CN101299667A - Authentication method, system, client equipment and server - Google Patents


Info

Publication number
CN101299667A
Authority
CN (China)
Prior art keywords
communication, authentication information, module, public key, shared secret
Legal status
Pending
Application number
CNA2008101144300A
Other languages
Chinese (zh)
Inventor
任亮
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2008101144300A
Publication of CN101299667A

Abstract

The invention discloses an authentication method, system, client device and server in the field of communications. The method comprises: the second communication party receives a connection request from the first communication party and sends its own public key to the first communication party; it receives user information sent by the first communication party, the user information including first authentication information that the first communication party generated from the public key and the shared secret it holds with the second communication party; it looks up the locally pre-stored shared secret of the first communication party and generates second authentication information from that shared secret and its own public key; and it judges whether the second authentication information is identical to the first authentication information and, if so, confirms that the first communication party is legitimate. The system comprises a first communication party and a second communication party. By comparing the two pieces of authentication information the invention confirms the legitimacy of the first communication party's identity and thereby effectively prevents man-in-the-middle attacks.

Description

Authentication method, system, client device and server
Technical field
The present invention relates to the field of communications, and in particular to an authentication method, system, client device and server.
Background art
SSL (Secure Socket Layer) is a security protocol that sits between the TCP/IP (Transmission Control Protocol / Internet Protocol) transport layer and the application layer. The original SSL protocol was mainly used to protect HTTP (HyperText Transfer Protocol) exchanges in web browsers; as network security requirements grew, the TLS (Transport Layer Security) protocol was proposed. Most of the functionality of TLS is based on SSL version 3.
The prior art includes a communication method based on the SSL/TLS protocol. The process by which a client communicates with a server is briefly introduced below:
The client first establishes an SSL connection with the server and negotiates the cipher suite and compression algorithm to be used;
the server then sends its own digital certificate to the client. This certificate serves two purposes: it allows the client to authenticate the identity of the server, and it contains the server's public key, with which the client encrypts the information later used to derive the data encryption key;
at this point the server has proved its identity to the client, the two sides have agreed on a cipher suite and a compression algorithm, and the client has obtained the key with which to encrypt the information from which the data encryption key will later be derived;
the client generates the information from which the data encryption key is derived and sends it to the server, together with confirmation of the data encryption algorithm and the hash message authentication code algorithm, notifying the server that from now on data will be encrypted with the newly generated key and the negotiated algorithms;
finally, the client and the server exchange application data, which may include a username and password that the client sends to the server. After the data transfer is complete the connection is closed, which also serves to prevent truncation attacks.
In the course of realizing the present invention, the inventor found that the prior art has at least the following problem:
In the above communication process the server either does not authenticate the client at all or authenticates it only by username and password, so the process is vulnerable to man-in-the-middle attack. The man-in-the-middle obtains the server's public key by intercepting the server's digital certificate, then forges the server's public key and plays the dual role of client towards the server and server towards the client, thereby obtaining the content of the communication between server and client.
Summary of the invention
Embodiments of the invention provide an authentication method, system, client device and server that increase the security of communication.
The technical solution is as follows:
An embodiment of the invention provides an authentication method, the method comprising:
the second communication party receives a connection request from the first communication party and sends its own public key to the first communication party;
receives the user information sent by the first communication party, the user information comprising first authentication information generated by the first communication party from the public key and the shared secret between the first communication party and the second communication party;
obtains locally the shared secret with the first communication party, and generates second authentication information from the shared secret with the first communication party and its own public key;
judges whether the second authentication information is consistent with the first authentication information and, if so, confirms that the first communication party is legitimate.
An authentication system, the system comprising a first communication party and a second communication party; wherein,
the first communication party is configured to initiate a connection request to the second communication party, receive the public key of the second communication party, generate first authentication information from the shared secret with the second communication party and the public key, and send user information carrying the first authentication information to the second communication party;
the second communication party is configured to receive the connection request of the first communication party and send its own public key to the first communication party; and to receive the user information of the first communication party, obtain locally the shared secret with the first communication party, generate second authentication information from the obtained shared secret and its own public key, judge whether the second authentication information is consistent with the first authentication information and, if so, confirm that the first communication party is legitimate.
A client device, the device comprising:
a connection initiation module, configured to send a connection request to a server;
a receiving module, configured to receive the public key returned by the server;
an authentication information generation module, configured to generate authentication information from the shared secret with the server and the public key received by the receiving module;
a sending module, configured to send user information to the server, the user information comprising the authentication information generated by the authentication information generation module.
A server, the server comprising:
a receiving and sending module, configured to receive a connection request from a client and send the server's own public key to the client; and to receive user information sent by the client, the user information comprising first authentication information generated by the client from the shared secret with the server and the public key;
a second authentication information generation module, configured to obtain locally the shared secret with the client after the receiving and sending module has received the client's user information, and to generate second authentication information from the obtained shared secret and the server's own public key;
an authentication module, configured to judge whether the second authentication information generated by the second authentication information generation module is consistent with the first authentication information received by the receiving and sending module and, if so, confirm that the client is legitimate.
In the embodiments of the invention the first communication party and the second communication party generate authentication information from the public key of the second communication party and the shared secret between the two, so that the second communication party can confirm from the authentication information whether the identity of the first communication party is legitimate. This defends effectively against man-in-the-middle attack and strengthens the security of the system.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an authentication method provided by embodiment 1 of the invention;
Fig. 2 is a signalling diagram of an improved SSL/TLS protocol exchange provided by embodiment 1 of the invention;
Fig. 3 is a structural diagram of an authentication system provided by embodiment 2 of the invention;
Fig. 4 is a structural diagram of a client device provided by embodiment 3 of the invention;
Fig. 5 is a structural diagram of a server provided by embodiment 4 of the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments of the invention. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiments of the invention confirm the legitimacy of the first communication party by judging whether the second authentication information generated by the second communication party is consistent with the first authentication information received from the first communication party, and thereby defend effectively against man-in-the-middle attack.
Embodiment 1
Referring to Fig. 1, this embodiment provides an authentication method. It is described by way of example with a client as the first communication party and a server as the second communication party, the server being a content auditing device that performs content auditing. The method comprises:
201: the server receives a connection request from the client and sends its own public key to the client;
202: the server receives the user information sent by the client, the user information comprising first authentication information generated by the client from the shared secret with the server and this public key;
203: the server obtains locally the shared secret with the client and generates second authentication information from this shared secret and its own public key;
204: the server judges whether the second authentication information is consistent with the first authentication information and, if so, confirms that the client is legitimate.
The shared secret may be the registration password used when the client registered, or secret information held in a physical token such as a cryptographic card or smart card issued by the server to the client.
The public key in step 201 may be sent to the client in the following manner:
the server generates a digital certificate from its own public key and sends the digital certificate to the client.
The first authentication information and the second authentication information in the above method are generated with the same algorithm. This algorithm may be negotiated and determined in advance, or a fixed algorithm, for example a hash algorithm, may be used.
The user information may also include a user identifier of the client (for example a username), which tells the server which specific client the user information corresponds to, so that the server can obtain the corresponding shared secret locally according to the user identifier.
After confirming that the client is a legitimate user, the server may negotiate with this user the key information to be used for data transfer, and then communicate with the client according to the negotiated key information.
The above authentication method can also be applied within the SSL/TLS security protocol, where it defends effectively against man-in-the-middle attack. Referring to Fig. 2, the specific steps are as follows:
301: the client sends a ClientHello message, notifying the server that it requests an SSL connection and informing the server of the SSL version it supports and the cipher suites and compression algorithms it can use;
302: after receiving the ClientHello message, the server returns a ServerHello message to the client, informing it which cipher suite and which compression algorithm the server has selected from those the client supports;
303: the server sends its own digital certificate to the client. This certificate serves three purposes: it allows the client to authenticate the identity of the server; it contains the server's public key, with which the client encrypts the information later used to derive the data encryption key; and it lets the client compute a hash over this public key and the shared secret with the server, realizing authentication of the client;
304: the server sends a ServerHelloDone message to the client, indicating the end of the server's response messages;
at this point the server has proved its identity to the client, the two sides have agreed on a cipher suite and a compression algorithm, and the client has obtained the key with which to encrypt the information from which the data encryption key will later be derived;
305: the client receives the digital certificate returned by the server and stores the public key from the digital certificate in a global variable; at the same time the client sends a ClientKeyExchange message to the server, carrying the information from which the data encryption key will be derived;
306: the client sends a ChangeCipherSpec message to the server, carrying confirmation of the data encryption algorithm and the hash message authentication code algorithm and notifying the server that from now on data will be encrypted with the newly generated key and the negotiated algorithms;
307: the client sends a Finished message to the server, indicating the end of the handshake on the client side;
308: after receiving the Finished message, the server responds with a ChangeCipherSpec message confirming the negotiated algorithms;
309: the server sends a Finished message, indicating the end of the handshake on the server side;
310: the client performs a hash operation over the server public key stored in the global variable above and the shared secret with the server to generate first authentication information, and sends user information containing this first authentication information and its own user identifier to the server;
the server receives the user information sent by the client, uses the user identifier in the user information to obtain locally the shared secret with the client, performs a hash operation over its own public key and this shared secret to generate second authentication information, and judges whether the second authentication information is consistent with the first authentication information in the received user information; if so, it confirms that the client is legitimate and proceeds with data transfer;
when the shared secret is the registration password used when the client's user registered, the server may store in advance in a database the password used at each user's registration, and look up the corresponding registration password, that is the corresponding shared secret, according to the user's identifier;
when the shared secret is secret information in a physical token such as a cryptographic card or smart card issued by the server to the client, the server stores the correspondence between the secret information on the token and the client in a database when the token is issued, so that the corresponding shared secret can be fetched from the database when needed.
311: the server sends a confirmation message for the authentication result;
312: after both sides have completed the handshake, the client and the server send application data, that is, the client and the server exchange application data;
313: after the data transfer is complete, both sides send a CloseNotify message to each other and close the connection, which also serves to prevent truncation attacks.
This embodiment confirms the legitimacy of the client by judging whether the second authentication information generated by the server is consistent with the first authentication information received from the client, and can defend effectively against man-in-the-middle attack. Even if a man-in-the-middle inserts itself into the communication between client and server, the man-in-the-middle must send the client a forged digital certificate containing its own public key; the client then performs the hash operation over the public key from the forged certificate and the shared secret with the server, and sends the resulting first authentication information to the server. Because the man-in-the-middle does not know the shared secret, it cannot forge this first authentication information. The server performs the hash operation over its own public key and the locally obtained shared secret with the client to generate second authentication information; if this second authentication information is inconsistent with the received first authentication information, the digital certificate sent to the client was modified, that is, the communication has suffered a man-in-the-middle attack, and the server interrupts the subsequent data transfer. The improvement is simple: client and server each perform only one additional hash operation, and at very small cost achieve good authentication and an effective defence against man-in-the-middle attack.
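The following is an added example and not part of the patent: a stand-alone Python simulation of the authentication method of steps 201 to 204 as applied to the SSL/TLS exchange of steps 301 to 313, run once directly and once through a man-in-the-middle that substitutes its own certificate, with the prior-art username/password check included for contrast. The public key bytes, user records, the cipher-suite name, the use of SHA-256 as the fixed hash algorithm and the length prefix in the hash input are all this example's own assumptions; no real TLS or public-key cryptography is performed, only the binding of the received public key to the shared secret is exercised.

```python
"""Added example, not from the patent: simulates steps 201-204 inside the
SSL/TLS exchange of steps 301-313, directly and through a man-in-the-middle.
Keys, users and messages are constructed stand-ins; no real TLS is performed."""
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded public keys carried in certificates.
SERVER_PUBKEY = b"\x30\x2a\x30\x05\x06\x03server-key-bytes-for-the-example"
MITM_PUBKEY = b"\x30\x2a\x30\x05\x06\x03attacker-key-bytes-for-the-example"

# Constructed server database: a registration password and a smart-card secret,
# both keyed by the user identifier carried in the user information.
SECRETS = {
    "alice": b"registration-password-of-alice",
    "card-0042": bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015"),
}


def auth_info(pubkey: bytes, secret: bytes) -> bytes:
    """Steps 203/310: hash over the public key and the shared secret. SHA-256 and
    the 4-byte length prefix are this example's choices; the patent says 'hash'."""
    h = hashlib.sha256()
    h.update(len(pubkey).to_bytes(4, "big"))
    h.update(pubkey)
    h.update(secret)
    return h.digest()


class Server:
    """Second communication party: steps 302-304, 308-309 and 311."""

    def __init__(self, pubkey: bytes, secrets: dict):
        self.pubkey = pubkey
        self.secrets = secrets

    def server_hello(self, client_hello: dict) -> dict:
        return {"ServerHello": client_hello["ClientHello"][0]}  # 302

    def certificate(self) -> dict:
        return {"Certificate": self.pubkey}  # 303

    def finished(self, client_key_exchange: dict) -> dict:
        return {"Finished": True}  # 308-309

    def authenticate(self, user_info: dict) -> dict:
        """Look up the secret by user identifier, recompute the authentication
        information over the server's OWN public key, compare in constant time."""
        secret = self.secrets.get(user_info["user_id"])
        if secret is None:
            return {"AuthResult": False}
        if "password" in user_info:  # prior-art username/password check
            ok = hmac.compare_digest(secret, user_info["password"])
        else:
            ok = hmac.compare_digest(auth_info(self.pubkey, secret), user_info["auth_info"])
        return {"AuthResult": ok}


class ManInTheMiddle:
    """Relays every message but substitutes its own public key in the Certificate."""

    def __init__(self, server: Server):
        self.server = server
        self.observed = []  # everything the attacker gets to read

    def server_hello(self, client_hello):
        return self.server.server_hello(client_hello)

    def certificate(self):
        return {"Certificate": MITM_PUBKEY}  # forged certificate

    def finished(self, client_key_exchange):
        return self.server.finished(client_key_exchange)

    def authenticate(self, user_info):
        self.observed.append(user_info)  # readable, but not forgeable
        return self.server.authenticate(user_info)


def client_session(peer, user_id: str, secret: bytes, prior_art: bool = False) -> bool:
    """First communication party: steps 301, 305-307 and 310."""
    peer.server_hello({"ClientHello": ["TLS_RSA_WITH_AES_128_CBC_SHA"]})
    received_pubkey = peer.certificate()["Certificate"]  # 305: stored for 310
    peer.finished({"ClientKeyExchange": b"premaster-for-" + received_pubkey[:6]})
    if prior_art:
        user_info = {"user_id": user_id, "password": secret}
    else:
        user_info = {"user_id": user_id, "auth_info": auth_info(received_pubkey, secret)}
    return peer.authenticate(user_info)["AuthResult"]


def run() -> dict:
    server = Server(SERVER_PUBKEY, SECRETS)
    mitm = ManInTheMiddle(server)
    return {
        "direct_password_user": client_session(server, "alice", SECRETS["alice"]),
        "direct_smartcard_user": client_session(server, "card-0042", SECRETS["card-0042"]),
        "direct_wrong_secret": client_session(server, "alice", b"wrong-guess"),
        "direct_unknown_user": client_session(server, "mallory", b"anything"),
        "mitm_improved_scheme": client_session(mitm, "alice", SECRETS["alice"]),
        "mitm_prior_art": client_session(mitm, "alice", SECRETS["alice"], prior_art=True),
    }


if __name__ == "__main__":
    for case, accepted in run().items():
        print(f"{case:22s} {'accepted' if accepted else 'rejected'}")
```

Running the block shows the contrast the text describes: the man-in-the-middle relays the prior-art password unchanged and the server accepts it, whereas the hash the client computes over the substituted key never matches the one the server recomputes over its own key, so the session is rejected. Two points the patent leaves open are worth fixing in any real implementation: the comparison in step 204 should be constant-time (hmac.compare_digest here), and the hash would normally be an HMAC keyed with the shared secret rather than a plain hash over the concatenation. When the shared secret is a low-entropy registration password, the value the attacker observes in its own channel can be tested offline against its own key, so the scheme detects certificate substitution but does not replace the client's verification of the server certificate.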
Embodiment 2
Referring to Fig. 3, an embodiment of the invention also provides an authentication system comprising a first communication party 401 and a second communication party 402; wherein,
the first communication party 401 is configured to initiate a connection request to the second communication party 402, receive the public key of the second communication party 402, generate first authentication information from the shared secret with the second communication party 402 and the public key, and send user information carrying the first authentication information to the second communication party 402;
the second communication party 402 is configured to receive the connection request of the first communication party 401 and send its own public key to the first communication party 401; and to receive the user information of the first communication party 401, obtain locally the shared secret with the first communication party 401, generate second authentication information from the obtained shared secret and its own public key, judge whether the second authentication information is consistent with the first authentication information and, if so, confirm that the first communication party is legitimate.
Further, the first communication party 401 comprises:
an algorithm negotiation module, configured to negotiate with the second communication party 402 and determine a hash algorithm;
a connection initiation module, configured to send a connection request to the second communication party 402 and receive the public key of the second communication party 402;
an information generation module, configured to apply the hash algorithm determined by the algorithm negotiation module to the public key of the second communication party 402 and the shared secret with the second communication party 402, generating first authentication information;
a sending module, configured to send to the second communication party 402 user information carrying the first authentication information generated by the information generation module;
the second communication party 402 is further configured to apply the determined hash algorithm to the shared secret and its own public key, generating second authentication information.
The second communication party 402 further comprises:
an information negotiation module, configured to negotiate with the first communication party 401 and determine the protocol version, cipher suite, compression algorithm and data encryption algorithm;
a communication module, configured to communicate with the first communication party 401 using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the information negotiation module.
In this embodiment the first communication party may be a client and the second communication party may be a server.
The system provided by this embodiment judges whether the second authentication information generated by the second communication party 402 is consistent with the first authentication information generated by the first communication party 401, and can thereby confirm whether the public key sent to the first communication party 401 was modified: if the two are consistent, the public key was not modified and the first communication party 401 is legitimate. This prevents man-in-the-middle attack and strengthens the security of the system.
Embodiment 3
Referring to Fig. 4, an embodiment of the invention also provides a client device comprising:
a connection initiation module 501, configured to send a connection request to a server;
a receiving module 502, configured to receive the public key returned by the server;
an authentication information generation module 503, configured to generate authentication information from the public key received by the receiving module 502 and the shared secret with the server;
a sending module 504, configured to send user information to the server, the user information comprising the authentication information generated by the authentication information generation module 503.
Further, the client device also comprises:
an algorithm negotiation module, configured to negotiate with the server and determine a hash algorithm;
correspondingly, the authentication information generation module 503 is specifically configured to apply the hash algorithm determined by the algorithm negotiation module to the shared secret with the server and the public key received by the receiving module, generating the authentication information.
To strengthen the security of communication, the client device also comprises:
a communication information determination module, configured to negotiate with the server and determine the protocol version, cipher suite, compression algorithm and data encryption algorithm;
a communication module, configured to communicate with the server using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the communication information determination module.
The client device provided by this embodiment receives the server's public key, generates authentication information from this public key and the shared secret with the server, and sends it to the server; the server generates new authentication information from its own public key and the locally obtained shared secret with this client device and compares the two pieces of authentication information for consistency, thereby authenticating the client, preventing man-in-the-middle attack and strengthening the security of the system.
Embodiment 4
Referring to Fig. 5, an embodiment of the invention also provides a server comprising:
a receiving and sending module 601, configured to receive a connection request from a client and send the server's own public key to the client; and to receive user information sent by the client, the user information comprising first authentication information generated by the client from the shared secret with this server and the public key;
a second authentication information generation module 602, configured to obtain locally the shared secret with the client after the receiving and sending module 601 has received the client's user information, and to generate second authentication information from the obtained shared secret and the server's own public key;
an authentication module 603, configured to judge whether the second authentication information generated by the second authentication information generation module 602 is consistent with the first authentication information received by the receiving and sending module and, if so, confirm that the client is legitimate.
Further, the server also comprises:
an algorithm negotiation module, configured to negotiate with the client and determine a hash algorithm;
correspondingly, the second authentication information generation module 602 specifically comprises:
an acquisition unit, configured to obtain locally the shared secret with the client after the receiving and sending module 601 has received the client's user information;
a second authentication information generation unit, configured to apply the hash algorithm determined by the algorithm negotiation module to the shared secret obtained by the acquisition unit and the server's own public key, generating second authentication information.
To strengthen the security of communication, the server also comprises:
a communication information determination module, configured to negotiate with the client and determine the protocol version, cipher suite, compression algorithm and data encryption algorithm;
a communication module, configured to communicate with the client using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the communication information determination module.
After receiving the client device's user information (comprising the first authentication information), the server provided by this embodiment obtains locally the shared secret with this client, generates second authentication information from this shared secret and its own public key, and judges whether the second authentication information is consistent with the first authentication information; if so, it confirms that the client is legitimate, thereby preventing man-in-the-middle attack and strengthening the security of the system.
Those of ordinary skill in the art will appreciate that all or part of the flows of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above are only preferred embodiments of the invention and are not intended to limit the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (14)

1. An authentication method, characterized in that the method comprises:
the second communication party receives a connection request from the first communication party and sends its own public key to the first communication party;
receives the user information sent by the first communication party, the user information comprising first authentication information generated by the first communication party from the public key and the shared secret with the second communication party;
obtains locally the shared secret with the first communication party, and generates second authentication information from the shared secret with the first communication party and its own public key;
judges whether the second authentication information is consistent with the first authentication information and, if so, confirms that the first communication party is legitimate.
2. The authentication method according to claim 1, characterized in that sending its own public key to the first communication party comprises:
the second communication party generates a digital certificate from its own public key and sends the digital certificate to the first communication party.
3. The authentication method according to claim 1, characterized in that the user information further comprises a user identifier of the first communication party;
correspondingly, the second communication party obtains locally the shared secret with the first communication party according to the user identifier.
4. The authentication method according to claim 1, characterized in that, before receiving the user information sent by the first communication party, the method comprises:
the first communication party and the second communication party negotiate and determine a hash algorithm;
the first communication party applies the determined hash algorithm to the public key of the second communication party and the shared secret with the second communication party, generates first authentication information, and sends user information carrying the first authentication information to the second communication party;
correspondingly, generating second authentication information from the shared secret with the first communication party and its own public key comprises:
the second communication party applies the determined hash algorithm to the shared secret and its own public key, generating second authentication information.
5. The authentication method according to claim 1, characterized in that, after confirming that the first communication party is legitimate, the method further comprises:
the second communication party negotiates with the first communication party and determines the protocol version, cipher suite, compression algorithm and data encryption algorithm;
the second communication party and the first communication party communicate using the determined protocol version, cipher suite, compression algorithm and data encryption algorithm.
6. An authentication system, characterized in that the system comprises a first communication party and a second communication party; wherein
The first communication party is configured to initiate a connection request to the second communication party, receive the public key of the second communication party, generate first authentication information according to the shared secret with the second communication party and the public key, and send user information carrying the first authentication information to the second communication party;
The second communication party is configured to receive the connection request of the first communication party and send its own public key to the first communication party; and to receive the user information of the first communication party, obtain the shared secret with the first communication party locally, generate second authentication information according to the obtained shared secret and its own public key, judge whether the second authentication information is consistent with the first authentication information, and if so, confirm that the first communication party is legitimate.
7. The authentication system as claimed in claim 6, characterized in that the first communication party comprises:
An algorithm negotiation module, configured to negotiate with the second communication party and determine a hash algorithm;
A connection initiation module, configured to send a connection request to the second communication party and receive the public key of the second communication party;
An information generation module, configured to use the hash algorithm determined by the algorithm negotiation module to compute over the public key of the second communication party and the shared secret with the second communication party, generating the first authentication information;
A sending module, configured to send user information carrying the first authentication information generated by the information generation module to the second communication party;
The second communication party is further configured to use the determined hash algorithm to compute over the shared secret and its own public key, generating the second authentication information.
8. The authentication system as claimed in claim 6, characterized in that the second communication party further comprises:
An information negotiation module, configured to negotiate with the first communication party and determine a protocol version, a cipher suite, a compression algorithm and a data encryption algorithm;
A communication module, configured to communicate with the first communication party using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the information negotiation module.
9. A client device, characterized in that the device comprises:
A connection initiation module, configured to send a connection request to a server;
A receiving module, configured to receive the public key returned by the server;
An authentication information generation module, configured to generate authentication information according to the shared secret with the server and the public key received by the receiving module;
A sending module, configured to send user information to the server, the user information comprising the authentication information generated by the authentication information generation module.
10. The client device as claimed in claim 9, characterized in that the client device further comprises:
An algorithm negotiation module, configured to negotiate with the server and determine a hash algorithm;
Correspondingly, the authentication information generation module is specifically configured to use the hash algorithm determined by the algorithm negotiation module to compute over the shared secret and the public key received by the receiving module, generating the authentication information.
11. The client device as claimed in claim 9, characterized in that the client device further comprises:
A communication information determination module, configured to negotiate with the server and determine a protocol version, a cipher suite, a compression algorithm and a data encryption algorithm;
A communication module, configured to communicate with the server using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the communication information determination module.
12. A server, characterized in that the server comprises:
A receiving and sending module, configured to receive a connection request of a client and send the server's own public key to the client; and to receive user information sent by the client, the user information comprising first authentication information generated by the client according to the shared secret with the server and the public key;
A second authentication information generation module, configured to, after the receiving and sending module receives the user information of the client, obtain the shared secret with the client locally and generate second authentication information according to the obtained shared secret and the server's own public key;
An authentication module, configured to judge whether the second authentication information generated by the second authentication information generation module is consistent with the first authentication information received by the receiving and sending module, and if so, confirm that the client is legitimate.
13. The server as claimed in claim 12, characterized in that the server further comprises:
An algorithm negotiation module, configured to negotiate with the client and determine a hash algorithm;
Correspondingly, the second authentication information generation module specifically comprises:
An acquiring unit, configured to, after the receiving and sending module receives the user information of the client, obtain the shared secret with the client locally;
A second authentication information generation unit, configured to use the hash algorithm determined by the algorithm negotiation module to compute over the shared secret obtained by the acquiring unit and the server's own public key, generating the second authentication information.
14. The server as claimed in claim 12, characterized in that the server further comprises:
A communication information determination module, configured to negotiate with the client and determine a protocol version, a cipher suite, a compression algorithm and a data encryption algorithm;
A communication module, configured to communicate with the client using the protocol version, cipher suite, compression algorithm and data encryption algorithm determined by the communication information determination module.
Application CNA2008101144300A, priority date 2008-06-05, filing date 2008-06-05, "Authentication method, system, client equipment and server", status Pending, publication CN101299667A (en), published 2008-11-05.

Family ID: 40079364

Country status: CN (1) CN101299667A (en)

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
    Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.
    Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.
    Effective date: 20090424
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
    Effective date of registration: 20090424
    Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731
    Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.
    Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129
    Applicant before: Huawei Technologies Co., Ltd.
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication
    Open date: 20081105