CN104539620A - Safe bidirectional SSL authentication method and middleware - Google Patents

Safe bidirectional SSL authentication method and middleware

Info

Publication number
CN104539620A
Authority
CN
China
Prior art keywords
application process
pin code
middleware
private key
handle
Prior art date
Legal status
Granted
Application number
CN201410848953.3A
Other languages
Chinese (zh)
Other versions
CN104539620B (en
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Events
Application filed by Feitian Technologies Co Ltd
Priority to CN201410848953.3A
Publication of CN104539620A
Application granted
Publication of CN104539620B
Legal status: Active

Classifications

    • H04L63/0869 (under H04L63/08, H04L63/00; section H Electricity, class H04 Electric communication technique, subclass H04L Transmission of digital information): Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L9/3226 (under H04L9/32, H04L9/00; same section, class and subclass): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a safe bidirectional (mutual) SSL authentication method and middleware. They are applied in a system comprising a host computer and a hardware device connected to it. The host computer runs the middleware and application processes, and an application process performs bidirectional SSL authentication by calling the interfaces of the middleware. By modifying the middleware's interface handling when it is called by a preset process, the method ensures that every PIN code input box popped up while the bidirectional SSL session is being established is controlled by the middleware rather than by the application, so that the PIN code typed by the user into the input box is protected from being stolen and the security of bidirectional SSL authentication is improved.

Description

Safe two-way SSL authentication method and middleware
Technical field
The present invention relates to the field of information security, and in particular to a safe two-way SSL authentication method and middleware.
Background technology
Two-way SSL (Secure Sockets Layer) authentication provides confidentiality and data integrity for network communication: it prevents data transmitted over the network from being read or tampered with by a third party.
In the prior art, when some browsers (for example, the Firefox browser) set up a two-way SSL session through PKCS#11, the PIN code input box is popped up by the browser itself and is not under the control of the middleware. The PIN code the user types into that box can be captured and copied by a keyboard hook, so there is a risk that the PIN code leaks, and the security of two-way SSL authentication cannot be guaranteed.
Summary of the invention
The invention provides a safe two-way SSL authentication method and middleware to address the risk of PIN code leakage in the prior art.
The invention provides a safe two-way SSL authentication method comprising the following steps:
S1: The middleware waits to be called by an application process. When the application process calls the C_GetTokenInfo interface, go to step S2; when the application process calls the C_Login interface, go to step S5.
S2: The middleware judges whether the application process is a preset process; if so, go to step S3; otherwise, go to step S4.
S3: The middleware sets the value of the flag in the token to the second preset value, returns the value of the flag in the token to the application process, sends a success message to the application process, and returns to step S1.
S4: The middleware reads the value of the flag in the token, returns it to the application process, sends a success message to the application process, and returns to step S1.
S5: The middleware judges whether the application process is a preset process; if so, go to step S6; otherwise, go to step S7.
S6: The middleware returns the second preset value to the application process as the value of the flag in the token, pops up its own PIN code input box, obtains the PIN code entered by the user through that box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the flow returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the flow returns to step S1.
S7: The middleware obtains the PIN code entered by the user (as supplied by the application process in its C_Login call), sends it to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the flow returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the flow returns to step S1.
The invention also provides a middleware comprising:
a first judging module, for judging whether the application process is a preset process when the C_GetTokenInfo interface is called by the application process;
a first processing module, for, when the first judging module judges that the application process is a preset process, setting the value of the flag in the token to the second preset value, returning the value of the flag in the token to the application process, and sending a success message to the application process;
a second processing module, for, when the first judging module judges that the application process is not a preset process, reading the value of the flag in the token, returning it to the application process, and sending a success message to the application process;
a second judging module, for judging whether the application process is a preset process when the C_Login interface is called by the application process;
a third processing module, for, when the second judging module judges that the application process is a preset process, returning the second preset value to the application process as the value of the flag in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through that box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it, and, if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process, or, if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module, for, when the second judging module judges that the application process is not a preset process, obtaining the PIN code entered by the user, sending it to the hardware device, receiving the verification result returned by the hardware device and judging it, and, if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process, or, if the PIN code is wrong, sending a failure message to the application process.
Beneficial effect of the invention: by modifying the middleware's interface handling when it is called by a preset process, every PIN code input box popped up while two-way SSL is being established is controlled by the middleware, so the PIN code typed by the user into the box is protected from being stolen, and the security of two-way SSL authentication is improved.
Brief description of the drawings
Fig. 1 is a structural diagram of a safe two-way SSL authentication system in an embodiment of the present invention;
Fig. 2 and Fig. 3 are flow charts of a safe two-way SSL authentication method in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a middleware in an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the protection scope of the invention.
An embodiment of the present invention provides a safe two-way SSL authentication method, applied in a system comprising a host computer and a hardware device connected to the host. As shown in Fig. 1, the host runs the middleware and application processes, and an application process performs two-way SSL authentication by calling the interfaces of the middleware. The specific flow, shown in Fig. 2 and Fig. 3, comprises the following steps:
Step 101: The middleware waits to be called by an application process. When the application process calls the C_GetTokenInfo interface, go to step 102; when it calls the C_Login interface, go to step 106; when it calls the C_Sign interface, go to step 118.
Step 102: The middleware obtains the process name of the application process.
Specifically, the middleware calls the GetModuleFileName function to obtain the full path of the application process and extracts the process name from the full path.
Step 103: Based on the process name obtained, the middleware judges whether the application process is a preset process; if so, go to step 104; otherwise, go to step 105.
The preset process may be the Firefox browser process or another browser process.
Step 104: The middleware sets the process information to the first preset value, sets the value of the flag in the token to the second preset value, returns the second preset value to the application process as the value of the flag in the token, sends a success message to the application process, and returns to step 101.
Here, the process information records the type of process that is calling the middleware interface: when it equals the first preset value, the calling process is a preset process; when it has any other value, the calling process is some other process. The flag in the token records whether the application needs to log in to the token itself: when the flag equals the second preset value, the application does not need to log in to the token (the middleware collects the PIN code and performs the login); when it has any other value, the application needs to log in to the token. In this embodiment the second preset value is 0x00000100, which is the value PKCS#11 defines for the CKF_PROTECTED_AUTHENTICATION_PATH token flag (the token has its own means of entering the PIN); a PKCS#11 client that sees this flag calls C_Login without supplying a PIN.
Step 105: The middleware reads the value of the flag in the token, returns it to the application process, sends a success message to the application process, and returns to step 101.
Step 106: The middleware judges whether the process information equals the first preset value; if so, go to step 107; otherwise, go to step 113.
Step 107: The middleware returns the second preset value to the application process as the value of the flag in the token.
Step 108: The middleware pops up its own PIN code input box, obtains the PIN code entered by the user through that box, sends the PIN code to the hardware device, and receives the verification result returned by the hardware device.
Step 109: The middleware judges the verification result received. If the PIN code is correct, go to step 110; if the PIN code is wrong, go to step 111; if the PIN code is locked, go to step 112.
Step 110: The middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 111: The middleware obtains the remaining PIN code retry count from the token information, outputs it to the application process, and returns to step 108 (the user is prompted again).
Step 112: The middleware sends a locked message to the application process and returns to step 101.
Step 113: The middleware obtains the PIN code entered by the user (as supplied by the application process), sends it to the hardware device, and receives the verification result returned by the hardware device.
Step 114: The middleware judges the verification result received. If the PIN code is correct, go to step 115; if the PIN code is wrong, go to step 116; if the PIN code is locked, go to step 117.
Step 115: The middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 116: The middleware obtains the remaining PIN code retry count from the token information, outputs it to the application process, sends a failure message to the application process, and returns to step 101.
Step 117: The middleware sends a locked message to the application process and returns to step 101.
Step 118: The middleware obtains the session handle and the data to be signed, obtains the private key handle and the signature mechanism through the session handle, obtains the signing key through the private key handle, performs the signature operation on the data with that key according to the signature mechanism obtained, returns the signature result to the application process, sends a success message to the application process, and returns to step 101.
It should be noted that when the C_OpenSession interface of the middleware is called by the application process, the middleware opens a session identified by a session handle, sends a success message to the application process, and returns to step 101.
When the C_FindObjectsInit interface of the middleware is called by the application process, the middleware judges whether the process information equals the first preset value.
If it is not the first preset value, the middleware obtains the session handle, initializes the private key object template through the session handle, records the private key object template against the session handle, sends a success message to the application process, and returns to step 101.
If it is the first preset value, the middleware reads the login status from the session information and judges whether it is logged in. If so, it obtains the session handle, initializes the private key object template through the session handle, records the private key object template against the session handle, sends a success message to the application process, and returns to step 101. Otherwise, it pops up its own PIN code input box, obtains the PIN code entered by the user through that box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it: if the PIN code is correct, it sets the login status in the session information to logged in, initializes the private key object template through the session handle, records the private key object template against the session handle, sends a success message to the application process, and returns to step 101; if the PIN code is wrong, it obtains the remaining PIN code retry count from the token information, outputs it to the application process, sends a failure message to the application process, and returns to step 101; if the PIN code is locked, it sends a locked message to the application process.
When the C_FindObjects interface of the middleware is called by the application process, the middleware obtains the session handle, obtains the private key object template through the session handle, and searches for private key objects matching the template. If any are found, the middleware obtains the private key handle corresponding to each private key object found, returns the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step 101; otherwise the middleware sets the private key count to zero, returns it to the application process, sends a success message to the application process, and returns to step 101.
When the C_SignInit interface of the middleware is called by the application process, the middleware judges whether the process information equals the first preset value.
If it is not the first preset value, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism against the session handle, sends a success message to the application process, and returns to step 101.
If it is the first preset value, the middleware reads the login status from the session information and judges whether it is logged in. If so, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism against the session handle, sends a success message to the application process, and returns to step 101; here the signature mechanism comprises the signature algorithm and the digest algorithm. Otherwise, the middleware pops up its own PIN code input box, obtains the PIN code entered by the user through that box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it: if the PIN code is correct, it sets the login status in the session information to logged in, obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism against the session handle, sends a success message to the application process, and returns to step 101; if the PIN code is wrong, it obtains the remaining PIN code retry count from the token information, outputs it to the application process, sends a failure message to the application process, and returns to step 101; if the PIN code is locked, it sends a locked message to the application process and returns to step 101.
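The following is an added example, not code from the patent or from Feitian: a compilable model of the behaviour described in steps 101 to 117 and in the C_FindObjectsInit/C_SignInit handling above, showing both sides of the exchange. The PKCS#11 function names and the flag value 0x00000100 (CKF_PROTECTED_AUTHENTICATION_PATH) are taken from the PKCS#11 specification; the token with its PIN and retry counter, the PIN pad callbacks standing in for the middleware's input box, and the file-name check standing in for GetModuleFileName are assumptions made for the example. Two points the patent leaves open are worth keeping in mind when reading it: a process name obtained from its path is not an authenticated identity, so any process that calls itself firefox.exe takes the preset path, and a keyboard hook installed in the same desktop session can see keystrokes delivered to a middleware-owned window too unless that window uses an input path the hook cannot observe, which the text does not specify.

```c
/* Added example, not the patent's or Feitian's code: a compilable model of the
 * middleware behaviour in steps 101-117 and in the C_FindObjectsInit/C_SignInit
 * handling. PKCS#11 names and the flag value 0x00000100
 * (CKF_PROTECTED_AUTHENTICATION_PATH) are from the PKCS#11 specification; the
 * token, the PIN pad callbacks and the process check are stand-ins. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL /* the "second preset value" */
#define CKR_OK            0x00UL
#define CKR_PIN_INCORRECT 0xA0UL
#define CKR_PIN_LOCKED    0xA4UL

typedef struct {               /* stand-in for the hardware device */
    const char *pin;           /* PIN held by the device (constructed value) */
    int retries_left;          /* PIN retry counter; 0 means the PIN is locked */
    unsigned long flags;       /* token flags the device itself reports */
} token_t;

typedef struct {               /* per-session state kept by the middleware */
    token_t *token;
    bool preset_process;       /* "process information == first preset value" */
    bool logged_in;            /* login status in the session information */
} session_t;

typedef const char *(*pin_pad_fn)(void); /* the middleware-owned PIN input box */

static bool ieq(const char *a, const char *b) { /* ASCII case-insensitive compare */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Steps 102-103: stand-in for GetModuleFileName + basename. The patent's preset
 * process is the Firefox browser; only the file name is checked. */
bool process_is_preset(const char *full_path) {
    const char *base = strrchr(full_path, '\\');
    if (base == NULL) base = strrchr(full_path, '/');
    base = base ? base + 1 : full_path;
    return ieq(base, "firefox.exe");
}

/* Steps 104-105: a preset process is told the token has a protected
 * authentication path, so it will not collect the PIN itself. */
unsigned long middleware_GetTokenInfo(const session_t *s) {
    unsigned long f = s->token->flags;
    return s->preset_process ? (f | CKF_PROTECTED_AUTHENTICATION_PATH) : f;
}

/* Steps 109-117: send the PIN to the device, track retries, report lock-out. */
static unsigned long verify_pin(session_t *s, const char *pin) {
    token_t *t = s->token;
    if (t->retries_left == 0) return CKR_PIN_LOCKED;
    if (pin == NULL || strcmp(pin, t->pin) != 0) {
        t->retries_left--;
        return t->retries_left == 0 ? CKR_PIN_LOCKED : CKR_PIN_INCORRECT;
    }
    s->logged_in = true;
    return CKR_OK;
}

/* Steps 106-117: for a preset process the PIN comes from the middleware's own
 * input box and app_pin is ignored; otherwise the application supplies it. */
unsigned long middleware_Login(session_t *s, const char *app_pin, pin_pad_fn pad) {
    return verify_pin(s, s->preset_process ? pad() : app_pin);
}

/* C_FindObjectsInit / C_SignInit for a preset process: prompt through the
 * middleware pad only if the session is not logged in yet. Other processes are
 * just recorded (the patent stores handle and mechanism and returns success). */
unsigned long middleware_SignInit(session_t *s, pin_pad_fn pad) {
    if (!s->preset_process || s->logged_in) return CKR_OK;
    return verify_pin(s, pad());
}

/* Application side, as a PKCS#11 client such as NSS behaves: when the protected
 * path flag is set it calls C_Login with no PIN, so the PIN never enters the
 * application process; otherwise it passes the PIN from its own dialog. */
unsigned long app_login(session_t *s, const char *dialog_pin, pin_pad_fn pad) {
    if (middleware_GetTokenInfo(s) & CKF_PROTECTED_AUTHENTICATION_PATH)
        return middleware_Login(s, NULL, pad);
    return middleware_Login(s, dialog_pin, pad);
}

/* Constructed PIN pad callbacks standing in for user input. */
const char *pad_correct(void) { return "123456"; }
const char *pad_wrong(void)   { return "000000"; }

/* Firefox scenario: one mistyped PIN, then the right one. Returns 0 on success. */
int scenario_firefox(void) {
    token_t tok = { "123456", 3, 0 };
    session_t s = { &tok, process_is_preset("C:\\Program Files\\Mozilla Firefox\\firefox.exe"), false };
    if (middleware_GetTokenInfo(&s) != CKF_PROTECTED_AUTHENTICATION_PATH) return 1;
    if (app_login(&s, NULL, pad_wrong) != CKR_PIN_INCORRECT || tok.retries_left != 2) return 2;
    if (app_login(&s, NULL, pad_correct) != CKR_OK || !s.logged_in) return 3;
    return middleware_SignInit(&s, pad_wrong) == CKR_OK ? 0 : 4; /* no second prompt */
}

int main(void) {
    printf("firefox scenario: %s\n", scenario_firefox() == 0 ? "ok" : "failed");
    return 0;
}
```

Build with any C99 compiler; `main` runs the Firefox scenario. The non-preset path (token flags reported unchanged, PIN supplied by the application) and the lock-out once the retry counter reaches zero are exercised the same way by calling `app_login` on a session whose `preset_process` is false.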
By modifying the middleware's interface handling when it is called by a preset process, the embodiment of the present invention ensures that every PIN code input box popped up while two-way SSL is being established is controlled by the middleware, so that the PIN code typed by the user into the box is protected from being stolen and the security of two-way SSL authentication is improved.
Based on the two-way SSL authentication method above, an embodiment of the present invention also provides a middleware, shown in Fig. 4, comprising:
a first judging module 410, for judging whether the application process is a preset process when the C_GetTokenInfo interface is called by the application process;
specifically, the first judging module 410 comprises:
an obtaining sub-module, for obtaining the process name of the application process;
a judging sub-module, for judging, based on the process name obtained by the obtaining sub-module, whether the application process is a preset process.
In this embodiment the obtaining sub-module is specifically for calling the GetModuleFileName function to obtain the full path of the application process and extracting the process name from the full path.
a first processing module 420, for, when the first judging module 410 judges that the application process is a preset process, setting the value of the flag in the token to the second preset value, returning the value of the flag in the token to the application process, and sending a success message to the application process;
a second processing module 430, for, when the first judging module 410 judges that the application process is not a preset process, reading the value of the flag in the token, returning it to the application process, and sending a success message to the application process;
a second judging module 440, for judging whether the application process is a preset process when the C_Login interface is called by the application process;
a third processing module 450, for, when the second judging module 440 judges that the application process is a preset process, returning the second preset value to the application process as the value of the flag in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through that box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it, and, if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process, or, if the PIN code is wrong, sending a failure message to the application process.
Preferably, the third processing module 450 is also for obtaining the remaining PIN code retry count from the token information and outputting it to the application process after judging that the verification result is a wrong PIN code, and for sending a locked message to the application process when it judges that the verification result is a locked PIN code.
a fourth processing module 460, for, when the second judging module 440 judges that the application process is not a preset process, obtaining the PIN code entered by the user, sending it to the hardware device, receiving the verification result returned by the hardware device and judging it, and, if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process, or, if the PIN code is wrong, sending a failure message to the application process.
Further, the middleware also comprises:
a setting module, for setting the process information to the first preset value after the first judging module 410 judges that the application process is a preset process.
Correspondingly, the second judging module 440 is specifically for judging whether the process information equals the first preset value; if so, it determines that the application process is a preset process; otherwise, it determines that the application process is not a preset process.
Further, the middleware also comprises:
a fifth processing module, for, when the C_Sign interface is called by the application process, obtaining the session handle and the data to be signed, obtaining the private key handle and the signature mechanism through the session handle, obtaining the signing key through the private key handle, performing the signature operation on the data with the signing key according to the signature mechanism, returning the signature result to the application process, and sending a success message to the application process;
a sixth processing module, for, when the C_OpenSession interface is called by the application process, opening a session identified by a session handle and sending a success message to the application process;
a seventh processing module, for, when the C_FindObjectsInit interface is called by the application process, judging whether the application process is a preset process and, if it is not, obtaining the session handle, initializing the private key object template through the session handle, recording the private key object template against the session handle, and sending a success message to the application process;
if it is a preset process, reading the login status from the session information and judging whether it is logged in; if so, obtaining the session handle, initializing the private key object template through the session handle, recording the private key object template against the session handle, and sending a success message to the application process; otherwise, popping up a PIN code input box, obtaining the PIN code entered by the user through that box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it, and, if the PIN code is correct, setting the login status in the session information to logged in, initializing the private key object template through the session handle, recording the private key object template against the session handle, and sending a success message to the application process, or, if the PIN code is wrong, sending a failure message to the application process.
Preferably, the seventh processing module is also for obtaining the remaining PIN code retry count from the token information and outputting it to the application process after judging that the verification result is a wrong PIN code, and for sending a locked message to the application process when it judges that the verification result is a locked PIN code.
Further, the middleware also comprises:
an eighth processing module, for, when the C_FindObjects interface is called by the application process, obtaining the session handle, obtaining the private key object template through the session handle, searching for private key objects matching the template and, if any are found, obtaining the private key handle corresponding to each private key object found, returning the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, returning it to the application process, and sending a success message to the application process;
a ninth processing module, for, when the C_SignInit interface is called by the application process, judging whether the application process is a preset process and, if it is not, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism against the session handle, and sending a success message to the application process;
if it is a preset process, performing the following operations:
A1: reading the login status from the session information and judging whether it is logged in; if so, performing step A2; otherwise, performing step A3;
A2: obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism against the session handle, and sending a success message to the application process;
A3: popping up a PIN code input box, obtaining the PIN code entered by the user through that box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it; if the PIN code is correct, performing step A4; if the PIN code is wrong, performing step A5;
A4: setting the login status in the session information to logged in, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism against the session handle, and sending a success message to the application process;
A5: outputting the remaining PIN code retry count to the application process and returning to step A3.
Preferably, the ninth processing module is also for obtaining the remaining PIN code retry count from the token information and outputting it to the application process after judging that the verification result is a wrong PIN code, and for sending a locked message to the application process when it judges that the verification result is a locked PIN code.
By modifying the middleware's interface handling when it is called by a preset process, the embodiment of the present invention ensures that every PIN code input box popped up while two-way SSL is being established is controlled by the middleware, so that the PIN code typed by the user into the box is protected from being stolen and the security of two-way SSL authentication is improved.
The steps of the method described in the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The above are only specific embodiments of the present invention, but the protection scope of the invention is not limited to them. Any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed by the invention, and all of these fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be determined by the protection scope of the claims.

Claims (26)

1. a two-way SSL authentication method for safety, is characterized in that, comprise the following steps:
S1, middleware are waited for and are employed process transfer, when C_GetTokenInfo interface is called by described application process, perform step S2; When C_Login interface is called by described application process, perform step S5;
Whether application process described in S2, described middleware judges is default process, if so, then performs step S3; Otherwise, perform step S4;
The value of the flag in S3, described middleware token is revised as the second preset value, and the value of the flag in described token is exported to described application process, sends success message, and return step S1 to described application process;
S4, described middleware obtain the value of the flag in token, export the value of the flag in described token to described application process, send success message, and return step S1 to described application process;
Whether application process described in S5, described middleware judges is default process, if so, then performs step S6; Otherwise, perform step S7;
Second preset value is exported to described application process as the value of the flag in token by S6, described middleware, eject PIN code input frame, the PIN code of user's input is obtained by described PIN code input frame, described PIN code is sent to hardware device, receives the result that described hardware device returns, described the result is judged, if PIN code is correct, then the logging status in session information is set to log in, sends success message to described application process, and return step S1; If PIN code mistake, then send failed message to described application process, and return step S1;
S7, described middleware obtain the PIN code of user's input, described PIN code is sent to hardware device, receive the result that described hardware device returns, described the result is judged, if PIN code is correct, then the logging status in session information is set to log in, sends success message to described application process, and return step S1; If PIN code mistake, then send failed message to described application process, and return step S1.
2. The method of claim 1, characterized in that, in step S2, after the middleware judges that the application process is the preset process, the method further comprises:
the middleware sets progress information to a first preset value;
and step S5 specifically comprises:
the middleware judges whether the progress information is the first preset value; if so, it determines that the application process is the preset process; otherwise, it determines that the application process is not the preset process.
3. The method of claim 1, characterized in that the middleware judging whether the application process is the preset process specifically comprises:
the middleware obtains the process name of the application process and judges, according to the process name, whether the application process is the preset process.
4. The method of claim 3, characterized in that the middleware obtaining the process name of the application process specifically comprises:
the middleware obtains the full path of the application process by calling the GetModuleFileName function, and obtains the process name from the full path.
5. The method of claim 1, characterized in that it further comprises:
when the C_Sign interface is called by the application process, the middleware obtains a session handle and the data to be signed, obtains a private key handle and a signature mechanism through the session handle, obtains a signing key through the private key handle, performs a signature operation on the data to be signed using the signing key according to the signature mechanism to obtain a signature result, outputs the signature result to the application process, sends a success message to the application process, and returns to step S1.
6. The method of claim 1, characterized in that it further comprises:
when the C_OpenSession interface is called by the application process, the middleware opens a session through a session handle, sends a success message to the application process, and returns to step S1.
7. The method of claim 1, characterized in that it further comprises:
when the C_FindObjectsInit interface is called by the application process, the middleware judges whether the application process is the preset process; if it is not the preset process, the middleware obtains a session handle, initializes a private key object template through the session handle, records the private key object template by the session handle, sends a success message to the application process, and returns to step S1;
if it is the preset process, the middleware obtains the login status in the session information and judges whether the login status is logged in; if so, it obtains a session handle, initializes a private key object template through the session handle, records the private key object template by the session handle, sends a success message to the application process, and returns to step S1; otherwise, it pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges the verification result; if the PIN code is correct, the login status in the session information is set to logged in, a private key object template is initialized through the session handle, the private key object template is recorded by the session handle, a success message is sent to the application process, and the method returns to step S1; if the PIN code is wrong, a failure message is sent to the application process, and the method returns to step S1.
8. The method of claim 1, characterized in that it further comprises:
when the C_FindObjects interface is called by the application process, the middleware obtains a session handle, obtains the private key object template through the session handle, and searches for private key objects through the private key object template; if any are found, the middleware obtains the private key handles corresponding to the private key objects found, outputs the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step S1; otherwise, the middleware sets the private key count to zero, outputs the private key count to the application process, sends a success message to the application process, and returns to step S1.
9. The method of claim 1, characterized in that it further comprises:
when the C_SignInit interface is called by the application process, the middleware judges whether the application process is the preset process; if it is not the preset process, the middleware obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism by the session handle, sends a success message to the application process, and returns to step S1;
if it is the preset process, the following operations are performed:
A1: the middleware obtains the login status in the session information and judges whether the login status is logged in; if so, step A2 is performed; otherwise, step A3 is performed;
A2: the middleware obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism by the session handle, sends a success message to the application process, and returns to step S1;
A3: the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges the verification result; if the PIN code is correct, step A4 is performed; if the PIN code is wrong, step A5 is performed;
A4: the middleware sets the login status in the session information to logged in, obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism by the session handle, sends a success message to the application process, and returns to step S1;
A5: the middleware outputs the PIN code retry count to the application process, and returns to step A3.
10. The method of claim 1, 7 or 9, characterized in that, after the middleware judges that the verification result is that the PIN code is wrong, the method further comprises:
the middleware obtains the PIN code retry count from the token information and outputs the PIN code retry count to the application process.
11. The method of claim 1, 7 or 9, characterized in that, after the middleware judges the verification result, the method further comprises:
if the PIN code is locked, the middleware sends a locked message to the application process, and returns to step S1.
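The C_GetTokenInfo and C_Login dispatch of claims 1, 2, 10 and 11, as an added simulation that is not the patent's own code: the preset process receives the second flag value and the middleware collects the PIN through its own input box, so the application never handles the PIN; other callers authenticate with the PIN they pass in; a wrong PIN exports the retry count and exhausting it locks the token. The process name, flag values, retry limit, device PIN and all struct and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation, not the patent's code: models the C_GetTokenInfo and
 * C_Login dispatch of claims 1, 2, 10 and 11. The process name, flag values,
 * retry limit and device PIN are assumptions chosen for the example. */
#define PRESET_PROCESS_NAME "browser.exe" /* hypothetical preset process */
#define FLAG_DEFAULT        0x0u          /* flag value handed to other callers */
#define FLAG_SECOND_PRESET  0x100u        /* the "second preset value" of step S3 */
#define PIN_RETRY_LIMIT     3

enum result { RES_OK, RES_FAIL, RES_LOCKED };

/* Simulated hardware device: holds the PIN and enforces the retry counter. */
struct device { const char *pin; int retries_left; };
/* Middleware-side token information (claim 10 reads the retry count from it). */
struct token { unsigned flags; int pin_retries; };
/* Session information: login status plus the progress flag of claim 2. */
struct session { bool logged_in; bool preset_process; };

/* Device-side verification: a wrong PIN consumes one retry; at zero the PIN locks. */
static enum result device_verify_pin(struct device *d, const char *pin) {
    if (d->retries_left <= 0) return RES_LOCKED;
    if (strcmp(d->pin, pin) == 0) { d->retries_left = PIN_RETRY_LIMIT; return RES_OK; }
    d->retries_left--;
    return d->retries_left == 0 ? RES_LOCKED : RES_FAIL;
}

/* Stand-in for claim 4, which derives the process name via GetModuleFileName. */
static bool is_preset_process(const char *process_name) {
    return strcmp(process_name, PRESET_PROCESS_NAME) == 0;
}

/* Steps S2-S4: the preset process receives the second flag value and the
 * session records that fact (claim 2's "progress information"). */
static unsigned mw_get_token_info(struct token *t, struct session *s, const char *caller) {
    s->preset_process = is_preset_process(caller);
    if (s->preset_process) t->flags = FLAG_SECOND_PRESET;
    return t->flags;
}

/* Steps S5-S7: for the preset process the middleware collects the PIN through
 * its own input box (prompt_pin) and ignores what the application passed;
 * other processes authenticate with the PIN they supplied. On a wrong PIN the
 * retry count is exported (claim 10); a locked PIN is reported as such (claim 11). */
static enum result mw_login(struct token *t, struct session *s, struct device *d,
                            const char *app_pin, const char *(*prompt_pin)(void)) {
    const char *pin = s->preset_process ? prompt_pin() : app_pin;
    enum result r = device_verify_pin(d, pin);
    if (r == RES_OK) s->logged_in = true;
    else t->pin_retries = d->retries_left;
    return r;
}

/* Constructed stand-ins for the middleware's PIN input box. */
static const char *prompt_correct(void) { return "1234"; }
static const char *prompt_wrong(void)   { return "0000"; }

int main(void) {
    struct device d = { "1234", PIN_RETRY_LIMIT };
    struct token t = { FLAG_DEFAULT, PIN_RETRY_LIMIT };
    struct session s = { false, false };
    printf("flags for browser.exe: 0x%x\n", mw_get_token_info(&t, &s, "browser.exe"));
    /* The application's PIN argument is ignored for the preset process. */
    printf("login via middleware input box: %s\n",
           mw_login(&t, &s, &d, "ignored", prompt_correct) == RES_OK ? "ok" : "fail");
    (void)prompt_wrong;
    return 0;
}
```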
12. A middleware, characterized in that it comprises:
a first judging module, for judging, when the C_GetTokenInfo interface is called by an application process, whether the application process is a preset process;
a first processing module, for, when the first judging module judges that the application process is the preset process, changing the value of the flag in the token to a second preset value, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second processing module, for, when the first judging module judges that the application process is not the preset process, obtaining the value of the flag in the token, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second judging module, for judging, when the C_Login interface is called by the application process, whether the application process is the preset process;
a third processing module, for, when the second judging module judges that the application process is the preset process, outputting the second preset value to the application process as the value of the flag in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module, for, when the second judging module judges that the application process is not the preset process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
13. The middleware of claim 12, characterized in that it further comprises:
a setting module, for setting progress information to a first preset value after the first judging module judges that the application process is the preset process;
and the second judging module is specifically for judging whether the progress information is the first preset value; if so, determining that the application process is the preset process; otherwise, determining that the application process is not the preset process.
14. The middleware of claim 12, characterized in that the first judging module comprises:
an obtaining submodule, for obtaining the process name of the application process;
a judging submodule, for judging, according to the process name obtained by the obtaining submodule, whether the application process is the preset process.
15. The middleware of claim 14, characterized in that
the obtaining submodule is specifically for obtaining the full path of the application process by calling the GetModuleFileName function, and obtaining the process name from the full path.
16. The middleware of claim 12, characterized in that it further comprises:
a fifth processing module, for, when the C_Sign interface is called by the application process, obtaining a session handle and the data to be signed, obtaining a private key handle and a signature mechanism through the session handle, obtaining a signing key through the private key handle, performing a signature operation on the data to be signed using the signing key according to the signature mechanism to obtain a signature result, outputting the signature result to the application process, and sending a success message to the application process.
17. The middleware of claim 12, characterized in that it further comprises:
a sixth processing module, for, when the C_OpenSession interface is called by the application process, opening a session through a session handle and sending a success message to the application process.
18. The middleware of claim 12, characterized in that it further comprises:
a seventh processing module, for, when the C_FindObjectsInit interface is called by the application process, judging whether the application process is the preset process; if it is not the preset process, obtaining a session handle, initializing a private key object template through the session handle, recording the private key object template by the session handle, and sending a success message to the application process;
if it is the preset process, obtaining the login status in the session information and judging whether the login status is logged in; if so, obtaining a session handle, initializing a private key object template through the session handle, recording the private key object template by the session handle, and sending a success message to the application process; otherwise, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in, initializing a private key object template through the session handle, recording the private key object template by the session handle, and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
19. The middleware of claim 18, characterized in that
the seventh processing module is further for, after judging that the verification result is that the PIN code is wrong, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
20. The middleware of claim 18, characterized in that
the seventh processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
21. The middleware of claim 12, characterized in that it further comprises:
an eighth processing module, for, when the C_FindObjects interface is called by the application process, obtaining a session handle, obtaining the private key object template through the session handle, and searching for private key objects through the private key object template; if any are found, obtaining the private key handles corresponding to the private key objects found, outputting the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, outputting the private key count to the application process, and sending a success message to the application process.
22. The middleware of claim 12, characterized in that it further comprises:
a ninth processing module, for, when the C_SignInit interface is called by the application process, judging whether the application process is the preset process; if it is not the preset process, obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism by the session handle, and sending a success message to the application process;
if it is the preset process, performing the following operations:
A1: obtaining the login status in the session information and judging whether the login status is logged in; if so, performing step A2; otherwise, performing step A3;
A2: obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism by the session handle, and sending a success message to the application process;
A3: popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, performing step A4; if the PIN code is wrong, performing step A5;
A4: setting the login status in the session information to logged in, obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism by the session handle, and sending a success message to the application process;
A5: outputting the PIN code retry count to the application process, and returning to step A3.
23. The middleware of claim 22, characterized in that
the ninth processing module is further for, after judging that the verification result is that the PIN code is wrong, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
24. The middleware of claim 22, characterized in that
the ninth processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
25. The middleware of claim 12, characterized in that
the third processing module is further for, after judging that the verification result is that the PIN code is wrong, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
26. The middleware of claim 12, characterized in that
the third processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
Application CN201410848953.3A, priority date 2014-12-29, filing date 2014-12-29, "A kind of safe two-way SSL authentication methods and device", Active, granted as CN104539620B (en)

Publications (2)

Publication Number Publication Date
CN104539620A true CN104539620A (en) 2015-04-22
CN104539620B CN104539620B (en) 2017-09-22

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant