WO2011075907A1 - Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities - Google Patents

Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities Download PDF

Info

Publication number
WO2011075907A1
WO2011075907A1 PCT/CN2009/076047 CN2009076047W WO2011075907A1 WO 2011075907 A1 WO2011075907 A1 WO 2011075907A1 CN 2009076047 W CN2009076047 W CN 2009076047W WO 2011075907 A1 WO2011075907 A1 WO 2011075907A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
public key
message
certificate
authentication
Prior art date
Application number
PCT/CN2009/076047
Other languages
French (fr)
Chinese (zh)
Inventor
铁满霞
曹军
赖晓龙
黄振海
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 西安西电捷通无线网络通信股份有限公司 filed Critical 西安西电捷通无线网络通信股份有限公司
Priority to PCT/CN2009/076047 priority Critical patent/WO2011075907A1/en
Publication of WO2011075907A1 publication Critical patent/WO2011075907A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • the present invention relates to the field of network security, and in particular, to a method for implementing public key acquisition, certificate verification, and two-way authentication of an entity.
  • entity authentication between the user and the network must be completed before the user logs into the network for secure communication, and the entity is authenticated as one-way authentication or two-way authentication.
  • the authentication mechanisms used for entity authentication generally fall into two categories: authentication mechanisms based on symmetric key algorithms and authentication mechanisms based on public key (asymmetric key) algorithms.
  • the authentication mechanism based on the public key algorithm requires that the participant entity must have a pair of keys, that is, a public-private key pair, wherein the public key needs to be notified to other participant entities.
  • the notification methods that can be used are the out-of-band notification method and the certificate method.
  • the out-of-band notification method is less used because it is difficult to update, and the certificate method is widely used.
  • the public key algorithm based on public key algorithm generally needs to be implemented based on public key infrastructure.
  • the public key infrastructure is full infrastructure, which can provide security services such as authentication, integrity and confidentiality.
  • Two important concepts in public key infrastructure are public key certificates and certificate authorities.
  • Public key certificates are usually issued by the certificate authority.
  • the signature in the public key certificate is provided by the certificate authority.
  • the certificate authority verifies the public key certificate by providing a signature. The binding relationship between the holder and the public key held by the holder.
  • a public key certificate that has been verified by a certificate authority usually has a lifetime, and the certificate fails after the end of the lifetime. If the private key corresponding to the public key certificate is leaked, the public key certificate also fails. There are also other cases where the public key certificate is invalidated, such as a job change that causes it to fail.
  • Entities participating in authentication in network communications typically refuse to establish secure communications with entities holding expired public key certificates, so public key acquisition and certificate verification typically surround and provide services for the entity authentication process.
  • the existing authentication mechanism must have a valid public key of the claimant or know the public key certificate status of the claimant before or during the operation. Otherwise, the authentication process may be damaged or cannot be successfully completed.
  • entity A and entity B need to complete the authentication between them by performing an authentication protocol. Trusted third party trusts entity A and entity B. The third party entity, and entity A and entity B must obtain the status of the valid public key or public key certificate of the peer entity through the trusted third party TP before authentication.
  • OCSP Online Certificate Status Protocol
  • client sends a request to the server and the server returns a response.
  • the request contains a series of certificates that need to be verified.
  • the response contains the status and verification interval of the series of certificates.
  • the network structure is the access network of the user, the access point, and the server ternary structure.
  • the entity authentication mechanism is usually implemented to implement the user access control function. Before the authentication mechanism is successfully completed, the user is prohibited from accessing the network. Therefore, the user cannot use the certificate revocation list CRL or the online certificate status protocol OCSP before the authentication.
  • the method verifies the validity of the access point certificate or obtains a valid public key of the access point.
  • the user is also difficult to use the certificate revocation list CRL, the online certificate status protocol OCSP, etc. in the process of authentication.
  • the user equipment may have limited storage resources, or the user is not willing to store the certificate revocation list CRL, which may result in the periodic download certificate revocation list CRL being impossible.
  • the access network there may be problems such as policy restrictions on the access network.
  • the user uses the online query mechanism such as the online certificate status protocol OCSP, the user needs to execute a separate online certificate status protocol OSCP and other protocols through the background server. These protocols often Running on the HTTP protocol, belonging to the application layer protocol, it is very complicated to use these protocols directly before the authentication of the access network has not been completed. Even if it can be used, it needs to be completed by the structure of the user-server and the access point-server. It does not conform to the structure of the user-input-one server, and cannot be directly and conveniently applied.
  • the present invention solves the above technical problems existing in the background art, and proposes a method for realizing entity public key acquisition, certificate verification, and two-way authentication.
  • the technical solution of the present invention is:
  • the present invention is a method for realizing public key acquisition, certificate verification and two-way authentication of an entity, the method comprising the following steps:
  • Entity A sends message 1 to entity B, and message 1 includes random number R A , identity ID A and optional text Text 1;
  • the entity B After receiving the message 1, the entity B sends a message 2 to the entity A, and the message 2 includes the token TokenBA, the identity ID B , the request ReqB, and the optional text Text3;
  • the entity A After receiving the message 2, the entity A sends a message 3 to the trusted third party TP, and the message 3 includes the request ReqAT and the optional text Text4;
  • the trusted third party determines to respond to RepTA and returns a message 4 to entity A, which includes a response RepTA and an optional text Text5;
  • the entity A After receiving the message 4 from the trusted third party TP, the entity A processes the result of the entity B, and returns a message 5 to the entity B.
  • the message 5 includes the token TokenAB and the response RepB; the entity B receives the entity A.
  • processing is performed to obtain the identification result of entity A.
  • the trusted third party TP determines that the response RepTA includes:
  • the processing includes: the entity A verifies the response RepTA according to the used public key authentication protocol or the distribution protocol, and obtains the entity B public key or public if the verification succeeds.
  • the state of the key certificate verifying the signature of the entity B contained in the token TokenBA; then checking whether the identity field ID A included in the signature data of the token TokenBA is consistent with the identity of the entity A, checking the randomness in the message 1. Whether the number R A is included or not The random number R A in the token TokenBA is consistent, and the identification result of the entity B is obtained.
  • the processing includes:
  • Entity B verifies the response RepB according to the public key authentication protocol or distribution protocol used. If the verification succeeds, the state of the public key or the public key certificate of the entity A is obtained, and the signature of the entity A included in the token TokenAB is verified, and the check is included in whether the signature data token TokenAB in the identity field ID B with the identity of the entity B identify correspondingly, to check whether the message 2 of the random number R B contained a random number R B in the token TokenAB in consistent, to give entity a Identification results.
  • the ReqB and the ReqAT are respectively a request generated by the entity B and the entity A, requesting the status information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB; the RepTA and the RepB are respectively for the request ReqAT and ReqB produces a response, and RepTA contains the contents of RepB.
  • the forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used.
  • the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
  • a system for implementing public key acquisition, certificate verification, and two-way authentication of an entity including a first entity, a second entity, and a trusted third party, wherein:
  • the first entity is configured to send a message 1 to a second entity, where the message 1 includes a random number R A , an identity ID A, and an optional text Textl;
  • the second entity After receiving the message 1, the second entity sends a message 2 to the first entity, where the message 2 includes a token TokenBA, an identity ID B , a request ReqB, and an optional text Text3;
  • the first entity After receiving the message 2, the first entity sends a message to the trusted third party TP 3, the message 3 includes the request ReqAT and the optional text Text4;
  • the trusted third party determines to respond to RepTA and returns a message 4 to the first entity.
  • the message 4 includes a response RepTA and an optional text Text5;
  • the first entity After receiving the message 4 from the trusted third party TP, the first entity performs processing to obtain the authentication result of the second entity, and returns a message 5 to the second entity, where the message 5 includes the token TokenAB and the response RepB; After the message 5 from the first entity, processing is performed to obtain the authentication result of the first entity.
  • a first checking unit configured to check validity of the public key certificates Cert A and Certs according to the identity IDs A and ID B of the first entity and the second entity;
  • a second checking unit configured to search for a valid public key of the first entity and the second entity by using the entity identifier.
  • the first entity includes:
  • a first verification unit configured to verify the response RepTA according to the public key authentication protocol or the distribution protocol used after receiving the message 4, and obtain the state of the public key or the public key certificate of the second entity if the verification succeeds;
  • a second verification unit configured to verify a signature of the second entity included in the token TokenB A
  • a third checking unit configured to check whether the identity identifier field ID A included in the signature data of the token TokenBA is related to the first entity consistent identity, whether a check message of the random number R a and the random number R a contained in the token TokenBA in the consistent results obtained authentication of the second entity.
  • the second entity includes:
  • a third verification unit configured to: after receiving the message 5 from the first entity, verify the response RepB according to the public key authentication protocol or the distribution protocol used, and obtain the state of the public key or the public key certificate of the first entity if the verification succeeds;
  • a fourth verification unit configured to verify a signature of the first entity included in the token TokenAB
  • a fourth checking unit configured to check whether the identity identifier field ID B included in the signature data of the token TokenAB is related to the second entity consistent identity, to check whether the random number message 2 comprising a random number R B and R B in the token TokenAB in the consistent results obtained authentication of the first entity.
  • the ReqB and the ReqAT are respectively a request generated by the second entity and the first entity, requesting the original public information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB; the RepTA and the RepB are respectively targeted The response generated by requesting ReqAT and ReqB, and RepTA contains the content of RepB.
  • the forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used.
  • the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
  • the invention adopts a three-entity framework, and entity A and entity B need to obtain a trusted third party before authentication.
  • the public key or certificate and obtain the user certificate issued by the trusted third party to the user or hand over the public key to the trusted third party without prior knowledge of the status of the valid public key or public key certificate of the opposite entity.
  • the invention integrates the public key acquisition, certificate verification and authentication functions of the entity in one protocol, which is beneficial to improving the efficiency and effect of the protocol execution, and is convenient for combining with various public key acquisition and public key certificate status query protocols, and is suitable for connection.
  • the network user enters the network structure of the server and meets the authentication requirements of the access network.
  • 1 is a schematic diagram of the operation of the authentication mechanism in the prior art
  • Figure 2 is a schematic view of the method of the present invention
  • FIG. 3 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a workflow of a system according to an embodiment of the present invention.
  • the method of the present invention involves three security elements, namely, two entities A and B and a trusted third party TP, through the online trusted third party TP, entity A and B complete two-way authentication, and obtain The status of a valid public key or public key certificate for the peer entity.
  • Entity A or B is represented by entity X; then R x represents the random number generated by entity X; Certx is the public key certificate of entity X; ID X is the identity of entity X, represented by certificate Certx or entity identifier X; ReqX Represents a request generated by entity X, requesting information such as the status of a valid public key or public key certificate of the opposite entity; ReqXT indicates a request generated by entity X or forwarded to a trusted third party TP; RepX indicates to RexX to entity X The response sent, that is, information such as the status of the valid public key or public key certificate of the entity requested by the entity X; RepTX indicates the response generated by the trusted third party TP for ReqXT; Token is the token field; Text is Select the text field.
  • ID A A or CertA
  • ID B B or CertB
  • ReqB ReqAT
  • RepTA RepB
  • RepB RepB
  • online public key authentication protocols or distribution protocols include certificate status protocols (see GB/T 19713), and server-based certificate verification. Protocol (see IETF RFC5055) or other public key distribution or authentication protocol.
  • Entity A sends message 1 to entity B, and message 1 includes random number R A , identity ID A and optional text Textl;
  • the entity A After receiving the message 2, the entity A sends a message 3 to the trusted third party TP.
  • the message 3 includes the request ReqAT and the optional text Text4, wherein the ReqAT needs to contain the content of the ReqB, and the request ReqAT indicates that the entity B requests the effective public of the entity A.
  • Information such as the status of the key or public key certificate, and information such as the status of the valid public key or public key certificate of entity B requesting entity B;
  • the trusted third party TP After receiving the message 3, the trusted third party TP checks the validity of the public key certificates Cert A and Cert B according to the identity IDs A and ID B of the entity A and the entity B, or searches for entities through the entity identifiers A and B.
  • the valid public key of A and entity B determines the response RepTA, where RepTA needs to contain the content of RepB, RepTA represents the information of the valid public key or public key certificate of entity A determined by trusted third party TP, and the validity of entity B Information such as the status of the public key or the public key certificate, and performing step 5);
  • step 6.1 Verify the response RepTA according to the public key authentication protocol or distribution protocol used, and if the verification passes, proceed to step 6.2);
  • step 8.2 After entity B receives message 5 from entity A, perform the following steps: 8.1) verify the response RepB according to the public key authentication protocol or distribution protocol used, and if the verification is passed, proceed to step 8.2);
  • steps 7) and 8) may be omitted on the basis of the above-described two-way authentication process, and some fields in messages 1 through 5 may also be omitted.
  • step 1) may be omitted on the basis of the two-way authentication process, and some fields in messages 2 through 5 may also be omitted.
  • another embodiment of the present invention further provides a system for implementing public key acquisition, certificate verification, and two-way authentication of an entity, where the system includes a first entity 301, a second entity 302, and a trusted third party 303.
  • the structure of the system can be seen in Figure 3.
  • the working principle of the system can be seen in Figure 4, specifically:
  • the first entity 301 is configured to send a message 1 to a second entity, where the message 1 includes a random number R A , an identity ID A, and an optional text Textl;
  • the second entity After receiving the message 1, the second entity sends a message 2 to the first entity, where the message 2 includes a token TokenBA, an identity ID B , a request ReqB, and an optional text Text3;
  • the first entity After receiving the message 2, the first entity sends a message to the trusted third party TP 3, and the message 3 includes the request.
  • the trusted third party determines to respond to RepTA and returns a message 4 to the first entity.
  • the message 4 includes a response RepTA and an optional text Text5;
  • the first entity After receiving the message 4 from the trusted third party TP, the first entity performs processing to obtain the authentication result of the second entity, and returns a message 5 to the second entity, where the message 5 includes the token TokenAB and the response RepB; After the message 5 from the first entity, processing is performed to obtain the authentication result of the first entity.
  • the trusted third party TP 303 may include:
  • a first checking unit for identifying the ID A and ID B according to the identity of the first entity and a second entity, the subject Check the validity of the public key certificates Cert A and Certs;
  • a second checking unit configured to search for a valid public key of the first entity and the second entity by using the entity identifier.
  • the first entity 301 can include:
  • a first verification unit configured to verify the response RepTA according to the public key authentication protocol or the distribution protocol used after receiving the message 4, and obtain the state of the public key or the public key certificate of the second entity if the verification succeeds;
  • a second verification unit configured to verify a signature of the second entity included in the token TokenB A
  • a third checking unit configured to check whether the identity identifier field ID A included in the signature data of the token TokenBA is related to the first entity consistent identity, whether a check message of the random number R a and the random number R a contained in the token TokenBA in the consistent results obtained authentication of the second entity.
  • the second entity includes:
  • a third verification unit configured to: after receiving the message 5 from the first entity, verify the response RepB according to the public key authentication protocol or the distribution protocol used, and obtain the state of the public key or the public key certificate of the first entity if the verification succeeds;
  • a fourth verification unit configured to verify a signature of the first entity included in the token TokenAB
  • a fourth checking unit configured to check whether the identity identifier field ID B included in the signature data of the token TokenAB is related to the second entity consistent identity, to check whether the random number message 2 comprising a random number R B and R B in the token TokenAB in the consistent results obtained authentication of the first entity.
  • the ReqB and the ReqAT are respectively a request generated by the second entity and the first entity, requesting the original public information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB;
  • RepTA and RepB are responses generated for requesting ReqAT and ReqB, respectively, and RepTA contains the contents of RepB.
  • the forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used, and the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based Certificate Verification Protocol.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method system for implementing the public key acquirement, certificate validation and bi-directional authentication of entities, adopts a tri-entity architecture. Before an authentication, an entity A and an entity B need to acquire the public key or the certificate of a trusted third party, and to acquire their own user certificate authorized by the trusted third party issuing to themselves or submit their own public keys to the trusted third party for storing, without the need of knowing the valid public key or the public key certificate state of the opposite side entity in advance. The present invention integrates the public key acquirement, the certificate validation and the authentication function of the entities into a protocol for implement, is beneficial to improve the efficiency and effect of the protocol execution, facilitates to combine with various protocols for the public key acquirement and the public key certificate state query, adapts for the user-access point-server network structure of the access network, and satisfies the authentication requirement of the access network.

Description

一种实现实体的公钥获取、 证书验证及双向鉴别的方法 技术领域  Method for realizing public key acquisition, certificate verification and two-way authentication of an entity
本发明涉及网络安全领域, 尤其涉及一种实现实体的公钥获取、证书验证 及双向鉴别的方法。  The present invention relates to the field of network security, and in particular, to a method for implementing public key acquisition, certificate verification, and two-way authentication of an entity.
背景技术 Background technique
在目前的计算机网络和通信网络中, 当用户登录网络进行安全通信前, 必 须完成用户和网络之间的实体鉴别, 该实体鉴别为单向鉴别或双向鉴别。 实体 鉴别使用的鉴别机制一般分为两类:基于对称密钥算法的鉴别机制和基于公钥 (非对称密钥) 算法的鉴别机制。  In current computer networks and communication networks, entity authentication between the user and the network must be completed before the user logs into the network for secure communication, and the entity is authenticated as one-way authentication or two-way authentication. The authentication mechanisms used for entity authentication generally fall into two categories: authentication mechanisms based on symmetric key algorithms and authentication mechanisms based on public key (asymmetric key) algorithms.
其中,基于公钥算法的鉴别机制要求参与者实体必须具有一对密钥, 即公 私钥对, 其中公钥需被通知给其他的参与者实体。 可采用的通知方式有带外通 知方式和证书方式, 其中带外通知方式由于难于更新而较少使用,证书方式则 应用广泛。  Among them, the authentication mechanism based on the public key algorithm requires that the participant entity must have a pair of keys, that is, a public-private key pair, wherein the public key needs to be notified to other participant entities. The notification methods that can be used are the out-of-band notification method and the certificate method. The out-of-band notification method is less used because it is difficult to update, and the certificate method is widely used.
基于公钥算法的实体鉴别方法一般需要基于公钥基础设施实现,公钥基础 全基础设施, 它可以提供鉴别、 完整性、 机密性等安全服务。 公钥基础设施中 很重要的两个概念就是公钥证书和证书权威,其中公钥证书通常由证书权威颁 发,公钥证书中的签名由证书权威提供,证书权威通过提供签名来证实公钥证 书持有者和该持有者所持有的公钥的绑定关系。  The public key algorithm based on public key algorithm generally needs to be implemented based on public key infrastructure. The public key infrastructure is full infrastructure, which can provide security services such as authentication, integrity and confidentiality. Two important concepts in public key infrastructure are public key certificates and certificate authorities. Public key certificates are usually issued by the certificate authority. The signature in the public key certificate is provided by the certificate authority. The certificate authority verifies the public key certificate by providing a signature. The binding relationship between the holder and the public key held by the holder.
经过证书权威证实的公钥证书通常存在生命期, 在生命期结束后证书失 效。 如果公钥证书所对应的私钥泄漏, 则该公钥证书也失效。 此外还存在一些 其他使公钥证书失效的情况, 比如工作变动导致其失效等。  A public key certificate that has been verified by a certificate authority usually has a lifetime, and the certificate fails after the end of the lifetime. If the private key corresponding to the public key certificate is leaked, the public key certificate also fails. There are also other cases where the public key certificate is invalidated, such as a job change that causes it to fail.
在网络通信中参与鉴别的实体通常会拒绝与持有失效公钥证书的实体建 立安全通信, 因此公钥获取和证书验证通常围绕实体鉴别过程并为之提供服 务。 目前现有的鉴别机制在运行之前或运行当中,验证者必须具有声称者的有 效公开密钥或者知晓声称者的公钥证书状态,否则鉴别过程会受到损害或不能 成功完成。 如图 1所示, 其中实体 A和实体 B需要通过执行鉴别协议完成它 们之间的鉴别, 可信第三方 TP ( Trusted third Party )为实体 A和实体 B信任 的第三方实体,且实体 A和实体 B必须在鉴别之前通过可信第三方 TP获得对 端实体的有效公钥或公钥证书的状态。 Entities participating in authentication in network communications typically refuse to establish secure communications with entities holding expired public key certificates, so public key acquisition and certificate verification typically surround and provide services for the entity authentication process. Currently, the existing authentication mechanism must have a valid public key of the claimant or know the public key certificate status of the claimant before or during the operation. Otherwise, the authentication process may be damaged or cannot be successfully completed. As shown in Figure 1, entity A and entity B need to complete the authentication between them by performing an authentication protocol. Trusted third party trusts entity A and entity B. The third party entity, and entity A and entity B must obtain the status of the valid public key or public key certificate of the peer entity through the trusted third party TP before authentication.
目前获取公钥证书的状态通常使用以下两种方式:  Currently, the status of obtaining a public key certificate is usually in two ways:
1 )下载证书吊销列表( CRL, Certificate Revocation List ): 下载 CRL获 取公钥证书的状态, 包括全部的证书列表下载和增量证书列表下载。 某个实体 需要验证某个公钥证书的状态时,从服务器下载最新的证书吊销列表, 然后检 查需要验证的公钥证书是否在最新的证书吊销列表 CRL中。  1) Download Certificate Revocation List (CRL): Download the status of the CRL to obtain the public key certificate, including all certificate list downloads and incremental certificate list downloads. When an entity needs to verify the status of a public key certificate, download the latest certificate revocation list from the server and check if the public key certificate to be verified is in the latest certificate revocation list CRL.
2 )在线查询获取公钥证书的状态: 例如: 在线证书状态协议 ( OCSP , Online Certificate Status Protocol )。 OCSP主要涉及客户端和服务器两个实体, 是一种典型的客户端 /服务器结构。 客户端向服务器发送请求, 服务器返回响 应。请求中包含需要验证的系列证书,响应中包含系列证书的状态和验证间隔。  2) Online query to obtain the status of the public key certificate: For example: Online Certificate Status Protocol (OCSP). OCSP mainly involves two entities, client and server. It is a typical client/server architecture. The client sends a request to the server and the server returns a response. The request contains a series of certificates that need to be verified. The response contains the status and verification interval of the series of certificates.
事先获得对端实体的有效公钥或公钥证书状态,这一保障需求条件在很多 应用环境下都得不到满足, 比如在网络结构是用户、接入点、 服务器三元结构 的接入网络中, 包含大多数的通信网络,通常采用实体鉴别机制实现用户接入 控制功能, 在鉴别机制成功完成前, 禁止用户访问网络, 因而在鉴别之前用户 无法使用证书吊销列表 CRL、 在线证书状态协议 OCSP等方法验证接入点证 书的有效性或获得接入点的有效公钥。 因此想彻底成功地完成鉴别, 只能依赖 用户在完成鉴别、已经建立网络通信后再进行验证,例如 IEEE 802.11i和 IEEE 802.16(e)中密钥管理 PKM (Privacy Key Management)协议, 即事后获得接入点 的有效公钥或公钥证书的状态。不论是事前获得还是事后获得对端实体的有效 公钥或公钥证书的状态,均将鉴别过程与获得有效公钥和公钥证书状态的过程 分隔成两个单独的过程, 不利于提高协议执行效率, 甚至在某些应用环境中会 引入不安全的因素, 影响鉴别的真实性。  Obtaining the status of the effective public key or public key certificate of the peer entity in advance, this guarantee requirement condition cannot be satisfied in many application environments, for example, the network structure is the access network of the user, the access point, and the server ternary structure. Including most of the communication networks, the entity authentication mechanism is usually implemented to implement the user access control function. Before the authentication mechanism is successfully completed, the user is prohibited from accessing the network. Therefore, the user cannot use the certificate revocation list CRL or the online certificate status protocol OCSP before the authentication. The method verifies the validity of the access point certificate or obtains a valid public key of the access point. Therefore, if you want to complete the authentication completely successfully, you can only rely on the user to complete the authentication and establish the network communication, such as IEEE 802.11i and IEEE 802.16 (e) Key Management PKM (Privacy Key Management) protocol, that is, afterwards The status of the effective public key or public key certificate of the access point. Whether obtaining the status of a valid public key or public key certificate of the opposite entity in advance or afterwards, the process of obtaining the valid public key and the public key certificate is separated into two separate processes, which is not conducive to improving the protocol execution. Efficiency, even in some application environments, introduces unsafe factors that affect the authenticity of the authentication.
另, 在某些应用中, 用户在进行鉴别的过程中, 也难于使用证书吊销列表 CRL、 在线证书状态协议 OCSP等方式。 首先用户设备可能存储资源有限、 或 者用户根本不愿意存储证书吊销列表 CRL, 导致周期下载证书吊销列表 CRL 无法实现。接入网络虽然不存在资源限制, 然而接入网络可能存在政策限制等 问题。 其次, 当用户使用在线证书状态协议 OCSP等在线查询机制时, 用户需 要通过后台服务器执行单独的在线证书状态协议 OSCP等协议,这些协议往往 运行在 HTTP协议上, 属于应用层的协议, 在接入网络的鉴别尚未完成之前, 直接使用这些协议将非常复杂。 即使能够使用,也需要通过用户一服务器和接 入点一服务器的结构完成, 不符合用户 ~ 入点一服务器这种结构, 无法直接 的方便的应用。 In addition, in some applications, the user is also difficult to use the certificate revocation list CRL, the online certificate status protocol OCSP, etc. in the process of authentication. First, the user equipment may have limited storage resources, or the user is not willing to store the certificate revocation list CRL, which may result in the periodic download certificate revocation list CRL being impossible. Although there is no resource limitation in the access network, there may be problems such as policy restrictions on the access network. Secondly, when the user uses the online query mechanism such as the online certificate status protocol OCSP, the user needs to execute a separate online certificate status protocol OSCP and other protocols through the background server. These protocols often Running on the HTTP protocol, belonging to the application layer protocol, it is very complicated to use these protocols directly before the authentication of the access network has not been completed. Even if it can be used, it needs to be completed by the structure of the user-server and the access point-server. It does not conform to the structure of the user-input-one server, and cannot be directly and conveniently applied.
发明内容 Summary of the invention
本发明为解决背景技术中存在的上述技术问题,而提出一种实现实体的公 钥获取、 证书验证和双向鉴别为一体的方法。  The present invention solves the above technical problems existing in the background art, and proposes a method for realizing entity public key acquisition, certificate verification, and two-way authentication.
本发明的技术解决方案是: 本发明为一种实现实体的公钥获取、证书验证 及双向鉴别的方法, 该方法包括以下步骤:  The technical solution of the present invention is: The present invention is a method for realizing public key acquisition, certificate verification and two-way authentication of an entity, the method comprising the following steps:
实体 A发送消息 1给实体 B , 消息 1包括随机数 RA、 身份标识 IDA及可 选文本 Text 1 ; Entity A sends message 1 to entity B, and message 1 includes random number R A , identity ID A and optional text Text 1;
实体 B收到消息 1后, 向实体 A发送消息 2, 消息 2包括权标 TokenBA、 身份标识 IDB、 请求 ReqB及可选文本 Text3; After receiving the message 1, the entity B sends a message 2 to the entity A, and the message 2 includes the token TokenBA, the identity ID B , the request ReqB, and the optional text Text3;
实体 A收到消息 2后,向可信第三方 TP发送消息 3 ,消息 3包括请求 ReqAT 和可选文本 Text4;  After receiving the message 2, the entity A sends a message 3 to the trusted third party TP, and the message 3 includes the request ReqAT and the optional text Text4;
可信第三方 TP收到消息 3后,确定响应 RepTA,并向实体 A返回消息 4, 消息 4包括响应 RepTA和可选文本 Text5;  After receiving the message 3, the trusted third party determines to respond to RepTA and returns a message 4 to entity A, which includes a response RepTA and an optional text Text5;
实体 A收到来自可信第三方 TP的消息 4后,进行处理,得到实体 B的鉴 别结果, 并向实体 B返回消息 5 , 消息 5包括权标 TokenAB和响应 RepB; 实体 B收到来自实体 A的消息 5后,进行处理,得到实体 A的鉴别结果。 所述可信第三方 TP收到消息 3后, 确定响应 RepTA包括:  After receiving the message 4 from the trusted third party TP, the entity A processes the result of the entity B, and returns a message 5 to the entity B. The message 5 includes the token TokenAB and the response RepB; the entity B receives the entity A. After message 5, processing is performed to obtain the identification result of entity A. After receiving the message 3, the trusted third party TP determines that the response RepTA includes:
根据实体 A和实体 B的身份标识 ID A和 IDB,检查公钥证书 CertA和 CertB 的有效性; Check the validity of the public key certificates Cert A and Cert B according to the identity IDs A and ID B of entity A and entity B;
或者, 通过实体区分符 A和 B搜索实体 A和实体 B的有效公钥。  Or, search for valid public keys of entity A and entity B through entity specifiers A and B.
所述实体 A收到来自可信第三方 TP的消息 4后, 进行处理包括: 实体 A根据使用的公钥验证协议或分发协议来验证响应 RepTA, 若验证 通过则获得实体 B的公钥或公钥证书的状态, 验证包含在权标 TokenBA中的 实体 B的签名; 然后检查包含在权标 TokenBA的签名数据中的身份标识字段 IDA是否与实体 A的身份标识一致, 检查消息 1中的随机数 RA是否与包含在 权标 TokenBA中的随机数 RA相一致, 得到实体 B的鉴别结果。 After the entity A receives the message 4 from the trusted third party TP, the processing includes: the entity A verifies the response RepTA according to the used public key authentication protocol or the distribution protocol, and obtains the entity B public key or public if the verification succeeds. The state of the key certificate, verifying the signature of the entity B contained in the token TokenBA; then checking whether the identity field ID A included in the signature data of the token TokenBA is consistent with the identity of the entity A, checking the randomness in the message 1. Whether the number R A is included or not The random number R A in the token TokenBA is consistent, and the identification result of the entity B is obtained.
所述实体 B收到来自实体 A的消息 5后, 进行处理包括:  After the entity B receives the message 5 from the entity A, the processing includes:
实体 B根据使用的公钥验证协议或分发协议来验证响应 RepB, 若验证通 过则获得实体 A的公钥或公钥证书的状态, 验证包含在权标 TokenAB中的实 体 A的签名, 检查包含在权标 TokenAB的签名数据中的身份标识字段 IDB是 否与实体 B 的身份标识一致, 检查消息 2 中的随机数 RB是否与包含在权标 TokenAB中的随机数 RB相一致, 得到实体 A的鉴别结果。 Entity B verifies the response RepB according to the public key authentication protocol or distribution protocol used. If the verification succeeds, the state of the public key or the public key certificate of the entity A is obtained, and the signature of the entity A included in the token TokenAB is verified, and the check is included in whether the signature data token TokenAB in the identity field ID B with the identity of the entity B identify correspondingly, to check whether the message 2 of the random number R B contained a random number R B in the token TokenAB in consistent, to give entity a Identification results.
所述 ReqB和 ReqAT分别为实体 B和实体 A产生的请求, 请求对端实体 的有效公钥或公钥证书的状态信息,且 ReqTA包含 ReqB的内容;所述 RepTA 和 RepB分别为针对请求 ReqAT和 ReqB而产生的响应, 且 RepTA包含 RepB 的内容。  The ReqB and the ReqAT are respectively a request generated by the entity B and the entity A, requesting the status information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB; the RepTA and the RepB are respectively for the request ReqAT and ReqB produces a response, and RepTA contains the contents of RepB.
所述 ReqB、 ReqAT, RepTA和 RepB的形式和定义才艮据具体使用的公钥 验证协议或分发协议确定 ,所述公钥验证协议或分发协议是线证书状态协议或 基于服务器的证书验证协议。  The forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used. The public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
一种实现实体的公钥获取、 证书验证及双向鉴别的系统, 包括第一实体、 第二实体和可信第三方, 其中:  A system for implementing public key acquisition, certificate verification, and two-way authentication of an entity, including a first entity, a second entity, and a trusted third party, wherein:
所述第一实体, 用于发送消息 1给第二实体, 消息 1包括随机数 RA、 身 份标识 IDA及可选文本 Textl ; The first entity is configured to send a message 1 to a second entity, where the message 1 includes a random number R A , an identity ID A, and an optional text Textl;
所述第二实体收到消息 1后, 向第一实体发送消息 2, 消息 2 包括权标 TokenBA、 身份标识 IDB、 请求 ReqB及可选文本 Text3; After receiving the message 1, the second entity sends a message 2 to the first entity, where the message 2 includes a token TokenBA, an identity ID B , a request ReqB, and an optional text Text3;
第一实体收到消息 2后, 向可信第三方 TP发送消息 3 , 消息 3包括请求 ReqAT和可选文本 Text4;  After receiving the message 2, the first entity sends a message to the trusted third party TP 3, the message 3 includes the request ReqAT and the optional text Text4;
可信第三方 TP收到消息 3后, 确定响应 RepTA, 并向第一实体返回消息 4, 消息 4包括响应 RepTA和可选文本 Text5;  After receiving the message 3, the trusted third party determines to respond to RepTA and returns a message 4 to the first entity. The message 4 includes a response RepTA and an optional text Text5;
第一实体收到来自可信第三方 TP的消息 4后, 进行处理, 得到第二实体 的鉴别结果,并向第二实体返回消息 5 ,消息 5包括权标 TokenAB和响应 RepB; 第二实体收到来自第一实体的消息 5后, 进行处理,得到第一实体的鉴别 结果。 第一检查单元, 用于根据第一实体和第二实体的身份标识 IDA和 IDB, 检 查公钥证书 CertA和 Certs的有效性; After receiving the message 4 from the trusted third party TP, the first entity performs processing to obtain the authentication result of the second entity, and returns a message 5 to the second entity, where the message 5 includes the token TokenAB and the response RepB; After the message 5 from the first entity, processing is performed to obtain the authentication result of the first entity. a first checking unit, configured to check validity of the public key certificates Cert A and Certs according to the identity IDs A and ID B of the first entity and the second entity;
或者,  Or,
第二检查单元, 用于通过实体区分符搜索第一实体和第二实体的有效公 钥。  And a second checking unit, configured to search for a valid public key of the first entity and the second entity by using the entity identifier.
所述第一实体包括:  The first entity includes:
第一验证单元, 用于在收到所述消息 4后,根据使用的公钥验证协议或分 发协议来验证响应 RepTA,若验证通过则获得第二实体的公钥或公钥证书的状 态;  a first verification unit, configured to verify the response RepTA according to the public key authentication protocol or the distribution protocol used after receiving the message 4, and obtain the state of the public key or the public key certificate of the second entity if the verification succeeds;
第二验证单元, 用于验证包含在权标 TokenB A中的第二实体的签名; 第三检查单元, 用于检查包含在权标 TokenBA的签名数据中的身份标识 字段 IDA是否与第一实体的身份标识一致, 检查消息 1中的随机数 RA是否与 包含在权标 TokenBA中的随机数 RA相一致, 得到第二实体的鉴别结果。 a second verification unit, configured to verify a signature of the second entity included in the token TokenB A; a third checking unit, configured to check whether the identity identifier field ID A included in the signature data of the token TokenBA is related to the first entity consistent identity, whether a check message of the random number R a and the random number R a contained in the token TokenBA in the consistent results obtained authentication of the second entity.
所述第二实体包括:  The second entity includes:
第三验证单元,用于收到来自第一实体的消息 5后根据使用的公钥验证协 议或分发协议来验证响应 RepB, 若验证通过则获得第一实体的公钥或公钥证 书的状态;  a third verification unit, configured to: after receiving the message 5 from the first entity, verify the response RepB according to the public key authentication protocol or the distribution protocol used, and obtain the state of the public key or the public key certificate of the first entity if the verification succeeds;
第四验证单元, 用于验证包含在权标 TokenAB中的第一实体的签名; 第四检查单元, 用于检查包含在权标 TokenAB的签名数据中的身份标识 字段 IDB是否与第二实体的身份标识一致, 检查消息 2中的随机数 RB是否与 包含在权标 TokenAB中的随机数 RB相一致, 得到第一实体的鉴别结果。 a fourth verification unit, configured to verify a signature of the first entity included in the token TokenAB; a fourth checking unit, configured to check whether the identity identifier field ID B included in the signature data of the token TokenAB is related to the second entity consistent identity, to check whether the random number message 2 comprising a random number R B and R B in the token TokenAB in the consistent results obtained authentication of the first entity.
所述 ReqB和 ReqAT分别为第二实体和第一实体产生的请求,请求对端实 体的有效公钥或公钥证书的原状态信息, 且 ReqTA包含 ReqB的内容; 所述 RepTA和 RepB分别为针对请求 ReqAT和 ReqB而产生的响应, 且 RepTA包 含 RepB的内容。  The ReqB and the ReqAT are respectively a request generated by the second entity and the first entity, requesting the original public information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB; the RepTA and the RepB are respectively targeted The response generated by requesting ReqAT and ReqB, and RepTA contains the content of RepB.
所述 ReqB、 ReqAT, RepTA和 RepB的形式和定义才艮据具体使用的公钥 验证协议或分发协议确定 ,所述公钥验证协议或分发协议是线证书状态协议或 基于服务器的证书验证协议。  The forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used. The public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
本发明采用三实体构架, 实体 A和实体 B在鉴别之前需获得可信第三方 的公钥或证书,并获得可信第三方颁发给自己的用户证书或将自己的公钥交给 可信第三方保管, 而无需事先知晓对端实体的有效公钥或公钥证书的状态。本 发明将实体的公钥获取、证书验证和鉴别功能融合在一个协议中完成,有利于 提高协议执行的效率和效果,便于和各种公钥获取和公钥证书状态查询协议相 结合,适合接入网络的用户 ~¾入点一服务器的网络结构, 满足接入网络的鉴 别要求。 The invention adopts a three-entity framework, and entity A and entity B need to obtain a trusted third party before authentication. The public key or certificate, and obtain the user certificate issued by the trusted third party to the user or hand over the public key to the trusted third party without prior knowledge of the status of the valid public key or public key certificate of the opposite entity. The invention integrates the public key acquisition, certificate verification and authentication functions of the entity in one protocol, which is beneficial to improving the efficiency and effect of the protocol execution, and is convenient for combining with various public key acquisition and public key certificate status query protocols, and is suitable for connection. The network user enters the network structure of the server and meets the authentication requirements of the access network.
附图说明 DRAWINGS
图 1为现有技术中的鉴别机制工作示意图;  1 is a schematic diagram of the operation of the authentication mechanism in the prior art;
图 2为本发明的方法示意图;  Figure 2 is a schematic view of the method of the present invention;
图 3为本发明一实施例所提供的系统的结构示意图;  3 is a schematic structural diagram of a system according to an embodiment of the present invention;
图 4为本发明一实施例所提供的系统的工作流程示意图。  FIG. 4 is a schematic diagram of a workflow of a system according to an embodiment of the present invention.
具体实施方式 detailed description
参见图 2, 本发明的方法涉及三个安全元素, 即两个实体 A和 B及一个 可信第三方 TP, 通过在线的可信第三方 TP, 实体 A和 B之间完成双向鉴别, 且获取对端实体的有效公钥或公钥证书的状态。  Referring to FIG. 2, the method of the present invention involves three security elements, namely, two entities A and B and a trusted third party TP, through the online trusted third party TP, entity A and B complete two-way authentication, and obtain The status of a valid public key or public key certificate for the peer entity.
实体 A或 B以实体 X表示; 则 Rx表示实体 X产生的随机数; Certx为实 体 X的公钥证书; IDX为实体 X的身份标识, 由证书 Certx或者实体的区分符 X表示; ReqX表示由实体 X产生的请求, 请求对端实体的有效公钥或公钥证 书的状态等信息; ReqXT表示由实体 X产生的或转发给可信第三方 TP的请求; RepX表示针对 ReqX向实体 X发送的响应, 即向实体 X响应其所请求的实体 的有效公钥或公钥证书的状态等信息; RepTX表示针对 ReqXT由可信第三方 TP产生的响应; Token为权标字段; Text为可选文本字段。 各符号定义如下: IDA= A or CertA Entity A or B is represented by entity X; then R x represents the random number generated by entity X; Certx is the public key certificate of entity X; ID X is the identity of entity X, represented by certificate Certx or entity identifier X; ReqX Represents a request generated by entity X, requesting information such as the status of a valid public key or public key certificate of the opposite entity; ReqXT indicates a request generated by entity X or forwarded to a trusted third party TP; RepX indicates to RexX to entity X The response sent, that is, information such as the status of the valid public key or public key certificate of the entity requested by the entity X; RepTX indicates the response generated by the trusted third party TP for ReqXT; Token is the token field; Text is Select the text field. The symbols are defined as follows: ID A = A or CertA
IDB = B or CertB ID B = B or CertB
ReqB、 ReqAT、 RepTA、 RepB 的形式和定义根据具体使用的公钥验证协 议或分发协议确定, 这些在线公钥验证协议或分发协议包括证书状态协议(见 GB/T 19713 )、基于服务器的证书验证协议(见 IETF RFC5055 )或者其他公钥 分发或验证协议。  The forms and definitions of ReqB, ReqAT, RepTA, and RepB are determined according to the specific public key authentication protocol or distribution protocol. These online public key authentication protocols or distribution protocols include certificate status protocols (see GB/T 19713), and server-based certificate verification. Protocol (see IETF RFC5055) or other public key distribution or authentication protocol.
本发明的方法具体工作流程如下: 1 ) 实体 A发送消息 1给实体 B , 消息 1 包括随机数 RA、 身份标识 IDA 及可选文本 Textl ; The specific working process of the method of the present invention is as follows: 1) Entity A sends message 1 to entity B, and message 1 includes random number R A , identity ID A and optional text Textl;
2 ) 实体 B收到消息 1后, 向实体 A发送消息 2, 消息 2包括权标 TokenBA、 身 份标识 IDB 、 请求 ReqB及可选文本 Text3 , 其 中 TokenBA = RAI IRB I IID AI ISSB(RAI IRb I IIDB I IID Al IText2) , 请求 ReqB表示实体 B请求对端实体即 实体 A的有效公钥或公钥证书的状态等信息; 2) After receiving the message 1, entity B sends a message 2 to entity A, which includes token TokenBA, identity ID B , request ReqB, and optional text Text3, where TokenBA = R A I IR B I IID AI ISSB( R A I IR b I IID B I IID A l IText2) , request ReqB indicates that entity B requests the peer entity, that is, the status of the valid public key or public key certificate of entity A;
3 ) 实体 A收到消息 2后, 向可信第三方 TP发送消息 3 , 消息 3包括请 求 ReqAT和可选文本 Text4, 其中 ReqAT需包含 ReqB的内容, 请求 ReqAT 表示实体 B请求实体 A的有效公钥或公钥证书的状态等信息, 及实体 A请求 实体 B的有效公钥或公钥证书的状态等信息;  3) After receiving the message 2, the entity A sends a message 3 to the trusted third party TP. The message 3 includes the request ReqAT and the optional text Text4, wherein the ReqAT needs to contain the content of the ReqB, and the request ReqAT indicates that the entity B requests the effective public of the entity A. Information such as the status of the key or public key certificate, and information such as the status of the valid public key or public key certificate of entity B requesting entity B;
4 )可信第三方 TP收到消息 3后, 根据实体 A和实体 B的身份标识 IDA 和 IDB, 检查公钥证书 CertA和 CertB的有效性或通过实体区分符 A和 B搜索 实体 A和实体 B的有效公钥, 确定响应 RepTA, 其中 RepTA需包含 RepB的 内容, RepTA表示可信第三方 TP确定的实体 A的有效公钥或公钥证书的状态 等信息, 及实体 B的有效公钥或公钥证书的状态等信息, 执行步骤 5 ); 4) After receiving the message 3, the trusted third party TP checks the validity of the public key certificates Cert A and Cert B according to the identity IDs A and ID B of the entity A and the entity B, or searches for entities through the entity identifiers A and B. The valid public key of A and entity B determines the response RepTA, where RepTA needs to contain the content of RepB, RepTA represents the information of the valid public key or public key certificate of entity A determined by trusted third party TP, and the validity of entity B Information such as the status of the public key or the public key certificate, and performing step 5);
5 )可信第三方 TP向实体 A返回消息 4, 消息 4包括响应 RepTA和可选 文本 Text5;  5) Trusted third party TP returns message 4 to entity A, message 4 includes response RepTA and optional text Text5;
6 ) 实体 A收到来自可信第三方 TP的消息 4后, 完成下列步骤:  6) After entity A receives the message from the trusted third party TP 4, complete the following steps:
6.1 )根据使用的公钥验证协议或分发协议来验证响应 RepTA, 若验证通 过则进至步骤 6.2 );  6.1) Verify the response RepTA according to the public key authentication protocol or distribution protocol used, and if the verification passes, proceed to step 6.2);
6.2 )获得实体 B的公钥或公钥证书的状态, 验证包含在权标 TokenBA中 的实体 B的签名; 然后检查包含在权标 TokenBA的签名数据中的身份标识字 段 IDA是否与实体 A的身份标识一致,检查在步骤 1 )步中发送给实体 B的随 机数 RA是否与包含在权标 TokenBA中的随机数 RA相一致, 得到实体 B的鉴 别结果; 6.2) Obtaining the status of the public key or public key certificate of the entity B, verifying the signature of the entity B included in the token TokenBA; and then checking whether the identity field ID A included in the signature data of the token TokenBA is related to the entity A consistent identity check consistent whether the random number R a in step 1) to step the entity B transmits a random number R a contained in the token TokenBA, the results obtained authentication entity B;
7 )实体 A向实体 B返回消息 5 , 消息 5包括权标 TokenAB和响应 RepB , 其中 TokenAB = Text71 IsS A(RB I IIDB I IText6) , RepB表示可信第三方 TP确定的实 体 A的有效公钥或公钥证书的状态等信息; 7) Entity A returns message 5 to entity B, message 5 includes token TokenAB and response RepB, where TokenAB = Text71 IsS A(R B I IID B I IText6) , RepB indicates that the trusted third party TP determines the validity of entity A Information such as the status of the public key or public key certificate;
8 ) 实体 B收到来自实体 A的消息 5后, 执行下列步骤: 8.1 )根据使用的公钥验证协议或分发协议来验证响应 RepB , 若验证通过 则进至步骤 8.2 ); 8) After entity B receives message 5 from entity A, perform the following steps: 8.1) verify the response RepB according to the public key authentication protocol or distribution protocol used, and if the verification is passed, proceed to step 8.2);
8.2 ) 获得实体 A 的公钥或公钥证书的状态, 验证包含在权标 TokenAB 中的实体 A的签名。 然后检查包含在权标 TokenAB的签名数据中的身份标识 字段 IDB是否与实体 B的身份标识字段一致, 检查在步骤 2 )中发送给实体 A 的随机数 RB是否与包含在权标 TokenAB中的随机数 RB相一致, 得到实体 A 的鉴别结果。 至此, 实体 A和实体 B之间完成双向鉴别过程。 8.2) Obtain the status of entity A's public or public key certificate and verify the signature of entity A contained in token TokenAB. Then, it is checked whether the identity field ID B included in the signature data of the token TokenAB is consistent with the identity field of the entity B, and whether the random number R B sent to the entity A in step 2) is included in the token TokenAB The random number R B is consistent, and the identification result of the entity A is obtained. So far, the two-way authentication process is completed between entity A and entity B.
如果仅实现实体 A对实体 B的单向鉴别, 则在上述双向鉴别过程的基础 上步骤 7 )和 8 ) 可以省略, 且消息 1到消息 5中的某些字段也可以省略。 如果仅实现实体 B对实体 A的单向鉴别, 则在双向鉴别过程的基础上步骤 1 ) 可以省略, 且消息 2到消息 5中的某些字段也可以省略。  If only one-way authentication of entity A to entity B is implemented, steps 7) and 8) may be omitted on the basis of the above-described two-way authentication process, and some fields in messages 1 through 5 may also be omitted. If only one-way authentication of entity B to entity A is implemented, step 1) may be omitted on the basis of the two-way authentication process, and some fields in messages 2 through 5 may also be omitted.
参见图 3和图 4, 本发明另一实施例还提供一种实现实体的公钥获取、 证 书验证及双向鉴别的系统, 该系统包括第一实体 301、 第二实体 302和可信第 三方 303 , 该系统的结构可以参看图 3 , 该系统的工作原理可以参见图 4, 具 体地:  Referring to FIG. 3 and FIG. 4, another embodiment of the present invention further provides a system for implementing public key acquisition, certificate verification, and two-way authentication of an entity, where the system includes a first entity 301, a second entity 302, and a trusted third party 303. The structure of the system can be seen in Figure 3. The working principle of the system can be seen in Figure 4, specifically:
所述第一实体 301 , 用于发送消息 1给第二实体, 消息 1包括随机数 RA、 身份标识 IDA及可选文本 Textl ; The first entity 301 is configured to send a message 1 to a second entity, where the message 1 includes a random number R A , an identity ID A, and an optional text Textl;
所述第二实体收到消息 1后, 向第一实体发送消息 2, 消息 2 包括权标 TokenBA、 身份标识 IDB、 请求 ReqB及可选文本 Text3; After receiving the message 1, the second entity sends a message 2 to the first entity, where the message 2 includes a token TokenBA, an identity ID B , a request ReqB, and an optional text Text3;
第一实体收到消息 2后, 向可信第三方 TP发送消息 3 , 消息 3包括请求 After receiving the message 2, the first entity sends a message to the trusted third party TP 3, and the message 3 includes the request.
ReqAT和可选文本 Text4; ReqAT and optional text Text4;
可信第三方 TP收到消息 3后, 确定响应 RepTA, 并向第一实体返回消息 4, 消息 4包括响应 RepTA和可选文本 Text5;  After receiving the message 3, the trusted third party determines to respond to RepTA and returns a message 4 to the first entity. The message 4 includes a response RepTA and an optional text Text5;
第一实体收到来自可信第三方 TP的消息 4后, 进行处理, 得到第二实体 的鉴别结果,并向第二实体返回消息 5 ,消息 5包括权标 TokenAB和响应 RepB; 第二实体收到来自第一实体的消息 5后, 进行处理,得到第一实体的鉴别 结果。  After receiving the message 4 from the trusted third party TP, the first entity performs processing to obtain the authentication result of the second entity, and returns a message 5 to the second entity, where the message 5 includes the token TokenAB and the response RepB; After the message 5 from the first entity, processing is performed to obtain the authentication result of the first entity.
具体地, 所述可信第三方 TP303可以包括:  Specifically, the trusted third party TP 303 may include:
第一检查单元, 用于根据第一实体和第二实体的身份标识 IDA和 IDB, 检 查公钥证书 CertA和 Certs的有效性; A first checking unit for identifying the ID A and ID B according to the identity of the first entity and a second entity, the subject Check the validity of the public key certificates Cert A and Certs;
或者,  Or,
第二检查单元, 用于通过实体区分符搜索第一实体和第二实体的有效公 钥。  And a second checking unit, configured to search for a valid public key of the first entity and the second entity by using the entity identifier.
所述第一实体 301可以包括:  The first entity 301 can include:
第一验证单元, 用于在收到所述消息 4后,根据使用的公钥验证协议或分 发协议来验证响应 RepTA,若验证通过则获得第二实体的公钥或公钥证书的状 态;  a first verification unit, configured to verify the response RepTA according to the public key authentication protocol or the distribution protocol used after receiving the message 4, and obtain the state of the public key or the public key certificate of the second entity if the verification succeeds;
第二验证单元, 用于验证包含在权标 TokenB A中的第二实体的签名; 第三检查单元, 用于检查包含在权标 TokenBA的签名数据中的身份标识 字段 IDA是否与第一实体的身份标识一致, 检查消息 1中的随机数 RA是否与 包含在权标 TokenBA中的随机数 RA相一致, 得到第二实体的鉴别结果。 a second verification unit, configured to verify a signature of the second entity included in the token TokenB A; a third checking unit, configured to check whether the identity identifier field ID A included in the signature data of the token TokenBA is related to the first entity consistent identity, whether a check message of the random number R a and the random number R a contained in the token TokenBA in the consistent results obtained authentication of the second entity.
所述第二实体包括:  The second entity includes:
第三验证单元,用于收到来自第一实体的消息 5后根据使用的公钥验证协 议或分发协议来验证响应 RepB, 若验证通过则获得第一实体的公钥或公钥证 书的状态;  a third verification unit, configured to: after receiving the message 5 from the first entity, verify the response RepB according to the public key authentication protocol or the distribution protocol used, and obtain the state of the public key or the public key certificate of the first entity if the verification succeeds;
第四验证单元, 用于验证包含在权标 TokenAB中的第一实体的签名; 第四检查单元, 用于检查包含在权标 TokenAB的签名数据中的身份标识 字段 IDB是否与第二实体的身份标识一致, 检查消息 2中的随机数 RB是否与 包含在权标 TokenAB中的随机数 RB相一致, 得到第一实体的鉴别结果。 a fourth verification unit, configured to verify a signature of the first entity included in the token TokenAB; a fourth checking unit, configured to check whether the identity identifier field ID B included in the signature data of the token TokenAB is related to the second entity consistent identity, to check whether the random number message 2 comprising a random number R B and R B in the token TokenAB in the consistent results obtained authentication of the first entity.
本发明实施例中,所述 ReqB和 ReqAT分别为第二实体和第一实体产生的 请求,请求对端实体的有效公钥或公钥证书的原状态信息,且 ReqTA包含 ReqB 的内容; 所述 RepTA和 RepB分别为针对请求 ReqAT和 ReqB而产生的响应, 且 RepTA包含 RepB的内容。  In the embodiment of the present invention, the ReqB and the ReqAT are respectively a request generated by the second entity and the first entity, requesting the original public information of the valid public key or the public key certificate of the opposite entity, and the ReqTA includes the content of the ReqB; RepTA and RepB are responses generated for requesting ReqAT and ReqB, respectively, and RepTA contains the contents of RepB.
本发明实施例中, 所述 ReqB、 ReqAT, RepTA和 RepB的形式和定义根 据具体使用的公钥验证协议或分发协议确定,所述公钥验证协议或分发协议是 线证书状态协议或基于服务器的证书验证协议。  In the embodiment of the present invention, the forms and definitions of the ReqB, ReqAT, RepTA, and RepB are determined according to a public key authentication protocol or a distribution protocol that is specifically used, and the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based Certificate Verification Protocol.
虽然通过实施例描绘了本申请, 本领域普通技术人员知道, 本申请有许多 变形和变化而不脱离本申请的精神,希望所附的权利要求包括这些变形和变化 而不脱离本申请的^ ^申 ( While the present invention has been described by the embodiments of the present invention, it will be understood by those skilled in the art Without departing from the application of ^ ^ (

Claims

权 利 要 求 Rights request
1、 一种实现实体的公钥获取、 证书验证及双向鉴别的方法, 其特征在于: 该方法包括以下步骤:  A method for realizing public key acquisition, certificate verification, and two-way authentication of an entity, the method comprising the following steps:
实体 A发送消息 1给实体 B , 消息 1包括随机数 RA、 身份标识 IDA及可 选文本 Text 1 ; Entity A sends message 1 to entity B, and message 1 includes random number R A , identity ID A and optional text Text 1;
实体 B收到消息 1后, 向实体 A发送消息 2, 消息 2包括权标 TokenBA、 身份标识 IDB、 请求 ReqB及可选文本 Text3; After receiving the message 1, the entity B sends a message 2 to the entity A, and the message 2 includes the token TokenBA, the identity ID B , the request ReqB, and the optional text Text3;
实体 A收到消息 2后,向可信第三方 TP发送消息 3 ,消息 3包括请求 ReqAT 和可选文本 Text4;  After receiving the message 2, the entity A sends a message 3 to the trusted third party TP, and the message 3 includes the request ReqAT and the optional text Text4;
可信第三方 TP收到消息 3后,确定响应 RepTA,并向实体 A返回消息 4, 消息 4包括响应 RepTA和可选文本 Text5;  After receiving the message 3, the trusted third party determines to respond to RepTA and returns a message 4 to entity A, which includes a response RepTA and an optional text Text5;
实体 A收到来自可信第三方 TP的消息 4后,进行处理,得到实体 B的鉴 别结果, 并向实体 B返回消息 5 , 消息 5包括权标 TokenAB和响应 RepB; 实体 B收到来自实体 A的消息 5后,进行处理,得到实体 A的鉴别结果。  After receiving the message 4 from the trusted third party TP, the entity A processes the result of the entity B, and returns a message 5 to the entity B. The message 5 includes the token TokenAB and the response RepB; the entity B receives the entity A. After message 5, processing is performed to obtain the identification result of entity A.
2、 根据权利要求 1所述的实现实体的公钥获取、 证书验证及双向鉴别的 方法,其特征在于:所述可信第三方 TP收到消息 3后,确定响应 RepTA包括: 根据实体 A和实体 B的身份标识 ID A和 IDB,检查公钥证书 CertA和 CertB 的有效性; The method for realizing public key acquisition, certificate verification and two-way authentication of an entity according to claim 1, wherein after the trusted third party TP receives the message 3, determining that the response RepTA comprises: according to the entity A and Entity B's identity ID A and ID B , check the validity of the public key certificates Cert A and Cert B ;
或者, 通过实体区分符 A和 B搜索实体 A和实体 B的有效公钥。  Or, search for valid public keys of entity A and entity B through entity specifiers A and B.
3、 根据权利要求 1所述的实现实体的公钥获取、 证书验证及双向鉴别的 方法, 其特征在于:  3. The method for realizing public key acquisition, certificate verification and two-way authentication of an entity according to claim 1, wherein:
所述实体 A收到来自可信第三方 TP的消息 4后, 进行处理包括: 实体 A根据使用的公钥验证协议或分发协议来验证响应 RepTA, 若验证 通过则获得实体 B的公钥或公钥证书的状态, 验证包含在权标 TokenBA中的 实体 B的签名; 然后检查包含在权标 TokenBA的签名数据中的身份标识字段 After the entity A receives the message 4 from the trusted third party TP, the processing includes: the entity A verifies the response RepTA according to the used public key authentication protocol or the distribution protocol, and obtains the entity B public key or public if the verification succeeds. The status of the key certificate, verifying the signature of the entity B contained in the token TokenBA; then checking the identity field contained in the signature data of the token TokenBA
IDA是否与实体 A的身份标识一致, 检查消息 1中的随机数 RA是否与包含在 权标 TokenBA中的随机数 RA相一致, 得到实体 B的鉴别结果。 Whether the entity identity ID A and A coincide identification, checks whether a message in the random number R A and the random number R A contained in the token TokenBA in the consistent results obtained authentication entity B.
4、根据权利要求 1所述的实现实体的公钥获取、证书验证及双向鉴别的方 法, 其特征在于: 所述实体 B收到来自实体 A的消息 5后, 进行处理包括: 4. The method for realizing public key acquisition, certificate verification and two-way authentication of an entity according to claim 1, wherein: After the entity B receives the message 5 from the entity A, the processing includes:
实体 B根据使用的公钥验证协议或分发协议来验证响应 RepB, 若验证通 过则获得实体 A的公钥或公钥证书的状态, 验证包含在权标 TokenAB中的实 体 A的签名, 检查包含在权标 TokenAB的签名数据中的身份标识字段 IDB是 否与实体 B 的身份标识一致, 检查消息 2 中的随机数 RB是否与包含在权标 TokenAB中的随机数 RB相一致, 得到实体 A的鉴别结果。 Entity B verifies the response RepB according to the public key authentication protocol or distribution protocol used. If the verification succeeds, the state of the public key or the public key certificate of the entity A is obtained, and the signature of the entity A included in the token TokenAB is verified, and the check is included in whether the signature data token TokenAB in the identity field ID B with the identity of the entity B identify correspondingly, to check whether the message 2 of the random number R B contained a random number R B in the token TokenAB in consistent, to give entity a Identification results.
5、 根据权利要求 1或 2或 3或 4所述的实现实体的公钥获取、 证书验证 及双向鉴别的方法, 其特征在于: 所述 ReqB和 ReqAT分别为实体 B和实体 A产生的请求, 请求对端实体的有效公钥或公钥证书的状态信息, 且 ReqTA 包含 ReqB的内容;所述 RepTA和 RepB分别为针对请求 ReqAT和 ReqB而产 生的响应, 且 RepTA包含 RepB的内容。  The method for realizing public key acquisition, certificate verification and two-way authentication of an entity according to claim 1 or 2 or 3 or 4, wherein: said ReqB and ReqAT are requests generated by entity B and entity A, respectively. Requesting status information of a valid public key or public key certificate of the peer entity, and ReqTA includes the content of ReqB; the RepTA and RepB are responses generated for requesting ReqAT and ReqB, respectively, and RepTA includes the content of RepB.
6、 根据权利要求 1~4任意一项所述的实现实体的公钥获取、 证书验证及 双向鉴别的方法, 其特征在于: 所述 ReqB、 ReqAT、 RepTA和 RepB的形式 和定义根据具体使用的公钥验证协议或分发协议确定,所述公钥验证协议或分 发协议是线证书状态协议或基于服务器的证书验证协议。  The method for realizing public key acquisition, certificate verification and bidirectional authentication of an entity according to any one of claims 1 to 4, characterized in that: the forms and definitions of the ReqB, ReqAT, RepTA and RepB are according to specific use. The public key authentication protocol or distribution protocol determines that the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
7、 一种实现实体的公钥获取、 证书验证及双向鉴别的系统, 其特征在于, 包括第一实体、 第二实体和可信第三方, 其中:  7. A system for implementing public key acquisition, certificate verification, and two-way authentication of an entity, comprising: a first entity, a second entity, and a trusted third party, wherein:
所述第一实体, 用于发送消息 1给第二实体, 消息 1包括随机数 RA、 身 份标识 IDA及可选文本 Textl ; The first entity is configured to send a message 1 to a second entity, where the message 1 includes a random number R A , an identity ID A, and an optional text Textl;
所述第二实体收到消息 1后, 向第一实体发送消息 2, 消息 2 包括权标 After receiving the message 1, the second entity sends a message 2 to the first entity, and the message 2 includes the token
TokenBA、 身份标识 IDB、 请求 ReqB及可选文本 Text3; TokenBA, identity ID B , request ReqB, and optional text Text3;
第一实体收到消息 2后, 向可信第三方 TP发送消息 3 , 消息 3包括请求 ReqAT和可选文本 Text4;  After receiving the message 2, the first entity sends a message to the trusted third party TP 3, the message 3 includes the request ReqAT and the optional text Text4;
可信第三方 TP收到消息 3后, 确定响应 RepTA, 并向第一实体返回消息 4, 消息 4包括响应 RepTA和可选文本 Text5;  After receiving the message 3, the trusted third party determines to respond to RepTA and returns a message 4 to the first entity. The message 4 includes a response RepTA and an optional text Text5;
第一实体收到来自可信第三方 TP的消息 4后, 进行处理, 得到第二实体 的鉴别结果,并向第二实体返回消息 5 ,消息 5包括权标 TokenAB和响应 RepB; 第二实体收到来自第一实体的消息 5后, 进行处理,得到第一实体的鉴别 结果。 After receiving the message 4 from the trusted third party TP, the first entity performs processing to obtain the authentication result of the second entity, and returns a message 5 to the second entity, where the message 5 includes the token TokenAB and the response RepB; After the message 5 from the first entity, processing is performed to obtain the authentication result of the first entity.
8、 根据权利要求 7所述的实现实体的公钥获取、 证书验证及双向鉴别的 系统, 其特征在于, 所述可信第三方 TP包括: The system for implementing public key acquisition, certificate verification, and two-way authentication of an entity according to claim 7, wherein the trusted third party TP includes:
第一检查单元, 用于根据第一实体和第二实体的身份标识 IDA和 IDB, 检 查公钥证书 CertA和 Certs的有效性; a first checking unit, configured to check validity of the public key certificates Cert A and Certs according to the identity IDs A and ID B of the first entity and the second entity;
或者,  Or,
第二检查单元, 用于通过实体区分符搜索第一实体和第二实体的有效公 钥。  And a second checking unit, configured to search for a valid public key of the first entity and the second entity by using the entity identifier.
9、 根据权利要求 7所述的实现实体的公钥获取、 证书验证及双向鉴别的 系统, 其特征在于:  9. The system for implementing public key acquisition, certificate verification and two-way authentication of an entity according to claim 7, wherein:
所述第一实体包括:  The first entity includes:
第一验证单元, 用于在收到所述消息 4后,根据使用的公钥验证协议或分 发协议来验证响应 RepTA,若验证通过则获得第二实体的公钥或公钥证书的状 态;  a first verification unit, configured to verify the response RepTA according to the public key authentication protocol or the distribution protocol used after receiving the message 4, and obtain the state of the public key or the public key certificate of the second entity if the verification succeeds;
第二验证单元, 用于验证包含在权标 TokenB A中的第二实体的签名; 第三检查单元, 用于检查包含在权标 TokenBA的签名数据中的身份标识 字段 IDA是否与第一实体的身份标识一致, 检查消息 1中的随机数 RA是否与 包含在权标 TokenBA中的随机数 RA相一致, 得到第二实体的鉴别结果。 a second verification unit, configured to verify a signature of the second entity included in the token TokenB A; a third checking unit, configured to check whether the identity identifier field ID A included in the signature data of the token TokenBA is related to the first entity consistent identity, whether a check message of the random number R a and the random number R a contained in the token TokenBA in the consistent results obtained authentication of the second entity.
10、 根据权利要求 7所述的实现实体的公钥获取、 证书验证及双向鉴别的 系统, 其特征在于:  10. The system for implementing public key acquisition, certificate verification and two-way authentication of an entity according to claim 7, wherein:
所述第二实体包括:  The second entity includes:
第三验证单元,用于收到来自第一实体的消息 5后根据使用的公钥验证协 议或分发协议来验证响应 RepB, 若验证通过则获得第一实体的公钥或公钥证 书的状态;  a third verification unit, configured to: after receiving the message 5 from the first entity, verify the response RepB according to the public key authentication protocol or the distribution protocol used, and obtain the state of the public key or the public key certificate of the first entity if the verification succeeds;
第四验证单元, 用于验证包含在权标 TokenAB中的第一实体的签名; 第四检查单元, 用于检查包含在权标 TokenAB的签名数据中的身份标识 字段 IDB是否与第二实体的身份标识一致, 检查消息 2中的随机数 RB是否与 包含在权标 TokenAB中的随机数 RB相一致, 得到第一实体的鉴别结果。 a fourth verification unit, configured to verify a signature of the first entity included in the token TokenAB; a fourth checking unit, configured to check whether the identity identifier field ID B included in the signature data of the token TokenAB is related to the second entity consistent identity, to check whether the random number message 2 comprising a random number R B and R B in the token TokenAB in the consistent results obtained authentication of the first entity.
11、 根据权利要求 7~10任意一项所述的实现实体的公钥获取、 证书验证 及双向鉴别的系统,其特征在于: 所述 ReqB和 ReqAT分别为第二实体和第一 实体产生的请求, 请求对端实体的有效公钥或公钥证书的原状态信息, 且 ReqTA包含 ReqB的内容;所述 RepTA和 RepB分别为针对请求 ReqAT和 ReqB 而产生的响应, 且 RepTA包含 RepB的内容。 The system for realizing public key acquisition, certificate verification and two-way authentication of an entity according to any one of claims 7 to 10, wherein: the ReqB and the ReqAT are a second entity and a first The request generated by the entity requests the original public information of the valid public key or public key certificate of the opposite entity, and ReqTA includes the content of ReqB; the RepTA and RepB are respectively responses for requesting ReqAT and ReqB, and RepTA includes RepB Content.
12、 根据权利要求 7~10任意一项所述的实现实体的公钥获取、 证书验证 及双向鉴别的系统, 其特征在于: 所述 ReqB、 ReqAT、 RepTA和 RepB的形 式和定义根据具体使用的公钥验证协议或分发协议确定,所述公钥验证协议或 分发协议是线证书状态协议或基于服务器的证书验证协议。  The system for realizing public key acquisition, certificate verification and two-way authentication of an entity according to any one of claims 7 to 10, characterized in that: the forms and definitions of the ReqB, ReqAT, RepTA and RepB are according to specific use. The public key authentication protocol or distribution protocol determines that the public key authentication protocol or distribution protocol is a line certificate status protocol or a server-based certificate verification protocol.
PCT/CN2009/076047 2009-12-25 2009-12-25 Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities WO2011075907A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/076047 WO2011075907A1 (en) 2009-12-25 2009-12-25 Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/076047 WO2011075907A1 (en) 2009-12-25 2009-12-25 Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities

Publications (1)

Publication Number Publication Date
WO2011075907A1 true WO2011075907A1 (en) 2011-06-30

Family

ID=44194923

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076047 WO2011075907A1 (en) 2009-12-25 2009-12-25 Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities

Country Status (1)

Country Link
WO (1) WO2011075907A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364875A (en) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method realizing public key acquiring, certificater verification and bidirectional identification of entity
CN101364876A (en) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method realizing public key acquiring, certificater verification and bidirectional identification of entity

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364875A (en) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method realizing public key acquiring, certificater verification and bidirectional identification of entity
CN101364876A (en) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method realizing public key acquiring, certificater verification and bidirectional identification of entity

Similar Documents

Publication Publication Date Title
KR100953095B1 (en) Super peer based peer-to-peer network system and peer authentication method therefor
US8340283B2 (en) Method and system for a PKI-based delegation process
US11095635B2 (en) Server authentication using multiple authentication chains
US7496755B2 (en) Method and system for a single-sign-on operation providing grid access and network access
US8510565B2 (en) Bidirectional entity authentication method based on the credible third party
TWI429256B (en) Authentication delegation based on re-verification of cryptographic evidence
EP2472772B1 (en) Method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party
CN101364876B (en) Method realizing public key acquiring, certificater verification and bidirectional identification of entity
CN101364875B (en) Method realizing public key acquiring, certificater verification and bidirectional identification of entity
US20100262832A1 (en) Entity bidirectional authentication method and system
WO2011026296A1 (en) Method for authenticating entities by introducing an on-line trusted third party
JP2015026391A (en) Http-based authentication
WO2011022918A1 (en) Entity bidirectional authentication method by introducing an online third party
WO2009056049A1 (en) Entity bi-directional identificator method and system based on trustable third party
JP2001229078A (en) Authorization infrastructure based on public key cryptography
WO2009143778A1 (en) Entity bidirectional-identification method for supporting fast handoff
WO2011022919A1 (en) Entity authentication method by introducing online third party
EP4312399A2 (en) Methods and devices for public key management using a blockchain
WO2007115495A1 (en) Cpk-based gateway authenticating apparatus and method
CN116506118A (en) Identity privacy protection method in PKI certificate transparentization service
WO2011075907A1 (en) Method for implementing public key acquirement, certificate validation and bi-directional authentication of entities
WO2011075906A1 (en) Method for achieving public key acquisition, certificate validation and authentication of entity
Oo et al. Access control system for grid security infrastructure
Saito et al. A privacy‐enhanced access control
Chun-Kan A Client Puzzle Based Public-key Authentication and Key Establishment Protocol

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09852457

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09852457

Country of ref document: EP

Kind code of ref document: A1