CN104539620B - Secure two-way SSL authentication method and device - Google Patents
Secure two-way SSL authentication method and device
- Publication number: CN104539620B (application CN201410848953.3A)
- Authority: CN (China)
- Prior art keywords: application process, PIN code, private key, handle, middleware
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Abstract
The present invention discloses a secure two-way SSL authentication method and middleware, applied in a system comprising a host and a hardware device connected to the host. The host includes middleware and an application process, and the application process performs two-way SSL authentication by calling the interfaces of the middleware. By changing the processing logic of the middleware's predetermined interfaces when they are called by a process, the invention ensures that the PIN code input box shown while establishing two-way SSL is always controlled by the middleware. This prevents the PIN code the user enters in the PIN code input box from being stolen and improves the security of two-way SSL authentication.
Description
Technical field
The present invention relates to the field of information security, and in particular to a secure two-way SSL authentication method and device.
Background technology
Two-way SSL (Secure Socket Layer) authentication provides security and data-integrity guarantees for network communication, preventing data transmitted over the network from being intercepted and tampered with.
In the prior art, when two-way SSL is established through PKCS#11 in some browsers (for example, the Firefox browser), the PIN code input box is shown by the browser and is not controlled by the middleware. The PIN code the user enters in that box may be captured and copied by a keyboard hook, so there is a risk of PIN code leakage and the security of two-way SSL authentication cannot be guaranteed.
Summary of the invention
The invention provides a secure two-way SSL authentication method and device to address the risk, present in the prior art, that the PIN code is easily leaked.
The invention provides a secure two-way SSL authentication method comprising the following steps:
S1. The middleware waits to be called by the application process. When the C_GetTokenInfo interface is called by the application process, step S2 is performed; when the C_Login interface is called by the application process, step S5 is performed.
S2. The middleware judges whether the application process is the preset process; if so, step S3 is performed, otherwise step S4 is performed.
S3. The middleware changes the value of the flag bit in the token to the second preset value, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1.
S4. The middleware obtains the value of the flag bit in the token, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1.
S5. The middleware judges whether the application process is the preset process; if so, step S6 is performed, otherwise step S7 is performed.
S6. The middleware outputs the second preset value to the application process as the value of the flag bit in the token, pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step S1; if the PIN code is wrong, it sends a failure message to the application process and returns to step S1.
S7. The middleware obtains the PIN code entered by the user, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step S1; if the PIN code is wrong, it sends a failure message to the application process and returns to step S1.
The invention also provides a secure two-way SSL authentication device comprising:
a first judging module for judging, when the C_GetTokenInfo interface is called by the application process, whether the application process is the preset process;
a first processing module for, when the first judging module judges that the application process is the preset process, changing the value of the flag bit in the token to the second preset value, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second processing module for, when the first judging module judges that the application process is not the preset process, obtaining the value of the flag bit in the token, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second judging module for judging, when the C_Login interface is called by the application process, whether the application process is the preset process;
a third processing module for, when the second judging module judges that the application process is the preset process, outputting the second preset value to the application process as the value of the flag bit in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module for, when the second judging module judges that the application process is not the preset process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Beneficial effect of the invention: by changing the processing logic of the middleware's predetermined interfaces when they are called by a process, the PIN code input box shown while establishing two-way SSL is always controlled by the middleware, which prevents the PIN code the user enters in the PIN code input box from being stolen and improves the security of two-way SSL authentication.
Brief description of the drawings
Fig. 1 is a structural diagram of a secure two-way SSL authentication system in an embodiment of the present invention;
Fig. 2 and Fig. 3 are flow charts of a secure two-way SSL authentication method in an embodiment of the present invention;
Fig. 4 is a structural diagram of a secure two-way SSL authentication device in an embodiment of the present invention.
Detailed description
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiments of the invention provide a secure two-way SSL authentication method applied in a system comprising a host and a hardware device connected to the host. As shown in Fig. 1, the host includes middleware and an application process, and the application process performs two-way SSL authentication by calling the interfaces of the middleware. The specific flow, shown in Figs. 2 and 3, comprises the following steps:
Step 101: The middleware waits to be called by the application process. When the C_GetTokenInfo interface is called by the application process, step 102 is performed; when the C_Login interface is called by the application process, step 106 is performed; when the C_Sign interface is called by the application process, step 118 is performed.
Step 102: The middleware obtains the process name of the application process.
Specifically, the middleware obtains the full path of the application process by calling the GetModuleFileName function and extracts the process name from the full path.
Step 103: Based on the process name obtained, the middleware judges whether the application process is the preset process; if so, step 104 is performed, otherwise step 105 is performed.
The preset process may be the Firefox browser process or another browser process.
Step 104: The middleware sets the process information to the first preset value, changes the value of the flag bit in the token to the second preset value, outputs the second preset value to the application process as the value of the flag bit in the token, sends a success message to the application process, and returns to step 101.
The process information records the type of process that called the middleware interface: when the process information equals the first preset value, the calling process is the preset process; when it has any other value, the calling process is some other process. The flag bit in the token records whether a login to the token is required: when the value of the flag bit is the second preset value, no login to the token is required; when it has any other value, a login to the token is required. In this embodiment the second preset value is 0x00000100.
Step 105: The middleware obtains the value of the flag bit in the token, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step 101.
Step 106: The middleware judges whether the process information is the first preset value; if so, step 107 is performed, otherwise step 113 is performed.
Step 107: The middleware outputs the second preset value to the application process as the value of the flag bit in the token.
Step 108: The middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, and receives the verification result returned by the hardware device.
Step 109: The middleware judges the verification result received. If the PIN code is correct, step 110 is performed; if the PIN code is wrong, step 111 is performed; if the PIN code is locked, step 112 is performed.
Step 110: The middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 111: The middleware obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, and returns to step 108.
Step 112: The middleware sends a locked message to the application process and returns to step 101.
Step 113: The middleware obtains the PIN code entered by the user, sends the PIN code to the hardware device, and receives the verification result returned by the hardware device.
Step 114: The middleware judges the verification result received. If the PIN code is correct, step 115 is performed; if the PIN code is wrong, step 116 is performed; if the PIN code is locked, step 117 is performed.
Step 115: The middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 116: The middleware obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101.
Step 117: The middleware sends a locked message to the application process and returns to step 101.
Step 118: The middleware obtains the session handle and the data to be signed, obtains the private key handle and the signature mechanism through the session handle, obtains the signing key through the private key handle, performs the signature operation on the data using the signing key according to the signature mechanism obtained, obtains the signature result, outputs the signature result to the application process, sends a success message to the application process, and returns to step 101.
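The C_GetTokenInfo and C_Login handling of steps 101 to 117, as an added example in C rather than the patent's own code: a simulated PKCS#11-style middleware that reports the rewritten flag to the preset process, collects the PIN itself, and handles the wrong-PIN retry and locked paths. The process name "firefox.exe", the card PIN "1234", the retry limit of 3 and the scripted PIN prompt are constructed for the demo; the embodiment's second preset value 0x00000100 is also the value of the standard PKCS#11 token flag CKF_PROTECTED_AUTHENTICATION_PATH, which is what tells an application not to prompt for the PIN itself.

```c
/* Added example (not the patent's code): simulated middleware for steps 101-117. */
#include <stdbool.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
#define CKR_OK             0x00UL
#define CKR_ARGUMENTS_BAD  0x07UL
#define CKR_PIN_INCORRECT  0xA0UL   /* standard PKCS#11 return codes */
#define CKR_PIN_LOCKED     0xA4UL
#define CKF_LOGIN_REQUIRED 0x04UL   /* standard PKCS#11 token flag */

/* The embodiment's second preset value; in PKCS#11 this bit is
 * CKF_PROTECTED_AUTHENTICATION_PATH ("PIN is entered outside the application"). */
#define FLAG_NO_LOGIN_NEEDED 0x00000100UL
#define PROCESS_IS_PRESET    1    /* the "first preset value" of the process information */
#define MAX_PIN_RETRIES      3    /* constructed retry limit of the simulated card */

struct token {                    /* simulated hardware device (constructed) */
    CK_FLAGS flags;
    const char *pin;              /* a real card verifies on-chip; this is a stand-in */
    int retries_left;
    bool locked;
};

struct middleware {
    int process_info;             /* PROCESS_IS_PRESET or 0 */
    bool logged_in;               /* login status kept in the session information */
    struct token *tok;
    const char *(*prompt_pin)(void); /* the middleware-owned PIN box of step 108 */
};

/* Steps 102-103: process name taken from the full path (GetModuleFileName on Windows). */
static bool is_preset_process(const char *full_path, const char *preset_name) {
    const char *name = strrchr(full_path, '\\');
    if (!name) name = strrchr(full_path, '/');
    name = name ? name + 1 : full_path;
    return strcmp(name, preset_name) == 0;
}

/* Steps 101-105: C_GetTokenInfo. The preset browser is told that no login is
 * needed, so it never shows its own PIN dialog; other callers see the true flags. */
static CK_RV mw_get_token_info(struct middleware *mw, const char *caller_path,
                               CK_FLAGS *flags_out) {
    if (is_preset_process(caller_path, "firefox.exe")) {
        mw->process_info = PROCESS_IS_PRESET;             /* step 104 */
        mw->tok->flags = FLAG_NO_LOGIN_NEEDED;
    } else {
        mw->process_info = 0;                             /* step 105 */
    }
    *flags_out = mw->tok->flags;
    return CKR_OK;
}

/* Card-side PIN check with retry counter and lockout (steps 109-112 and 114-117). */
static CK_RV token_verify_pin(struct token *t, const char *pin) {
    if (t->locked) return CKR_PIN_LOCKED;
    if (pin && strcmp(t->pin, pin) == 0) { t->retries_left = MAX_PIN_RETRIES; return CKR_OK; }
    if (--t->retries_left <= 0) { t->locked = true; return CKR_PIN_LOCKED; }
    return CKR_PIN_INCORRECT;
}

/* Steps 106-117: C_Login. For the preset process the PIN never arrives from the
 * application: the middleware prompts itself and re-prompts after a wrong PIN
 * (step 111 back to 108) until the card accepts or locks. Others pass the PIN in. */
static CK_RV mw_login(struct middleware *mw, const char *app_pin, int *retries_out) {
    CK_RV rv;
    if (mw->process_info == PROCESS_IS_PRESET) {
        do {
            rv = token_verify_pin(mw->tok, mw->prompt_pin());
            if (rv == CKR_PIN_INCORRECT) *retries_out = mw->tok->retries_left;
        } while (rv == CKR_PIN_INCORRECT);
    } else {
        if (!app_pin) return CKR_ARGUMENTS_BAD;
        rv = token_verify_pin(mw->tok, app_pin);
        if (rv == CKR_PIN_INCORRECT) *retries_out = mw->tok->retries_left;
    }
    if (rv == CKR_OK) mw->logged_in = true;               /* steps 110 / 115 */
    return rv;
}

/* ---- scripted scenario helpers so the flow can be exercised without a UI ---- */
static const char *g_pins[4];
static int g_pin_idx, g_last_retries;
static CK_FLAGS g_last_flags;
static const char *scripted_prompt(void) { return g_pins[g_pin_idx++]; }
int last_retries_reported(void) { return g_last_retries; }
CK_FLAGS last_flags_reported(void) { return g_last_flags; }

/* Preset browser: flags rewritten to 0x100, PIN collected by the middleware, 3 tries. */
CK_RV demo_preset_login(const char *p1, const char *p2, const char *p3) {
    struct token tok = { CKF_LOGIN_REQUIRED, "1234", MAX_PIN_RETRIES, false };
    struct middleware mw = { 0, false, &tok, scripted_prompt };
    g_pins[0] = p1; g_pins[1] = p2; g_pins[2] = p3; g_pin_idx = 0; g_last_retries = -1;
    mw_get_token_info(&mw, "C:\\Program Files\\Mozilla Firefox\\firefox.exe", &g_last_flags);
    return mw_login(&mw, NULL, &g_last_retries);
}

/* Any other process: true flags reported and the PIN comes in through C_Login. */
CK_RV demo_other_login(const char *app_pin) {
    struct token tok = { CKF_LOGIN_REQUIRED, "1234", MAX_PIN_RETRIES, false };
    struct middleware mw = { 0, false, &tok, scripted_prompt };
    g_last_retries = -1;
    mw_get_token_info(&mw, "/usr/bin/openssl", &g_last_flags);
    return mw_login(&mw, app_pin, &g_last_retries);
}
```

Calling demo_preset_login("0000", "1234", "1234") returns CKR_OK after reporting a retry count of 2 on the first wrong PIN, while three wrong PINs return CKR_PIN_LOCKED, the step 112 outcome.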
It should be noted that when the C_OpenSession interface of the middleware is called by the application process, the middleware opens a session through the session handle, sends a success message to the application process, and returns to step 101.
When the C_FindObjectsInit interface of the middleware is called by the application process, the middleware judges whether the process information is the first preset value.
If it is not the first preset value, the middleware obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101.
If it is the first preset value, the middleware obtains the login status from the session information and judges whether it is logged in. If so, it obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101. Otherwise, it pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the middleware sets the login status in the session information to logged in, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101. If the PIN code is wrong, it obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101. If the PIN code is locked, it sends a locked message to the application process.
When the C_FindObjects interface of the middleware is called by the application process, the middleware obtains the session handle, obtains the private key object template through the session handle, and searches for private key objects using the private key object template. If one is found, the middleware obtains the private key handle corresponding to the private key object found, outputs the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step 101. Otherwise, the middleware sets the private key count to zero, outputs the private key count to the application process, sends a success message to the application process, and returns to step 101.
When the C_SignInit interface of the middleware is called by the application process, the middleware judges whether the process information is the first preset value.
If it is not the first preset value, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101.
If it is the first preset value, the middleware obtains the login status from the session information and judges whether it is logged in. If so, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101; here the signature mechanism comprises the signature algorithm and the digest algorithm. Otherwise, the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it. If the PIN code is correct, the middleware sets the login status in the session information to logged in, obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101. If the PIN code is wrong, it obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101. If the PIN code is locked, it sends a locked message to the application process and returns to step 101.
By changing the processing logic of the middleware's predetermined interfaces when they are called by a process, the embodiment of the invention ensures that the PIN code input box shown while establishing two-way SSL is always controlled by the middleware. This prevents the PIN code the user enters in the PIN code input box from being stolen and improves the security of two-way SSL authentication.
Based on the two-way SSL authentication method above, the embodiment of the invention also provides a secure two-way SSL authentication device which, as shown in Fig. 4, comprises:
a first judging module 410 for judging, when the C_GetTokenInfo interface is called by the application process, whether the application process is the preset process.
Specifically, the first judging module 410 comprises:
an acquisition submodule for obtaining the process name of the application process;
a judging submodule for judging, based on the process name obtained by the acquisition submodule, whether the application process is the preset process.
In this embodiment the acquisition submodule obtains the full path of the application process by calling the GetModuleFileName function and extracts the process name from the full path.
The device further comprises a first processing module 420 for, when the first judging module 410 judges that the application process is the preset process, changing the value of the flag bit in the token to the second preset value, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second processing module 430 for, when the first judging module 410 judges that the application process is not the preset process, obtaining the value of the flag bit in the token, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second judging module 440 for judging, when the C_Login interface is called by the application process, whether the application process is the preset process;
a third processing module 450 for, when the second judging module 440 judges that the application process is the preset process, outputting the second preset value to the application process as the value of the flag bit in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Preferably, the third processing module 450 is further used, after judging that the verification result is a wrong PIN code, to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process, and, when judging that the verification result is a locked PIN code, to send a locked message to the application process.
The device further comprises a fourth processing module 460 for, when the second judging module 440 judges that the application process is not the preset process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging it; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Further, the device also comprises:
a setting module for setting the process information to the first preset value after the first judging module 410 judges that the application process is the preset process.
Correspondingly, the second judging module 440 is specifically used to judge whether the process information is the first preset value; if so, it determines that the application process is the preset process, otherwise it determines that the application process is not the preset process.
Further, the device also comprises:
a fifth processing module for, when the C_Sign interface is called by the application process, obtaining the session handle and the data to be signed, obtaining the private key handle and the signature mechanism through the session handle, obtaining the signing key through the private key handle, performing the signature operation on the data using the signing key according to the signature mechanism, obtaining the signature result, outputting the signature result to the application process, and sending a success message to the application process;
a sixth processing module for, when the C_OpenSession interface is called by the application process, opening a session through the session handle and sending a success message to the application process;
a seventh processing module for judging, when the C_FindObjectsInit interface is called by the application process, whether the application process is the preset process. If it is not the preset process, the module obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, and sends a success message to the application process.
If it is the preset process, the module obtains the login status from the session information and judges whether it is logged in. If so, it obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, and sends a success message to the application process. Otherwise, it pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges it; if the PIN code is correct, it sets the login status in the session information to logged in, initializes the private key object template through the session handle, records the private key object template through the session handle, and sends a success message to the application process; if the PIN code is wrong, it sends a failure message to the application process.
Preferably, the seventh processing module is further used, after judging that the verification result is a wrong PIN code, to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process, and, when judging that the verification result is a locked PIN code, to send a locked message to the application process.
Further, the device also comprises:
an eighth processing module for, when the C_FindObjects interface is called by the application process, obtaining the session handle, obtaining the private key object template through the session handle, and searching for private key objects using the private key object template; if one is found, obtaining the private key handle corresponding to the private key object found, outputting the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, outputting the private key count to the application process, and sending a success message to the application process;
a ninth processing module for judging, when the C_SignInit interface is called by the application process, whether the application process is the preset process. If it is not the preset process, the module obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, and sends a success message to the application process.
If it is the preset process, the module performs the following operations:
A1. Obtain the login status from the session information and judge whether it is logged in; if so, perform step A2, otherwise perform step A3.
A2. Obtain the session handle, the private key handle and the signature mechanism, record the private key handle and the signature mechanism through the session handle, and send a success message to the application process.
A3. Pop up a PIN code input box, obtain the PIN code entered by the user through the PIN code input box, send the PIN code to the hardware device, receive the verification result returned by the hardware device and judge it; if the PIN code is correct, perform step A4; if the PIN code is wrong, perform step A5.
A4. Set the login status in the session information to logged in, obtain the session handle, the private key handle and the signature mechanism, record the private key handle and the signature mechanism through the session handle, and send a success message to the application process.
A5. Output the PIN code retry count to the application process and return to step A3.
Preferably, the ninth processing module is further used, after judging that the verification result is a wrong PIN code, to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process, and, when judging that the verification result is a locked PIN code, to send a locked message to the application process.
By changing the processing logic of the middleware's predetermined interfaces when they are called by a process, the embodiment of the invention ensures that the PIN code input box shown while establishing two-way SSL is always controlled by the middleware. This prevents the PIN code the user enters in the PIN code input box from being stolen and improves the security of two-way SSL authentication.
The steps of the method described in the embodiments herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing is only a specific embodiment of the invention, and the scope of protection of the invention is not limited to it. Any change or substitution that a person familiar with the art could readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. Therefore, the scope of protection of the invention should be defined by the scope of the claims.
Claims (26)
1. a kind of safe two-way SSL authentication methods, it is characterised in that comprise the following steps:
S1, middleware wait are employed process and called, and when C_GetTokenInfo interfaces are called by the application process, perform
Step S2;When C_Login interfaces are called by the application process, step S5 is performed;
Whether application process described in S2, the middleware judges is default process, if it is, performing step S3;Otherwise, perform
Step S4;
The value of flag in token is revised as the second preset value by S3, the middleware, by the flag in the token
Value output sends success message, and return to step S1 to the application process to the application process;
S4, the middleware obtain the value of the flag in token, and the flag in the token is exported to the application process
Value, send success message, and return to step S1 to the application process;
Whether application process described in S5, the middleware judges is default process, if it is, performing step S6;Otherwise, perform
Step S7;
S6, the middleware are exported the second preset value as the value of the flag in token to the application process, eject PIN
Code input frame, obtains the PIN code that user inputs by the PIN code input frame, the PIN code is sent into hardware device, connect
The result that the hardware device is returned is received, the result is judged, if PIN code is correct, then by session
Logging status in information is set to log in, and success message, and return to step S1 are sent to the application process;If
PIN code mistake, then send failed message, and return to step S1 to the application process;
S7, the middleware obtain the PIN code of user's input, and the PIN code is sent into hardware device, receive the hardware and set
The standby the result returned, judges the result, if PIN code is correct, then by the login in session information
State is set to log in, and success message, and return to step S1 are sent to the application process;If PIN code mistake, then to
The application process sends failed message, and return to step S1.
2. The method according to claim 1, characterised in that in step S2, after the middleware judges that the application process is a preset process, the method further comprises:
the middleware sets process information to a first preset value;
and step S5 is specifically:
the middleware judges whether the process information is the first preset value; if so, it determines that the application process is a preset process; otherwise, it determines that the application process is not a preset process.
3. The method according to claim 1, characterised in that the middleware judging whether the application process is a preset process is specifically:
the middleware obtains the process name of the application process and judges, according to the process name, whether the application process is a preset process.
4. The method according to claim 3, characterised in that the middleware obtaining the process name of the application process is specifically:
the middleware obtains the full path of the application process by calling the GetModuleFileName function and obtains the process name from the full path.
5. The method according to claim 1, characterised in that it further comprises:
when the C_Sign interface is called by an application process, the middleware obtains a session handle and the data to be signed, obtains a private key handle and a signature mechanism through the session handle, obtains a signature key through the private key handle, performs a signature operation on the data to be signed with the signature key according to the signature mechanism to obtain a signature result, outputs the signature result to the application process, sends a success message to the application process, and returns to step S1.
6. The method according to claim 1, characterised in that it further comprises:
when the C_OpenSession interface is called by an application process, the middleware opens a session through a session handle, sends a success message to the application process, and returns to step S1.
7. The method according to claim 1, characterised in that it further comprises:
when the C_FindObjectsInit interface is called by an application process, the middleware judges whether the application process is a preset process; if it is not a preset process, the middleware obtains a session handle, initialises a private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1;
if it is a preset process, the middleware obtains the login status in the session information and judges whether the login status is logged in; if so, it obtains a session handle, initialises a private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1; otherwise, it pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result; if the PIN code is correct, it sets the login status in the session information to logged in, initialises a private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1; if the PIN code is wrong, it sends a failure message to the application process and returns to step S1.
8. The method according to claim 1, characterised in that it further comprises:
when the C_FindObjects interface is called by an application process, the middleware obtains a session handle, obtains the private key object template through the session handle, and searches for private key objects according to the private key object template; if any are found, the middleware obtains the private key handles corresponding to the found private key objects, outputs the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step S1; otherwise, the middleware sets the private key count to zero, outputs the private key count to the application process, sends a success message to the application process, and returns to step S1.
9. The method according to claim 1, characterised in that it further comprises:
when the C_SignInit interface is called by an application process, the middleware judges whether the application process is a preset process; if it is not a preset process, the middleware obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
if it is a preset process, the following operations are performed:
A1, the middleware obtains the login status in the session information and judges whether the login status is logged in; if so, step A2 is performed; otherwise, step A3 is performed;
A2, the middleware obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
A3, the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result; if the PIN code is correct, step A4 is performed; if the PIN code is wrong, step A5 is performed;
A4, the middleware sets the login status in the session information to logged in, obtains a session handle, a private key handle and a signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
A5, the middleware outputs the PIN code retry count to the application process and returns to step A3.
10. The method according to claim 1, 7 or 9, characterised in that after the middleware judges that the verification result is a PIN code error, the method further comprises:
the middleware obtains the PIN code retry count from the token information and outputs the PIN code retry count to the application process.
11. The method according to claim 1, 7 or 9, characterised in that after the middleware judges the verification result, the method further comprises:
if the PIN code is locked, the middleware sends a locked message to the application process and returns to step S1.
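The dispatch of claims 1, 9, 10 and 11 as an added Python simulation that is not the patent's own code: a constructed token with a retry counter, the PIN code input box modelled as a callback, and a middleware that collects the PIN itself for a preset process and loops on retries in C_SignInit until the PIN is correct or locked. The preset process names, the two flag values and the retry limit are assumptions.

```python
"""Added example (not the patent's own code): a minimal simulation of the
middleware dispatch in claims 1, 9, 10 and 11.  The token, the PIN input box
(a callback) and the preset-process list are constructed stand-ins; FLAG_DEFAULT,
FLAG_PRESET and MAX_RETRIES are assumed values."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PRESET_PROCESSES = {"browser.exe"}           # assumption: the preset process names
FLAG_DEFAULT, FLAG_PRESET = 0x0001, 0x0100   # assumption: flag values in the token
MAX_RETRIES = 3                              # assumption: PIN tries before lock-out


@dataclass
class HardwareDevice:
    """Constructed stand-in for the token: verifies the PIN and counts retries."""
    pin: str
    retries_left: int = MAX_RETRIES

    def verify(self, pin: str) -> str:
        if self.retries_left > 0 and pin == self.pin:
            self.retries_left = MAX_RETRIES
            return "ok"
        self.retries_left = max(0, self.retries_left - 1)
        return "locked" if self.retries_left == 0 else "wrong"


@dataclass
class Session:                 # the claims' "session information"
    logged_in: bool = False
    private_key_handle: Optional[int] = None
    mechanism: Optional[str] = None


class Middleware:
    def __init__(self, device: HardwareDevice, pin_box: Callable[[], str]) -> None:
        self.device, self.pin_box = device, pin_box   # pin_box: middleware's own PIN box
        self.flag = FLAG_DEFAULT                      # the flag held in the token
        self.sessions: Dict[int, Session] = {}

    @staticmethod
    def is_preset(process_name: str) -> bool:   # claims 3 and 4: decided by process name
        return process_name in PRESET_PROCESSES

    def _verify(self, session: Session, pin: str) -> str:
        result = self.device.verify(pin)         # send the PIN to the device
        if result == "ok":
            session.logged_in = True             # login status set to logged in
            return "success"
        if result == "locked":
            return "locked"                      # claim 11: locked message
        return f"failure(retries_left={self.device.retries_left})"   # claim 10

    def C_OpenSession(self) -> int:              # claim 6
        self.sessions[len(self.sessions) + 1] = Session()
        return len(self.sessions)

    def C_GetTokenInfo(self, process_name: str) -> Tuple[int, str]:   # steps S2-S4
        if self.is_preset(process_name):
            self.flag = FLAG_PRESET              # S3: rewrite the flag for a preset caller
        return self.flag, "success"

    def C_Login(self, process_name: str, handle: int, app_pin: str = "") -> Tuple[int, str]:
        session = self.sessions[handle]          # steps S5-S7
        if self.is_preset(process_name):         # S6: the middleware collects the PIN itself
            return FLAG_PRESET, self._verify(session, self.pin_box())
        return self.flag, self._verify(session, app_pin)   # S7: PIN passed in by the app

    def C_SignInit(self, process_name: str, handle: int, key: int, mech: str) -> str:
        session = self.sessions[handle]          # claim 9
        if self.is_preset(process_name) and not session.logged_in:   # A1 -> A3
            result = self._verify(session, self.pin_box())
            while result.startswith("failure"):  # A5: report retries, back to A3
                result = self._verify(session, self.pin_box())
            if result == "locked":
                return "locked"
        session.private_key_handle, session.mechanism = key, mech     # A2 / A4
        return "success"
```

For a non-preset caller the middleware never shows its own input box, so a PIN reaches the device only via the application's C_Login; the lock-out check is what stops the A3/A5 loop from re-prompting forever.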
12. A secure two-way SSL authentication device, characterised in that it comprises:
a first judging module, for judging, when the C_GetTokenInfo interface is called by an application process, whether the application process is a preset process;
a first processing module, for, when the first judging module judges that the application process is a preset process, modifying the value of the flag in the token to a second preset value, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second processing module, for, when the first judging module judges that the application process is not a preset process, obtaining the value of the flag in the token, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second judging module, for judging, when the C_Login interface is called by an application process, whether the application process is a preset process;
a third processing module, for, when the second judging module judges that the application process is a preset process, outputting the second preset value to the application process as the value of the flag in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module, for, when the second judging module judges that the application process is not a preset process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
13. The device according to claim 12, characterised in that it further comprises:
a setting module, for setting process information to a first preset value after the first judging module judges that the application process is a preset process;
the second judging module being specifically for judging whether the process information is the first preset value; if so, determining that the application process is a preset process; otherwise, determining that the application process is not a preset process.
14. The device according to claim 12, characterised in that the first judging module comprises:
an acquisition submodule, for obtaining the process name of the application process;
a judging submodule, for judging, according to the process name obtained by the acquisition submodule, whether the application process is a preset process.
15. The device according to claim 14, characterised in that
the acquisition submodule is specifically for obtaining the full path of the application process by calling the GetModuleFileName function and obtaining the process name from the full path.
16. The device according to claim 12, characterised in that it further comprises:
a fifth processing module, for, when the C_Sign interface is called by an application process, obtaining a session handle and the data to be signed, obtaining a private key handle and a signature mechanism through the session handle, obtaining a signature key through the private key handle, performing a signature operation on the data to be signed with the signature key according to the signature mechanism to obtain a signature result, outputting the signature result to the application process, and sending a success message to the application process.
17. The device according to claim 12, characterised in that it further comprises:
a sixth processing module, for, when the C_OpenSession interface is called by an application process, opening a session through a session handle and sending a success message to the application process.
18. The device according to claim 12, characterised in that it further comprises:
a seventh processing module, for, when the C_FindObjectsInit interface is called by an application process, judging whether the application process is a preset process; if it is not a preset process, obtaining a session handle, initialising a private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process;
if it is a preset process, obtaining the login status in the session information and judging whether the login status is logged in; if so, obtaining a session handle, initialising a private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; otherwise, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in, initialising a private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
19. The device according to claim 18, characterised in that
the seventh processing module is further for, after judging that the verification result is a PIN code error, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
20. The device according to claim 18, characterised in that
the seventh processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
21. The device according to claim 12, characterised in that it further comprises:
an eighth processing module, for, when the C_FindObjects interface is called by an application process, obtaining a session handle, obtaining the private key object template through the session handle, and searching for private key objects according to the private key object template; if any are found, obtaining the private key handles corresponding to the found private key objects, outputting the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, outputting the private key count to the application process, and sending a success message to the application process.
22. The device according to claim 12, characterised in that it further comprises:
a ninth processing module, for, when the C_SignInit interface is called by an application process, judging whether the application process is a preset process; if it is not a preset process, obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
if it is a preset process, performing the following operations:
A1, obtaining the login status in the session information and judging whether the login status is logged in; if so, performing step A2; otherwise, performing step A3;
A2, obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A3, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, performing step A4; if the PIN code is wrong, performing step A5;
A4, setting the login status in the session information to logged in, obtaining a session handle, a private key handle and a signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A5, outputting the PIN code retry count to the application process and returning to step A3.
23. The device according to claim 22, characterised in that
the ninth processing module is further for, after judging that the verification result is a PIN code error, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
24. The device according to claim 22, characterised in that
the ninth processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
25. The device according to claim 12, characterised in that
the third processing module is further for, after judging that the verification result is a PIN code error, obtaining the PIN code retry count from the token information and outputting the PIN code retry count to the application process.
26. The device according to claim 12, characterised in that
the third processing module is further for, when judging that the verification result is that the PIN code is locked, sending a locked message to the application process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410848953.3A CN104539620B (en) | 2014-12-29 | 2014-12-29 | A kind of safe two-way SSL authentication methods and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104539620A CN104539620A (en) | 2015-04-22 |
CN104539620B true CN104539620B (en) | 2017-09-22 |
Family ID=52855089
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |