CN104539620B - A kind of safe two-way SSL authentication methods and device - Google Patents


Info

Publication number
CN104539620B
Authority
CN
China
Prior art keywords
application process
pin code
private key
handle
middleware
Legal status
Active
Application number
CN201410848953.3A
Other languages
Chinese (zh)
Other versions
CN104539620A
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Application filed by Feitian Technologies Co Ltd
Priority to CN201410848953.3A
Publication of CN104539620A
Application granted
Publication of CN104539620B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869  Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Stored Programmes (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a secure two-way SSL authentication method and middleware, applied in a system comprising a host and a hardware device connected to the host. The host includes middleware and an application process, and the application process performs two-way SSL authentication by calling the interfaces of the middleware. By changing the processing logic that the middleware executes when its predetermined interfaces are called by a process, the invention ensures that every PIN code input box popped up while a two-way SSL connection is established is controlled by the middleware, which prevents the PIN code that the user types into the input box from being stolen and improves the security of two-way SSL authentication.

Description

A secure two-way SSL authentication method and device
Technical field
The present invention relates to the field of information security, and in particular to a secure two-way SSL authentication method and device.
Background
Two-way SSL (Secure Socket Layer) authentication is used to provide security and data-integrity guarantees for network communication, preventing data transmitted over the network from being intercepted and tampered with.
In the prior art, when some browsers (for example, the Firefox browser) establish a two-way SSL connection through PKCS#11, the PIN code input box is popped up by the browser and is not controlled by the middleware. The PIN code that the user types into that input box may be captured and copied by a keyboard hook, so there is a risk of PIN code leakage and the security of two-way SSL authentication cannot be guaranteed.
Summary of the invention
The invention provides a secure two-way SSL authentication method and device to address the risk of PIN code leakage that exists in the prior art.
The invention provides a secure two-way SSL authentication method comprising the following steps:
S1: the middleware waits to be called by an application process. When the C_GetTokenInfo interface is called by the application process, step S2 is performed; when the C_Login interface is called by the application process, step S5 is performed;
S2: the middleware judges whether the application process is a default process; if so, step S3 is performed, otherwise step S4 is performed;
S3: the middleware changes the value of the flag bit in the token to the second preset value, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1;
S4: the middleware obtains the value of the flag bit in the token, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1;
S5: the middleware judges whether the application process is a default process; if so, step S6 is performed, otherwise step S7 is performed;
S6: the middleware outputs the second preset value to the application process as the value of the flag bit in the token, pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result. If the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the method returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the method returns to step S1;
S7: the middleware obtains the PIN code entered by the user, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result. If the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the method returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the method returns to step S1.
The present invention also provides a secure two-way SSL authentication device, comprising:
a first judging module, for judging, when the C_GetTokenInfo interface is called by an application process, whether the application process is a default process;
a first processing module, for, when the first judging module judges that the application process is a default process, changing the value of the flag bit in the token to the second preset value, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second processing module, for, when the first judging module judges that the application process is not a default process, obtaining the value of the flag bit in the token, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second judging module, for judging, when the C_Login interface is called by the application process, whether the application process is a default process;
a third processing module, for, when the second judging module judges that the application process is a default process, outputting the second preset value to the application process as the value of the flag bit in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module, for, when the second judging module judges that the application process is not a default process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Beneficial effects of the present invention: by changing the processing logic that the middleware executes when its predetermined interfaces are called by a process, every PIN code input box popped up while a two-way SSL connection is established is controlled by the middleware, which prevents the PIN code that the user types into the input box from being stolen and improves the security of two-way SSL authentication.
Brief description of the drawings
Fig. 1 is a structural diagram of a secure two-way SSL authentication system in an embodiment of the present invention;
Fig. 2 and Fig. 3 are flowcharts of a secure two-way SSL authentication method in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a secure two-way SSL authentication device in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
An embodiment of the present invention provides a secure two-way SSL authentication method, applied in a system comprising a host and a hardware device connected to the host. As shown in Fig. 1, the host includes middleware and an application process, and the application process performs two-way SSL authentication by calling the interfaces of the middleware. The specific flow, shown in Figs. 2 and 3, comprises the following steps:
Step 101: the middleware waits to be called by an application process. When the C_GetTokenInfo interface is called by the application process, step 102 is performed; when the C_Login interface is called by the application process, step 106 is performed; when the C_Sign interface is called by the application process, step 118 is performed.
Step 102: the middleware obtains the process name of the application process.
Specifically, the middleware obtains the full path of the application process by calling the GetModuleFileName function and extracts the process name from the full path.
Step 103: the middleware judges, according to the process name obtained, whether the application process is a default process; if so, step 104 is performed, otherwise step 105 is performed.
The default process may be the Firefox browser process or another browser process.
Step 104: the middleware sets the process information to the first preset value, changes the value of the flag bit in the token to the second preset value, outputs the second preset value to the application process as the value of the flag bit in the token, sends a success message to the application process, and returns to step 101.
The process information records the type of the process that calls the middleware interface: when the process information equals the first preset value, the calling process is the default process; when it has any other value, the calling process is some other process. The flag bit in the token records whether the token needs to be logged in to: when the value of the flag bit is the second preset value, the token does not need to be logged in to; when it has any other value, the token needs to be logged in to. In this embodiment the second preset value is 0x00000100.
Step 105: the middleware obtains the value of the flag bit in the token, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step 101.
Step 106: the middleware judges whether the process information is the first preset value; if so, step 107 is performed, otherwise step 113 is performed.
Step 107: the middleware outputs the second preset value to the application process as the value of the flag bit in the token.
Step 108: the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, and receives the verification result returned by the hardware device.
Step 109: the middleware judges the received verification result; if the PIN code is correct, step 110 is performed; if the PIN code is wrong, step 111 is performed; if the PIN code is locked, step 112 is performed.
Step 110: the middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 111: the middleware obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, and returns to step 108.
Step 112: the middleware sends a locked message to the application process and returns to step 101.
Step 113: the middleware obtains the PIN code entered by the user, sends the PIN code to the hardware device, and receives the verification result returned by the hardware device.
Step 114: the middleware judges the received verification result; if the PIN code is correct, step 115 is performed; if the PIN code is wrong, step 116 is performed; if the PIN code is locked, step 117 is performed.
Step 115: the middleware sets the login status in the session information to logged in, sends a success message to the application process, and returns to step 101.
Step 116: the middleware obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101.
Step 117: the middleware sends a locked message to the application process and returns to step 101.
Step 118: the middleware obtains the session handle and the data to be signed, obtains the private key handle and the signature mechanism through the session handle, obtains the signing key through the private key handle, performs the signature operation on the data using the signing key according to the signature mechanism obtained, obtains the signature result, outputs the signature result to the application process, sends a success message to the application process, and returns to step 101.
It should be noted that when the C_OpenSession interface of the middleware is called by the application process, the middleware opens a session through the session handle, sends a success message to the application process, and returns to step 101.
When the C_FindObjectsInit interface of the middleware is called by the application process, the middleware judges whether the process information is the first preset value:
if it is not the first preset value, the middleware obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101;
if it is the first preset value, the middleware obtains the login status in the session information and judges whether it is logged in. If so, the middleware obtains the session handle, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101. Otherwise, the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result: if the PIN code is correct, it sets the login status in the session information to logged in, initializes the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step 101; if the PIN code is wrong, it obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101; if the PIN code is locked, it sends a locked message to the application process.
When the C_FindObjects interface of the middleware is called by the application process, the middleware obtains the session handle, obtains the private key object template through the session handle, and searches for private key objects using the private key object template. If any are found, the middleware obtains the private key handles corresponding to the private key objects found, outputs the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step 101; otherwise, the middleware sets the private key count to zero, outputs the private key count to the application process, sends a success message to the application process, and returns to step 101.
When the C_SignInit interface of the middleware is called by the application process, the middleware judges whether the process information is the first preset value:
if it is not the first preset value, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101;
if it is the first preset value, the middleware obtains the login status in the session information and judges whether it is logged in. If so, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101; here the signature mechanism comprises a signature algorithm and a digest algorithm. Otherwise, the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the received verification result: if the PIN code is correct, it sets the login status in the session information to logged in, obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step 101; if the PIN code is wrong, it obtains the PIN code retry count from the token information, outputs the PIN code retry count to the application process, sends a failure message to the application process, and returns to step 101; if the PIN code is locked, it sends a locked message to the application process and returns to step 101.
By changing the processing logic that the middleware executes when its predetermined interfaces are called by a process, the embodiment of the present invention ensures that every PIN code input box popped up while a two-way SSL connection is established is controlled by the middleware, which prevents the PIN code that the user types into the input box from being stolen and improves the security of two-way SSL authentication.
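The process-aware dispatch of steps 101 to 117 and the C_SignInit handling above, as an added example in C that is not code from the patent or from Feitian: a simulated hardware device stands in for the token, and the struct names, the scripted PIN input box and "firefox.exe" as the default process name are assumptions. The second preset value 0x00000100 is, in PKCS#11, the CKF_PROTECTED_AUTHENTICATION_PATH bit of the token flags, which is why reporting it makes a conforming browser leave PIN collection to the token-side code instead of showing its own prompt.

```c
/* Added example, not code from the patent or from Feitian: a C model of the
 * process-aware PKCS#11 dispatch described in steps 101-117 and the C_SignInit
 * paragraph, with a simulated hardware device standing in for the token. */
#include <stdio.h>
#include <string.h>

/* "Second preset value" from the text. In PKCS#11 bit 0x00000100 of the token
 * flags is CKF_PROTECTED_AUTHENTICATION_PATH: the token side (here, the
 * middleware) collects the PIN itself, so the application must not prompt. */
#define FLAG_PROTECTED_AUTH_PATH 0x00000100UL
#define PROC_DEFAULT 1   /* "first preset value": caller is the default process */
#define PROC_OTHER   0   /* any other value: caller is some other process */

enum pin_result { PIN_OK = 0, PIN_WRONG = 1, PIN_LOCKED = 2 };

/* Simulated hardware device (assumption): stores the PIN and a retry counter. */
struct token {
    char pin[16];
    int retries_left;
    unsigned long flags;             /* token flags reported by C_GetTokenInfo */
};

struct middleware {
    struct token *tok;
    int proc_info;                   /* records the type of the calling process */
    int logged_in;                   /* login status kept in the session information */
    const char *(*prompt_pin)(void); /* the middleware-controlled PIN input box */
};

/* Device side: verify one PIN attempt; the retry counter only moves on failure. */
static enum pin_result token_verify_pin(struct token *t, const char *pin) {
    if (t->retries_left <= 0) return PIN_LOCKED;
    if (strcmp(t->pin, pin) == 0) return PIN_OK;
    return --t->retries_left > 0 ? PIN_WRONG : PIN_LOCKED;
}

/* Steps 102-103: the caller is identified by the file name at the end of its full
 * path (the text obtains the path with GetModuleFileName; here it is passed in).
 * "firefox.exe" as the default process name is an assumption. */
static int is_default_process(const char *full_path) {
    const char *name = full_path, *p;
    for (p = full_path; *p; p++)
        if (*p == '\\' || *p == '/') name = p + 1;
    return strcmp(name, "firefox.exe") == 0;
}

/* C_GetTokenInfo, steps 102-105: for the default process, remember the caller
 * type and set the flag bit so the browser leaves PIN entry to the middleware. */
static unsigned long mw_get_token_info(struct middleware *mw, const char *caller_path) {
    if (is_default_process(caller_path)) {           /* step 104 */
        mw->proc_info = PROC_DEFAULT;
        mw->tok->flags |= FLAG_PROTECTED_AUTH_PATH;
    }
    return mw->tok->flags;                           /* step 105: value as stored */
}

/* Steps 109-112 / 114-117, shared by both login paths: send the PIN to the device,
 * update the session login status, and report the retries left on a wrong PIN. */
static enum pin_result mw_verify(struct middleware *mw, const char *pin, int *retries_out) {
    enum pin_result r = token_verify_pin(mw->tok, pin);
    if (r == PIN_OK) mw->logged_in = 1;
    if (r == PIN_WRONG && retries_out) *retries_out = mw->tok->retries_left;
    return r;
}

/* C_Login, steps 106-117. app_pin is whatever the application passed; for the
 * default process it is ignored and the middleware's own input box is used,
 * re-prompting on a wrong PIN (step 111 returns to step 108) until OK or locked. */
static enum pin_result mw_login(struct middleware *mw, const char *app_pin, int *retries_out) {
    enum pin_result r;
    if (mw->proc_info != PROC_DEFAULT)
        return mw_verify(mw, app_pin ? app_pin : "", retries_out); /* steps 113-117 */
    do {
        r = mw_verify(mw, mw->prompt_pin(), retries_out);          /* steps 108-112 */
    } while (r == PIN_WRONG);
    return r;
}

/* C_SignInit for the default process: a session that is not yet logged in is
 * prompted here, before the private key handle and mechanism would be recorded. */
static enum pin_result mw_sign_init(struct middleware *mw, int *retries_out) {
    if (mw->proc_info == PROC_DEFAULT && !mw->logged_in)
        return mw_verify(mw, mw->prompt_pin(), retries_out);
    return PIN_OK;
}

/* Constructed PIN entries for the simulated input box: a wrong one, then the right one. */
static const char *scripted_pins[] = { "0000", "1234" };
static int scripted_idx;
static const char *scripted_prompt(void) { return scripted_pins[scripted_idx++ % 2]; }

int main(void) {
    struct token t = { "1234", 3, 0x0000040DUL };    /* constructed token state */
    struct middleware mw = { &t, PROC_OTHER, 0, scripted_prompt };
    int retries = -1;
    unsigned long f = mw_get_token_info(&mw, "C:\\Program Files\\Mozilla Firefox\\firefox.exe");
    enum pin_result r = mw_login(&mw, NULL, &retries);
    printf("flags=0x%08lx login=%d retries_left=%d logged_in=%d\n", f, (int)r, retries, mw.logged_in);
    return 0;
}
```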
Based on the above two-way SSL authentication method, an embodiment of the present invention further provides a secure two-way SSL authentication device, shown in Fig. 4, comprising:
a first judging module 410, for judging, when the C_GetTokenInfo interface is called by an application process, whether the application process is a default process;
Specifically, the first judging module 410 comprises:
an acquisition submodule, for obtaining the process name of the application process;
a judging submodule, for judging, according to the process name obtained by the acquisition submodule, whether the application process is a default process.
In this embodiment, the acquisition submodule is specifically configured to obtain the full path of the application process by calling the GetModuleFileName function and to extract the process name from the full path.
a first processing module 420, for, when the first judging module 410 judges that the application process is a default process, changing the value of the flag bit in the token to the second preset value, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second processing module 430, for, when the first judging module 410 judges that the application process is not a default process, obtaining the value of the flag bit in the token, outputting the value of the flag bit in the token to the application process, and sending a success message to the application process;
a second judging module 440, for judging, when the C_Login interface is called by the application process, whether the application process is a default process;
a third processing module 450, for, when the second judging module 440 judges that the application process is a default process, outputting the second preset value to the application process as the value of the flag bit in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
Preferably, the third processing module 450 is further configured to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process after judging that the verification result is a wrong PIN code, and to send a locked message to the application process when judging that the verification result is that the PIN code is locked.
a fourth processing module 460, for, when the second judging module 440 judges that the application process is not a default process, obtaining the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Further, the device also comprises:
a setting module, for setting the process information to the first preset value after the first judging module 410 judges that the application process is a default process;
Correspondingly, the second judging module 440 is specifically configured to judge whether the process information is the first preset value: if so, it determines that the application process is a default process; otherwise, it determines that the application process is not a default process.
Further, the device also comprises:
a fifth processing module, for, when the C_Sign interface is called by the application process, obtaining the session handle and the data to be signed, obtaining the private key handle and the signature mechanism through the session handle, obtaining the signing key through the private key handle, performing the signature operation on the data using the signing key according to the signature mechanism, obtaining the signature result, outputting the signature result to the application process, and sending a success message to the application process;
a sixth processing module, for, when the C_OpenSession interface is called by the application process, opening a session through the session handle and sending a success message to the application process;
a seventh processing module, for, when the C_FindObjectsInit interface is called by the application process, judging whether the application process is a default process; if it is not a default process, obtaining the session handle, initializing the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process;
if it is a default process, obtaining the login status in the session information and judging whether it is logged in; if so, obtaining the session handle, initializing the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; otherwise, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, setting the login status in the session information to logged in, initializing the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
Preferably, the seventh processing module is further configured to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process after judging that the verification result is a wrong PIN code, and to send a locked message to the application process when judging that the verification result is that the PIN code is locked.
Further, the device also comprises:
an eighth processing module, for, when the C_FindObjects interface is called by the application process, obtaining the session handle, obtaining the private key object template through the session handle, and searching for private key objects using the private key object template; if any are found, obtaining the private key handles corresponding to the private key objects found, outputting the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, outputting the private key count to the application process, and sending a success message to the application process.
a ninth processing module, for, when the C_SignInit interface is called by the application process, judging whether the application process is a default process; if it is not a default process, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
if it is a default process, performing the following operations:
A1: obtaining the login status in the session information and judging whether it is logged in; if so, performing step A2; otherwise, performing step A3;
A2: obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A3: popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device, and judging the verification result; if the PIN code is correct, performing step A4; if the PIN code is wrong, performing step A5;
A4: setting the login status in the session information to logged in, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A5: outputting the PIN code retry count to the application process and returning to step A3.
Preferably, the ninth processing module is further configured to obtain the PIN code retry count from the token information and output the PIN code retry count to the application process after judging that the verification result is a wrong PIN code, and to send a locked message to the application process when judging that the verification result is that the PIN code is locked.
By changing the processing logic that the middleware executes when its predetermined interfaces are called by a process, the embodiment of the present invention ensures that every PIN code input box popped up while a two-way SSL connection is established is controlled by the middleware, which prevents the PIN code that the user types into the input box from being stolen and improves the security of two-way SSL authentication.
The steps of the methods described in the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing is only a specific embodiment of the present invention, but the scope of protection of the invention is not limited thereto. Any change or replacement that a person familiar with the technical field could readily conceive within the technical scope disclosed by the invention shall be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention shall be defined by the scope of the claims.

Claims (26)

1. A secure two-way SSL authentication method, characterized in that it comprises the following steps:
S1: the middleware waits to be called by an application process; when the C_GetTokenInfo interface is called by the application process, step S2 is performed; when the C_Login interface is called by the application process, step S5 is performed;
S2: the middleware judges whether the application process is a default process; if so, step S3 is performed, otherwise step S4 is performed;
S3: the middleware changes the value of the flag bit in the token to the second preset value, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1;
S4: the middleware obtains the value of the flag bit in the token, outputs the value of the flag bit in the token to the application process, sends a success message to the application process, and returns to step S1;
S5: the middleware judges whether the application process is a default process; if so, step S6 is performed, otherwise step S7 is performed;
S6: the middleware outputs the second preset value to the application process as the value of the flag bit in the token, pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result; if the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the method returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the method returns to step S1;
S7: the middleware obtains the PIN code entered by the user, sends the PIN code to the hardware device, receives the verification result returned by the hardware device, and judges the verification result; if the PIN code is correct, the login status in the session information is set to logged in, a success message is sent to the application process, and the method returns to step S1; if the PIN code is wrong, a failure message is sent to the application process and the method returns to step S1.
2. The method according to claim 1, characterised in that in step S2, after the middleware judges that the application process is the preset process, the method further comprises:
the middleware sets the process information to the first preset value;
and step S5 is specifically:
the middleware judges whether the process information is the first preset value; if so, it determines that the application process is the preset process; otherwise, it determines that the application process is not the preset process.
3. The method according to claim 1, characterised in that the middleware judging whether the application process is the preset process is specifically:
the middleware obtains the process name of the application process and judges, according to the process name, whether the application process is the preset process.
4. The method according to claim 3, characterised in that the middleware obtaining the process name of the application process is specifically:
the middleware obtains the full path of the application process by calling the GetModuleFileName function, and obtains the process name from the full path.
5. The method according to claim 1, characterised in that it further comprises:
when the C_Sign interface is called by the application process, the middleware obtains the session handle and the data to be signed, obtains the private key handle and the signature mechanism through the session handle, obtains the signature key through the private key handle, performs a signature operation on the data using the signature key according to the signature mechanism to obtain a signature result, outputs the signature result to the application process, sends a success message to the application process, and returns to step S1.
6. The method according to claim 1, characterised in that it further comprises:
when the C_OpenSession interface is called by the application process, the middleware opens a session through the session handle, sends a success message to the application process, and returns to step S1.
7. The method according to claim 1, characterised in that it further comprises:
when the C_FindObjectsInit interface is called by the application process, the middleware judges whether the application process is the preset process; if it is not the preset process, the middleware obtains the session handle, initialises the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1;
if it is the preset process, the middleware obtains the login state in the session information and judges whether the login state is logged in; if so, it obtains the session handle, initialises the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1; otherwise, it pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges the verification result; if the PIN code is correct, it sets the login state in the session information to logged in, initialises the private key object template through the session handle, records the private key object template through the session handle, sends a success message to the application process, and returns to step S1; if the PIN code is wrong, it sends a failure message to the application process and returns to step S1.
8. The method according to claim 1, characterised in that it further comprises:
when the C_FindObjects interface is called by the application process, the middleware obtains the session handle, obtains the private key object template through the session handle, and searches for private key objects using the private key object template; if any are found, the middleware obtains the private key handles corresponding to the private key objects found, outputs the number of private key handles to the application process as the private key count, sends a success message to the application process, and returns to step S1; otherwise, the middleware sets the private key count to zero, outputs the private key count to the application process, sends a success message to the application process, and returns to step S1.
9. The method according to claim 1, characterised in that it further comprises:
when the C_SignInit interface is called by the application process, the middleware judges whether the application process is the preset process; if it is not the preset process, the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
if it is the preset process, the following operations are performed:
A1: the middleware obtains the login state in the session information and judges whether the login state is logged in; if so, step A2 is performed; otherwise, step A3 is performed;
A2: the middleware obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
A3: the middleware pops up a PIN code input box, obtains the PIN code entered by the user through the PIN code input box, sends the PIN code to the hardware device, receives the verification result returned by the hardware device and judges the verification result; if the PIN code is correct, step A4 is performed; if the PIN code is wrong, step A5 is performed;
A4: the middleware sets the login state in the session information to logged in, obtains the session handle, the private key handle and the signature mechanism, records the private key handle and the signature mechanism through the session handle, sends a success message to the application process, and returns to step S1;
A5: the middleware outputs the remaining PIN code retry count to the application process and returns to step A3.
10. The method according to claim 1, 7 or 9, characterised in that after the middleware judges that the verification result is that the PIN code is wrong, the method further comprises:
the middleware obtains the remaining PIN code retry count from the token information and outputs the remaining PIN code retry count to the application process.
11. The method according to claim 1, 7 or 9, characterised in that after the middleware judges the verification result, the method further comprises:
if the PIN code is locked, the middleware sends a locked message to the application process and returns to step S1.
12. A secure two-way SSL authentication device, characterised in that it comprises:
a first judging module, for judging, when the C_GetTokenInfo interface is called by an application process, whether the application process is the preset process;
a first processing module, for changing, when the first judging module judges that the application process is the preset process, the value of the flag in the token to the second preset value, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second processing module, for obtaining, when the first judging module judges that the application process is not the preset process, the value of the flag in the token, outputting the value of the flag in the token to the application process, and sending a success message to the application process;
a second judging module, for judging, when the C_Login interface is called by the application process, whether the application process is the preset process;
a third processing module, for outputting, when the second judging module judges that the application process is the preset process, the second preset value to the application process as the value of the flag in the token, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login state in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process;
a fourth processing module, for obtaining, when the second judging module judges that the application process is not the preset process, the PIN code entered by the user, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login state in the session information to logged in and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
13. The device according to claim 12, characterised in that it further comprises:
a setting module, for setting the process information to the first preset value after the first judging module judges that the application process is the preset process;
the second judging module being specifically for judging whether the process information is the first preset value; if so, determining that the application process is the preset process; otherwise, determining that the application process is not the preset process.
14. The device according to claim 12, characterised in that the first judging module comprises:
an acquisition submodule, for obtaining the process name of the application process;
a judging submodule, for judging, according to the process name obtained by the acquisition submodule, whether the application process is the preset process.
15. The device according to claim 14, characterised in that
the acquisition submodule is specifically for obtaining the full path of the application process by calling the GetModuleFileName function, and obtaining the process name from the full path.
16. The device according to claim 12, characterised in that it further comprises:
a fifth processing module, for obtaining, when the C_Sign interface is called by the application process, the session handle and the data to be signed, obtaining the private key handle and the signature mechanism through the session handle, obtaining the signature key through the private key handle, performing a signature operation on the data using the signature key according to the signature mechanism to obtain a signature result, outputting the signature result to the application process, and sending a success message to the application process.
17. The device according to claim 12, characterised in that it further comprises:
a sixth processing module, for opening, when the C_OpenSession interface is called by the application process, a session through the session handle, and sending a success message to the application process.
18. The device according to claim 12, characterised in that it further comprises:
a seventh processing module, for judging, when the C_FindObjectsInit interface is called by the application process, whether the application process is the preset process; if it is not the preset process, obtaining the session handle, initialising the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process;
if it is the preset process, obtaining the login state in the session information and judging whether the login state is logged in; if so, obtaining the session handle, initialising the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; otherwise, popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, setting the login state in the session information to logged in, initialising the private key object template through the session handle, recording the private key object template through the session handle, and sending a success message to the application process; if the PIN code is wrong, sending a failure message to the application process.
19. The device according to claim 18, characterised in that
the seventh processing module is further for obtaining, after judging that the verification result is that the PIN code is wrong, the remaining PIN code retry count from the token information, and outputting the remaining PIN code retry count to the application process.
20. The device according to claim 18, characterised in that
the seventh processing module is further for sending a locked message to the application process when judging that the verification result is that the PIN code is locked.
21. The device according to claim 12, characterised in that it further comprises:
an eighth processing module, for obtaining, when the C_FindObjects interface is called by the application process, the session handle, obtaining the private key object template through the session handle, and searching for private key objects using the private key object template; if any are found, obtaining the private key handles corresponding to the private key objects found, outputting the number of private key handles to the application process as the private key count, and sending a success message to the application process; otherwise, setting the private key count to zero, outputting the private key count to the application process, and sending a success message to the application process.
22. The device according to claim 12, characterised in that it further comprises:
a ninth processing module, for judging, when the C_SignInit interface is called by the application process, whether the application process is the preset process; if it is not the preset process, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
if it is the preset process, performing the following operations:
A1: obtaining the login state in the session information and judging whether the login state is logged in; if so, performing step A2; otherwise, performing step A3;
A2: obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A3: popping up a PIN code input box, obtaining the PIN code entered by the user through the PIN code input box, sending the PIN code to the hardware device, receiving the verification result returned by the hardware device and judging the verification result; if the PIN code is correct, performing step A4; if the PIN code is wrong, performing step A5;
A4: setting the login state in the session information to logged in, obtaining the session handle, the private key handle and the signature mechanism, recording the private key handle and the signature mechanism through the session handle, and sending a success message to the application process;
A5: outputting the remaining PIN code retry count to the application process, and returning to step A3.
23. The device according to claim 22, characterised in that
the ninth processing module is further for obtaining, after judging that the verification result is that the PIN code is wrong, the remaining PIN code retry count from the token information, and outputting the remaining PIN code retry count to the application process.
24. The device according to claim 22, characterised in that
the ninth processing module is further for sending a locked message to the application process when judging that the verification result is that the PIN code is locked.
25. The device according to claim 12, characterised in that
the third processing module is further for obtaining, after judging that the verification result is that the PIN code is wrong, the remaining PIN code retry count from the token information, and outputting the remaining PIN code retry count to the application process.
26. The device according to claim 12, characterised in that
the third processing module is further for sending a locked message to the application process when judging that the verification result is that the PIN code is locked.
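The dispatch described in claims 1-11 (and mirrored by the modules of claims 12-26), as an added Python model that is not the patent's code: the PKCS#11 interface names are taken from the claims, while the preset process name, the flag constants, the PIN and the retry limit are constructed placeholders, and it assumes that in step S7 the PIN is the argument the application passes to C_Login. It shows why the preset process never handles the PIN itself: the middleware prompts for it in its own input box and reports back only the login outcome, the remaining retry count (claim 10) or a lock (claim 11).

```python
# Added example, not the patent's code: a Python model of the middleware dispatch in
# claims 1-11. Interface names are from the claims; the rest are constructed placeholders.
import hmac

PRESET_PROCESS = "browser.exe"  # constructed stand-in for the claims' "preset process"
SECOND_PRESET_VALUE = 0x100     # constructed value written into the token flag (S3, S6)
FIRST_PRESET_VALUE = 1          # constructed marker kept as process information (claim 2)

class HardwareDevice:
    # Stand-in for the token: verifies a PIN, counts retries, locks when they run out.
    def __init__(self, pin, retries=3):
        self._pin, self.retries, self.locked = pin, retries, False

    def verify(self, pin):
        if self.locked:
            return "locked"
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            return "correct"
        self.retries -= 1
        self.locked = self.retries == 0
        return "locked" if self.locked else "wrong"

class Session:
    def __init__(self):
        self.logged_in, self.key_handle, self.mechanism = False, None, None

class Middleware:
    def __init__(self, device, pin_prompt):
        self.device = device
        self.pin_prompt = pin_prompt  # models the PIN input box the middleware pops up itself
        self.flag, self.process_info, self.sessions = 0, None, {}

    @staticmethod
    def is_preset_process(full_path):
        # Claims 3-4: the process name is taken from the full path (GetModuleFileName)
        return full_path.replace("\\", "/").rsplit("/", 1)[-1].lower() == PRESET_PROCESS

    def C_GetTokenInfo(self, full_path):
        if self.is_preset_process(full_path):       # S2 -> S3
            self.flag = SECOND_PRESET_VALUE
            self.process_info = FIRST_PRESET_VALUE  # claim 2
        return {"flag": self.flag, "message": "success"}  # S3 / S4

    def C_OpenSession(self):
        handle = len(self.sessions) + 1             # claim 6
        self.sessions[handle] = Session()
        return handle

    def _check_pin(self, session, pin):
        # Shared by S6/S7 and A3-A5: ask the device, update login state, report retries or lock
        result = self.device.verify(pin)
        if result == "correct":
            session.logged_in = True
            return {"message": "success"}
        if result == "locked":
            return {"message": "locked"}             # claim 11
        return {"message": "failure", "retries": self.device.retries}  # claim 10

    def C_Login(self, handle, app_pin=None):
        session = self.sessions[handle]
        if self.process_info == FIRST_PRESET_VALUE:  # S5 (as in claim 2) -> S6
            # The PIN supplied by the application is ignored: the user types it into the
            # middleware's own input box, so the preset process never handles it.
            return {"flag": SECOND_PRESET_VALUE, **self._check_pin(session, self.pin_prompt())}
        return self._check_pin(session, app_pin)     # S7; assumes the PIN is the call argument

    def C_SignInit(self, full_path, handle, key_handle, mechanism):
        session = self.sessions[handle]
        if self.is_preset_process(full_path):        # claim 9: A1
            while not session.logged_in:             # A3 -> A5 -> A3 until correct or locked
                outcome = self._check_pin(session, self.pin_prompt())
                if outcome["message"] == "locked":
                    return outcome
        session.key_handle, session.mechanism = key_handle, mechanism  # A2 / A4
        return {"message": "success"}
```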
CN201410848953.3A 2014-12-29 2014-12-29 A kind of safe two-way SSL authentication methods and device Active CN104539620B (en)

Publications (2)

Publication Number Publication Date
CN104539620A CN104539620A (en) 2015-04-22
CN104539620B true CN104539620B (en) 2017-09-22

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant