perform TLS authentication.
In an exemplary embodiment of the present disclosure, performing a handshake of one-way and/or two-way authentication again with the client through the client authentication information to perform TLS authentication includes: completing two-way TLS authentication with the client in handshake through the client authentication information; or completing the two-way TLS authentication after handshaking with the client through the client authentication information.
In an exemplary embodiment of the present disclosure, completing the bidirectional TLS authentication with the client in a handshake through the client authentication information includes: performing certificate validity authentication on the client through the client authentication information; after the certificate validity authentication is passed, establishing TLS connection with the client again; acquiring certificate information of the client based on the TLS connection and the authentication address; and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
In an exemplary embodiment of the present disclosure, completing the bidirectional TLS authentication with the client after the handshake through the client authentication information includes: performing one-way authentication handshake with the client; reestablishing the TLS connection after the handshake of the one-way authentication is passed; acquiring a certificate and certificate information of the client based on the TLS connection and the authentication address; and verifying the certificate and the certificate information through the client authentication information, and completing the bidirectional TLS authentication when the verification is passed.
In an exemplary embodiment of the present disclosure, the verifying the certificate and the certificate information by the client authentication information, and when the verification passes, completing the bidirectional TLS authentication includes: performing certificate validity authentication on the client through the client authentication information; after the certificate validity authentication is passed, performing matching strategy authentication on the certificate information; and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
In an exemplary embodiment of the present disclosure, the method further includes performing HTTPS message interaction with the client over the authenticated TLS connection.
According to an aspect of the present disclosure, a TLS authentication method is provided, which is applicable to a client, and includes: establishing a one-way authenticated TLS connection with a server; performing HTTPS message interaction based on the TLS connection; acquiring a certificate authentication request in the HTTPS message interaction process, wherein the certificate authentication request comprises an authentication address; establishing a TCP connection with the server based on the certificate authentication request; and performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address to perform TLS authentication.
In an exemplary embodiment of the present disclosure, performing handshake of one-way and/or two-way authentication again based on the TCP and the authentication address to perform TLS authentication includes: completing two-way TLS authentication in a handshake based on the TCP and the authentication address and the server; or completing the bidirectional TLS authentication after handshaking based on the TCP, the authentication address and the server side.
In an exemplary embodiment of the present disclosure, completing the bidirectional TLS authentication with the server in a handshake based on the TCP connection and the authentication address includes: sending a certificate to the server based on the TCP connection and the authentication address for certificate validity authentication; after the certificate validity authentication is passed, establishing a TLS connection with the server again and sending an authentication request, wherein the authentication request comprises certificate information; and when the certificate information meets the server's matching authentication strategy, completing the two-way TLS authentication.
In an exemplary embodiment of the present disclosure, completing the bidirectional TLS authentication with the server after the handshake based on the TCP connection and the authentication address includes: regenerating a TLS structure, wherein the TLS structure supports the post_handshake_auth extension; establishing a TLS connection with the server again using post_handshake_auth; sending an authentication request over the TLS connection, wherein the authentication request comprises a certificate and certificate information; and when the certificate and the certificate information pass authentication, completing the two-way TLS authentication.
In an exemplary embodiment of the present disclosure, the method further includes performing HTTPS message interaction with the server over the authenticated TLS connection.
According to an aspect of the present disclosure, a TLS authentication apparatus is provided, which is applicable to a server and includes: the service authentication module is used for establishing one-way authenticated TLS connection with the client; the message interaction module is used for carrying out HTTPS message interaction based on the TLS connection and judging whether the client side needs to carry out certificate authentication or not; the authentication request module is used for sending a certificate authentication request to the client when the client needs to perform certificate authentication, wherein the certificate authentication request comprises an authentication address; the connection structure module is used for finishing the TLS connection and generating a TLS connection structure based on the TCP connection; and the handshake authentication module is used for carrying out handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure so as to carry out TLS authentication.
According to an aspect of the present disclosure, a TLS authentication apparatus is provided, which is applicable to a client, and includes: the client authentication module is used for establishing one-way authenticated TLS connection with the server; the message interaction module is used for carrying out HTTPS message interaction based on the TLS connection; a certificate request module, configured to obtain a certificate authentication request in the HTTPS packet interaction process, where the certificate authentication request includes an authentication address; the secure connection module is used for establishing TCP connection with the server side based on the certificate authentication request; and the re-authentication module is used for performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address so as to perform TLS authentication.
According to an aspect of the present disclosure, a TLS authentication system is provided, the system including: the server is used for establishing one-way authenticated TLS connection with the client; performing HTTPS message interaction based on the TLS connection, and judging whether the client needs to perform certificate authentication; when the client needs to perform certificate authentication, sending a certificate authentication request to the client, wherein the certificate authentication request comprises an authentication address; ending the TLS connection, and generating a TLS connection structure based on the TCP connection; performing handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure to perform TLS authentication; the client is used for establishing one-way authenticated TLS connection with the server; performing HTTPS message interaction based on the TLS connection; acquiring a certificate authentication request in the HTTPS message interaction process, wherein the certificate authentication request comprises an authentication address; establishing a TCP connection with the server based on the certificate authentication request; and performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address to perform TLS authentication.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the TLS authentication method, apparatus, system, electronic device and computer-readable medium of the disclosure, the server establishes a one-way authenticated TLS connection with the client; performs HTTPS message interaction over the TLS connection and judges whether the client needs to perform certificate authentication; when it does, sends the client a certificate authentication request that includes an authentication address; ends the TLS connection and generates a TLS connection structure on the existing TCP connection; and performs a one-way and/or two-way authentication handshake again over that TCP connection and TLS connection structure. In this way, authentication under the updated TLS protocol version can be achieved without changing the developer's program framework flow and without adding an additional authentication server.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The disclosure may be better understood by describing exemplary embodiments thereof in conjunction with the following drawings, in which:
Fig. 1 is a schematic diagram of one-way authentication and two-way authentication in a TLS authentication method in the prior art.
Fig. 2 is a schematic diagram of deployment after increasing SSL protocol load in a TLS authentication method in the prior art.
FIG. 3 is an interaction process diagram illustrating a TLS authentication method in accordance with an exemplary embodiment.
Fig. 4 is a flowchart illustrating a TLS authentication method for a server according to an example embodiment.
Fig. 5 is a flow chart illustrating a TLS authentication method for a client according to an example embodiment.
FIG. 6 is a block diagram illustrating a TLS authentication system in accordance with an exemplary embodiment.
FIG. 7 is a flow diagram illustrating a TLS authentication method in accordance with an exemplary embodiment.
Fig. 8 is a diagram illustrating a TLS authentication method, according to an example embodiment.
FIG. 9 is a flow diagram illustrating a TLS authentication method in accordance with an exemplary embodiment.
Fig. 10 is a diagram illustrating a TLS authentication method, according to an example embodiment.
Fig. 11 is a block diagram illustrating a TLS authentication apparatus according to an example embodiment.
Fig. 12 is a block diagram illustrating a TLS authentication apparatus according to another exemplary embodiment.
FIG. 13 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 14 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communications. The SSL protocol sits between the TCP (Transmission Control Protocol) layer and the application layer; it is a protocol for securely exchanging information between a Web browser and a Web server, and it provides two basic security services: authentication and confidentiality. The SSL protocol can be divided into two layers. The SSL Record Protocol is built on top of a reliable transport protocol (such as TCP) and provides basic functions such as data encapsulation, compression and encryption to the higher-layer protocol. The SSL Handshake Protocol is built on the SSL Record Protocol and is used by the two communicating parties to perform identity authentication, negotiate the encryption algorithm and exchange encryption keys before actual data transmission starts.
According to the authentication mode, the SSL protocol is divided into one-way authentication and two-way authentication. In one-way authentication the server must provide a digital certificate to the client, and the client verifies the server's identity. In mutual (two-way) authentication both the client and the server must provide a digital certificate to the other side and verify the other side's certificate. In current technical schemes, one server (a single IP address and port) providing SSL service to the outside mostly uses a single authentication mode, either one-way or two-way, and separate authentication systems must be set up for the different modes, so resources are used inefficiently.
The inventor of the present disclosure finds that many HTTP servers support the standard SSL protocol, which allows authenticating the client during the handshake and also after the handshake is completed; however, once the TLS protocol is upgraded to TLS 1.3, the renegotiation function is disabled.
As shown in fig. 1, one-way authentication and two-way authentication are supported by two separate services; in most cases only one-way authentication is performed, and only after the matching policy requires client authentication is the traffic redirected to the two-way authentication service. In this scheme two services must be deployed and at least two ports must be opened, which wastes service port resources, increases the risk of attack, and adds overhead for synchronizing shared information between the two services.
As shown in fig. 2, one-way authentication and two-way authentication are supported in the same service; in most cases only one-way authentication is performed, and only after the matching policy requires client authentication is the SSL connection marked as requiring client authentication and renegotiation initiated. In this scheme renegotiation must be initiated within the same connection, which carries the risk of renegotiation attacks; and since renegotiation is disabled in TLS 1.3, the scheme fails under the TLS 1.3 protocol.
The TLS authentication method provided by the disclosure can be realized based on the certificate authentication method of the TLS1.3 protocol version, and mainly solves the following aspects:
1. certificate authentication is implemented in TLS version 1.3.
2. After the HTTPS server supports the TLS1.3 version, the program framework flow of the developer is not changed.
3. No additional authentication services need to be added.
The present disclosure will be described in detail with reference to specific embodiments.
FIG. 3 is an interaction process diagram illustrating a TLS authentication method in accordance with an exemplary embodiment. The TLS 1.3 protocol can completely and effectively perform mutual identity authentication between the client and the server; the authentication-related part of the process is as follows:
1. The server sends a certificate request message (CertificateRequest) to the client, asking to authenticate the client;
2. The server sends its certificate (Certificate) to the client;
3. The server sends the client a signature (CertificateVerify) over the whole handshake transcript, made with the private key of its certificate;
4. The server sends the client the MAC value (Finished) over the whole handshake transcript;
5. After receiving the server's certificate and authentication messages, the client verifies the certificate: whether it has expired, whether the CA that issued the server certificate is trusted, whether the issuer certificate's public key correctly verifies the issuer's digital signature on the server certificate, and whether the domain name on the server certificate matches the server's actual domain name. If validity verification fails, the communication is disconnected;
6. Having received the certificate request from the server, the client sends its own certificate to the server for authentication;
7. The client sends its certificate (Certificate) to the server;
8. The client sends the server a signature (CertificateVerify) made with the private key of its certificate;
9. The client sends the server the MAC value (Finished) over the whole handshake transcript;
10. After receiving the client's certificate and authentication messages, the server verifies the client certificate: whether it has expired, whether the CA that issued the client certificate is trusted, whether the issuer certificate's public key correctly verifies the issuer's digital signature on the client certificate, and whether the name on the client certificate matches the user's account name. If validity verification fails, the communication is disconnected.
The method above is a two-way authentication procedure carried out within the handshake; the other approach is to authenticate the client after the handshake is completed:
1. The client sends the 'post_handshake_auth' extension in its ClientHello message, indicating that it supports being authenticated at any time after the handshake is completed;
2. During handshake negotiation, the client completes one-way authentication of the server;
3. At any time after the handshake has finished, the server sends a certificate request message to the client, asking to authenticate the client;
4. Having received the certificate request from the server, the client sends its own certificate to the server for authentication;
5. The client sends its certificate (Certificate) to the server;
6. The client sends the server a signature (CertificateVerify) made with the private key of its certificate;
7. The client sends the server the MAC value (Finished) over the whole handshake transcript;
8. After receiving the client's certificate and authentication messages, the server verifies the client certificate: whether it has expired, whether the CA that issued the client certificate is trusted, whether the issuer certificate's public key correctly verifies the issuer's digital signature on the client certificate, and whether the name on the client certificate matches the user's account name. If validity verification fails, the communication is disconnected.
fig. 4 is a flow chart illustrating a TLS authentication method according to another exemplary embodiment. The flow shown in fig. 4 is a detailed description of the service-side flow in the flow shown in fig. 3.
As shown in fig. 4, in S402, a one-way authenticated TLS connection is established with the client.
In S404, HTTPS packet interaction is performed based on the TLS connection, and it is determined whether the client needs to perform certificate authentication.
In S406, when the client needs to perform certificate authentication, a certificate authentication request is sent to the client, where the certificate authentication request includes an authentication address.
In S408, the TLS connection is ended and a TLS connection structure is generated based on the TCP connection.
In S410, a one-way and/or two-way authentication handshake is performed again based on the TCP connection and the TLS connection structure to perform TLS authentication. The method may further include performing HTTPS message interaction with the client based on the authenticated TLS connection.
The specific steps can include: generating client authentication information based on the TCP connection and the TLS connection structure; and performing one-way and/or two-way authentication handshake with the client again through the client authentication information to perform TLS authentication.
In one embodiment, performing a one-way and/or two-way authentication handshake with the client again through the client authentication information to perform TLS authentication includes: completing two-way TLS authentication with the client in handshake through the client authentication information; or completing the two-way TLS authentication after handshaking with the client through the client authentication information.
In one embodiment, completing a two-way TLS authentication with the client in a handshake via the client authentication information comprises: performing certificate validity authentication on the client through the client authentication information; after the certificate validity authentication is passed, establishing TLS connection with the client again; acquiring certificate information of the client based on the TLS connection and the authentication address; and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
In one embodiment, completing the bidirectional TLS authentication with the client after the handshake via the client authentication information includes: performing one-way authentication handshake with the client; reestablishing the TLS connection after the handshake of the one-way authentication is passed; acquiring a certificate and certificate information of the client based on the TLS connection and the authentication address; performing certificate validity authentication on the client through the client authentication information; after the certificate validity authentication is passed, performing matching strategy authentication on the certificate information; and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
Fig. 5 is a flow chart illustrating a TLS authentication method according to another exemplary embodiment. The flow shown in fig. 5 is a detailed description of the client flow in the flow shown in fig. 3.
As shown in fig. 5, in S502, a unidirectional authenticated TLS connection is established with the server.
In S504, HTTPS message interaction is performed based on the TLS connection.
In S506, a certificate authentication request is obtained in the HTTPS message interaction process, where the certificate authentication request includes an authentication address.
In S508, a TCP connection is established with the server based on the certificate authentication request.
In S510, a one-way and/or two-way authentication handshake is performed again based on the TCP connection and the authentication address to perform TLS authentication. The method may further include performing HTTPS message interaction with the server based on the authenticated TLS connection.
The method specifically comprises the following steps: completing two-way TLS authentication in a handshake based on the TCP and the authentication address and the server; or completing the bidirectional TLS authentication after handshaking based on the TCP, the authentication address and the server side.
In one embodiment, completing the two-way TLS authentication with the server in a handshake based on the TCP connection and the authentication address comprises: sending a certificate to the server based on the TCP connection and the authentication address to carry out certificate validity authentication; after the certificate validity authentication is passed, establishing the TLS connection with the client again and sending an authentication request, wherein the authentication request comprises certificate information; and when the certificate information meets the matching authentication strategy of the server, completing the two-way TLS authentication.
In one embodiment, completing the two-way TLS authentication with the server after the handshake based on the TCP connection and the authentication address comprises: regenerating a TLS structure, wherein the TLS structure supports the post_handshake_auth protocol; establishing the TLS connection with the server again based on the post_handshake_auth protocol; sending an authentication request based on the TLS connection, wherein the authentication request comprises a certificate and certificate information; and when the certificate and the certificate information pass the authentication, completing the two-way TLS authentication.
According to the TLS authentication method disclosed by the invention, under the TLS 1.3 protocol version certificate authentication can be carried out, by matching an authentication strategy, after data interaction has already taken place. Once the HTTPS server supports TLS 1.3, the developer's program framework flow is not changed, and no additional authentication service port needs to be added to implement TLS 1.3 protocol authentication.
FIG. 6 is a block diagram illustrating a TLS authentication system in accordance with an exemplary embodiment.
As shown in fig. 6, the system architecture 60 may include client devices 601, 602, 603, a network 604, and a server device 605. The network 604 serves to provide a medium for communication links between the client devices 601, 602, 603 and the server device 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use a client device 601, 602, 603 to interact with a server device 605 over a network 604 to receive or send messages, etc. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the client devices 601, 602, 603.
The client devices 601, 602, 603 may be a variety of electronic devices having display screens and supporting web browsing, including but not limited to servers, tablets, laptop and desktop computers, and the like.
The server device 605 may be a server that provides various services, such as a background management server that provides support for websites browsed by users using the client devices 601, 602, 603. The server device 605 firstly authenticates the TLS of the client devices 601, 602, 603, and after the authentication is passed, the server device 605 establishes a secure TLS protocol connection with the client devices 601, 602, 603, and performs data transmission based on the connection.
The server device 605 may, for example, establish a one-way authenticated TLS connection with the client device 601 (or 602 or 603); performing HTTPS message interaction based on the TLS connection, and judging whether the client device 601 needs to perform certificate authentication; when the client device 601 needs to perform certificate authentication, sending a certificate authentication request to the client device 601, where the certificate authentication request includes an authentication address; ending the TLS connection, and generating a TLS connection structure based on the TCP connection; and performing one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication.
The client device 601 (or 602 or 603) may, for example, establish a one-way authenticated TLS connection with the server device 605; perform HTTPS message interaction based on the TLS connection; acquire a certificate authentication request in the HTTPS message interaction process, wherein the certificate authentication request comprises an authentication address; establish a TCP connection with the server device 605 based on the certificate authentication request; and perform a one-way and/or two-way authentication handshake again based on the TCP connection and the authentication address to perform TLS authentication.
It should be noted that the TLS authentication method provided in the embodiment of the present disclosure may be executed by the server device 605 and the client devices 601, 602, and 603, and accordingly, the TLS authentication apparatus may be disposed in the server device 605 and the client devices 601, 602, and 603.
Figs. 7 and 8 give a detailed explanation of "two-way TLS authentication is completed in the handshake". As shown, the specific steps for completing the two-way TLS authentication in the handshake are as follows:
firstly, a one-way authentication TLS handshake is carried out between the client and the server to establish a TLS connection;
secondly, when, during HTTPS data interaction, the user matches an authentication strategy that requires certificate authentication, the server uses an HTTPS message to inform the client that the current TLS connection needs to be authenticated: the current TLS connection is to be ended, the TLS connection is to be re-established on the current TCP connection, and after re-establishment the HTTPS connection is redirected to the authentication URL /UKey_auth_login;
thirdly, the server ends the current TLS connection, regenerates a TLS connection structure on the current TCP connection, sets the option to authenticate the client, and waits for the client to perform the TLS two-way authentication handshake on the TCP connection;
fourthly, if the certificate validity verification fails during the authentication process, the communication is disconnected and the authentication fails;
fifthly, after the TLS connection is re-established, the server receives the client's /UKey_auth_login request and extracts the client's certificate information to further match the authentication strategy; if the user does not match the strategy, the communication is disconnected and the authentication fails;
sixthly, the TLS connection is successfully established, HTTPS message interaction proceeds normally, and other connections are not affected.
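The in-handshake variant described in the steps above, as an added Go example that is not part of the patent or of any product it describes: a one-way TLS 1.3 session, an HTTPS-style exchange that triggers a redirect to the authentication address, a second client-authenticated TLS structure built on the same connection, and a match of the client certificate's CommonName against an allow-list standing in for the authentication strategy. It assumes only Go's standard library; the host name server.example, the request and status lines, the user names and the self-signed certificates are constructed, net.Pipe stands in for the single TCP connection, and the ended TLS session is abandoned rather than closed with close_notify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// authPath is the authentication URL named on the page; the HTTP request and status lines are constructed stand-ins.
const authPath = "/UKey_auth_login"

// newCerts builds a constructed PKI: self-signed server and client certificates trusted directly via pool (stand-in for the issuing CA).
func newCerts(clientCN string) (pool *x509.CertPool, server, client tls.Certificate) {
	pool = x509.NewCertPool()
	mk := func(cn string, serial int64, eku x509.ExtKeyUsage, dns ...string) tls.Certificate {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			panic(err) // a template mistake in the constructed PKI, not a runtime condition
		}
		leaf, _ := x509.ParseCertificate(der)
		pool.AddCert(leaf)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	}
	return pool, mk("server.example", 1, x509.ExtKeyUsageServerAuth, "server.example"), mk(clientCN, 2, x509.ExtKeyUsageClientAuth)
}

// expect reads one application-data record and checks that it equals want.
func expect(c *tls.Conn, want string) error {
	buf := make([]byte, 512)
	n, err := c.Read(buf)
	if err == nil && string(buf[:n]) != want {
		return fmt.Errorf("got %q, want %q", buf[:n], want)
	}
	return err
}

// serve is the server side of "two-way TLS authentication completed in the handshake"; allowed is the authentication strategy.
func serve(raw net.Conn, pool *x509.CertPool, cert tls.Certificate, allowed map[string]bool) error {
	defer raw.Close() // returning on any failure disconnects the client, as the page prescribes
	// Session tickets off: a server write after the handshake would stall the synchronous in-process pipe used below.
	base := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	c1 := tls.Server(raw, base) // one-way authentication: only the server presents a certificate
	if err := expect(c1, "GET /account"); err != nil { // the handshake runs implicitly inside this first Read
		return err
	}
	// The request matches a strategy requiring certificate authentication: redirect the client, then abandon c1 (the next record on the wire is a fresh ClientHello).
	if _, err := c1.Write([]byte("302 " + authPath)); err != nil {
		return err
	}
	// Regenerate the TLS structure on the same connection, now requiring a client certificate; the handshake itself checks validity (trust anchor, period, EKU) against ClientCAs.
	twoWay := base.Clone()
	twoWay.ClientAuth, twoWay.ClientCAs = tls.RequireAndVerifyClientCert, pool
	c2 := tls.Server(raw, twoWay)
	if err := expect(c2, "GET "+authPath); err != nil {
		return err
	}
	cn := c2.ConnectionState().PeerCertificates[0].Subject.CommonName // the certificate information that is matched
	if !allowed[cn] {
		return fmt.Errorf("authentication strategy rejects %q", cn)
	}
	_, err := c2.Write([]byte("200 authenticated " + cn))
	return err
}

// runFlow drives the client here and the server in a goroutine over an in-process pipe standing in for the single TCP connection; nil means both sides completed.
func runFlow(clientCN string, allowed map[string]bool) error {
	pool, serverCert, clientCert := newCerts(clientCN)
	srvRaw, cliRaw := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- serve(srvRaw, pool, serverCert, allowed) }()
	c1 := tls.Client(cliRaw, &tls.Config{RootCAs: pool, ServerName: "server.example", MinVersion: tls.VersionTLS13})
	if _, err := c1.Write([]byte("GET /account")); err != nil {
		return err
	}
	if err := expect(c1, "302 "+authPath); err != nil {
		return err
	}
	// Rebuild the client's TLS structure on the same connection, now presenting its certificate, and request the authentication address.
	c2 := tls.Client(cliRaw, &tls.Config{RootCAs: pool, ServerName: "server.example", MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{clientCert}})
	if _, err := c2.Write([]byte("GET " + authPath)); err != nil {
		return err
	}
	if err := expect(c2, "200 authenticated "+clientCN); err != nil {
		return err
	}
	return <-errc
}
```

A user whose certificate is valid but whose name is not in the allow-list gets a verified handshake and is then disconnected by the strategy check, which is the separation of certificate validity from strategy matching that the steps above describe.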
Figs. 9 and 10 give a detailed description of "two-way TLS authentication is completed after the handshake". As shown, the specific steps for completing the two-way TLS authentication after the handshake are as follows:
firstly, a one-way authentication TLS handshake is carried out between the client and the server to establish a TLS connection;
secondly, when, during HTTPS data interaction, the user matches an authentication strategy that requires certificate authentication, the server uses an HTTPS message to inform the client that the current TLS connection needs to be authenticated: the current TLS connection is to be ended, the TLS connection is to be re-established on the current TCP connection, and after re-establishment the HTTPS connection is redirected to the authentication URL /UKey_auth_login;
thirdly, the client regenerates its TLS structure, which supports post_handshake_auth;
fourthly, the server ends the current TLS connection, regenerates a TLS connection structure on the current TCP connection, sets the option to authenticate the client, and waits for the client to perform a one-way and/or two-way authentication TLS handshake on the TCP connection;
fifthly, after the TLS connection is re-established, the server receives the client's /UKey_auth_login request and initiates an authentication request to the client;
sixthly, the client sends its certificate and authentication information to the server, and the server extracts the client's certificate information to further match the authentication strategy; if the certificate validity verification fails or the user does not match the strategy, the communication is disconnected and the authentication fails;
seventhly, the TLS connection is successfully established, HTTPS message interaction proceeds normally, and other connections are not affected.
In the above steps, it is worth noting that: certificate authentication is performed only after the one-way authenticated TLS 1.3 connection has been established, HTTPS data interaction has taken place and an authentication strategy has been matched; the server instructs the client, within an HTTPS message, to restart the TLS connection; and the server and the client complete the authentication within the same TCP connection.
According to the TLS authentication method disclosed by the invention, when the client needs to perform certificate authentication, a certificate authentication request comprising an authentication address is sent to the client; the TLS connection is ended and a TLS connection structure is generated based on the TCP connection; and a one-way and/or two-way authentication handshake is performed again based on the TCP connection and the TLS connection structure to perform TLS authentication. In this way, protocol authentication under the updated TLS version can be realized without changing the developer's program framework flow and without adding an additional authentication server.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 11 is a block diagram illustrating a TLS authentication apparatus according to an example embodiment. As shown in fig. 11, the TLS authentication apparatus 110 may be used for a server, and includes: a service authentication module 1102, a message interaction module 1104, an authentication request module 1106, a connection structure module 1108, and a handshake authentication module 1110.
The service authentication module 1102 is configured to establish a one-way authenticated TLS connection with the client;
the message interaction module 1104 is configured to perform HTTPS message interaction based on the TLS connection, and determine whether the client needs to perform certificate authentication;
the authentication request module 1106 is configured to send a certificate authentication request to the client when the client needs to perform certificate authentication, where the certificate authentication request includes an authentication address;
the connection structure module 1108 is configured to end the TLS connection and generate a TLS connection structure based on the TCP connection;
the handshake authentication module 1110 is configured to perform handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure to perform TLS authentication.
Fig. 12 is a block diagram illustrating a TLS authentication apparatus according to another exemplary embodiment. As shown in fig. 12, the TLS authentication device 120 may be used for a client, including: a client authentication module 1202, an interaction message module 1204, a certificate request module 1206, a secure connection module 1208, and a re-authentication module 1210.
The client authentication module 1202 is configured to establish a one-way authenticated TLS connection with the server;
the interactive message module 1204 is configured to perform HTTPS message interaction based on the TLS connection;
the certificate request module 1206 is configured to obtain a certificate authentication request in the HTTPS packet interaction process, where the certificate authentication request includes an authentication address;
the secure connection module 1208 is configured to establish a TCP connection with the server based on the certificate authentication request;
the re-authentication module 1210 is configured to re-perform one-way and/or two-way authentication handshake based on the TCP and the authentication address to perform TLS authentication.
According to the TLS authentication apparatus disclosed by the disclosure, when the client needs to perform certificate authentication, the server sends a certificate authentication request comprising an authentication address to the client; and by performing a one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication, protocol authentication under the updated TLS version can be realized without changing the developer's program framework flow and without adding an additional authentication server.
FIG. 13 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 1300 according to this embodiment of the disclosure is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present disclosure.
As shown in fig. 13, the electronic device 1300 is in the form of a general purpose computing device. The components of the electronic device 1300 may include, but are not limited to: at least one processing unit 1310, at least one memory unit 1320, a bus 1330 connecting different system components including the memory unit 1320 and the processing unit 1310, a display unit 1340, etc.
The storage unit stores program code executable by the processing unit 1310, so that the processing unit 1310 performs the steps according to the various exemplary embodiments of the present disclosure described in the method sections above. For example, the processing unit 1310 may execute the steps shown in fig. 4 and fig. 5.
The storage unit 1320 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 13201 and/or a cache memory unit 13202, and may further include a read-only memory unit (ROM) 13203.
The storage unit 1320 may also include a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1330 may be any bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1300 may also communicate with one or more external devices 1300' (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1300, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 1350. Also, the electronic device 1300 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 1360. The network adapter 1360 may communicate with other modules of the electronic device 1300 via the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 14, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: establishing a one-way authenticated TLS connection with a client; performing HTTPS message interaction based on the TLS connection, and judging whether the client needs to perform certificate authentication; when the client needs to perform certificate authentication, sending a certificate authentication request to the client, wherein the certificate authentication request comprises an authentication address; ending the TLS connection, and generating a TLS connection structure based on the TCP connection; and performing a one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly in one or more apparatuses unique from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (17)

1. A TLS authentication method, which can be used for a server, is characterized by comprising the following steps:
establishing a one-way authenticated TLS connection with a client;
performing HTTPS message interaction based on the TLS connection, and judging whether the client needs to perform certificate authentication;
when the client needs to perform certificate authentication, sending a certificate authentication request to the client, wherein the certificate authentication request comprises an authentication address;
ending the TLS connection, and generating a TLS connection structure based on the TCP connection;
and performing one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication.
2. The method of claim 1, wherein performing a one-way and/or two-way authentication handshake again based on the TCP connection and the TLS connection structure to perform TLS authentication comprises:
generating client authentication information based on the TCP connection and the TLS connection structure;
and performing one-way and/or two-way authentication handshake with the client again through the client authentication information to perform TLS authentication.
3. The method of claim 2, wherein re-performing a one-way and/or two-way authenticated handshake with the client via the client authentication information for TLS authentication comprises:
completing two-way TLS authentication with the client in a handshake through the client authentication information; or
completing the two-way TLS authentication after the handshake with the client through the client authentication information.
4. The method of claim 3, wherein completing a two-way TLS authentication with the client in a handshake via the client authentication information comprises:
performing certificate validity authentication on the client through the client authentication information;
after the certificate validity authentication is passed, establishing TLS connection with the client again;
acquiring certificate information of the client based on the TLS connection and the authentication address;
and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
5. The method of claim 3, wherein completing a two-way TLS authentication with the client after a handshake via the client authentication information comprises:
performing one-way authentication handshake with the client;
reestablishing the TLS connection after the handshake of the one-way authentication is passed;
acquiring a certificate and certificate information of the client based on the TLS connection and the authentication address;
and verifying the certificate and the certificate information through the client authentication information, and completing the bidirectional TLS authentication when the verification is passed.
6. The method of claim 5, wherein the certificate and the certificate information are verified by the client authentication information, and wherein upon verification, completing a two-way TLS authentication comprises:
performing certificate validity authentication on the client through the client authentication information;
after the certificate validity authentication is passed, performing matching strategy authentication on the certificate information;
and when the certificate information meets the matching authentication strategy, completing the two-way TLS authentication.
7. The method of claim 1, further comprising:
and performing HTTPS message interaction with the client based on the authenticated TLS connection.
8. A TLS authentication method, applicable to a client, is characterized by comprising the following steps:
establishing a one-way authenticated TLS connection with a server;
performing HTTPS message interaction based on the TLS connection;
acquiring a certificate authentication request in the HTTPS message interaction process, wherein the certificate authentication request comprises an authentication address;
establishing a TCP connection with the server based on the certificate authentication request;
and performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address to perform TLS authentication.
9. The method of claim 1, wherein performing a one-way and/or two-way authenticated handshake again based on the TCP and the authentication address for TLS authentication comprises:
completing two-way TLS authentication with the server in a handshake based on the TCP connection and the authentication address; or
completing the two-way TLS authentication with the server after the handshake based on the TCP connection and the authentication address.
10. The method of claim 1, wherein completing a two-way TLS authentication in a handshake based on the TCP and the authentication address and the server comprises:
sending a certificate to the server based on the TCP connection and the authentication address to carry out certificate validity authentication;
after the certificate validity authentication is passed, establishing TLS connection with the client again, and sending an authentication request, wherein the authentication request comprises certificate information;
and when the certificate information meets the matching authentication strategy of the server, completing the two-way TLS authentication.
11. The method of claim 1, wherein completing a two-way TLS authentication after a handshake based on the TCP and the authentication address and the server comprises:
regenerating a TLS structure, wherein the TLS structure supports the post_handshake_auth protocol;
establishing the TLS connection with the server again based on the post_handshake_auth protocol;
sending an authentication request based on the TLS connection, wherein the authentication request comprises a certificate and certificate information;
and when the certificate and the certificate information pass the authentication, completing the two-way TLS authentication.
12. The method of claim 8, further comprising:
and performing HTTPS message interaction with the server based on the authenticated TLS connection.
13. A TLS authentication apparatus, applicable to a server, comprising:
the service authentication module is used for establishing one-way authenticated TLS connection with the client;
the message interaction module is used for performing HTTPS message interaction based on the TLS connection and judging whether the client needs to perform certificate authentication;
the authentication request module is used for sending a certificate authentication request to the client when the client needs to perform certificate authentication, wherein the certificate authentication request comprises an authentication address;
the connection structure module is used for ending the TLS connection and generating a TLS connection structure based on the TCP connection;
and the handshake authentication module is used for carrying out handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure so as to carry out TLS authentication.
14. A TLS authentication apparatus, usable with a client, comprising:
the client authentication module is used for establishing one-way authenticated TLS connection with the server;
the message interaction module is used for carrying out HTTPS message interaction based on the TLS connection;
the certificate request module is used for obtaining a certificate authentication request during the HTTPS message interaction, wherein the certificate authentication request comprises an authentication address;
the secure connection module is used for establishing TCP connection with the server side based on the certificate authentication request;
and the re-authentication module is used for performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address so as to perform TLS authentication.
15. A TLS authentication system, comprising:
the server is used for establishing one-way authenticated TLS connection with the client; performing HTTPS message interaction based on the TLS connection, and judging whether the client needs to perform certificate authentication; when the client needs to perform certificate authentication, sending a certificate authentication request to the client, wherein the certificate authentication request comprises an authentication address; ending the TLS connection, and generating a TLS connection structure based on the TCP connection; performing handshake of one-way and/or two-way authentication again based on the TCP connection and the TLS connection structure to perform TLS authentication;
the client is used for establishing one-way authenticated TLS connection with the server; performing HTTPS message interaction based on the TLS connection; acquiring a certificate authentication request in the HTTPS message interaction process, wherein the certificate authentication request comprises an authentication address; establishing a TCP connection with the server based on the certificate authentication request; and performing one-way and/or two-way authentication handshake again based on the TCP and the authentication address to perform TLS authentication.
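Added example (not part of the patent or of DPTech's implementation): a Python sketch of the re-authentication step from claims 8-15 using the standard-library ssl module. The JSON layout of the certificate authentication request, the policy format and the same-host check on the authentication address are assumptions made here; the claim's "post_handover_auth" is taken to be the TLS 1.3 post_handshake_auth extension of RFC 8446, which Python exposes as SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake().

```python
import json
import ssl
from urllib.parse import urlsplit

MODES = ("in_handshake", "post_handshake")  # claim 9: auth during, or after, the handshake


def build_cert_auth_request(auth_url, mode):
    """Server side (claim 13): sent over the one-way TLS session once the server
    decides the client must present a certificate. Layout is an assumption."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    return json.dumps({"cert_auth": {"address": auth_url, "mode": mode}}).encode()


def parse_cert_auth_request(raw, server_host):
    """Client side (claim 14): recover host, port and mode for the new TCP connection.
    Same-host check is an added safeguard: present the client cert only to the server
    that was already authenticated one-way, never to an arbitrary address."""
    body = json.loads(raw)["cert_auth"]
    url = urlsplit(body["address"])
    if url.scheme != "https" or url.hostname != server_host:
        raise ValueError("authentication address must be https on the same host")
    if body["mode"] not in MODES:
        raise ValueError("unsupported authentication mode")
    return url.hostname, url.port or 443, body["mode"]


def reauth_context(side, mode, certfile=None, keyfile=None, cafile=None):
    """Context for the second TLS handshake on the fresh TCP socket (claims 11-14).
    in_handshake: certificate demanded inside the handshake (claim 10); post_handshake:
    handshake completes, then SSLSocket.verify_client_post_handshake() requests it."""
    purpose = ssl.Purpose.CLIENT_AUTH if side == "server" else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # post-handshake auth is TLS 1.3 only
    if side == "server":
        ctx.verify_mode = ssl.CERT_REQUIRED  # the one-way session left this at CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.post_handshake_auth = mode == "post_handshake"
    return ctx


def cert_matches_policy(peer_cert, policy):
    """Claim 10: accept only certificate information that meets the server policy.
    peer_cert uses the dict shape returned by SSLSocket.getpeercert()."""
    subject = {k: v for rdn in peer_cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in peer_cert.get("issuer", ()) for k, v in rdn}
    return (subject.get("organizationName") == policy["org"]
            and issuer.get("commonName") == policy["issuer_cn"])
```

With real certificate files, reauth_context("server", "post_handshake", certfile, keyfile, cafile) followed by sock.verify_client_post_handshake() after the handshake realises claim 11, while reauth_context("server", "in_handshake", ...) realises claim 10.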
16. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7 or 9-12.
17. A computer-readable medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the method of any one of claims 1-7 or 9-12.
CN202010132641.8A 2020-02-29 2020-02-29 TLS authentication method, device and system, electronic equipment and readable medium Active CN113328980B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010132641.8A CN113328980B (en) 2020-02-29 2020-02-29 TLS authentication method, device and system, electronic equipment and readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010132641.8A CN113328980B (en) 2020-02-29 2020-02-29 TLS authentication method, device and system, electronic equipment and readable medium

Publications (2)

Publication Number Publication Date
CN113328980A true CN113328980A (en) 2021-08-31
CN113328980B CN113328980B (en) 2022-05-17

Family

ID=77413066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010132641.8A Active CN113328980B (en) 2020-02-29 2020-02-29 TLS authentication method, device and system, electronic equipment and readable medium

Country Status (1)

Country Link
CN (1) CN113328980B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143379A (en) * 2021-11-29 2022-03-04 杭州迪普科技股份有限公司 HTTPS redirection device and method based on Portal authentication
CN114363073A (en) * 2022-01-07 2022-04-15 中国联合网络通信集团有限公司 TLS encrypted traffic analysis method and device, terminal device and storage medium
CN114513362A (en) * 2022-02-22 2022-05-17 中国银行股份有限公司 Long connection communication processing method and device based on TLS protocol
CN114520824A (en) * 2021-12-27 2022-05-20 北京升明科技有限公司 Communication handshake method, device, electronic equipment and medium based on TLS protocol

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102763395A (en) * 2010-02-17 2012-10-31 诺基亚公司 Method and apparatus for providing an authentication context-based session
CN104580172A (en) * 2014-12-24 2015-04-29 北京奇虎科技有限公司 Data communication method and device based on https (hypertext transfer protocol over secure socket layer)
CN104954315A (en) * 2014-03-24 2015-09-30 北京奇虎科技有限公司 Method and device capable of improving access security of secure socket layer
CN106533689A (en) * 2015-09-15 2017-03-22 阿里巴巴集团控股有限公司 Method and device for loading digital certificate in SSL/TLS communication
US20170223054A1 (en) * 2016-02-02 2017-08-03 Cisco Technology, Inc. Methods and Apparatus for Verifying Transport Layer Security Server by Proxy
CN109088889A (en) * 2018-10-16 2018-12-25 深信服科技股份有限公司 A kind of SSL encipher-decipher method, system and computer readable storage medium
US20190306166A1 (en) * 2018-03-29 2019-10-03 Mcafee, Llc Authenticating network services provided by a network
CN110519304A (en) * 2019-09-30 2019-11-29 四川虹微技术有限公司 HTTPS mutual authentication method based on TEE
US20200021659A1 (en) * 2018-07-10 2020-01-16 Canon Kabushiki Kaisha Information processing apparatus, method for controlling information processing apparatus, and storage medium

Also Published As

Publication number Publication date
CN113328980B (en) 2022-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant