CN104579662B - Mobile terminal authentication method and system based on WPKI and timestamp - Google Patents

Info

Publication number: CN104579662B
Authority: CN (China)
Prior art keywords: wpki, timestamp, user terminal, application service, service end
Legal status: Active
Application number: CN201310496089.0A
Other languages: Chinese (zh)
Other versions: CN104579662A
Inventors: 耿方, 林文辉, 郭向国, 林凉, 杜悦琨
Current assignee: Aisino Corp
Original assignee: Aisino Corp

Events:
Application filed by Aisino Corp
Priority to CN201310496089.0A
Publication of CN104579662A
Application granted
Publication of CN104579662B
Legal status: Active (current)
Anticipated expiration
Abstract

An embodiment of the present invention provides a mobile terminal authentication method and system based on WPKI and a timestamp. The method mainly includes: the user terminal obtains a timestamp from a Time Stamping Authority (TSA) system, and the user terminal establishes a secure data channel with the application server using WPKI; the application server receives the timestamp sent by the user terminal over the secure data channel and verifies the timestamp through the TSA system; after the timestamp passes verification, the application server and the user terminal transmit data over the secure data channel. In the embodiment, the mobile smart terminal communicates with the application server using WPKI technology over an SSL communication protocol based on the ECC algorithm, which secures the entire link; by using a trusted third-party timestamp service, various attacks on group key exchange protocols can be resisted. Effective authentication of the mobile terminal is thereby achieved, and the data security of the mobile terminal's wireless traffic is guaranteed.

Description

Mobile terminal authentication method and system based on WPKI and timestamp
Technical field
The present invention relates to the field of media communication technology, and in particular to a mobile terminal authentication method and system based on WPKI (Wireless Public Key Infrastructure) and a timestamp.
Background technology
Mobile smart terminals now mainly fall into three classes: Google's Android phones, Apple's iPhone and Microsoft's Windows Phone. The Android operating system is based on the Linux kernel; it is the mobile phone operating system announced by Google, developed by Google in its early days and later by the Open Handset Alliance. The platform consists of an operating system, middleware, a user interface and application software, and is the first truly open and complete mobile software platform built for mobile terminals.
WPKI introduces the PKI (Public Key Infrastructure) security technology of wired networks into the wireless network environment as a set of key and certificate management platform systems that follow established standards. WPKI is used to manage the public keys and digital certificates used in the mobile network environment and effectively establishes a secure wireless network environment. As an optimized extension of PKI technology into wireless networks, WPKI uses compressed, optimized X.509 digital certificates and ECC elliptic curve encryption technology. It verifies user identity through a third-party trusted authority, the CA (Certificate Authority), and thereby achieves secure transmission of information.
Currently, there is no method for effective authentication of mobile terminals, and the wireless traffic of mobile terminals has data security problems. On the server side that provides data, since the external interfaces basically all use the HTTP (Hypertext Transfer Protocol) protocol, with little use of encryption and signing, there are large security risks. In the financial field, for core external interfaces, the utmost that the application server achieves for security is the use of the 1024-bit RSA algorithm, and the RSA algorithm itself now faces great security threats.
Therefore, developing a method for effective authentication of mobile terminals is an urgent problem to be solved.
Invention content
The embodiments of the present invention provide a mobile terminal authentication method and system based on WPKI and a timestamp, so as to achieve effective authentication of a mobile terminal.
The present invention provides the following schemes:
A mobile terminal authentication method based on WPKI and a timestamp, including:
the user terminal obtains a timestamp from a Time Stamping Authority system, and the user terminal establishes a secure data channel with the application server using Wireless Public Key Infrastructure (WPKI);
the application server receives the timestamp sent by the user terminal over the secure data channel, and the application server verifies the timestamp through the Time Stamping Authority system;
after the timestamp passes verification, the application server and the user terminal transmit data over the secure data channel.
The user terminal obtaining a timestamp from the Time Stamping Authority system includes:
the Time Stamping Authority system receives a connection request sent by the user terminal that carries the user's WPKI digital certificate; the Time Stamping Authority system obtains the WPKI digital certificate carried in the connection request and sends a certificate verification request carrying the WPKI digital certificate to an Online Certificate Status Protocol (OCSP) server;
after the OCSP server receives the certificate verification request, it obtains the unique identifier, validity period and extension options of the WPKI digital certificate; the OCSP server verifies whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated Certificate Authority (CA), and whether the unique identifier and extension options of the WPKI certificate are valid;
after all verifications of the WPKI digital certificate pass, the OCSP server sends a verification-qualified notice to the Time Stamping Authority system, and a Secure Socket Layer (SSL) secure data channel for transmitting data is established between the Time Stamping Authority system and the user terminal using the WPKI certificate;
the user terminal generates a digest value of the data to be uploaded using a digest algorithm and transmits the digest value, following the timestamp application specification, to the Time Stamping Authority system over the SSL secure data channel; the Time Stamping Authority system stamps the digest value sent by the user terminal with a timestamp, signs the timestamp with the Time Stamping Authority system's digital certificate, and returns the signed timestamp information to the user terminal.
The user terminal establishing a secure data channel with the application server using WPKI includes:
the application server receives a connection request sent by the user terminal that carries the user's WPKI digital certificate; the application server obtains the WPKI digital certificate carried in the connection request and sends a certificate verification request carrying the WPKI digital certificate to the OCSP server;
after the OCSP server receives the certificate verification request, it obtains the unique identifier, validity period and extension options of the WPKI digital certificate; the OCSP server verifies whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension options of the WPKI certificate are valid;
after all verifications of the WPKI digital certificate pass, the OCSP server sends a verification-qualified notice to the application server; after the application server receives the verification-qualified notice, an SSL secure channel for transmitting data is established between the application server and the user terminal using the WPKI certificate.
The application server verifying the timestamp through the Time Stamping Authority system includes:
the application server obtains the digital certificate of the Time Stamping Authority system that signed the timestamp and sends a certificate verification request carrying the Time Stamping Authority system's digital certificate to the OCSP server, and the OCSP server verifies the digital certificate of the Time Stamping Authority system;
after all verifications of the Time Stamping Authority system's digital certificate pass, the OCSP server sends a verification-qualified notice to the application server, and the application server sends the timestamp information to the Time Stamping Authority system;
the Time Stamping Authority system verifies the timestamp information sent by the application server; the verification includes whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies. After all verifications of the timestamp information pass, the Time Stamping Authority system sends a timestamp-verification-qualified notice to the application server; if not all verifications of the timestamp information pass, it sends a timestamp-verification-unqualified notice to the application server.
After the timestamp passes verification, the application server and the user terminal transmitting data over the secure data channel includes:
after the application server receives the timestamp-verification-qualified notice returned by the Time Stamping Authority system, it determines that the user terminal's authentication has passed and accepts the user terminal's connection request, and the user terminal and the application server communicate over the SSL secure data channel.
After the application server receives the timestamp-verification-unqualified notice returned by the Time Stamping Authority system, it determines that the user terminal's authentication has failed and rejects the user terminal's connection request.
A mobile terminal authentication system based on WPKI and a timestamp, including a user terminal, an application server and a Time Stamping Authority system:
the user terminal is configured to obtain a timestamp from the Time Stamping Authority system and to establish a secure data channel with the application server using Wireless Public Key Infrastructure (WPKI);
the application server is configured to receive the timestamp sent by the user terminal over the secure data channel, to verify the timestamp through the Time Stamping Authority system, and, after the timestamp passes verification, to transmit data with the user terminal over the secure data channel;
the Time Stamping Authority system is configured to send the timestamp to the user terminal and to verify the timestamp sent by the application server.
The system further includes an OCSP server.
The Time Stamping Authority system is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, to obtain the WPKI digital certificate carried in the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension options of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension options of the WPKI certificate are valid, and, after all verifications of the WPKI digital certificate pass, to send a verification-qualified notice to the Time Stamping Authority system;
the user terminal is specifically configured to generate a digest value of the data to be uploaded using a digest algorithm and to transmit the digest value, following the timestamp application specification, to the Time Stamping Authority system over the SSL secure data channel;
the Time Stamping Authority system is specifically configured, after receiving the verification-qualified notice, to establish an SSL secure data channel for transmitting data between the Time Stamping Authority system and the user terminal using the WPKI certificate, to stamp the digest value sent by the user terminal with a timestamp, to sign the timestamp with the Time Stamping Authority system's digital certificate, and to return the signed timestamp information to the user terminal.
The application server is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, to obtain the WPKI digital certificate carried in the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension options of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension options of the WPKI certificate are valid, and, after all verifications of the WPKI digital certificate pass, to send a verification-qualified notice to the application server;
the application server, after receiving the verification-qualified notice, establishes a Secure Socket Layer (SSL) secure channel for transmitting data with the user terminal using the WPKI certificate.
The application server is specifically configured to obtain the digital certificate of the Time Stamping Authority system that signed the timestamp, to send a certificate verification request carrying the Time Stamping Authority system's digital certificate to the OCSP server, and, after receiving the verification-qualified notice sent by the OCSP server, to send the timestamp information to the Time Stamping Authority system;
the OCSP server is specifically configured to verify the digital certificate of the Time Stamping Authority system and, after all verifications of the Time Stamping Authority system's digital certificate pass, to send a verification-qualified notice to the application server;
the Time Stamping Authority system is specifically configured to verify the signed timestamp information sent by the application server, the verification including whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies, and, after all verifications of the timestamp information pass, to send a timestamp-verification-qualified notice to the application server, or, if not all verifications pass, a timestamp-verification-unqualified notice.
The application server is specifically configured, after receiving the timestamp-verification-qualified notice returned by the Time Stamping Authority system, to determine that the user terminal's authentication has passed and accept the user terminal's connection request, after which the user terminal and the application server communicate over the SSL secure data channel;
and, after receiving the timestamp-verification-unqualified notice returned by the Time Stamping Authority system, to determine that the user terminal's authentication has failed and reject the user terminal's connection request.
It can be seen from the technical solutions provided by the above embodiments that, in the embodiments of the present invention, the mobile smart terminal communicates with the application server using WPKI technology over an SSL communication protocol based on the ECC algorithm, which secures the entire link. By using a trusted third-party timestamp service, the user's mobile smart terminal obtains signature information for the timestamp under the ECC algorithm and sends it, and the application server verifies the user's call data by invoking the timestamp server interface and records it on file, so that replay of messages can be prevented and various attacks on group key exchange protocols can be resisted. Effective authentication of the mobile terminal is thereby achieved, and the data security of the mobile terminal's wireless traffic is guaranteed.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the implementation principle of a mobile terminal authentication method based on WPKI and a timestamp provided by embodiment one of the present invention;
Fig. 2 is a specific process flow chart of a mobile terminal authentication method based on WPKI and a timestamp provided by embodiment one of the present invention;
Fig. 3 is a structural diagram of a mobile terminal authentication system based on WPKI and a timestamp provided by embodiment two of the present invention; in the figure: user terminal 310, application server 320, Time Stamping Authority system 330 and OCSP server 340.
Specific implementation mode
To facilitate understanding of the embodiments of the present invention, several specific embodiments are further explained below with reference to the drawings; these embodiments do not limit the embodiments of the present invention.
Embodiment one
In the embodiments of the present invention, the user terminal obtains a timestamp from the Time Stamping Authority system and establishes a secure data channel with the application server using WPKI. The application server receives the timestamp sent by the user terminal over the secure data channel and verifies the timestamp through the Time Stamping Authority system; after the timestamp passes verification, the application server and the user terminal transmit data over the secure data channel.
This embodiment provides a mobile terminal authentication method based on WPKI and a timestamp whose implementation principle is shown schematically in Fig. 1 and whose specific process flow is shown in Fig. 2; it includes the following processing steps:
Step S210: a timestamp is an electronic certificate issued by an authoritative, trusted TSA (Time Stamp Authority, Time Stamping Authority) under the national time service authority, which proves that an electronic message (an electronic document with legal effect) already existed, was complete and was verifiable at a given point in time, and which has legal effect. No organization, including the TSA itself, can modify the time, which guarantees the authority of the time. Timestamps are mainly used to prevent tampering with and subsequent repudiation of electronic documents and to establish the exact time at which an electronic document was created. Timestamps are now widely used in e-commerce, electronic government documents, intellectual property, healthcare and other fields to guarantee the legal effect of electronic data files.
The user, through the mobile smart terminal (that is, the user terminal), initiates a connection request to the TSA system that carries the user's WPKI digital certificate; the WPKI digital certificate carries contents such as the certificate DN (Distinct Name, unique identifier), the validity period and extension options.
Step S220: the TSA system obtains the user terminal's WPKI digital certificate carried in the connection request and initiates a verification request for the user terminal's WPKI digital certificate to the OCSP (Online Certificate Status Protocol) server.
Step S230: the main function of the OCSP server is to receive certificate status requests from clients, parse the certificate status request according to the protocol standard, query the status of the certificate in the issuing system's database by the certificate serial number obtained from parsing, then encapsulate a certificate status response according to the interface specification and return it to the client. The system service listens on a specific port and receives the certificate requests that clients send over unsecured connections. After parsing a request, it passes the client information together with the request information to a back-end dispatcher, which submits it to the individual service modules. When a user attempts to access a server, the Online Certificate Status Protocol sends a request for certificate status information, and the server replies with a response of "valid", "expired" or "unknown". The protocol defines the communication syntax between the server and the client application. The Online Certificate Status Protocol gives the user's expired certificate a grace period, so that the user can continue to access the server for a period of time before renewing it.
After the OCSP server receives the verification request, it obtains the WPKI digital certificate carried in the verification request and verifies the WPKI digital certificate; the verification includes verifying whether the WPKI certificate was issued by the designated CA and whether the unique identifier and extension options of the WPKI certificate are valid.
After all verifications of the WPKI digital certificate pass, the OCSP server sends a verification-qualified notice to the TSA system; if not all verifications of the WPKI digital certificate pass, it sends a verification-unqualified notice to the TSA system.
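The certificate checks that steps S220 to S230 (and the matching clauses of the summary above) assign to the OCSP server, written out as a small Python status responder. This is an added example, not code from the patent or from Aisino. A certificate record is a dict carrying the fields the text names (DN as the unique identifier, validity period, extension options, issuer, serial number); the trusted-CA set, the revoked-serial set and the required-extension set are constructed stand-ins for the issuing system's database, and the sample certificate is constructed too. The status strings follow the page's wording ("valid", "expired", "unknown") plus "revoked" for a serial the database has withdrawn; RFC 6960 itself uses good/revoked/unknown. The `grace_days` parameter implements the allowance the text describes for an expired certificate.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the issuing system's database (not the patent's data).
TRUSTED_CAS = {"CN=Example WPKI CA"}       # the "designated CA" the text refers to
REVOKED_SERIALS = {"0x2002"}               # serials the issuing system has withdrawn
REQUIRED_EXTENSIONS = {"keyUsage"}         # extension options that must be present


def _ts(value):
    """Accept ISO-8601 strings or datetimes; naive values are taken as UTC."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_certificate(cert, now, grace_days=0):
    """Return "valid", "expired", "revoked" or "unknown" for one certificate record.

    cert carries "serial", "dn" (unique identifier), "issuer", "not_before" /
    "not_after" (validity period) and "extensions". Anything the responder
    cannot attribute to a designated CA, or whose identifying fields are
    missing, is answered "unknown" rather than treated as valid.
    """
    now = _ts(now)
    if not cert.get("serial") or not cert.get("dn"):
        return "unknown"                        # unique identifier check fails
    if cert.get("issuer") not in TRUSTED_CAS:
        return "unknown"                        # not issued by the designated CA
    if cert["serial"] in REVOKED_SERIALS:
        return "revoked"                        # issuing system's database says withdrawn
    if not REQUIRED_EXTENSIONS.issubset(set(cert.get("extensions", ()))):
        return "unknown"                        # extension options invalid
    if now < _ts(cert["not_before"]):
        return "unknown"                        # not yet inside the validity period
    if now > _ts(cert["not_after"]) + timedelta(days=grace_days):
        return "expired"                        # past the validity period plus any grace
    return "valid"


def ocsp_response(cert, now, grace_days=0):
    """Package the status as the notice the TSA or application server acts on:
    only "valid" becomes a verification-qualified notice."""
    status = check_certificate(cert, now, grace_days)
    return {"serial": cert.get("serial"), "status": status, "qualified": status == "valid"}


# Constructed sample WPKI certificate record, not from the patent.
SAMPLE_CERT = {
    "serial": "0x1001",
    "dn": "CN=user01,O=Example Mobile Operator",
    "issuer": "CN=Example WPKI CA",
    "not_before": "2013-12-01T00:00:00+00:00",
    "not_after": "2014-12-01T00:00:00+00:00",
    "extensions": ["keyUsage", "subjectAltName"],
}

if __name__ == "__main__":
    print(ocsp_response(SAMPLE_CERT, "2014-06-01T00:00:00+00:00"))   # qualified: True
    print(ocsp_response(SAMPLE_CERT, "2015-01-01T00:00:00+00:00"))   # status: expired
```

The order of the checks matters: issuer and identifier are tested before the expiry date, so a certificate from an unrecognised CA is never reported "expired" (which would leak that the responder has a record of it); and only the exact "valid" status turns into the qualified notice, so a grace-period extension has to be granted explicitly by the caller rather than being the default.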
Step S240: after the TSA system receives the verification-qualified notice, an SSL (Secure Socket Layer) secure data channel for transmitting data, based on the ECC (Error Correcting Code, error checking and correction) algorithm, is established between the TSA system and the user terminal using the WPKI certificate.
After the TSA system receives the verification-unqualified notice, it rejects the user terminal's connection request.
Step S250: after the SSL secure data channel is established, the user terminal generates a digest value of the data to be uploaded using a digest algorithm and transmits the digest value, following the timestamp application specification, to the TSA system over the SSL secure data channel.
Step S260: the TSA system stamps the digest value sent by the user terminal with a timestamp, signs the timestamp with the TSA's digital certificate, and returns the signed timestamp information to the user terminal.
Step S270: the user, through the user terminal, initiates a connection request to the application server that carries the user's WPKI digital certificate; the WPKI digital certificate carries contents such as the certificate DN, the validity period and extension options.
Step S280: after the application server receives the connection request, it obtains the user terminal's WPKI digital certificate carried in the connection request and initiates a verification request for the user terminal's WPKI digital certificate to the OCSP server.
Step S290: after the OCSP server receives the verification request, it obtains the WPKI digital certificate carried in the verification request and verifies the WPKI digital certificate; the verification includes verifying whether the WPKI certificate was issued by the designated CA and whether the unique identifier and extension options of the WPKI certificate are valid.
After all verifications of the WPKI digital certificate pass, the OCSP server sends a verification-qualified notice to the application server; if not all verifications of the WPKI digital certificate pass, it sends a verification-unqualified notice to the application server.
Step S2100: after the application server receives the verification-qualified notice, an SSL secure data channel for transmitting data is established between the application server and the user terminal using the WPKI certificate.
After the application server receives the verification-unqualified notice, it rejects the user terminal's connection request.
Step S2110: the user terminal transmits the timestamp information returned by the TSA, together with the data to be transmitted, to the application server over the SSL secure data channel.
Step S2120: after the application server receives the timestamp information sent by the user terminal, it obtains the digital certificate of the TSA that signed the timestamp. The application server calls OCSP to verify the validity of the TSA's digital certificate; the OCSP server verifies the TSA's digital certificate, which includes verifying whether the TSA's digital certificate was issued by the designated CA and whether the unique identifier and extension options of the TSA's digital certificate are valid.
Step S2130: after all verifications of the TSA's digital certificate pass, the OCSP server sends a verification-qualified notice to the application server; if not all verifications of the TSA's digital certificate pass, it sends a verification-unqualified notice to the application server.
Step S2140: after the application server receives a verification-unqualified notice returned by the OCSP server, it considers the signature on the timestamp illegal and rejects the user terminal's connection request. After the application server receives a verification-qualified notice returned by the OCSP server, it considers the signature on the timestamp legal and sends the signed timestamp information to the TSA to verify the user's timestamp information.
Step S2150: the TSA verifies the signed timestamp information sent by the application server; the verification includes whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies.
After all verifications of the timestamp information pass, the TSA sends a timestamp-verification-qualified notice to the application server; if not all verifications of the timestamp information pass, it sends a timestamp-verification-unqualified notice to the application server.
Step S2160: after the application server receives the timestamp-verification-qualified notice returned by the Time Stamping Authority system, it determines that the user terminal's authentication has passed and accepts the user terminal's connection request; the user terminal and the application server can then communicate over the SSL secure data channel.
After the application server receives the timestamp-verification-unqualified notice returned by the Time Stamping Authority system, it determines that the user terminal's authentication has failed and rejects the user terminal's connection request.
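The exchange of steps S250 to S260 and S2110 to S2160 (the same procedure the summary section states as the method's clauses), simulated in Python with the user terminal, the TSA and the application server each playing their part. This is an added example, not the patent's or Aisino's code. It assumes the WPKI certificate checks of steps S220 to S2140 have already passed and are handled elsewhere, and it substitutes HMAC-SHA256 under a constructed key for the ECC signature the patent describes so that the block runs on the standard library alone. The token layout (TSA name, serial, digest, time, signature), the five-minute freshness window and the record of accepted tokens are assumptions that implement the "record and file to prevent replay" behaviour the summary describes.

```python
import hashlib
import hmac
import json

SIGNED_FIELDS = ("tsa", "serial", "digest", "time")


def _canonical(fields):
    """Deterministic byte encoding of the signed part of a token, so that the
    issuer and the verifier hash exactly the same bytes."""
    return json.dumps({k: fields[k] for k in SIGNED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


class TimestampAuthority:
    """Issues tokens (steps S250 to S260) and later verifies them (step S2150)."""

    def __init__(self, name, signing_key):
        self.name = name
        self._key = signing_key   # constructed HMAC key standing in for the TSA's ECC private key
        self._serial = 0          # per-token serial number, an assumption (RFC 3161 tokens carry one)

    def _sign(self, fields):
        # HMAC-SHA256 stands in for the ECDSA signature the patent describes.
        return hmac.new(self._key, _canonical(fields), hashlib.sha256).hexdigest()

    def issue(self, digest_hex, now):
        """Stamp a client-supplied digest with the current time and sign it."""
        self._serial += 1
        fields = {"tsa": self.name, "serial": self._serial, "digest": digest_hex, "time": now}
        return {**fields, "sig": self._sign(fields)}

    def verify(self, token):
        """The two checks step S2150 lists: issued by this TSA, and signature verifies."""
        if token.get("tsa") != self.name:
            return False, "not issued by this TSA"
        if not all(k in token for k in SIGNED_FIELDS):
            return False, "malformed token"
        if not hmac.compare_digest(self._sign(token), token.get("sig", "")):
            return False, "signature check failed"
        return True, "ok"


def user_terminal_prepare(data, tsa, now):
    """Client side of S250/S260 and S2110: digest the upload, have the digest
    stamped, and bundle data and token for the application server."""
    digest = hashlib.sha256(data).hexdigest()
    return {"data": data, "token": tsa.issue(digest, now)}


class ApplicationServer:
    """Steps S2110 to S2160: decide whether to accept the terminal's connection."""

    def __init__(self, tsa, max_age_seconds=300):
        self.tsa = tsa                   # the TSA interface the server calls for verification
        self.max_age = max_age_seconds   # freshness window: an assumption, not in the patent
        self.accepted = {}               # record of accepted tokens (the "filing" the summary mentions)

    def handle(self, message, now):
        token = message["token"]
        # The stamped digest must be the digest of the data that actually arrived.
        if hashlib.sha256(message["data"]).hexdigest() != token.get("digest"):
            return False, "digest mismatch"
        ok, reason = self.tsa.verify(token)          # step S2150, delegated to the TSA
        if not ok:
            return False, reason
        if not (now - self.max_age <= token["time"] <= now):
            return False, "timestamp outside freshness window"
        key = (token["tsa"], token["serial"])
        if key in self.accepted:
            return False, "replayed timestamp"      # same token presented a second time
        self.accepted[key] = now
        return True, "accepted"


if __name__ == "__main__":
    tsa = TimestampAuthority("CN=Example TSA", b"constructed-signing-key")
    server = ApplicationServer(tsa)
    message = user_terminal_prepare(b"invoice upload", tsa, now=1000)
    print(server.handle(message, now=1010))   # (True, 'accepted')
    print(server.handle(message, now=1011))   # (False, 'replayed timestamp')
```

Two design points are worth noting. The application server compares the digest of the data it actually received with the digest inside the token before it asks the TSA anything, so a valid token cannot be detached from one upload and attached to another. And the replay record is keyed by TSA name and serial rather than by the stamped time, so two uploads stamped within the same second are not confused with a replay.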
Embodiment two
This embodiment provides a mobile terminal authentication system based on WPKI and a timestamp. Its structure, shown in Figure 3, includes a user terminal, an application service end, a Time Stamping Authority (TSA) system and an OCSP server.
The user terminal is configured to obtain a timestamp from the Time Stamping Authority system and to establish a secure data channel with the application service end using Wireless Public Key Infrastructure (WPKI);
The application service end is configured to receive the timestamp sent by the user terminal over the secure data channel and to have the Time Stamping Authority system verify that timestamp; after the timestamp passes verification, data is transmitted between the application service end and the user terminal over the secure data channel;
The Time Stamping Authority system is configured to send the timestamp to the user terminal and to verify the timestamp forwarded by the application service end.
Specifically, the Time Stamping Authority system is configured to receive a connection request from the user terminal carrying the user's Wireless Public Key Infrastructure (WPKI) digital certificate, to extract the WPKI digital certificate from the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
Specifically, on receiving the certificate verification request the OCSP server obtains the unique identifier, validity period and extension options of the WPKI digital certificate, and checks whether the certificate's validity period has expired, whether the certificate was issued by the designated certification authority (CA), and whether its unique identifier and extension options are valid; after all checks on the WPKI digital certificate pass, it sends a verification-passed notice to the Time Stamping Authority system;
Specifically, the user terminal is configured to generate a digest value over the data to be uploaded using a digest algorithm, to format the digest value according to the timestamp request specification, and to transmit it to the Time Stamping Authority system over the SSL secure data channel;
Further, the Time Stamping Authority system is configured, after receiving the verification-passed notice, to establish with the user terminal an SSL secure data channel for data transmission using the WPKI certificate, to apply a timestamp to the digest value received from the user terminal, to sign the timestamp with the private key belonging to the Time Stamping Authority system's digital certificate, and to return the signed timestamp information to the user terminal.
Further, the application service end is configured to receive a connection request from the user terminal carrying the user's WPKI digital certificate, to extract the WPKI digital certificate from the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
Further, on receiving the certificate verification request the OCSP server obtains the unique identifier, validity period and extension options of the WPKI digital certificate, and checks whether the certificate's validity period has expired, whether the certificate was issued by the designated certification authority (CA), and whether its unique identifier and extension options are valid; after all checks on the WPKI digital certificate pass, it sends a verification-passed notice to the application service end;
Further, after receiving the verification-passed notice, the application service end establishes with the user terminal a Secure Socket Layer (SSL) secure channel for data transmission using the WPKI certificate.
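The certificate checks the embodiment assigns to the OCSP server (validity period, issuance by the designated CA, unique identifier, extensions) can be exercised against real X.509 certificates with Go's crypto/x509. The following is an added example, not code from the patent or from Aisino. It models the OCSP server as a local checker with an in-memory revocation set (the page does not say how revocation state reaches the OCSP server, and a real responder would answer signed RFC 6960 requests); it takes the "unique identifier" to be the certificate serial number and the "extension" to be the client-authentication extended key usage, both assumptions since the page names neither; and it builds its own ECDSA P-256 CA and client certificates as constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertChecker stands in for the embodiment's OCSP server. It knows the designated
// CA and the serials (each certificate's unique identifier) that CA has revoked.
// Assumption: the page does not say how revocation state reaches the OCSP
// server, so it is an in-memory set here.
type CertChecker struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewCertChecker(ca *x509.Certificate) *CertChecker {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &CertChecker{roots: pool, revoked: map[string]bool{}}
}

func (c *CertChecker) Revoke(serial *big.Int) { c.revoked[serial.String()] = true }

// Check runs the checks the page lists for the OCSP server: validity period and
// issuance by the designated CA (both enforced by x509.Verify against the given
// time), the extensions (the certificate must carry the client-auth extended key
// usage) and the unique identifier (the serial must not be revoked).
func (c *CertChecker) Check(cert *x509.Certificate, at time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       c.roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("validity, issuer or extensions: %w", err)
	}
	if c.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("unique identifier: serial %s is revoked", cert.SerialNumber)
	}
	return nil
}

// IssueCA and IssueClient build a constructed ECDSA P-256 hierarchy for the
// example; they are test fixtures, not part of the patent.
func IssueCA(cn string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func IssueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string,
	notBefore, notAfter time.Time, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Check returns nil only when all four conditions hold. A certificate from a CA other than the designated one, an expired one, one lacking the client-auth extended key usage, and one whose serial has been revoked each fail with a distinct reason, which is what the Time Stamping Authority system and the application service end need in order to refuse the connection request rather than silently accept it.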
Further, the application service end is configured to obtain the digital certificate of the Time Stamping Authority system that signed the timestamp, to send a certificate verification request carrying the Time Stamping Authority system's digital certificate to the OCSP server, and, after receiving the verification-passed notice from the OCSP server, to send the timestamp information to the Time Stamping Authority system;
Further, the OCSP server is configured to verify the Time Stamping Authority system's digital certificate; after all checks on that certificate pass, it sends a verification-passed notice to the application service end;
Further, the Time Stamping Authority system is configured to verify the signed timestamp information sent by the application service end. This verification covers whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies. After all checks on the timestamp information pass, it sends a timestamp-verification-passed notice to the application service end; if not all checks pass, it sends a timestamp-verification-failed notice to the application service end.
Further, the application service end is configured, after receiving the timestamp-verification-passed notice returned by the Time Stamping Authority system, to determine that the identity authentication of the user terminal has succeeded and to accept the connection request of the user terminal; the user terminal and the application service end then communicate over the SSL secure data channel.
After receiving the timestamp-verification-failed notice returned by the Time Stamping Authority system, it determines that the identity authentication of the user terminal has failed and refuses the connection request of the user terminal.
The detailed process by which the system of this embodiment performs identity authentication based on WPKI and a timestamp is similar to that of the foregoing method embodiment and is not repeated here.
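The flow of embodiment two, from the user terminal's digest through the Time Stamping Authority system's signed timestamp to the application service end's accept or refuse decision, as an added example that is not code from the patent or from Aisino. It assumes a simplified token layout (the page gives none; a deployment would use RFC 3161 time-stamp tokens), an ECDSA P-256 key for the Time Stamping Authority system (the page says only "ECC"), an OCSP query reduced to a function that returns nil for a good certificate, and message passing by function call in place of the SSL channels. Alongside the page's "record on file" replay check it adds an acceptance window on the timestamp's age, which the page does not mention but which keeps the record bounded and rejects old tokens even before they are replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is the TSA's signed timestamp information. The layout is an assumption: the patent gives none (RFC 3161 tokens in practice).
type Token struct {
	Digest  [32]byte // SHA-256 of the data the user terminal will upload
	GenTime int64    // TSA clock at issuance, Unix seconds
	Serial  uint64   // TSA-assigned serial; also the key of the replay record
	Sig     []byte   // ECDSA P-256 signature over TBS(), ASN.1 DER
}

// TBS hashes the fields covered by the TSA signature.
func (t *Token) TBS() []byte {
	buf := make([]byte, 48)
	copy(buf, t.Digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(t.GenTime))
	binary.BigEndian.PutUint64(buf[40:], t.Serial)
	h := sha256.Sum256(buf)
	return h[:]
}

func DigestOf(data []byte) [32]byte { return sha256.Sum256(data) } // user terminal: digest of the upload

type TSA struct {
	key    *ecdsa.PrivateKey // the TSA's ECC signing key
	now    func() time.Time
	issued map[uint64]bool // serials this TSA has issued
}

func NewTSA(now func() time.Time) (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &TSA{key: key, now: now, issued: map[uint64]bool{}}, err
}

// Stamp applies the TSA's current time to the digest, signs the result and returns the token.
func (t *TSA) Stamp(digest [32]byte) (*Token, error) {
	tok := &Token{Digest: digest, GenTime: t.now().Unix(), Serial: uint64(len(t.issued)) + 1}
	var err error
	if tok.Sig, err = ecdsa.SignASN1(rand.Reader, t.key, tok.TBS()); err != nil {
		return nil, err
	}
	t.issued[tok.Serial] = true
	return tok, nil
}

// Verify is the check the application service end delegates to the TSA: issued by this TSA, and signature valid.
func (t *TSA) Verify(tok *Token) error {
	if !t.issued[tok.Serial] {
		return fmt.Errorf("timestamp not issued by this TSA")
	}
	if !ecdsa.VerifyASN1(&t.key.PublicKey, tok.TBS(), tok.Sig) {
		return fmt.Errorf("timestamp signature does not verify")
	}
	return nil
}

// AppServer holds the application service end's checks. OCSP stands in for the
// certificate status query (nil means good); seen is the page's "record on file".
type AppServer struct {
	TSA    *TSA
	OCSP   func(subject string) error
	Now    func() time.Time
	MaxAge time.Duration // oldest timestamp still accepted (added; not in the patent)
	seen   map[uint64]bool
}

func (s *AppServer) Authenticate(userCert, tsaCert string, data []byte, tok *Token) error {
	if s.seen == nil {
		s.seen = map[uint64]bool{}
	}
	for _, c := range []string{userCert, tsaCert} { // user WPKI cert, then TSA cert
		if err := s.OCSP(c); err != nil {
			return fmt.Errorf("certificate %q: %w", c, err)
		}
	}
	if DigestOf(data) != tok.Digest {
		return fmt.Errorf("timestamp digest does not match uploaded data")
	}
	if err := s.TSA.Verify(tok); err != nil {
		return err
	}
	if age := s.Now().Sub(time.Unix(tok.GenTime, 0)); age < 0 || age > s.MaxAge {
		return fmt.Errorf("timestamp outside acceptance window (age %s)", age)
	}
	if s.seen[tok.Serial] {
		return fmt.Errorf("replayed timestamp")
	}
	s.seen[tok.Serial] = true
	return nil
}
```

Authenticate performs the application service end's checks in the order the embodiment gives them: both certificates through the OCSP stub, the TSA's own verification of issuance and signature, then freshness and the replay record. The digest comparison binds the token to the uploaded data, so a valid token cannot be re-attached to different data. A negative age is rejected outright here; a production check would tolerate a small clock difference between the TSA and the server.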
In summary, in the embodiments of the present invention the mobile intelligent terminal communicates with the application service end using WPKI technology over an SSL communication protocol based on the ECC algorithm, which secures the entire link. By using a trusted third-party timestamp service, the user's mobile intelligent terminal obtains the signed timestamp information and transmits it with the ECC algorithm; the application service end verifies the user's call data by calling the timestamp server interface and records it on file at the same time, which prevents replay of messages and resists various attacks on the group key exchange protocol. Effective identity authentication of the mobile terminal is thereby achieved, and the data security of the mobile terminal's wireless services is ensured.
In the embodiments of the present invention, the application service end calls the OCSP system to verify the legitimacy of the timestamp authority and can also verify the legitimacy of the user certificate, which subjects the user's identity to further strict verification.
The embodiments of the present invention use the call records of the user's mobile intelligent terminal together with the third-party trusted timestamp records as credible electronic evidence, which can serve as a basis for subsequent auditing, security inspection and information tracing of the operating services; at the same time, strict certificate identity verification and the encrypted communication link further improve the security of information passing through the server-side key interfaces.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment, or in certain parts of each embodiment, of the present invention.
The embodiments in this specification are described in a progressive manner; identical or similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, the system embodiment is substantially similar to the method embodiment and is therefore described more briefly; for related details, refer to the description of the method embodiment. The system and the system embodiment described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be subject to the scope of the claims.

Claims (10)

1. A mobile terminal authentication method based on WPKI and a timestamp, characterized by comprising:
a Time Stamping Authority system receives a connection request from a user terminal carrying the user's WPKI digital certificate; the Time Stamping Authority system extracts the WPKI digital certificate from the connection request and sends a certificate verification request carrying the WPKI digital certificate to an Online Certificate Status Protocol (OCSP) server;
after all checks on the WPKI digital certificate pass, the OCSP server sends a verification-passed notice to the Time Stamping Authority system, and a Secure Socket Layer (SSL) secure data channel for data transmission is established between the Time Stamping Authority system and the user terminal using the WPKI certificate;
the user terminal obtains a timestamp from the Time Stamping Authority system over the SSL secure data channel;
the user terminal sends a connection request carrying the user's WPKI digital certificate to an application service end; the application service end verifies the WPKI digital certificate through the OCSP server, and after the verification passes the user terminal establishes a secure data channel with the application service end;
the application service end receives the timestamp sent by the user terminal over the secure data channel, obtains the digital certificate of the Time Stamping Authority system that signed the timestamp, and sends a certificate verification request carrying the Time Stamping Authority system's digital certificate to the OCSP server, which verifies the Time Stamping Authority system's digital certificate;
after all checks on the Time Stamping Authority system's digital certificate pass, the OCSP server sends a verification-passed notice to the application service end, and the application service end sends the timestamp information to the Time Stamping Authority system;
the Time Stamping Authority system verifies the timestamp information sent by the application service end and, after the verification passes, sends a timestamp-verification-passed notice to the application service end;
after the timestamp passes verification, data is transmitted between the application service end and the user terminal over the secure data channel.
2. The mobile terminal authentication method based on WPKI and a timestamp according to claim 1, characterized in that the user terminal obtaining a timestamp from the Time Stamping Authority system comprises:
after the OCSP server receives the certificate verification request, it obtains the unique identifier, validity period and extension options of the WPKI digital certificate; the OCSP server checks whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority CA, and whether the unique identifier and extension options of the WPKI certificate are valid;
the user terminal generates a digest value over the data to be uploaded using a digest algorithm, formats the digest value according to the timestamp request specification and transmits it to the Time Stamping Authority system over the SSL secure data channel; the Time Stamping Authority system applies a timestamp to the digest value sent by the user terminal, signs the timestamp with the Time Stamping Authority system's digital certificate, and returns the signed timestamp information to the user terminal.
3. The mobile terminal authentication method based on WPKI and a timestamp according to claim 1, characterized in that:
after the OCSP server receives the certificate verification request, it obtains the unique identifier, validity period and extension options of the WPKI digital certificate; the OCSP server checks whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority CA, and whether the unique identifier and extension options of the WPKI certificate are valid;
after all checks on the WPKI digital certificate pass, the OCSP server sends a verification-passed notice to the application service end; after receiving the verification-passed notice, the application service end establishes with the user terminal an SSL secure channel for data transmission using the WPKI certificate.
4. The mobile terminal authentication method based on WPKI and a timestamp according to claim 1, characterized in that the Time Stamping Authority system verifies the timestamp information sent by the application service end, the verification including whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies; after all checks on the timestamp information pass, the Time Stamping Authority system sends a timestamp-verification-passed notice to the application service end; if not all checks on the timestamp information pass, it sends a timestamp-verification-failed notice to the application service end.
5. The mobile terminal authentication method based on WPKI and a timestamp according to any one of claims 1 to 4, characterized in that transmitting data between the application service end and the user terminal over the secure data channel after the timestamp passes verification comprises:
after the application service end receives the timestamp-verification-passed notice returned by the Time Stamping Authority system, it determines that the identity authentication of the user terminal has succeeded and accepts the connection request of the user terminal, and the user terminal and the application service end communicate over the SSL secure data channel;
after the application service end receives the timestamp-verification-failed notice returned by the Time Stamping Authority system, it determines that the identity authentication of the user terminal has failed and refuses the connection request of the user terminal.
6. A mobile terminal authentication system based on WPKI and a timestamp, characterized by comprising a user terminal, an application service end, a Time Stamping Authority system and an OCSP server, wherein:
the user terminal is configured to obtain a timestamp from the Time Stamping Authority system and to establish a secure data channel with the application service end using Wireless Public Key Infrastructure (WPKI);
the application service end is configured to receive a connection request from the user terminal carrying the user's WPKI digital certificate, to receive the timestamp sent by the user terminal over the secure data channel, and to obtain the digital certificate of the Time Stamping Authority system that signed the timestamp; the application service end verifies the WPKI digital certificate through the OCSP server and, after the WPKI digital certificate passes verification, establishes the secure data channel between the user terminal and the application service end; the application service end verifies the certificate of the Time Stamping Authority system through the OCSP server and, after the Time Stamping Authority system's certificate passes verification, has the Time Stamping Authority system verify the timestamp; after the timestamp passes verification, data is transmitted between the application service end and the user terminal over the secure data channel;
the Time Stamping Authority system is configured to send the timestamp to the user terminal and to verify the timestamp forwarded by the application service end; the Time Stamping Authority system is specifically configured to receive a connection request from the user terminal carrying the user's Wireless Public Key Infrastructure (WPKI) digital certificate, to extract the WPKI digital certificate from the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server; after receiving the verification-passed notice, the Time Stamping Authority system establishes with the user terminal an SSL secure data channel for data transmission using the WPKI certificate;
the OCSP server is configured to verify the WPKI certificate and the Time Stamping Authority system's digital certificate sent by the application service end.
7. The mobile terminal authentication system based on WPKI and a timestamp according to claim 6, characterized in that:
on receiving the certificate verification request, the OCSP server obtains the unique identifier, validity period and extension options of the WPKI digital certificate, checks whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority CA, and whether the unique identifier and extension options of the WPKI certificate are valid; after all checks on the WPKI digital certificate pass, it sends a verification-passed notice to the Time Stamping Authority system;
the user terminal is specifically configured to generate a digest value over the data to be uploaded using a digest algorithm, to format the digest value according to the timestamp request specification and to transmit it to the Time Stamping Authority system over the SSL secure data channel;
the Time Stamping Authority system is specifically configured to apply a timestamp to the digest value sent by the user terminal, to sign the timestamp with the Time Stamping Authority system's digital certificate, and to return the signed timestamp information to the user terminal.
8. The mobile terminal authentication system based on WPKI and a timestamp according to claim 6, characterized in that:
on receiving the WPKI digital certificate verification request, the OCSP server obtains the unique identifier, validity period and extension options of the WPKI digital certificate, checks whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority CA, and whether the unique identifier and extension options of the WPKI certificate are valid; after all checks on the WPKI digital certificate pass, it sends a verification-passed notice to the application service end;
after receiving the verification-passed notice, the application service end establishes with the user terminal a Secure Socket Layer (SSL) secure channel for data transmission using the WPKI certificate.
9. The mobile terminal authentication system based on WPKI and a timestamp according to claim 6, characterized in that:
the Time Stamping Authority system is configured to verify the signed timestamp information sent by the application service end, the verification including whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies; after all checks on the timestamp information pass, it sends a timestamp-verification-passed notice to the application service end; if not all checks on the timestamp information pass, it sends a timestamp-verification-failed notice to the application service end.
10. The mobile terminal authentication system based on WPKI and a timestamp according to any one of claims 6 to 9, characterized in that:
the application service end is specifically configured, after receiving the timestamp-verification-passed notice returned by the Time Stamping Authority system, to determine that the identity authentication of the user terminal has succeeded and to accept the connection request of the user terminal, and the user terminal and the application service end communicate over the SSL secure data channel;
after receiving the timestamp-verification-failed notice returned by the Time Stamping Authority system, it determines that the identity authentication of the user terminal has failed and refuses the connection request of the user terminal.
CN201310496089.0A 2013-10-21 2013-10-21 Mobile terminal authentication method and system based on WPKI and timestamp Active CN104579662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310496089.0A CN104579662B (en) 2013-10-21 2013-10-21 Mobile terminal authentication method and system based on WPKI and timestamp


Publications (2)

Publication Number  Publication Date
CN104579662A (en)  2015-04-29
CN104579662B (en)  2018-11-13

Family

ID=53094946


Country Status (1)

Country Link
CN (1) CN104579662B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant