KR101741672B1 - Apprapatus and method for distributing certificate - Google Patents
- Publication number
- KR101741672B1 (application KR1020150182088A)
- Authority
- KR
- South Korea
- Prior art keywords
- certificate
- user terminal
- test
- module
- page
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Description
BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to cryptographic communication, and more particularly to a method for distributing a certificate needed for cryptographic communication.
Secure Sockets Layer (SSL; in practice its successor, TLS) is a cryptographic protocol that protects TCP/IP communication. SSL-encrypted communication was initially used to protect sensitive content and messages transmitted over the web, such as banking, e-commerce and corporate data. More recently, SSL encryption has been applied to the transmission of web content of every kind, such as social media and entertainment, and its share of traffic is steadily increasing; Twitter, Google, Facebook and others all serve their content over SSL. SSL-encrypted communication, which uses a public/private key pair together with symmetric session keys, requires a certificate.
A certificate is an entity's identifying data that has been signed with a certificate authority's private key; the encryption system uses this file as an identity card. The certificate contains the holder's name and public key, and it lets a client verify that the server it is connected to is the server it intended to reach. Private companies that perform this role are called certificate authorities (CAs); the self-signed certificate at the top of a CA's hierarchy is its root certificate. A certificate for encrypted communication can be purchased from a CA and put to use.
SSL encryption, introduced to protect content, also defeats the security firewalls that corporations, educational institutions, public agencies and telecommunication carriers deploy to stop the spread of malicious software, block intrusions and deny access to harmful sites, because those devices cannot inspect an encrypted payload. Thus there is a need in the art for a solution for monitoring SSL-encrypted packets.
For security and caching purposes, a device that monitors SSL-encrypted packets between a user and a server may terminate the user's SSL session itself, presenting a certificate issued by its own private CA, in order to decrypt the traffic. Because the user's browser does not trust that private CA certificate, it will display a warning or refuse to connect to the server. Solving this problem requires a certificate distribution system that can install the private CA certificate, automatically or manually, in the browser's trusted CA certificate store.
Korean Patent Laid-Open Publication No. 10-2015-0053520 (published May 18, 2015) discloses a method of authenticating a server by receiving a certificate from the server.
The present invention has been devised against the background described above and is intended to distribute a certificate for use in encrypted communication.
The present invention checks whether a certificate for use in encrypted communication exists in a user terminal and distributes the certificate to a user terminal that does not hold one.
To solve the problems described above, a certificate distribution method performed in a certificate distribution apparatus according to an embodiment of the present invention is disclosed. The method includes: detecting a server connection request from a user terminal at a first communication interface; a traffic analysis module determining whether the user terminal is one that requires a certificate test; if it is, transmitting from the first communication interface to the user terminal a message that redirects the user terminal to a certificate test module; the certificate test module providing a test page for determining whether a certificate is installed in the user terminal; and the certificate test module determining, according to whether the user terminal succeeds in connecting to the test page, whether to provide the certificate to the user terminal.
Alternatively, the certificate is a certificate used to monitor encrypted communication, and may be a private CA certificate used to re-sign the server's certificate.
Alternatively, the test page is a page that is accessible only when the certificate is installed.
Alternatively, the traffic analysis module's step of determining whether the user terminal requires a test includes: determining whether the ID of the user terminal exists in a certificate installation user list; if it does, determining whether a predetermined first period has elapsed for the connection request of the user terminal; and if it does not, determining whether a predetermined second period has elapsed for the connection request of the user terminal.
Alternatively, the certificate test module's step of determining whether to provide a certificate, according to whether the user terminal connects to the test page, includes the certificate test module detecting whether the user terminal accesses the test page and, when the user terminal has accessed it, adding the ID of the user terminal to the certificate installation user list.
Alternatively, the ID of the user terminal includes at least one of the IP address of the user terminal, user information of the user terminal, and subscriber information of the user terminal.
Alternatively, the certificate test module's step of determining whether to provide a certificate, according to whether the user terminal accesses the test page, includes: the certificate test module detecting whether the user terminal accesses the test page; when the user terminal fails to access the test page, the certificate test module deciding to provide the certificate to the user terminal and redirecting the user terminal to a certificate distribution module; and the certificate distribution module providing a certificate distribution page to the user terminal.
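The decision flow laid out in the steps above (the traffic analysis module consulting the certificate installation user list and its two periods, and the certificate test module either recording a successful test or redirecting to the distribution page), as an added example that is not part of the patent or of any product built on it. It is written in Go. The type and function names, the use of a plain string as the terminal ID, the constructed periods and terminal address, and the choice to measure the second period from the time of the last test redirect are all assumptions: the patent says the second period is shorter than the first but not what either is measured from.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the certificate distribution apparatus tells the first
// communication interface to do with a terminal's request.
type Action int

const (
	PassThrough            Action = iota // forward the server connection request
	RedirectToTestPage                   // redirect message to the certificate test module
	RedirectToDistribution               // redirect to the certificate distribution page
)

func (a Action) String() string {
	return [...]string{"pass-through", "redirect-to-test-page", "redirect-to-distribution-page"}[a]
}

// Distributor holds the state shared by the traffic analysis module and the
// certificate test module. Terminal IDs are opaque strings; the patent allows
// an IP address, user information or subscriber information.
type Distributor struct {
	installed    map[string]time.Time // certificate installation user list: ID -> last successful test
	lastRedirect map[string]time.Time // ID -> last test redirect (assumption: the second period is measured from here)
	firstPeriod  time.Duration        // re-test interval for terminals on the list
	secondPeriod time.Duration        // retry interval for terminals not on the list; shorter than firstPeriod
}

func NewDistributor(first, second time.Duration) *Distributor {
	return &Distributor{
		installed:    map[string]time.Time{},
		lastRedirect: map[string]time.Time{},
		firstPeriod:  first,
		secondPeriod: second,
	}
}

// needsTest is the traffic analysis module's decision: a terminal on the list is
// re-tested once firstPeriod has elapsed since it last passed; a terminal off the
// list is redirected again only once secondPeriod has elapsed since the last
// redirect, so a terminal that ignores the test page is not bounced on every request.
func (d *Distributor) needsTest(id string, now time.Time) bool {
	if at, ok := d.installed[id]; ok {
		return now.Sub(at) >= d.firstPeriod
	}
	if at, ok := d.lastRedirect[id]; ok {
		return now.Sub(at) >= d.secondPeriod
	}
	return true // never seen before: test immediately
}

// OnConnectionRequest handles a server connection request detected at the
// first communication interface.
func (d *Distributor) OnConnectionRequest(id string, now time.Time) Action {
	if !d.needsTest(id, now) {
		return PassThrough
	}
	d.lastRedirect[id] = now
	return RedirectToTestPage
}

// OnTestResult is the certificate test module's decision. reached reports whether
// the terminal loaded the test page, which is served under the private CA and so
// loads only when that CA is in the terminal's trust store.
func (d *Distributor) OnTestResult(id string, reached bool, now time.Time) Action {
	if reached {
		d.installed[id] = now
		return PassThrough
	}
	delete(d.installed, id) // a listed terminal that now fails no longer trusts the CA
	return RedirectToDistribution
}

func main() {
	d := NewDistributor(24*time.Hour, time.Hour) // constructed periods
	t0 := time.Date(2015, 12, 18, 9, 0, 0, 0, time.UTC)
	id := "10.0.0.5" // constructed terminal ID (an IP address)
	fmt.Println("first request:        ", d.OnConnectionRequest(id, t0))
	fmt.Println("10 min later:         ", d.OnConnectionRequest(id, t0.Add(10*time.Minute)))
	fmt.Println("test page not reached:", d.OnTestResult(id, false, t0.Add(time.Minute)))
	fmt.Println("2 h later:            ", d.OnConnectionRequest(id, t0.Add(2*time.Hour)))
	fmt.Println("test page reached:    ", d.OnTestResult(id, true, t0.Add(2*time.Hour)))
	fmt.Println("5 h later:            ", d.OnConnectionRequest(id, t0.Add(5*time.Hour)))
	fmt.Println("30 h later:           ", d.OnConnectionRequest(id, t0.Add(30*time.Hour)))
}
```

In a deployment the "reached" signal is simply whether an HTTP request for the test page ever arrives at the test module: a browser that does not trust the private CA aborts the TLS handshake before sending one, so the module has to treat a redirect that is not followed within some timeout as a failure. Keying the list on an IP address, which the patent permits, is unreliable behind NAT or carrier-grade NAT, where one address can stand for many terminals; user or subscriber information is the safer choice where it is available.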
A certificate distribution apparatus according to another embodiment of the present invention is also disclosed. The apparatus includes: a first communication interface that detects a server connection request from a user terminal and transmits to the user terminal a message redirecting it to a certificate test module; a traffic analysis module that determines whether the user terminal requires a certificate test; and a certificate test module that provides a test page for determining whether a certificate is installed in the user terminal, detects whether the user terminal connects to the test page, and decides according to the result whether to provide the certificate to the user terminal.
Also disclosed is a computer program stored on a computer-readable medium and comprising instructions executed by one or more processors according to an embodiment of the present invention. The program includes: an instruction for detecting a server connection request from a user terminal at a first communication interface; an instruction for a traffic analysis module to determine whether the user terminal requires a certificate test; an instruction for transmitting, from the first communication interface to the user terminal, a message redirecting the user terminal to a certificate test module when the user terminal requires a test; an instruction for the certificate test module to provide a test page for determining whether a certificate is installed in the user terminal; and an instruction for the certificate test module to determine, according to whether the user terminal connects to the test page, whether to provide the certificate to the user terminal.
The present invention can distribute a certificate for use in encrypted communication.
The present invention can check whether a certificate for use in encrypted communication exists in a user terminal and distribute the certificate to a user terminal that does not have a certificate.
FIG. 1 is a block diagram of a certificate distribution apparatus according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of a communication system including a certificate distribution device according to an embodiment of the present invention.
FIG. 3 is an exemplary view illustrating an operation of a certificate distribution system according to an embodiment of the present invention.
FIG. 4 is a flowchart of a certificate distribution method according to an embodiment of the present invention.
Various embodiments are now described with reference to the drawings, wherein like reference numerals are used throughout the drawings to refer to like elements. In this specification, various explanations are given in order to provide an understanding of the present invention. It will be apparent, however, that such embodiments may be practiced without these specific details. In other instances, well-known structures and devices are provided in block diagram form in order to facilitate describing the embodiments.
The terms "component," "module," "system," and the like, as used herein, refer to a computer-related entity: hardware, firmware, software, a combination of software and hardware, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executing thread, a program, and/or a computer. Both an application running on a computing device and the computing device itself may be components. One or more components may reside within a processor and/or thread of execution, and a component may be localized on one computer or distributed between two or more computers. Such components may also execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, for example in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet with other systems by way of the signal).
The description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features presented herein.
FIG. 1 is a block diagram of a certificate distribution apparatus according to an embodiment of the present invention.
The certificate is a certificate used to monitor encrypted communication, and may include a private CA certificate of the certificate distribution device for re-signing the certificate of the server.
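Re-signing the server's certificate with the device's private CA, and the property that the test page is reachable only when that CA is installed, both reduce to one check: whether the browser can build a chain from the leaf certificate it is shown to a root in its trust store. The following Go program is an added example, not code from the patent or from any product implementing it. It builds a constructed stand-in public root, a constructed origin certificate for www.example.com under that root, a constructed private CA for the interception device, the re-signed leaf the device would present, and then runs the chain validation a browser performs against a trust store with and without the private CA. The CA names, hostname, serial numbers and validity periods are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs it under parent with
// parentKey; a nil parentKey means self-signed (used for the two CAs).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a server-leaf template, or a CA template when isCA is set.
func template(subject pkix.Name, dnsNames []string, isCA bool, serial int64) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// Resign is the decryption device's step: mint a new leaf carrying the origin
// certificate's subject and SANs, signed by the private CA. The device keeps the
// returned key, so it can terminate the client's TLS session and read the traffic.
func Resign(origin, privateCA *x509.Certificate, privateKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(template(origin.Subject, origin.DNSNames, false, 1000), privateCA, privateKey)
}

// TrustedBy is the check a browser performs on the leaf it is shown: chain to a
// root in the trust store and match the hostname. A nil error means no warning.
func TrustedBy(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// Scenario: the certificates plus a browser trust store before and after the
// certificate distribution page installs the private CA.
type Scenario struct {
	Origin, Resigned          *x509.Certificate
	PublicOnly, WithPrivateCA *x509.CertPool
}

func BuildScenario(host string) (*Scenario, error) {
	pubCA, pubKey, err := issue(template(pkix.Name{CommonName: "Constructed Public Root CA"}, nil, true, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	origin, _, err := issue(template(pkix.Name{CommonName: host}, []string{host}, false, 100), pubCA, pubKey)
	if err != nil {
		return nil, err
	}
	privCA, privKey, err := issue(template(pkix.Name{CommonName: "Constructed Interception Private CA"}, nil, true, 2), nil, nil)
	if err != nil {
		return nil, err
	}
	resigned, _, err := Resign(origin, privCA, privKey)
	if err != nil {
		return nil, err
	}
	publicOnly, withPrivate := x509.NewCertPool(), x509.NewCertPool()
	publicOnly.AddCert(pubCA)
	withPrivate.AddCert(pubCA)
	withPrivate.AddCert(privCA)
	return &Scenario{Origin: origin, Resigned: resigned, PublicOnly: publicOnly, WithPrivateCA: withPrivate}, nil
}

func main() {
	s, err := BuildScenario("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("origin, public roots only:   ", TrustedBy(s.Origin, s.PublicOnly, "www.example.com"))
	fmt.Println("re-signed, public roots only:", TrustedBy(s.Resigned, s.PublicOnly, "www.example.com"))
	fmt.Println("re-signed, private CA added: ", TrustedBy(s.Resigned, s.WithPrivateCA, "www.example.com"))
}
```

The second result is the warning the background section describes; the third is what the distribution page buys. Serving the test page over HTTPS with a leaf issued by the same private CA turns this check into the installation probe: a browser without the CA fails the handshake before any request reaches the test module. Two caveats a practitioner should keep in mind: applications that pin their server certificate will reject the re-signed leaf whether or not the CA is installed, and the private CA key on the device can impersonate any site to every terminal that trusts it, so it deserves the same protection as a production CA key.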
If the ID of the user terminal exists in the certificate installation user list, the
If the ID of the user terminal does not exist in the certificate installation user list, the
If the ID of the user terminal does not exist in the certificate installation user list and the connection request of the user terminal does not pass the predetermined second period, the
The predetermined second period may be shorter than the predetermined first period.
The various embodiments described herein may be embodied in a recording medium readable by a computer or similar device using, for example, software, hardware, or a combination thereof.
According to a hardware implementation, the embodiments described herein may be implemented using at least one of application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, and other electronic units designed to perform the functions described herein. In some cases, the embodiments described herein may be implemented by the processor or by each module itself.
According to a software implementation, embodiments such as the procedures and functions described herein may be implemented with separate software modules. Each of the software modules may perform one or more of the functions and operations described herein. Software code can be implemented in a software application written in a suitable programming language. The software code may be stored in
FIG. 2 is a schematic diagram of a communication system including a certificate distribution device according to an embodiment of the present invention.
Equipment that decrypts and monitors encrypted data between a user and a server for security and caching purposes may present a certificate issued by its private CA when it decrypts the user's encrypted data; the user's browser, which does not trust that private CA, may then show a certificate warning or refuse to connect to the server. However, the
FIG. 3 is an exemplary view illustrating an operation of a certificate distribution system according to an embodiment of the present invention.
FIG. 4 is a flowchart of a certificate distribution method according to an embodiment of the present invention.
If the user terminal is a user terminal requiring a certificate test, the
If the
Those of ordinary skill in the art will understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols and chips that may be referenced in the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those skilled in the art will appreciate that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be embodied directly in electronic hardware, in computer software (which may be referred to herein as "software"), or in a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the design constraints imposed on the particular application and the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" includes a computer program, carrier, or media accessible from any computer-readable device. For example, the computer-readable medium can be, but is not limited to, a magnetic storage device (e.g., a hard disk, a floppy disk, a magnetic strip, etc.), an optical disk (e.g., CD, DVD, etc.), a smart card, and a flash memory device (e.g., EEPROM, card, stick, key drive, etc.). The various storage media presented herein also include one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" includes, but is not limited to, other media capable of storing and/or retaining instruction(s) and/or data.
It will be appreciated that the particular order or hierarchy of steps in the presented processes is an example of exemplary approaches. It will be appreciated that, based on design priorities, certain orders or hierarchies of steps in processes may be rearranged within the scope of the present invention. The appended method claims provide elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.
Claims (9)

1. A certificate distribution method performed in a certificate distribution apparatus, the method comprising:
detecting a server connection request of a user terminal at a first communication interface;
a traffic analysis module determining whether the user terminal is a user terminal requiring a certificate test;
transmitting a message for redirecting the user terminal to a certificate test module from the first communication interface to the user terminal if the user terminal is a user terminal requiring a certificate test;
the certificate test module providing, when the user terminal accesses the certificate test module, a test page for determining whether a certificate is installed in the user terminal; and
the certificate test module determining whether to provide a certificate to the user terminal according to whether the user terminal connects to the test page.

2. The certificate distribution method, wherein the certificate is a certificate used for monitoring encrypted communication and is a private CA certificate for re-signing a certificate of a server.

3. The certificate distribution method, wherein the test page is a page accessible only when the certificate is installed.

4. The certificate distribution method, wherein the step of the traffic analysis module determining whether the user terminal is a user terminal requiring a test comprises:
the traffic analysis module determining whether an ID of the user terminal is present in a certificate installation user list;
determining whether a connection request of the user terminal has passed a predetermined first period when the ID of the user terminal is present in the certificate installation user list; and
determining whether a connection request of the user terminal has passed a predetermined second period when the ID of the user terminal is not present in the certificate installation user list.

5. The certificate distribution method, wherein the step of the certificate test module determining whether to provide a certificate to the user terminal according to whether the user terminal accesses the test page comprises:
the certificate test module detecting whether the user terminal accesses the test page; and
adding an ID of the user terminal to a certificate installation user list when the user terminal accesses the test page.

6. The certificate distribution method, wherein the ID of the user terminal comprises at least one of an IP address of the user terminal, user information of the user terminal, and subscriber information of the user terminal.

7. The certificate distribution method, wherein the step of the certificate test module determining whether to provide a certificate to the user terminal according to whether the user terminal accesses the test page comprises:
the certificate test module detecting whether the user terminal accesses the test page;
if the user terminal fails to access the test page, the certificate test module deciding to provide the certificate to the user terminal and redirecting the user terminal to a certificate distribution module; and
the certificate distribution module providing a certificate distribution page to the user terminal.

8. A certificate distribution apparatus comprising:
a first communication interface for detecting a server connection request of a user terminal and transmitting a message for redirecting the user terminal to a certificate test module to the user terminal;
a traffic analysis module for determining whether the user terminal is a user terminal requiring a certificate test; and
a certificate test module for providing a test page for determining whether a certificate is installed in the user terminal, detecting whether the user terminal connects to the test page, and deciding whether to provide a certificate to the user terminal according to whether the user terminal connects to the test page.

9. A computer program stored on a computer-readable medium and comprising a plurality of instructions executed by one or more processors, the instructions comprising:
an instruction for detecting a server connection request of a user terminal at a first communication interface;
an instruction for a traffic analysis module to determine whether the user terminal is a user terminal requiring a certificate test;
an instruction for transmitting a message for redirecting the user terminal to a certificate test module from the first communication interface to the user terminal if the user terminal is a user terminal requiring a certificate test;
an instruction for the certificate test module to provide, when the user terminal accesses the certificate test module, a test page for determining whether a certificate is installed in the user terminal; and
an instruction for the certificate test module to determine whether to provide a certificate to the user terminal according to whether the user terminal connects to the test page.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150182088A KR101741672B1 (en) | 2015-12-18 | 2015-12-18 | Apprapatus and method for distributing certificate |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150182088A KR101741672B1 (en) | 2015-12-18 | 2015-12-18 | Apprapatus and method for distributing certificate |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101741672B1 true KR101741672B1 (en) | 2017-05-31 |
Family
ID=59052262
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150182088A KR101741672B1 (en) | 2015-12-18 | 2015-12-18 | Apprapatus and method for distributing certificate |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101741672B1 (en) |
Events
- 2015-12-18: application KR1020150182088A filed in KR; granted as KR101741672B1 (status: active, IP right granted)
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7051206B1 (en) | 2000-11-07 | 2006-05-23 | Unisys Corporation | Self-authentication of value documents using digital signatures |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220021522A1 (en) * | 2020-07-20 | 2022-01-20 | Fujitsu Limited | Storage medium, relay device, and communication method |
KR20220051130A (en) * | 2020-10-12 | 2022-04-26 | 쿠팡 주식회사 | System and Method for Local Randomized Distribution of Test Dataset |
KR102515591B1 (en) | 2020-10-12 | 2023-03-29 | 쿠팡 주식회사 | Systems and methods for local randomization distribution of test datasets |
US11620210B2 (en) | 2020-10-12 | 2023-04-04 | Coupang Corp. | Systems and methods for local randomization distribution of test datasets |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10341321B2 (en) | System and method for policy based adaptive application capability management and device attestation | |
US9514317B2 (en) | Policy-based trusted inspection of rights managed content | |
EP3453136B1 (en) | Methods and apparatus for device authentication and secure data exchange between a server application and a device | |
EP3275159B1 (en) | Technologies for secure server access using a trusted license agent | |
US9112854B1 (en) | Secure communication between applications on untrusted platforms | |
US9071600B2 (en) | Phishing and online fraud prevention | |
CN106899571B (en) | Information interaction method and device | |
US10341350B2 (en) | Actively identifying and neutralizing network hot spots | |
US20190068568A1 (en) | Distributed profile and key management | |
CN105516066B (en) | A kind of method and device that internuncial presence is recognized | |
US11770415B2 (en) | Header replay for endpoint-based security | |
CN105187426B (en) | For realizing the method and system of cross-domain access based on authentication information | |
US20150033299A1 (en) | System and methods for ensuring confidentiality of information used during authentication and authorization operations | |
Eustis | The Mirai Botnet and the importance of IoT device security | |
US10897458B1 (en) | Enhancing secure client experience through selective encryption of cookies | |
KR101847637B1 (en) | Method and apprapatus for processing encrypted communication session | |
KR101741672B1 (en) | Apprapatus and method for distributing certificate | |
CN109960935B (en) | Method, device and storage medium for determining trusted state of TPM (trusted platform Module) | |
US11443023B2 (en) | Distributed profile and key management | |
KR101847636B1 (en) | Method and apprapatus for watching encrypted traffic | |
KR102468823B1 (en) | Applet package sending method and device, electronic apparatus, and computer readable medium | |
Chatterjee et al. | A comprehensive study on security issues in android mobile phone—scope and challenges | |
CN112769731B (en) | Process control method, device, server and storage medium | |
KR20180031435A (en) | Apparatus and method for inspecting the packet communications using the Secure Sockets Layer | |
CN113261254A (en) | Private key cloud storage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GRNT | Written decision to grant |