CN102611707A - Credible website identity installation and identification method - Google Patents


Info

Publication number: CN102611707A
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN201210076612XA
Other languages: Chinese (zh)
Other versions: CN102611707B (en)
Inventors: 高宁, 卢文哲
Current assignee: BEILONG KNET (BEIJING) TECHNOLOGY Co Ltd
Original assignee: BEILONG KNET (BEIJING) TECHNOLOGY Co Ltd
Application filed by BEILONG KNET (BEIJING) TECHNOLOGY Co Ltd; priority to CN201210076612.XA; published as CN102611707A; application granted and published as CN102611707B; legal status: Active.

Abstract

The invention discloses a trusted website identity installation and identification method comprising the following steps: website management equipment sends the information of the website on which a trusted identity is to be installed, together with the basic information of the enterprise, to a third-party website certification body for credibility verification; if the credibility verification passes, the website management equipment uploads the generated, signed trusted identity document to the root directory of the website, or configures it on the web server of the website; when the browser of a client device accesses the website, the client device first judges whether the website has the trusted identity document; if so, the composition of the trusted identity document is judged and it is verified; and if the verification passes, the trusted verification identity of the website is displayed by the client device. The invention solves the installation problem of existing website trusted identities and security identification problems such as the inability to prevent domain name system (DNS) hijacking, and provides a method that is simpler, safer, easier to identify and more compatible.

Description

Trusted website identity installation and identification method
Technical field
The present invention relates to the field of trusted identification technology in networks, and in particular to a trusted website mark installation and identification method.
Background technology
According to the Internet development research report, e-commerce has developed rapidly since the second half of 2009. Data show that the number of online shopping users increased by 40 million in the first half of 2010, and the user count keeps growing quickly, showing the great potential of the e-commerce market. Corresponding to this boom, however, many netizens have little trust in online transactions, and integrity problems such as phishing and online fraud are becoming more and more serious. The "2009 Chinese Netizens' Network Information Security Status Survey Report" shows that in 2009 over ninety percent of netizens encountered phishing, and among the netizens who encountered phishing incidents, 45 million suffered economic losses, accounting for 11.9% of all netizens. The losses caused by phishing to netizens reached 7.6 billion yuan. A survey of e-commerce users found that, because of distrust of website information, only 1% of the initial users reach the actual transaction stage, which is a very important bottleneck for e-commerce development.
To avoid such incidents, some companies have launched different information verification systems, which help users recognise whether a website or its enterprise is genuine by showing the user the business registration information, domain name information and so on of the enterprise behind the website. Abroad, the main one is the VeriSign Trust Seal issued by VeriSign; domestically there are similar schemes such as Trusted Website verification, iTrust and credit website certificates.
After verifying the identity and credibility of a website, a website verification service usually needs to add a trusted mark to the website to label its verified status. This involves the installation and identification of the website trusted mark. There are currently three main installation methods for website trusted marks: the first, the page icon installation method; the second, the information file installation method; the third, the server certificate installation method.
1. The first method, page icon installation:
The advantage of this scheme is that it is simple to install: it can be installed as long as there is a web page. Because the trusted mark is embedded dynamically, the server side can check the validity and authenticity of the website's installation, and the timestamp on the mark can be updated dynamically, which gives some resistance to forgery. Because the mark is kept on the server and embedded dynamically in the web page, it is also relatively easy to replace uniformly when the mark is renewed or its design is adjusted.
The disadvantage of this scheme is that every time the client refreshes the trusted mark it must fetch the code and the mark dynamically from the server side. This requires an extra network connection and can slow the opening of the verified website's pages. Websites with page-opening speed requirements or very strict security requirements may restrict this extra access. In addition, because the server-side load is the sum of the traffic of all websites with the trusted mark installed, this scheme puts very heavy pressure on the server side.
2. The second method, information file installation:
A trusted mark installation scheme based on the PKI (Public Key Infrastructure) system has in fact been proposed. The principle of this scheme is:
The basic technologies of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes and dual digital signatures.
1) The basic information of the verified website (URL, IP address, website name, company information, etc.) is signed with the private key of the certification body's digital certificate;
2) The basic information and the signature information of the verified website are stored together in a file, which is uploaded to a specific location under the root directory of the verified website.
3) When the client visits the verified website, it fetches the signature file from the specific location under the website root. It checks the signature information using the public key built into the client; if the signature check passes, the website information file is proven genuine, and the browser parses the basic website information contained in the file.
4) The client compares the URL and IP address in the website's basic information with the URL and IP address of the site being accessed. If the information matches, the website trusted mark is displayed in the client's address bar; otherwise it is not displayed.
The disadvantage of this scheme is that it cannot handle dynamic IP or CDN situations, and it cannot dynamically change the verification status of the website. Large websites have basically all adopted CDN acceleration or have multiple nodes worldwide, so their IP addresses are not fixed; placing the IP address in the website information file means that websites using a CDN cannot pass client verification. The second disadvantage is that if the verified website is banned because it was compromised to host malware or for other reasons, the client will still consider the website trusted and display the trusted mark, because the verification document is kept in the website root.
3. The third method, server certificate installation:
A server certificate is based on the PKI system: it is a digital certificate issued by an internationally recognised CA after the identity of the website has been confirmed. The certificate file must be loaded into the website's web application server and configured there.
Its disadvantages are: 1) The content verified in a server certificate is fairly simple; customised content such as company information and business registration information cannot be added. 2) Server certificates cannot currently be installed on virtual-host websites. Most small and medium-sized enterprise websites in China use virtual hosting for their external service, so the applicability is poor. 3) Server certificates cannot be used on large and medium-sized websites that use CDN acceleration, because the principle of the CDN service and the security requirements of server certificates mean that a CDN cannot provide HTTPS acceleration. 4) For websites that only need identity verification and have no requirement to encrypt data transmission, using a server certificate adds an extra transmission encryption function that places a heavy load on the server and increases the website's operating cost. 5) For an ordinary enterprise webmaster the installation process of a server certificate is relatively complex: the web server must be configured, which requires a certain technical threshold, and the web service is affected during installation.
Summary of the invention
The technical problem to be solved by the invention is to provide a trusted website mark installation and identification method, to solve the installation problem of existing website trusted marks and security identification problems such as the inability to prevent DNS hijacking.
To solve the above technical problem, the invention provides a trusted website mark installation and identification method, characterised in that it comprises:
website management equipment sends the information of the website on which the trusted mark is to be installed and the basic information of the enterprise to a third-party website certification body for credibility verification;
if the credibility verification passes, the website management equipment uploads the generated, signed trusted identity document to the root directory of the website, or configures it on the web server of the website;
when the browser of a client device accesses the website, the client device first judges whether the website has the trusted identity document; if so, it judges the composition of the trusted identity document and verifies it; and if the verification passes, the client device displays the trusted verification mark of the website.
Further, the method also comprises:
if the credibility verification passes, the CA of the third-party website certification body issues a certificate to the website management equipment;
the website management equipment completes the certificate download and issues the trusted-mark security supplementary file; the website management equipment generates the trusted identity document from the public key of the certificate and the trusted-mark security supplementary file.
Further, the method also comprises:
if the credibility verification passes, the third-party website certification body directly generates the signed trusted identity document and gives it to the website management equipment.
Further, the trusted-mark security supplementary file comprises:
a DNSSEC check switch, used to mark whether a DNSSEC check must be performed.
Further, the trusted-mark security supplementary file also comprises:
an IP address check switch, used to mark whether the client device performs an IP address check.
Further, the trusted-mark security supplementary file also comprises:
a signature of the trusted-mark security supplementary file, which is a digital signature made with the certificate private key over the generated trusted-mark security supplementary file.
Further, the method also comprises:
before the website information changes or the certificate expires, the website management equipment must go to the third-party website certification body to update the verification data and be verified again. After passing verification, the third-party website certification body again issues a new trusted identity document to the website management equipment, and the website management equipment installs the new trusted identity document on the website.
Further, the method also comprises:
when the DNS information or IP address of the website changes, and the trusted identity document was issued using the CA of the third-party website certification body, the IP address is kept in the trusted-mark security supplementary file, and during the validity period of the certificate the website management equipment can at any time use the certificate private key to issue a new trusted-mark security supplementary file and replace it on its own.
Further, the method also comprises:
when the DNS information or IP address of the website changes, and the trusted identity document was signed with the certificate of the third-party website certification body, the third-party website certification body regenerates a new signed trusted identity document, and the website management equipment installs this new signed trusted identity document on the website.
Further, the trusted-mark security supplementary file also comprises:
a website icon, used for a customised website thumbnail icon displayed on the trusted mark of the client device;
a website IP address list, used when the website has a static IP: the IP address check switch is turned on and the list of trusted IP addresses is added;
a list of DNS server addresses used for the DNSSEC check: when the website uses CDN acceleration or a dynamic IP configuration, a static IP cannot be used for the DNS hijacking check, so if the website has DNSSEC configured, the DNSSEC check switch is turned on and the list of DNS server addresses used for the DNSSEC check is set.
Further, the trusted identity document comprises:
an IP address check switch, marking whether the client performs an IP address check, and/or a DNSSEC check switch, marking whether the client performs a DNSSEC check.
Further, the trusted identity document also comprises:
the website domain name, the website name, the name of the organisation or enterprise that owns the website, the function of the website within its enterprise, the country, province and city where the website is located; the organisation code certificate number or business licence number of the owning organisation or enterprise, the category of the organisation or enterprise, the country, province and city where the organisation or enterprise is located; the trust code registered with the third-party website certification body, the verification level, the third-party website certification body information and/or the online status query address of the trusted mark.
Further, the website domain name further comprises: a single domain name, multiple domain names, a wildcard domain name and/or a Chinese domain name;
and the third-party website certification body information further includes the address for verifying the details at the third-party website certification body.
Compared with the prior art, the trusted website mark installation and identification method of the invention solves the installation problem of existing website trusted marks and security identification problems such as the inability to prevent DNS hijacking, and provides a method that is simpler, safer, easier to identify and more compatible.
Description of drawings
Fig. 1 is a flow chart of the trusted website mark installation and identification method described in the embodiment of the invention;
Fig. 2 is a detailed flow chart of step 102 to step 103 of the trusted website mark installation and identification method described in the embodiment of the invention;
Fig. 3 is a detailed flow chart of step 2021 to step 203 of the method;
Fig. 4 is a detailed flow chart of step 2022 to step 203 of the method;
Fig. 5 is a detailed flow chart of sub-steps E) and F) of step 2022 of the method;
Fig. 6 is a block diagram of the devices involved when the method is carried out according to step 1021;
Fig. 7 is a block diagram of the devices involved when the method is carried out according to step 1022.
Embodiments
The invention is further explained below with reference to the drawings, which do not limit the invention.
As shown in Fig. 1, the trusted website mark installation and identification method described in the embodiment of the invention comprises:
Step 101: first, the website management equipment gives the information of the website on which the trusted mark is to be installed and the basic information of the enterprise to the third-party website certification body for website credibility verification; after the credibility verification passes, the next step is carried out.
Step 102: if the credibility verification passes, the website management equipment uploads the generated, signed trusted identity document under the root directory of the website.
Specifically, step 102 can be carried out in two ways: one follows step 1021 and the other follows step 1022, as shown in Figs. 2 and 6.
Step 1021: the third-party website certification body issues a website certificate to the website management equipment.
Further, in step 1021 the CA (certificate authority) of the third-party website certification body issues the website certificate to the user.
The website certificate here can be a public/private key certificate similar to an EV certificate or a server certificate, with extra information added to the DN (Distinguished Name, an identifier that uses several fields to identify an entity) of the website certificate.
The extra information added to the DN comprises: the website domain name (further comprising a single domain name, multiple domain names, a wildcard domain name, a Chinese domain name, etc.); the website name; the name of the organisation or enterprise that owns the website; the function of the website within its enterprise; the country, province and city where the website is located; the organisation code certificate number or business licence number of the owning organisation or enterprise; the category of the organisation or enterprise; the country, province and city where the organisation or enterprise is located; the trust code registered with the third-party website certification body; the verification level; and the third-party website certification body information (including the Verify Point, i.e. the address for verifying details at the third-party website certification body).
The detailed verification system address of the third-party website certification body (Verify Point) is used so that, when the user clicks the website trusted mark in the client, the client can redirect to the detailed verification system of the third-party website certification body.
Step 1031: the website management equipment completes the certificate download and issues the trusted-mark security supplementary file; the website management equipment combines the public key of the certificate with the trusted-mark security supplementary file (named site.security in this embodiment; it can also be configured in the website's web server) to generate the trusted identity document.
Alternatively, step 1031 can be: the website management equipment completes the certificate download, the public and private keys of the certificate are kept at the third-party website certification body, and the trusted-mark security supplementary file is generated by the back end of the third-party website information verification body; the website management equipment then generates the trusted identity document from the public key of the certificate and the trusted-mark security supplementary file.
Here, generation of the trusted-mark security supplementary file by the back end of the third-party website information verification body specifically means that the back end provides a page that assists the website management equipment in generating the trusted-mark security supplementary file.
Specifically, the trusted-mark security supplementary file comprises:
1) an IP address check switch, used to mark whether the client device performs an IP address check;
2) a DNSSEC (Domain Name System Security Extensions) check switch, used to mark whether a DNSSEC check must be performed;
3) the signature of the trusted-mark security supplementary file, a digital signature made with the certificate private key over the generated trusted-mark security supplementary file. Its purpose is to guarantee that the file is genuine and valid.
Besides the above, the trusted-mark security supplementary file can also comprise the following:
1) a website icon (optional), a customised website thumbnail icon displayed on the trusted mark of the client device;
2) a website IP address list (optional): when the website has a static IP, the IP address check switch is turned on and the list of trusted IP addresses is added, to guarantee that the website is not DNS-hijacked;
3) a list of DNS (Domain Name System) server addresses used for the DNSSEC check (optional): if the website uses CDN acceleration or a dynamic IP configuration, a static IP cannot be used for the DNS hijacking check; if the website has DNSSEC configured, the DNSSEC check switch can be turned on and the list of DNS server addresses used for the DNSSEC check set.
As shown in Fig. 7, the other way of execution is:
Step 1022: the third-party website certification body directly generates the signed trusted identity document and gives it to the website management equipment.
Here the trusted identity document comprises: the website domain name (comprising a single domain name, multiple domain names, a wildcard domain name, a Chinese domain name, etc.); the website name; the name of the organisation or enterprise that owns the website; the function of the website within its enterprise; the country, province and city where the website is located; the organisation code certificate number or business licence number of the owning organisation or enterprise; the category of the organisation or enterprise; the country, province and city where the organisation or enterprise is located; the trust code registered with the third-party website certification body; the verification level; the third-party website certification body information (including the Verify Point, i.e. the address for verifying details at the third-party website certification body); the online status query address of the trusted mark; an IP address check switch, marking whether the client performs an IP address check; and a DNSSEC check switch, marking whether the client performs a DNSSEC check.
It can further comprise: a website icon (optional), the customised website thumbnail icon displayed on the trusted mark in the client; a website IP address list (optional): if the user's website has a static IP, the IP address check switch can be turned on and the list of trusted IP addresses added, to guarantee that the website is not DNS-hijacked; and a list of DNS server addresses used for the DNSSEC check (optional): if the website uses CDN acceleration or a dynamic IP configuration, a static IP cannot be used for the DNS hijacking check, and if the website has DNSSEC configured, the DNSSEC check switch can be turned on and the list of DNS server addresses used for the DNSSEC check set.
The trusted identity documents generated in step 1031 and step 1022 can also be extended with other supplementary files, all of which are collectively called the trusted identity document; furthermore, these trusted identity documents can be independent files, or can be attached to other existing files.
Which of the above flows is used, step 1021 followed by 1031 or step 1022, is chosen by the third-party website certification body as the case requires. Correspondingly, using the CA mode of the third-party website certification body (steps 1021 and 1031) is safer, but it places higher demands on the qualifications and management capability of the third-party website certification body and on the technical level of the user. Using the signature mode (step 1022) is relatively simple, but its security is slightly lower than that of the certificate mode.
Step 103: the website management equipment uploads the trusted identity document under the root directory of the website, or configures it through the website's web server.
In this embodiment the public key of the certificate is named the site.cert file.
Further, to guarantee client compatibility, the public key of the certificate and the trusted-mark security supplementary file must both use fixed names and be placed under a fixed path in step 103. If the website's web server configuration is used instead, a fixed name and path are unnecessary.
The trusted-mark security supplementary file in step 103 is not mandatory; if the user has no extra security requirements, only the site.cert file (the public key of the certificate) may be placed in the website root.
Step 103 further comprises: adding a configuration section for the trusted identity document of the website to the configuration file of the website's web server, and configuring in the web server the file name and path of the identity document installed on the website, so that the browser reaches the correct website identity file according to the configuration information. This step avoids having to prescribe the file name and path of the uploaded file manually.
The embodiment of the invention completes the installation of the website trusted mark through the above four steps.
The identification and verification of the website trusted mark by the browser of the client device is described below (this embodiment uses a browser as the client; other types such as a search engine can also be used, in which case the result is not only presented in the browser but can also be shown in the search results):
Step 201: when the browser of the client device accesses the website, the client device first judges whether the website has a trusted identity document; if not, it exits; if so, it carries out the next step.
Step 202: the client device judges the composition of the trusted identity document. If the trusted identity document was issued by the CA of the third-party website certification body, step 2021 is executed; if the third-party website certification body directly generated the signed trusted identity document, step 2022 is executed.
Step 2021: the client device verifies the certificate file of the website; if the verification passes and the trusted identity document of the website includes a trusted-mark security supplementary file, the trusted-mark security supplementary file is then verified; after that verification passes, the client device shows that the website is a trusted website.
Step 2021 is shown further in Fig. 3 and is specifically:
First step: the client device verifies the certificate file of the website. The processing steps comprise:
11) the client device first judges whether the root directory of the website has a site.cert file; if so, it judges according to the certificate chain whether the public key of the website's certificate file is trusted; if trusted, it carries out the next step; if not trusted, it exits and the verification fails.
12) the client device judges the validity period of the website's certificate file; if valid, it carries out the next step; if invalid, it exits and the verification fails.
13) the client device judges whether the domain name field in the certificate subject or subject alternative name of the website's certificate file is the domain name being visited; if so, it carries out the next step; if not, it exits and the verification fails.
14) the client device queries whether the certificate file has been revoked, using the CRL or OCSP query address of the website's certificate file (CRL: Certificate Revocation List, used to query certificate status; OCSP: Online Certificate Status Protocol, another protocol for querying certificate status online; both are international standards and differ from the files described in this document); if revoked, the verification fails; if not revoked, the verification passes.
Note: all of the above steps must pass for the validity verification to pass.
In the second step, if the validity verification of the website's certificate file has passed and the website's credible identification document includes the credible-sign security attachment file (the site.Security file), the security attachment file is verified. The processing steps are as follows:
21) The client device uses the certificate file verified in the previous step to check the signature of the credible-sign security attachment file. If the signature checks out, it reads the information in the attachment and performs the supplementary security verification, that is, proceeds to the next step; otherwise the attachment is considered illegal, it is not processed further, and verification fails.
22) If a website icon is set in the security attachment file, the client device must display this icon in the popup window of the website's credible sign, then proceed to the next step.
23) If the IP address check is set in the security attachment file, the client must check whether the IP address of the web server currently being accessed lies within the IP address ranges listed in the attachment; if not, the check fails; if it does, proceed to the next step.
24) If the DNSSEC check is set in the security attachment file and the client device did not use a DNSSEC query when accessing this website, it must additionally perform the DNSSEC check: it sends a DNSSEC query for the domain name to the DNSSEC-capable name server configured on the client device;
If no specific DNSSEC name server is configured on the client device, the default or system-default name server is used;
If the client's query result does not conform to DNSSEC, the client reports a DNSSEC query failure and suggests configuring DNSSEC;
If the record returned by DNSSEC is correct but does not match the IP address of the website the client device is currently accessing, the client device warns that the domain name may have been hijacked and that there is a security risk.
If the record returned by DNSSEC is correct and matches the IP address of the website currently being accessed, the DNSSEC check passes.
Step 2022: when the third-party website certification body directly generates the signed credible identification document, the client device only needs to verify the credible identification document. As shown in Figure 4, the processing steps are:
A) The client device uses the certificate public key of the third-party website certification body to verify the signature of the credible identification document. If verification passes, this proves that the document was indeed issued by the third-party website certification body and the client device can trust it; otherwise verification fails and the client device stops checking;
B) The client device checks, according to the validity period in the credible identification document, whether the document is valid; if valid, it checks whether the domain name in the credible identification document matches the domain name currently being accessed, and proceeds to the next step if they match;
C) After the validity check, the client device queries the credible-sign status online query address (the CRL address) in the credible identification document to check whether the credible sign has been revoked. Once the website's credible sign has been revoked for any reason, the client device will fail at this step. This step guarantees the authority and validity of the credible sign.
D) If a website icon is set in the credible identification document, the client device must also display this icon in the popup window of the website's credible sign.
The following steps E) and F) are shown in Figure 5.
E) If the IP address check is set in the credible identification document, the client device must also check whether the IP address of the web server currently being accessed lies within the IP address ranges listed in the document; otherwise the check fails.
F) If the DNSSEC check is set in the credible identification document and the client device did not use a DNSSEC query when accessing this website, it must additionally perform the DNSSEC check: it sends a DNSSEC query for the domain name to the DNSSEC-capable name server configured on the client device;
If no specific DNSSEC name server is configured on the client device, the client device uses the default or system-default name server;
If the result of the client device's query does not conform to DNSSEC, the client reports a DNSSEC query failure and suggests configuring DNSSEC.
If the record returned by DNSSEC is correct but does not match the IP address of the website the client device is currently accessing, the client device warns that the domain name may have been hijacked and that there is a security risk;
If the record returned by DNSSEC is correct and matches the IP address of the website currently being accessed, the DNSSEC check passes.
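The signed security attachment of steps 21) to 24), as an added example in Go that is not part of the patent or of any product implementing it; steps A), D), E) and F) of the certification-body-signed document are the same checks with the certification body's key in place of the site certificate's key, so one example serves both passages. The JSON layout, the field names, the Ed25519 key pair standing in for the certificate key pair, and the addresses 203.0.113.0/24 and 198.51.100.7 are this example's own assumptions; the DNSSEC query itself is modelled by a DNSResult the caller fills in, because the live query cannot run offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net"
)

// SecurityFile holds the fields the patent lists for the credible-sign security
// attachment (claim 10); the JSON layout and field names are this example's own.
type SecurityFile struct {
	Icon        string   `json:"icon"`           // website icon shown in the popup
	IPCheck     bool     `json:"ip_check"`       // IP address check switch
	IPRanges    []string `json:"ip_ranges"`      // trusted server addresses, CIDR form
	DNSSECCheck bool     `json:"dnssec_check"`   // DNSSEC check switch
	DNSServers  []string `json:"dnssec_servers"` // resolvers for the DNSSEC query
}

// signedFile is the body plus the signature made with the site certificate's private key (claim 6).
type signedFile struct {
	Body json.RawMessage `json:"body"`
	Sig  string          `json:"sig"`
}

// DNSResult is the outcome of the client's own DNSSEC query for the visited domain.
type DNSResult struct {
	Validated bool     // the DNSSEC chain validated
	Addresses []string // A records returned by that query
}

// signSecurityFile is the management device's side; Ed25519 stands in for the certificate key.
func signSecurityFile(priv ed25519.PrivateKey, sf SecurityFile) ([]byte, error) {
	body, err := json.Marshal(sf)
	if err != nil {
		return nil, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	return json.Marshal(signedFile{Body: body, Sig: sig})
}

// verifySecurityFile runs steps 21-24 (the same checks as steps A, D, E, F of the
// certification-body-signed document); it returns the icon to show on success.
func verifySecurityFile(pub ed25519.PublicKey, raw []byte, serverIP string, dns DNSResult) (icon string, err error) {
	var w signedFile
	if err = json.Unmarshal(raw, &w); err != nil {
		return "", err
	}
	sig, err := base64.StdEncoding.DecodeString(w.Sig)
	if err != nil || !ed25519.Verify(pub, w.Body, sig) { // step 21: bad signature, stop here
		return "", errors.New("step 21: signature invalid, attachment not processed")
	}
	var sf SecurityFile
	if err = json.Unmarshal(w.Body, &sf); err != nil {
		return "", err
	}
	if sf.IPCheck && !ipInRanges(net.ParseIP(serverIP), sf.IPRanges) { // step 23
		return "", errors.New("step 23: connected server IP not in trusted list")
	}
	if s := dnssecStatus(serverIP, dns); sf.DNSSECCheck && s != "passed" { // step 24
		return "", errors.New("step 24: " + s)
	}
	return sf.Icon, nil // step 22: the icon is shown in the popup once all checks pass
}

func ipInRanges(ip net.IP, ranges []string) bool {
	for _, r := range ranges {
		if _, n, err := net.ParseCIDR(r); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// dnssecStatus is the decision of step 24 once the supplementary DNSSEC query has run.
func dnssecStatus(serverIP string, dns DNSResult) string {
	if !dns.Validated {
		return "query failed" // client reports the failure and suggests configuring DNSSEC
	}
	for _, a := range dns.Addresses {
		if ip := net.ParseIP(a); ip != nil && ip.Equal(net.ParseIP(serverIP)) {
			return "passed"
		}
	}
	return "possible hijack" // records validate but differ from the address actually connected to
}

// runScenario signs sf with a fresh stand-in key and verifies it as the client would;
// forged verifies against a different key, as for a file a phishing site signed itself.
func runScenario(sf SecurityFile, serverIP string, dns DNSResult, forged bool) (string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	raw, err := signSecurityFile(priv, sf)
	if err != nil {
		return "", err
	}
	if forged {
		pub, _, _ = ed25519.GenerateKey(rand.Reader)
	}
	return verifySecurityFile(pub, raw, serverIP, dns)
}
```

`runScenario` shows the outcomes a client would see: the genuine file on a trusted address passes and yields the icon; the same file verified against another key fails at step 21 (a forged file); a server outside the trusted list fails at step 23; and `dnssecStatus` distinguishes a failed DNSSEC query (configure DNSSEC) from validated records that differ from the connected address (possible hijack). Re-signing the attachment after an IP change, as in step 302, is simply another call to `signSecurityFile` with the certificate key.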
Step 203: once the client device has verified both the website's certificate file and the credible-sign security attachment file included in the credible identification document, it displays the website's credible verification sign and indicates that the website currently being accessed is a credible website.
For step 203, the user can, through events such as a click or mouse-over, make the client device display the detailed basic information of the website defined in the credible identification document: the website domain name, site name, name of the organization or enterprise that owns the website, verification level, third-party website certification body, and so on. In addition, the client device can provide a "more details" query function: when the user clicks it, the client device jumps, according to the verification point address in the credible identification document and the website's credible code, to the detailed verification system of the third-party website certification body in order to view more detailed information about the website.
The process of renewing the website's credible sign is described below.
Step 301: before the website information changes or the certificate expires, the website management device must go to the third-party website certification body to update the website's verification data and be verified again. After verification passes, the third-party website certification body issues a new credible identification document to the website management device, which then installs the new document on the website.
Step 302: when the website's DNS information or IP address changes and the credible identification document was issued using a CA certificate, the IP address is kept in the credible-sign security attachment file, so within the certificate's validity period the website management device can at any time use the certificate's private key to sign a new security attachment file and replace the file on the website itself;
When the website's DNS information or IP address changes and the credible identification document was signed with the certificate of the third-party website certification body, the DNS and IP address are kept in the credible identification document itself and are covered by the certification body's signature, so an IP address change requires an application to the third-party body; the third-party website certification body regenerates a new signed credible identification document, and the website management device installs this new signed document on the website.
Using this scheme achieves the following effects:
First, the scheme of the present invention offers two optional modes, a CA certificate mode and a file signature mode, to handle the installation and identification of the website's credible sign. The scheme is based on the encryption and authentication model of a PKI system and has very strong security, which guarantees that the website information file cannot be copied or tampered with and satisfies the security requirements of the solution.
Second, with respect to copy prevention, after verifying the authenticity of the website information file the client device performs a secondary check against the website's domain name, IP address and similar information, achieving anti-copy verification.
Third, with respect to DNS hijacking prevention, the scheme of the present invention offers more flexibility: the website management device can choose whether to add the IP address check or the DNSSEC check according to the security requirements of its own website. For websites that use CDN acceleration, whose IP addresses change dynamically, the IP address check cannot be used; instead DNSSEC can be deployed on the DNS and the DNSSEC check added to the website information file, so that the client device uses DNSSEC for its DNS query when verifying DNS information and is protected from DNS hijacking. For government-class websites, which use static IP addresses, adding the IP information check directly to the website information file is simpler and more convenient. To handle website IP address changes, the website management device can log in to the backend system of the website at any time, modify the website information and regenerate the credible identification document.
For installation, the website management device only needs a website file upload function to complete the installation. There is no requirement on whether the website runs on a virtual host, a VPS or a dedicated host, nor does the user need any technical background in web coding; the scheme is genuinely simple to use and easy to install.
Another variant uses DNSCurve in place of DNSSEC in the above embodiment; it achieves the same effect and is also one implementation of this scheme. DNSCurve, like DNSSEC, is another standard for DNS security extensions. Its use is similar to that of DNSSEC, and wherever DNSSEC appears in this text it can be replaced by DNSCurve. This is stated for the sake of protection, to prevent anyone from circumventing the scope of the scheme by substituting DNSCurve for DNSSEC.
Compared with the prior art, the credible website identity installation and identification method of the present invention solves the installation problem of credible website signs and the security identification problems of existing websites, such as the inability to prevent DNS hijacking, and provides a method that is simpler, safer, easier to identify and more compatible.
In summary, the present invention achieves the following objectives:
1) Easy installation: applicable to all kinds of hosting environments, such as virtual hosts, VPS and dedicated hosts, and easy to install.
2) Higher security: the sign is unique and forgery-proof, which defeats phishing and illegal websites that copy the sign content, forge or tamper with it, or hijack DNS, so that users do not suffer losses because of a forged sign.
3) Verifiability: to guarantee that the installed credible sign is safe, the scheme implements client-side verification of the website sign.
4) Easy identification: the credible sign is very visible, making it convenient for users to recognize the sign and identify the basic information of the website.
5) Stronger compatibility: compatible with all kinds of clients, such as browsers, mobile phone browsers, search engine crawlers, IM clients and so on.
Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and variations according to the present invention, but all such changes and variations shall fall within the scope of protection of the appended claims of the present invention.

Claims (13)

1. A credible website identity installation and identification method, characterized in that it comprises:
a website management device submitting the information of the website on which the credible sign is to be installed, together with the basic information of the enterprise, to a third-party website certification body for credibility verification;
if the credibility verification passes, the website management device uploading the generated signed credible identification document to the root directory of the website or configuring it on the web server;
when a browser of a client device accesses the website, the client device first judging whether the website has the credible identification document; if so, judging the composition of the credible identification document and verifying it; and if the verification passes, the client device displaying the website's credible verification sign.
2. The credible website identity installation and identification method according to claim 1, characterized in that it further comprises:
if the credibility verification passes, the CA of the third-party website certification body issuing a certificate to the website management device;
the website management device completing the certificate download and signing the credible-sign security attachment file; and the website management device generating the credible identification document from the public key of the certificate and the credible-sign security attachment file.
3. The credible website identity installation and identification method according to claim 1, characterized in that it further comprises:
if the credibility verification passes, the third-party website certification body directly generating the signed credible identification document and providing it to the website management device.
4. The credible website identity installation and identification method according to claim 2, characterized in that the credible-sign security attachment file comprises:
a DNSSEC check switch, used to mark whether the DNSSEC check needs to be performed.
5. The credible website identity installation and identification method according to claim 4, characterized in that the credible-sign security attachment file also comprises:
an IP address check switch, used to mark whether the client device performs the IP address check.
6. The credible website identity installation and identification method according to claim 5, characterized in that the credible-sign security attachment file also comprises:
a signature of the credible-sign security attachment file, made by digitally signing the generated credible-sign security attachment file with the private key of the certificate.
7. The credible website identity installation and identification method according to claim 1, characterized in that it further comprises:
before the website information changes or the certificate expires, the website management device going to the third-party website certification body to update the verification data and be verified again; after the verification passes, the third-party website certification body issuing a new credible identification document to the website management device, and the website management device installing the new credible identification document on the website.
8. The credible website identity installation and identification method according to claim 6, characterized in that it further comprises:
when the website's DNS information or IP address changes and the credible identification document was issued using the CA of the third-party website certification body, the IP address being kept in the credible-sign security attachment file, and, within the validity period of the certificate, the website management device using the private key of the certificate at any time to sign a new credible-sign security attachment file and replace it on its own.
9. The credible website identity installation and identification method according to claim 3, characterized in that it further comprises:
when the website's DNS information or IP address changes and the credible identification document was signed with the certificate of the third-party website certification body, the third-party website certification body regenerating a new signed credible identification document, and the website management device installing this new signed credible identification document on the website.
10. The credible website identity installation and identification method according to claim 6, characterized in that the credible-sign security attachment file also comprises:
a website icon, used to display a custom website thumbnail icon on the credible sign of the client device;
a website IP address list, used, when the website has a static IP, to turn on the IP address check switch and add the list of trusted IP addresses;
a list of DNS server addresses used for the DNSSEC check, used when the website is CDN-accelerated or has a dynamic IP configuration, so that a static IP cannot be used to check for DNS hijacking, and the website has deployed DNSSEC: the DNSSEC check switch is turned on and the list of DNS server addresses used for the DNSSEC check is set.
11. The credible website identity installation and identification method according to claim 3, characterized in that the credible identification document comprises:
an IP address check switch, marking whether the client performs the IP address check, and/or a DNSSEC check switch, marking whether the client performs the DNSSEC check.
12. The credible website identity installation and identification method according to claim 11, characterized in that the credible identification document also comprises:
the website domain name, site name, name of the organization or enterprise that owns the website, the function the website belongs to, and the country, province and city where the website is located; the organization code certificate number of the owning organization or the business license number of the owning enterprise, the category of the organization or enterprise, and the country, province and city where the organization or enterprise is located; the credible code registered with the third-party website certification body, the verification level, the information of the third-party website certification body, and/or the online status query address of the credible sign.
13. The credible website identity installation and identification method according to claim 9, characterized in that:
the website domain name further comprises: a single domain name, multiple domain names, a wildcard domain name and/or a Chinese domain name;
the information of the third-party website certification body further includes the detailed verification address of the third-party website certification body.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210076612.XA CN102611707B (en) 2012-03-21 2012-03-21 A kind of credible website identity is installed and recognition methods

Publications (2)

Publication Number Publication Date
CN102611707A true CN102611707A (en) 2012-07-25
CN102611707B CN102611707B (en) 2015-10-21

Family

ID=46528860

Country Status (1)

Country Link
CN (1) CN102611707B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1645821A (en) * 2005-01-31 2005-07-27 深圳市沃通通信服务有限公司 Web site identify identifying and realizing method for binding domain name and domain certificater identification
CN101310502A (en) * 2005-09-30 2008-11-19 趋势科技股份有限公司 Security management device, communication system and access control method
CN102105920A (en) * 2008-07-29 2011-06-22 摩托罗拉移动公司 Method and system for securing communication sessions
CN102355469A (en) * 2011-10-31 2012-02-15 北龙中网(北京)科技有限责任公司 Method for displaying credibility certification for website in address bar of browser

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
[No author]: "Countering DNS Security Threats" (应对DNS安全威胁), 《微电脑信息》 (Microcomputer Information), 10 July 2011 (2011-07-10), pages 11 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102857496A (en) * 2012-08-10 2013-01-02 四川长虹电器股份有限公司 Network information verifying method
CN103856438A (en) * 2012-11-28 2014-06-11 卡巴斯克 Automatic translation and network identity verification method provided with security protection
CN103856438B (en) * 2012-11-28 2018-03-06 卡巴斯克 Have security protection from turn location and network identity validation method
CN106254325A (en) * 2013-03-25 2016-12-21 北京奇虎科技有限公司 The display packing of website authentication information and browser
CN103414688B (en) * 2013-07-09 2016-09-28 百度在线网络技术(北京)有限公司 A kind of method and apparatus for loading user security seal on accession page
CN103414688A (en) * 2013-07-09 2013-11-27 百度在线网络技术(北京)有限公司 Method for loading user security seal in visited page and device thereof
WO2015169095A1 (en) * 2014-05-05 2015-11-12 中国科学院计算机网络信息中心 Dnssec and dane protocols based trustful verification method
CN104468763A (en) * 2014-11-28 2015-03-25 北京奇虎科技有限公司 Method and device for uploading files to website root directory
CN104468763B (en) * 2014-11-28 2018-09-04 北京奇安信科技有限公司 A kind of method and apparatus that file is uploaded to website root
WO2016091002A1 (en) * 2014-12-10 2016-06-16 百度在线网络技术(北京)有限公司 Method and device for providing authentication information on web page
CN104572837A (en) * 2014-12-10 2015-04-29 百度在线网络技术(北京)有限公司 Method and device for providing authentication information on webpage
CN104572837B (en) * 2014-12-10 2019-07-26 百度在线网络技术(北京)有限公司 The method and device of authentication information is provided on webpage
US10686835B2 (en) 2014-12-10 2020-06-16 Baidu Online Network Technology (Beijing) Co., Ltd. Method and device for providing authentication information on web page
CN104580172B (en) * 2014-12-24 2017-12-12 北京奇虎科技有限公司 A kind of data communications method and device based on https agreements
CN104580172A (en) * 2014-12-24 2015-04-29 北京奇虎科技有限公司 Data communication method and device based on https (hypertext transfer protocol over secure socket layer)
CN104639534A (en) * 2014-12-30 2015-05-20 北京奇虎科技有限公司 Website safety information uploading method and browser device
CN108964892A (en) * 2018-06-25 2018-12-07 北京迪曼森科技有限公司 Generation method, application method, management system and the application system of trusted application mark
CN108964892B (en) * 2018-06-25 2019-07-26 北京迪曼森科技有限公司 Generation method, application method, management system and the application system of trusted application mark
CN113660274A (en) * 2021-08-18 2021-11-16 中国电信股份有限公司 Website information processing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN102611707B (en) 2015-10-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant