KR101741672B1 - Apparatus and method for distributing certificate - Google Patents


Info

Publication number: KR101741672B1
Authority: KR (South Korea)
Prior art keywords: certificate, user terminal, test, module, page
Application number: KR1020150182088A
Other languages: Korean (ko)
Inventors: 양철웅, 양우석, 오혁, 이재혁
Original assignee: 주식회사 아라기술
Status: application KR1020150182088A filed by 주식회사 아라기술, granted and published as KR101741672B1

Classifications

    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268 As above, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L63/0823 Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L63/166 Network architectures or network communication protocols for network security, implementing security features at a particular protocol layer, at the transport layer

Abstract

Disclosed is a method for distributing an authentication certificate, performed by an apparatus for distributing an authentication certificate. The method comprises: detecting a server connection request of a user terminal in a first communication interface; a traffic analysis module determining whether the user terminal is a user terminal required to perform an authentication test; if so, transmitting from the first communication interface to the user terminal a message that redirects the user terminal to an authentication test module; when the user terminal connects to the authentication test module, the authentication test module providing the user terminal with a test page that determines whether the authentication certificate is installed; and the authentication test module determining whether to provide the authentication certificate to the user terminal depending on whether the user terminal is able to connect to the test page.

Description

APPARATUS AND METHOD FOR DISTRIBUTING CERTIFICATE

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to cryptographic communication, and more particularly to a method for distributing a certificate necessary for cryptographic communication.

Secure Sockets Layer (SSL), and its successor TLS, is a cryptographic protocol that protects communication over TCP/IP. SSL encryption was initially used to protect sensitive content and messages sent over the web, such as banking, e-commerce and corporate data. Recently, however, it has been applied to the transmission of all kinds of web content, including social media and entertainment, and its use is increasing steadily; Twitter, Google, Facebook and others transmit over SSL. SSL-encrypted communication, which combines public and private keys with symmetric keys, requires certificates.

A certificate is data about an entity that has been signed with a certificate authority's private key; the cryptographic system uses this file as an identity card. The certificate contains the subject's name and public key, and it assures the client that the server it is connected to is the server it intended to reach. Private companies that perform this role are called certificate authorities (CA), and the self-signed certificate at the top of a CA's hierarchy is its root certificate. A certificate for encrypted communication can also be purchased from a CA.

SSL encryption, introduced to protect content, also prevents the security firewalls operated by corporations, educational institutions, public agencies and telecommunication carriers (to stop the spread of malicious software, to detect intrusions and to block access to harmful sites) from inspecting the traffic they carry. There is therefore a need in the art for a way to monitor SSL-encrypted packets.

For security and caching purposes, a device that monitors SSL-encrypted packets between a user and a server may use a private CA certificate for its own SSL session with the user so that it can decrypt the traffic. The user's browser, however, does not trust the private CA certificate presented by the decryption device: it either warns the user or refuses to connect to the server. Solving this requires a certificate distribution system that stores the private CA certificate in the browser's trusted CA certificate store, automatically or manually.

Korean Patent Laid-Open Publication No. 10-2015-0053520 (May 18, 2015) discloses a method of authenticating a server by receiving a certificate from the server.

The present invention is devised in correspondence with the background art described above, and is intended to distribute a certificate for use in encrypted communication.

The present invention is for distributing a certificate to a user terminal that does not hold a certificate by checking whether a certificate for use in encrypted communication exists in the user terminal.

In order to solve the above-described problems, a certificate distribution method performed in a certificate distribution apparatus according to an embodiment of the present invention is disclosed. The method includes: detecting a server connection request of a user terminal in a first communication interface; a traffic analysis module determining whether the user terminal is a user terminal requiring a certificate test; if so, transmitting from the first communication interface to the user terminal a message that redirects the user terminal to a certificate test module; when the user terminal connects to the certificate test module, the certificate test module providing a test page for determining whether a certificate is installed in the user terminal; and the certificate test module determining, according to whether the user terminal is able to connect to the test page, whether to provide the certificate to the user terminal.

Alternatively, the certificate may be a certificate used to monitor encrypted communication, and may be a private CA certificate for re-signing the server's certificate.

Alternatively, the test page may be a page accessible only when a certificate is installed.

Alternatively, the step of the traffic analysis module determining whether the user terminal requires a test may include: determining whether the ID of the user terminal exists in a certificate installation user list; if the ID exists in the list, determining whether a predetermined first period has elapsed for the connection request of the user terminal; and if the ID does not exist in the list, determining whether a predetermined second period has elapsed for the connection request of the user terminal.

Alternatively, the step of the certificate test module determining whether to provide a certificate to the user terminal, depending on whether the user terminal connects to the test page, may include the certificate test module detecting whether the user terminal accesses the test page, and adding the ID of the user terminal to the certificate installation user list when the user terminal has accessed the test page.

Alternatively, the ID of the user terminal may include at least one of an IP address of the user terminal, user information of the user terminal, and subscriber information of the user terminal.

Alternatively, the step of the certificate test module determining whether to provide a certificate to the user terminal, depending on whether the user terminal accesses the test page, may include: the certificate test module detecting whether the user terminal accesses the test page; when the user terminal fails to access the test page, the certificate test module determining to provide the certificate to the user terminal and redirecting the user terminal to a certificate distribution module; and the certificate distribution module providing a certificate distribution page to the user terminal.

Further, a certificate distribution apparatus according to another embodiment of the present invention is disclosed. The certificate distribution apparatus includes: a first communication interface that detects a server connection request of a user terminal and transmits to the user terminal a message redirecting it to a certificate test module; a traffic analysis module that determines whether the user terminal is a user terminal requiring a certificate test; and a certificate test module that provides a test page for determining whether a certificate is installed in the user terminal, detects whether the user terminal connects to the test page, and determines according to that result whether to provide the certificate to the user terminal.

Also disclosed is a computer program stored on a computer-readable medium, comprising a plurality of instructions executed by one or more processors in accordance with an embodiment of the present invention. The computer program includes: a command for detecting a server connection request of a user terminal in a first communication interface; a command for a traffic analysis module to determine whether the user terminal is a user terminal requiring a certificate test; a command for transmitting, from the first communication interface to the user terminal, a message redirecting the user terminal to the certificate test module when the user terminal requires a certificate test; a command for the certificate test module to provide a test page for determining whether a certificate is installed in the user terminal when the user terminal connects to the certificate test module; and a command for the certificate test module to determine whether to provide the certificate to the user terminal according to whether the user terminal connects to the test page.

The present invention can distribute a certificate for use in encrypted communication.

The present invention can check whether a certificate for use in encrypted communication exists in a user terminal and distribute the certificate to a user terminal that does not have a certificate.

FIG. 1 is a block diagram of a certificate distribution apparatus according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of a communication system including a certificate distribution device according to an embodiment of the present invention.
FIG. 3 is an exemplary view illustrating an operation of a certificate distribution system according to an embodiment of the present invention.
FIG. 4 is a flowchart of a certificate distribution method according to an embodiment of the present invention.

Various embodiments are now described with reference to the drawings, wherein like reference numerals are used throughout the drawings to refer to like elements. In this specification, various explanations are given in order to provide an understanding of the present invention. It will be apparent, however, that such embodiments may be practiced without these specific details. In other instances, well-known structures and devices are provided in block diagram form in order to facilitate describing the embodiments.

The terms "component," "module," "system," and the like, as used herein, refer to a computer-related entity: hardware, firmware, software, a combination of software and hardware, or software in execution. For example, a component may be, but is not limited to, a process executing on a processor, a processor, an object, an executing thread, a program, and/or a computer. Both an application running on a computing device and the computing device itself may be components. One or more components may reside within a processor and/or thread of execution; a component may be localized on one computer or distributed between two or more computers. Further, such components may execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, for example according to a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet).

The description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features presented herein.

FIG. 1 is a block diagram of a certificate distribution apparatus according to an embodiment of the present invention.

The certificate distribution apparatus 100 according to an embodiment of the present invention includes a first communication interface 110, a second communication interface 120, a traffic analysis module 130, a certificate testing module 140, a certificate distribution module 150, and a memory 160.

The certificate distribution apparatus 100 according to an embodiment of the present invention may be a security device, a firewall, a relay device or the like located on the communication path between the user terminal 20 and the server 10.

The user terminal 20 may be a personal computer (PC), a notebook, a mobile terminal, a smartphone, a tablet PC, or any other type of terminal capable of connecting to the Internet. The user terminal 20 may run a web browser such as Microsoft Internet Explorer, Google Chrome, Firefox, Microsoft Edge, Opera or Safari.

The first communication interface 110 is the interface through which the certificate distribution apparatus 100 communicates with the user terminal 20, and may include a wired or wireless Internet module for that purpose. Wireless Internet technologies include WLAN (Wi-Fi), WiBro (Wireless Broadband), WiMAX (World Interoperability for Microwave Access), HSDPA (High Speed Downlink Packet Access) and LTE (Long Term Evolution); wired Internet technologies include xDSL (Digital Subscriber Line), FTTH (Fiber to the Home) and PLC (Power Line Communication).

The first communication interface 110 may detect a server connection request of the user terminal 20 and send a message to the user terminal 20 to redirect it. In particular, it may send a message that redirects the user terminal 20 to the certificate testing module 140 or to the certificate distribution module 150.

The certificate is a certificate used to monitor encrypted communication, and may include a private CA certificate of the certificate distribution device for re-signing the certificate of the server.

The second communication interface 120 may include a communication interface for communicating with the server 10. The second communication interface 120 performs a function of communicating with the server 10. The second communication interface 120 may include a wired / wireless Internet module for communicating with the server 10.

The second communication interface 120 may transmit the server connection request of the user terminal 20 to the server 10 and receive content from the server 10. In addition, the second communication interface 120 may receive the original certificate from the server 10.

The certificate distribution apparatus 100 can relay the communication between the user terminal 20 and the server 10 through the first communication interface 110 and the second communication interface 120. In encrypted communication, the certificate distribution apparatus 100 communicates with the server 10 on behalf of the user terminal 20.

The traffic analysis module 130 determines whether the user terminal 20 is a user terminal requiring a certificate test, starting from whether the ID of the user terminal exists in the certificate installation user list. If it determines that the user terminal 20 does not need a certificate test, it passes the server connection request received by the first communication interface 110 to the second communication interface 120 so that the request is transmitted to the server 10.

If the ID of the user terminal exists in the certificate installation user list, the traffic analysis module 130 determines whether the predetermined first period has elapsed since the user terminal's last certificate test. If the ID is present and the first period has not elapsed, the module determines that the user terminal 20 does not need a certificate test; if the ID is present but the first period has elapsed, it determines that the user terminal 20 needs a certificate test.

If the ID of the user terminal does not exist in the certificate installation user list, the traffic analysis module 130 may determine whether a connection request of the user terminal 20 has passed a predetermined second period.

If the ID of the user terminal does not exist in the certificate installation user list and the predetermined second period has not elapsed since the user terminal's connection requests were first seen, the traffic analysis module 130 determines that the user terminal 20 does not need a certificate test. If the ID does not exist in the list and the second period has elapsed, the module determines that the user terminal 20 needs a certificate test. Alternatively, the traffic analysis module 130 may determine that the user terminal 20 needs a certificate test solely because its ID does not exist in the certificate installation user list.

The predetermined second period may be shorter than the predetermined first period.

Through the first period, the traffic analysis module 130 makes a user who has the certificate installed repeat the certificate test periodically, so that the installation state is kept current even if the private certificate is changed. A user who does not have the certificate installed may be sent to the certificate test immediately, or only once the predetermined second period has elapsed; in the latter case a user without the certificate can still use the network for that period.
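As an added illustration of the decision rules just described (example code written for this page, not the applicant's implementation): the certificate installation user list is a dictionary keyed by terminal ID, the two periods are parameters, and the clock is passed in explicitly so the transitions can be checked. Terminal IDs, period lengths and the return labels are assumptions.

```python
"""Added example, not the patent's own code: the traffic analysis module's
decision for one server connection request, with the first/second period rules
and the certificate installation user list described above. Terminal IDs,
period lengths and the explicit clock are illustrative assumptions."""


class TrafficAnalysis:
    """Tracks which terminal IDs (IP address, user or subscriber info) passed the
    certificate test and when, and decides per request whether to forward it
    to the server or redirect the terminal to the certificate test module."""

    def __init__(self, first_period, second_period):
        # first_period: seconds between re-tests of a terminal known to have the
        # certificate (catches a rotated private CA); second_period: grace period
        # for a terminal not on the list, 0 means "test on first sight".
        self.first_period = first_period
        self.second_period = second_period
        self.installed = {}      # id -> time of last successful certificate test
        self.grace_start = {}    # id -> time the current grace period began

    def needs_test(self, terminal_id, now):
        if terminal_id in self.installed:
            return now - self.installed[terminal_id] >= self.first_period
        started = self.grace_start.setdefault(terminal_id, now)
        return now - started >= self.second_period

    def on_request(self, terminal_id, now):
        """Called by the first interface for every server connection request."""
        return "redirect_to_test" if self.needs_test(terminal_id, now) else "forward"

    def on_test_result(self, terminal_id, reached_test_page, now):
        """Called by the certificate test module once it knows whether the test
        page was loaded (possible only if the private CA is trusted)."""
        if reached_test_page:
            self.installed[terminal_id] = now
            self.grace_start.pop(terminal_id, None)
            return "forward"
        # Not trusted (never installed, or the installed copy is stale): send the
        # terminal to the distribution page and restart its grace period.
        self.installed.pop(terminal_id, None)
        self.grace_start[terminal_id] = now
        return "redirect_to_distribution"


if __name__ == "__main__":
    ta = TrafficAnalysis(first_period=24 * 3600, second_period=600)
    print(ta.on_request("10.0.0.5", 0), ta.on_request("10.0.0.5", 600))
```

Keying the list by IP address alone, as the ID definition allows, means a NAT gateway or a DHCP lease change can transfer one terminal's "installed" state to another; user or subscriber information is the safer key where the device has it.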

The certificate test module 140 provides a test page for determining whether a certificate is installed to a user terminal 20 that requires a certificate test, and detects whether the test page is accessed. The test page may be a page accessible only when a certificate is installed. It may be provided by the certificate distribution apparatus 100 or by a web server physically separated from the certificate distribution apparatus 100. The certificate testing module 140 determines whether to provide the certificate to the user terminal according to whether the user terminal 20 accesses the test page. The certificate test module 140 provides the test page to a user terminal 20 that the traffic analysis module 130 has determined to require a certificate test, by causing the first communication interface 110 to send the user terminal a message redirecting it to the test page.

Therefore, when the user terminal 20 accesses the test page, the certificate testing module 140 can determine that the user terminal 20 is a user terminal having a certificate installed therein. The certificate test module 140 may determine the user terminal 20 as a user terminal having a certificate when the user terminal 20 accesses a test page. In this case, the certificate testing module 140 may add the identity of the user terminal to the certificate installation user list on the memory 160. The ID of the user terminal may include at least one of the IP address of the user terminal, user information of the user terminal, and subscriber information of the user terminal, but is not limited thereto.

Also, when the user terminal 20 cannot access the test page, the certificate testing module 140 may determine that the user terminal is a user terminal without a certificate installed. In this case, the certificate testing module 140 may decide to provide the certificate to the user terminal 20 and to redirect the user terminal 20 to the certificate distribution module 150, by causing the first communication interface 110 to send the user terminal a message redirecting it to the certificate distribution module 150.

The certificate testing module 140 may be part of the certificate distribution apparatus 100 or may be a device that is physically separated from the certificate distribution apparatus 100 and communicably connected thereto.

The certificate distribution module 150 may provide the user terminal with a certificate distribution page that allows the user terminal 20 to download the certificate. The certificate distribution page may provide a certificate file or provide an automatic certificate installer. The user terminal 20 can download the certificate file via the certificate distribution page and the user can manually store it in the trusted root CA repository. In addition, the user terminal 20 can automatically install the certificate into a trusted root CA repository through download and execution of an automatic certificate installer.

The certificate distribution module 150 may be part of the certificate distribution apparatus 100 or may be a device that is physically separated from the certificate distribution apparatus 100 and communicably connected thereto.

The memory 160 may store programs including instructions for the operation of the certificate distribution device 100. The instructions stored in the memory 160 may be read by the processor of the certificate distribution apparatus or by each module, and executed in the certificate distribution apparatus 100.

The memory 160 may be of a flash memory type, hard disk type, multimedia card micro type or card type (for example SD or XD memory), or may be RAM (Random Access Memory), SRAM (Static Random Access Memory), ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), a magnetic disk and/or an optical disk. The certificate distribution apparatus 100 may also operate in association with web storage that performs the storage function of the memory 160 on the Internet.

The various embodiments described herein may be embodied in a recording medium readable by a computer or similar device using, for example, software, hardware, or a combination thereof.

In a hardware implementation, the embodiments described herein may be implemented using at least one of application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, and other electronic units for performing the described functions. In some cases the described embodiments may be implemented by the processor or by each module itself.

According to a software implementation, embodiments such as the procedures and functions described herein may be implemented with separate software modules. Each of the software modules may perform one or more of the functions and operations described herein. Software code can be implemented in a software application written in a suitable programming language. The software code may be stored in memory 160 and executed by a processor or module.

The certificate distribution apparatus 100 is located on the communication path between the user terminal 20 and the server 10 and can perform a security function through packet inspection of the encrypted communication between the user terminal 20 and the server 10. To this end, the certificate distribution apparatus 100 may decrypt and inspect the packets received from the server 10 and then transmit them to the user terminal 20. Equipment that decrypts and monitors encrypted data between a user and a server for security and caching purposes uses a private CA certificate for its encrypted session with the user, and the user's browser may warn about that certificate or fail to connect to the server. The certificate distribution apparatus 100 according to the embodiment of the present invention solves this problem by having its private CA certificate stored in the trusted CA certificate store of the user's browser. The encrypted communication may include, but is not limited to, SSL communication or TLS communication.

FIG. 2 is a schematic diagram of a communication system including a certificate distribution device according to an embodiment of the present invention.

The certificate distribution apparatus 100 is located on the communication path between the user terminal 20 and the server 10 and can perform a security function through packet inspection of the encrypted communication between the user terminal 20 and the server 10.

The certificate distribution apparatus 100 may decrypt the encrypted data transmitted from the server 10 to check whether it contains malware, data from a harmful site, and the like. Being located on the communication path between the user terminal 20 and the server 10, the certificate distribution apparatus 100 may thus operate as a security firewall.


When the first communication interface 110 of the certificate distribution apparatus 100 detects a server connection request of the user terminal 20, the traffic analysis module 130 determines whether the user terminal 20 is a user terminal requiring a certificate test.

The traffic analysis module 130 can judge whether the certificate test is necessary for the user terminal 20 by determining whether the ID of the user terminal is present in the certificate installation user list and/or whether the server connection request of the user terminal was made after the preset first or second period had passed.

When the traffic analysis module 130 determines that the user terminal 20 is a user terminal requiring a certificate test, the traffic analysis module 130 decides to redirect the user terminal 20 to the certificate test module 140. Based on this decision, the first communication interface 110 sends the user terminal 20 a message redirecting it to the certificate test module 140.

When the user terminal 20 accesses the certificate test module 140, the certificate test module 140 provides the user terminal 20 with a certificate test page for determining whether or not the certificate is installed. The certificate test page may be a page accessible only when a certificate is installed.

The certificate testing module 140 may determine whether to provide a certificate to the user terminal 20, depending on whether the user terminal 20 is accessing a test page.

When the user terminal 20 accesses the certificate test page, the certificate test module 140 decides not to provide the certificate to the user terminal 20, and the server access request of the user terminal 20 is transmitted to the server 10. The server connection request of the user terminal 20 may be transmitted to the server 10 by the second communication interface 120. In addition, the certificate test module 140 may allow the user terminal 20 to resume the server connection request and connect to the server 10.

If the user terminal 20 fails to access the certificate test page, the certificate test module 140 may decide to provide the user terminal 20 with a certificate. Based on this decision, the certificate test module 140 decides to redirect the user terminal 20 to the certificate distribution module 150, and the first communication interface 110 sends the user terminal 20 a message redirecting it to the certificate distribution module 150.

The certificate distribution module 150 may provide the user terminal with a certificate distribution page that allows the user terminal 20 to download the certificate. The certificate distribution page may provide a certificate file or provide an automatic certificate installer. The user terminal 20 can download the certificate file via the certificate distribution page and the user can manually store it in the trusted root CA repository. In addition, the user terminal 20 can automatically install the certificate into a trusted root CA repository through download and execution of an automatic certificate installer.

FIG. 3 is an exemplary view illustrating an operation of a certificate distribution system according to an embodiment of the present invention.

When the user terminal 20 makes a specific web request to the server 10, the first communication interface 110 of the certificate distribution apparatus 100 detects it. In this case, the certificate distribution apparatus 100 can present itself to the user terminal 20 as the server 10. The traffic analysis module 130 may then determine whether the user terminal 20 is a user terminal requiring a certificate test.

When the traffic analysis module 130 determines that the user terminal is a user terminal requiring a certificate test, the certificate test module 140 may provide a test page to the user terminal 20.

When the user terminal 20 accesses the test page, the certificate test module 140 determines that the user terminal 20 is a certificate-installed user terminal, and the certificate distribution apparatus 100 can transmit the request of the user terminal 20 to the server 10 so that the user terminal 20 can access the requested web page 11.

When the user terminal 20 cannot access the test page, the certificate test module 140 determines that the user terminal 20 is a certificate-uninstalled user terminal, and the certificate distribution apparatus 100 provides the certificate distribution page 13 to the user terminal 20. The user terminal 20 can download the certificate file via the certificate distribution page 13 and the user can manually store it in the trusted root CA repository. In addition, the user terminal 20 can automatically install the certificate into the trusted root CA repository by downloading and executing an automatic certificate installer.

FIG. 4 is a flowchart of a certificate distribution method according to an embodiment of the present invention.

The first communication interface 110 may sense a server connection request of the user terminal 20 (310). The first communication interface 110 may comprise a communication interface for communicating with the user terminal 20. The first communication interface 110 and the user terminal 20 can perform encrypted communication.

The traffic analysis module 130 may determine whether the user terminal 20 is a user terminal that requires a certificate test (320). The traffic analysis module 130 determines whether the user terminal 20 is a user terminal requiring a certificate test according to whether the user terminal ID is present in the certificate installation user list and/or whether the server connection request of the user terminal was made after the predetermined first or second period had passed.

If the user terminal is a user terminal requiring a certificate test, the traffic analysis module 130 may decide to provide the user terminal 20 with a certificate test page. The first communication interface 110 may send a message to the user terminal to redirect the user terminal 20 to the certificate test module 140.

If the user terminal 20 accesses the certificate test module 140, the certificate test module 140 may provide a test page for determining whether the certificate is installed in the user terminal (340). The test page is a page accessible only when the certificate is installed.

The certificate test module 140 may determine whether to provide a certificate to the user terminal 20 depending on whether the user terminal 20 accesses the test page (350).

When the user terminal 20 accesses the certificate test page, the certificate test module 140 decides not to provide the certificate to the user terminal 20, and the server access request of the user terminal 20 is transmitted to the server 10.

If the user terminal 20 fails to access the certificate test page, the certificate testing module 140 may decide to provide the user terminal 20 with a certificate.

Based on this decision, the certificate test module 140 decides to redirect the user terminal 20 to the certificate distribution module 150, and the first communication interface 110 sends the user terminal 20 a message redirecting it to the certificate distribution module 150.

The certificate distribution module 150 may provide the user terminal with a certificate distribution page that allows the user terminal 20 to download the certificate. The certificate distribution page may provide a certificate file or provide an automatic certificate installer. The user terminal 20 can download the certificate file via the certificate distribution page and the user can manually store it in the trusted root CA repository. In addition, the user terminal 20 can automatically install the certificate into a trusted root CA repository through download and execution of an automatic certificate installer.
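The decision flow described for FIG. 2 and again for the flowchart of FIG. 4 (and claimed in claims 4, 5 and 7), as an added Python simulation that is not part of the patent: the traffic analysis module's two-period check against the certificate installation user list, the redirect decisions of the first communication interface, and the list update after the test-page result. The period values, the dict-based lists, the class and function names, and the reading of "passed a period" as time elapsed since the terminal's last test are assumptions.

```python
"""Simulation of the certificate distribution apparatus decision flow
(FIG. 2 / FIG. 4, claims 4, 5 and 7). Added example, not the patent's own
code; names, period values and the dict-based lists are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """What the first communication interface 110 tells the user terminal."""
    FORWARD_TO_SERVER = "forward request to server 10"
    REDIRECT_TO_TEST = "redirect to certificate test module 140"
    REDIRECT_TO_DISTRIBUTION = "redirect to certificate distribution module 150"


@dataclass
class CertificateDistributionApparatus:
    # Assumed meaning of the claimed periods: seconds that must elapse since a
    # terminal's last test before it is redirected to the test page again.
    first_period: float   # re-test interval for IDs in the installation list
    second_period: float  # re-test interval for IDs not in the list
    # certificate installation user list: terminal ID -> time of last passed test
    installed: dict = field(default_factory=dict)
    # terminal ID -> time the last test was triggered (drives the second period)
    last_test: dict = field(default_factory=dict)

    def needs_test(self, terminal_id: str, now: float) -> bool:
        """Traffic analysis module 130 (claim 4): is a certificate test due?"""
        if terminal_id in self.installed:
            # ID present in the list: re-test only once the first period passed
            return now - self.installed[terminal_id] >= self.first_period
        last = self.last_test.get(terminal_id)
        # ID absent: test on first sight, afterwards only per second period
        return last is None or now - last >= self.second_period

    def on_connection_request(self, terminal_id: str, now: float) -> Action:
        """Steps 310-330: interface 110 detects a request, module 130 decides."""
        if not self.needs_test(terminal_id, now):
            return Action.FORWARD_TO_SERVER
        self.last_test[terminal_id] = now
        return Action.REDIRECT_TO_TEST

    def on_test_result(self, terminal_id: str, reached_test_page: bool,
                       now: float) -> Action:
        """Steps 340-350 (claims 5 and 7): certificate test module 140.

        reached_test_page is True only if the terminal completed the TLS
        handshake with the test page, i.e. it already trusts the private CA.
        """
        if reached_test_page:
            self.installed[terminal_id] = now      # claim 5: add ID to the list
            return Action.FORWARD_TO_SERVER
        self.installed.pop(terminal_id, None)      # trust absent or revoked
        return Action.REDIRECT_TO_DISTRIBUTION     # claim 7: distribution page


def walkthrough() -> list:
    """Constructed sequence for one terminal 't1': first contact fails the test,
    a later contact passes it, then the first period expires."""
    app = CertificateDistributionApparatus(first_period=3600, second_period=60)
    return [
        app.on_connection_request("t1", now=0),      # unknown ID -> test
        app.on_test_result("t1", False, now=1),      # no trust -> distribution
        app.on_connection_request("t1", now=10),     # within second period
        app.on_connection_request("t1", now=70),     # second period passed
        app.on_test_result("t1", True, now=71),      # installed -> listed
        app.on_connection_request("t1", now=100),    # listed, within first period
        app.on_connection_request("t1", now=3671),   # first period passed
    ]


if __name__ == "__main__":
    for step, action in enumerate(walkthrough(), 1):
        print(step, action.value)
```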

Those of ordinary skill in the art will understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced in the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.

Those skilled in the art will appreciate that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be embodied directly in electronic hardware, in computer software (which may be referred to herein as "software"), or in a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the design constraints imposed on the particular application and the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" includes a computer program, carrier, or media accessible from any computer-readable device. For example, the computer-readable medium can be a magnetic storage device (e.g., a hard disk, a floppy disk, a magnetic strip, etc.), an optical disk (e.g., CD, DVD, etc.), a smart card, or a flash memory device (e.g., EEPROM, cards, sticks, key drives, etc.), but is not limited thereto. The various storage media presented herein also include one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" includes, but is not limited to, other media capable of storing and/or retaining instruction(s) and/or data.

It will be appreciated that the particular order or hierarchy of steps in the presented processes is an example of exemplary approaches. It will be appreciated that, based on design priorities, certain orders or hierarchies of steps in processes may be rearranged within the scope of the present invention. The appended method claims provide elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.

The description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features presented herein.

Claims (9)

1. A certificate distribution method performed on a certificate distribution device, the method comprising:
detecting, at a first communication interface, a server access request of a user terminal;
determining, by a traffic analysis module, whether the user terminal is a user terminal requiring a certificate test;
transmitting, from the first communication interface to the user terminal, a message for redirecting the user terminal to a certificate test module if the user terminal is a user terminal requiring a certificate test;
providing, by the certificate test module, a test page for determining whether a certificate is installed in the user terminal if the user terminal accesses the certificate test module; and
determining, by the certificate test module, whether to provide a certificate to the user terminal according to whether the user terminal is connected to the test page.
2. The method according to claim 1, wherein the certificate is a private CA certificate for re-signing a certificate of a server, used for monitoring encrypted communication.
3. The method according to claim 1, wherein the test page is a page accessible only when a certificate is installed.
4. The method according to claim 1, wherein the step of the traffic analysis module determining whether the user terminal is a user terminal requiring a certificate test comprises:
determining, by the traffic analysis module, whether an ID of the user terminal is present in a certificate installation user list;
determining whether a connection request of the user terminal has passed a predetermined first period when the ID of the user terminal is present in the certificate installation user list; and
determining whether a connection request of the user terminal has passed a predetermined second period when the ID of the user terminal is not present in the certificate installation user list.
5. The method according to claim 1, wherein the step of the certificate test module determining whether to provide a certificate to the user terminal according to whether the user terminal accesses the test page comprises:
detecting, by the certificate test module, whether the user terminal accesses the test page; and
adding an ID of the user terminal to a certificate installation user list when the user terminal accesses the test page.
6. The method according to claim 5, wherein the ID of the user terminal comprises an IP address of the user terminal, user information of the user terminal, and subscriber information of the user terminal.
7. The method according to claim 1, wherein the step of the certificate test module determining whether to provide a certificate to the user terminal according to whether the user terminal accesses the test page comprises:
detecting, by the certificate test module, whether the user terminal accesses the test page;
deciding, by the certificate test module, to provide the certificate to the user terminal and redirecting the user terminal to a certificate distribution module if the user terminal fails to access the test page; and
providing a certificate distribution page to the user terminal.
8. A certificate distribution apparatus comprising:
a first communication interface for detecting a server connection request of a user terminal and transmitting to the user terminal a message for redirecting the user terminal to a certificate test module;
a traffic analysis module for determining whether the user terminal is a user terminal requiring a certificate test; and
the certificate test module, which provides a test page for determining whether a certificate is installed in the user terminal, detects whether the user terminal is connected to the test page, and decides whether to provide a certificate to the user terminal according to whether the user terminal is connected to the test page.
9. A computer program stored in a computer-readable medium and comprising a plurality of instructions executed by one or more processors, the computer program comprising:
instructions for detecting, at a first communication interface, a server access request of a user terminal;
instructions for a traffic analysis module to determine whether the user terminal is a user terminal requiring a certificate test;
instructions for transmitting, from the first communication interface to the user terminal, a message for redirecting the user terminal to a certificate test module if the user terminal is a user terminal requiring a certificate test;
instructions for the certificate test module to provide a test page for determining whether a certificate is installed in the user terminal if the user terminal accesses the certificate test module; and
instructions for the certificate test module to determine whether to provide a certificate to the user terminal according to whether the user terminal is connected to the test page.

KR1020150182088A 2015-12-18 2015-12-18 Apprapatus and method for distributing certificate KR101741672B1 (en)


Publications (1)

Publication Number Publication Date
KR101741672B1 true KR101741672B1 (en) 2017-05-31



Legal Events

Date Code Title Description
GRNT Written decision to grant