CN104935555B - client certificate authentication method, server, client and system - Google Patents


Info

Publication number: CN104935555B
Authority: CN (China)
Prior art keywords: identifying code, client, key, time, authentication
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201410104168.7A
Other languages: Chinese (zh)
Other versions: CN104935555A (en)
Inventor: 周立勇
Current assignee: Guangxi Xianglan Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events
Application filed by Huawei Technologies Co Ltd
Priority to CN201410104168.7A
Publication of CN104935555A
Application granted
Publication of CN104935555B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time password, one-time token or one-time key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

This application discloses a client certificate authentication method, server, client and system, belonging to the field of communication technology. The method includes: receiving an authentication request sent by a client, the request including authentication parameters, a service expiry time, the client current time and a first verification code; obtaining the system time at which the server received the request; generating a second key from the service expiry time and the authentication parameters; generating a second verification code from the second key and the client current time; comparing whether the second verification code is identical to the first verification code; if it is, generating a third verification code from the second key and the system time, where the algorithm used to generate the second and third verification codes is the same as the algorithm the client used to generate the first verification code; comparing whether the third verification code is identical to the first verification code; and if it is, judging that the client authentication result is success.

Description

Client certificate authentication method, server, client and system
Technical field
The present invention relates to the field of communication technology, and in particular to a client certificate authentication method, server, client and system.
Background technology
With the rapid development of Internet technology, the identity authentication techniques used in Internet applications have also become more diverse. Among them, digital certificate authentication is an identity authentication technique with relatively high security: it completes the authentication of a client's identity by means of a digital certificate (License), which is issued by an authoritative institution, the Certificate Authority ("CA") center.
Specifically, the digital certificate authentication process is as follows: the CA center makes the License and issues it together with the client or product, and stores the License and its related authorization information in a database; before using the service, the service user installs the client and the License; the client sends an authentication request, which includes the License information, to the server; the server queries the CA center according to the License information to verify the client's identity; and the server returns the authentication result to the client.
The inventor has found that the prior art has at least the following problem:
If the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the identity query cannot be carried out, client authentication is affected, and as a result the service cannot be used normally.
Invention content
In order to solve the problem in the prior art that the service cannot be used normally because the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, embodiments of the present invention provide a client certificate authentication method, server, client and system. The technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a client certificate authentication method, performed by a server, the method including:
receiving an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
obtaining the system time at which the server received the authentication request;
generating a second key from the service expiry time and the authentication parameters, where the algorithm used to generate the second key is the same as the algorithm the certificate authority used to generate the first key;
generating a second verification code from the second key and the client current time, where the algorithm used to generate the second verification code is the same as the algorithm the client used to generate the first verification code;
comparing whether the second verification code is identical to the first verification code;
if the second verification code is identical to the first verification code, generating a third verification code from the second key and the system time, where the algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code;
comparing whether the third verification code is identical to the first verification code;
if the third verification code is identical to the first verification code, judging that the client authentication result is success.
With reference to the first aspect, in a first possible implementation of the first aspect, generating the second verification code from the second key and the client current time includes:
determining the time window in which the client current time falls;
determining the first time T in that time window;
calculating the second verification code as code = genCode(Key, T), where code is the second verification code, genCode is the verification code generation algorithm, and Key is the second key.
With reference to the first aspect, in a second possible implementation of the first aspect, before generating the second key from the service expiry time and the authentication parameters, the method further includes:
determining that the system time is less than the service expiry time.
With reference to the first aspect, in a third possible implementation of the first aspect, if the third verification code differs from the first verification code, the method further includes:
taking the time window in which the system time falls as the reference, moving the time window within a predetermined range;
generating a fourth verification code from the second key and the moved time window;
comparing whether the fourth verification code is identical to the first verification code;
if the fourth verification code is identical to the first verification code, judging that the client authentication result is success.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
returning the authentication result to the client.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, when the authentication result is success, the authentication result includes the time difference between the system time and the client current time.
In a second aspect, an embodiment of the present invention further provides a client certificate authentication method, performed by a client, the method including:
obtaining a first key, a service expiry time and authentication parameters, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
generating a first verification code from the first key and the client current time;
generating an authentication request and sending it to a server, the authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code, so that after receiving the authentication request the server: obtains the system time at which it received the request; generates a second key from the service expiry time and the authentication parameters, using the same algorithm as the certificate authority used to generate the first key; generates a second verification code from the second key and the client current time, using the same algorithm as the client used to generate the first verification code; compares whether the second verification code is identical to the first verification code; if so, generates a third verification code from the second key and the system time, using the same algorithm as the client used to generate the first verification code; compares whether the third verification code is identical to the first verification code; and if so, judges that the client authentication result is success.
With reference to the second aspect, in a first possible implementation of the second aspect, generating the first verification code from the first key and the client current time includes:
determining the time window in which the client current time falls;
determining the first time T in that time window;
calculating the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
With reference to the second aspect, in a second possible implementation of the second aspect, after sending the authentication request to the server, the method further includes:
receiving the authentication result sent by the server.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, when the authentication result is success, the authentication result includes the time difference between the system time at which the server received the authentication request and the client current time.
In a third aspect, an embodiment of the present invention further provides a server, the server including:
a receiving module, configured to receive an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
an acquisition module, configured to obtain the system time at which the server received the authentication request;
a processing module, configured to generate a second key from the service expiry time and the authentication parameters, and to generate a second verification code from the second key and the client current time, where the algorithm used to generate the second key is the same as the algorithm the certificate authority used to generate the first key, and the algorithm used to generate the second verification code is the same as the algorithm the client used to generate the first verification code;
and further configured to compare whether the second verification code is identical to the first verification code; if so, to generate a third verification code from the second key and the system time and compare whether the third verification code is identical to the first verification code; and if so, to judge that the client authentication result is success, where the algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code.
With reference to the third aspect, in a first possible implementation of the third aspect, the processing module includes:
a judging unit, configured to determine the time window in which the client current time falls;
a searching unit, configured to determine the first time T in that time window;
a computing unit, configured to calculate the second verification code as code = genCode(Key, T),
where code is the second verification code, genCode is the verification code generation algorithm, and Key is the second key.
With reference to the third aspect, in a second possible implementation of the third aspect, the processing module is further configured to determine, before generating the second key from the service expiry time and the authentication parameters, that the system time does not exceed the service expiry time.
With reference to the third aspect, in a third possible implementation of the third aspect, the processing module is further configured to, when the third verification code differs from the first verification code, take the time window in which the system time falls as the reference and move the time window within a preset range; generate a fourth verification code from the second key and the moved time window; compare whether the fourth verification code is identical to the first verification code; and if so, judge that the client authentication result is success.
With reference to the third aspect, in a fourth possible implementation of the third aspect, the server further includes:
a sending module, configured to return the authentication result to the client.
In a fourth aspect, an embodiment of the present invention further provides a client, the client including:
an acquisition module, configured to obtain a first key, a service expiry time and authentication parameters, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
a processing module, configured to generate a first verification code from the first key and the client current time,
and to generate an authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code;
a sending module, configured to send the authentication request to a server, so that after receiving the authentication request the server: obtains the system time at which it received the request; generates a second key from the service expiry time and the authentication parameters, using the same algorithm as the certificate authority used to generate the first key; generates a second verification code from the second key and the client current time, using the same algorithm as the client used to generate the first verification code; compares whether the second verification code is identical to the first verification code; if so, generates a third verification code from the second key and the system time, using the same algorithm as the client used to generate the first verification code; compares whether the third verification code is identical to the first verification code; and if so, judges that the client authentication result is success.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the processing module includes:
a judging unit, configured to determine the time window in which the client current time falls;
a searching unit, configured to determine the first time T in that time window;
a computing unit, configured to calculate the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the client further includes:
a receiving module, configured to receive the authentication result sent by the server.
In a fifth aspect, an embodiment of the present invention further provides a client certificate authentication system, the system including:
a certificate authority, the server described above and the client described above, where the certificate authority is configured to calculate the first key and send it to the client.
The technical solution provided by the embodiments of the present invention has the following advantageous effect:
The second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center used to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are the same as those held by the CA center. The third verification code is generated from the second key and the system time; because the algorithm used to generate the third verification code (like that used for the second) is the same as the algorithm the client used to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is the same as the system time. It can thus be seen that, during authentication of the client, the server does not need to obtain the client's authentication parameters from the CA center but judges whether the client is legitimate by calculation, so even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client. The client's use of the service is therefore not affected, and the service can be used normally.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is application scenarios schematic diagram provided in an embodiment of the present invention;
Fig. 2 is the client certificate authentication method flow chart that the embodiment of the present invention one provides;
Fig. 3 is client certificate authentication method flow chart provided by Embodiment 2 of the present invention;
Fig. 4 is the client certificate authentication method flow chart that the embodiment of the present invention three provides;
Fig. 5 is the client certificate authentication method flow chart that the embodiment of the present invention four provides;
Fig. 6 is the structure diagram for the server that the embodiment of the present invention five provides;
Fig. 7 is the structure diagram for the server that the embodiment of the present invention six provides;
Fig. 8 is the structure diagram of server provided in an embodiment of the present invention;
Fig. 9 is the structure diagram for the client that the embodiment of the present invention seven provides;
Figure 10 is the structure diagram for the client that the embodiment of the present invention eight provides;
Figure 11 is the structure diagram of client provided in an embodiment of the present invention;
Figure 12 is the structure diagram for the client certificate Verification System that the embodiment of the present invention nine provides.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
For convenience of describing the content of the embodiments of the present application, the application scenario is first explained with reference to Fig. 1: as shown in Fig. 1, the client 12 and the CA (certificate authority) center 11 are connected by a network, as are the client 12 and the server 13; unlike a general authentication scenario, no connection is needed between the CA center 11 and the server 13.
Before being authenticated by the server 13, the client 12 first needs to send the authentication parameters to the CA center 11. Besides being responsible for making the License, the CA center 11 also calculates the first key from the authentication parameters and sends it to the client 12. The client 12 generates the first verification code from the first key and then sends an authentication request to the server 13. The server 13 completes the authentication of the client 12 by means of the authentication request; how the authentication is performed is described in detail in the embodiments below. It should also be noted that the same key algorithm (the genKey algorithm) is deployed in the CA center 11 and the server 13, and the same verification code algorithm (the genCode algorithm) is deployed in the server 13 and the client 12.
Embodiment one
An embodiment of the present invention provides a client certificate authentication method, performed by a server. Referring to Fig. 2, the method includes:
Step 101: the server receives an authentication request sent by a client, the request including authentication parameters, a service expiry time, the client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
Here the first verification code is generated by the client, before it requests authentication, from the first key and the client current time, where the first key is generated by the CA center from the authentication parameters and the service expiry time and is configured into the client together with the License.
Step 102: obtain the system time at which the server received the authentication request.
Step 103: generate a second key from the service expiry time and the authentication parameters.
It should be noted that the algorithm used here to generate the second key is the same as the algorithm the CA center used to generate the first key.
Step 104: generate a second verification code from the second key and the client current time.
It should be noted that the algorithm used here to generate the second verification code is the same as the algorithm the client used to generate the first verification code.
Step 105: compare whether the second verification code is identical to the first verification code; if so, generate a third verification code from the second key and the system time.
Because the algorithm used to generate the second key is the same as the algorithm the CA center used to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are the same as those held by the CA center. The algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code.
Step 106: compare whether the third verification code is identical to the first verification code; if so, judge that the client authentication result is success.
Because the algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is the same as the system time, and the client authentication result is judged to be success.
In the embodiment of the present invention, the second verification code is generated from the second key and the client current time; because the algorithm used to generate the second key is the same as the algorithm the CA center used to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are the same as those held by the CA center. The third verification code is generated from the second key and the system time; because the algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is the same as the system time. When the authentication parameters uploaded by the client are the same as the CA center's and the client current time is the same as the system time, it can be seen that, during authentication of the client, the server does not need to obtain the client's authentication parameters from the CA center but judges whether the client is legitimate by calculation. Therefore, even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, so the client's use of the service is not affected and the service can be used normally.
Embodiment two
An embodiment of the present invention provides a kind of client certificate authentication methods, are performed by server, referring to Fig. 3, this method Including:
Step 201: The server receives an authentication request sent by the client and obtains the system time. The authentication request includes the authentication parameters, the service expiry time, the client current time and a first verification code; the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first verification code is generated by the client, before the authentication request, from the first key and the client current time. The first key is generated by the CA center from the authentication parameters and the service expiry time and is delivered to the client together with the License. The first key has a validity period limit, and the validity period is also the client's service expiry time; for example, the maximum validity period is no more than 24 hours, so the client needs to authenticate in time before the first key expires.
Step 202: Obtain the system time at which the server receives the authentication request.
Step 203: Determine whether the system time exceeds the service expiry time. If the system time is determined to be less than the service expiry time, perform step 204; if the system time is determined to exceed the service expiry time, judge the client authentication result to be failure, end the procedure and return the authentication result to the client.
By comparing whether the system time exceeds the service expiry time, the server judges whether the client's service has expired: when the system time exceeds the service expiry time, the client authentication result is judged to be failure. However, step 203 can only decide expiry for those clients that report the service expiry time truthfully; a client that does not report the service expiry time truthfully must be judged further by the subsequent steps.
Step 203 is of course an optional step, and step 204 may be performed directly after step 202; performing step 203, however, improves authentication efficiency.
Step 204: Generate a second key from the service expiry time and the authentication parameters.
Specifically, step 204 includes:
calculating the second key as Key = genKey(p1, p2, ..., pn, expire),
where Key is the second key, genKey is the key generation algorithm, p1 to pn are the authentication parameters and expire is the service expiry time.
It should be noted that the key generation algorithm used here to generate the second key is the same as the key generation algorithm the CA center uses to generate the first key.
Step 205: Generate a second verification code from the second key and the client current time.
Specifically, step 205 includes:
Step 1: Determine the time window in which the client current time falls; a time window is a period of time.
Step 2: Determine the first time T in the time window. This first time is used to calculate the second verification code and can be set in advance; within a time window, the first time can be the start time of the window, the end time of the window or an arbitrarily set time point.
Step 3: Calculate the second verification code as code = genCode(Key, T),
where code is the second verification code, genCode is the verification code generation algorithm and Key is the second key.
It should be noted that the algorithm used here to generate the second verification code is the same as the algorithm the client uses to generate the first verification code. In addition, the division of time windows can be preset in advance in both the client and the server, so that the windows are divided consistently. When dividing time windows, adjacent time windows must not overlap.
Step 206: Compare whether the second verification code is identical to the first verification code. If the second verification code is identical to the first verification code, perform step 207; if they differ, judge the client authentication result to be failure, end the procedure and return the authentication result to the client.
Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held at the CA center.
Step 207: Generate a third verification code from the second key and the system time.
The specific calculation of the third verification code is the same as that of the second verification code.
Step 208: Compare whether the third verification code is identical to the first verification code. If the third verification code is identical to the first verification code, judge the client authentication result to be success and return the authentication result to the client; if they differ, perform step 209.
Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time, and the client authentication result is then judged to be success.
Step 209: Taking the time window in which the system time falls as the reference, move the time window within a predetermined range, and generate a fourth verification code from the second key and the moved time window.
A time window is a period of time; for example, the period from 10:00 to 10:05 is called a time window of length 5 minutes. From the formula in step 205 it can be seen that, for a given time window, the second verification code calculated at any time point belonging to that window is the same as long as Key is the same.
That is, for any time within one time window, genCode produces the same verification code when Key is the same.
Steps 209 and 210 are optional here: in a specific implementation, when the third verification code differs from the first verification code, the client authentication result may also be judged to be failure directly. Because the client's time and the server's time are not consistent, the client may be ahead of or behind the server; for fault tolerance, this can be addressed by moving the time window. When the difference between the client current time and the server time is small, authentication can still pass. How far the time window may be moved depends on the system's preset tolerance for time deviation; if the client current time deviates from the system time by more than the predetermined amount, the server refuses service. For example, the client current time is 10:24 and the system time is 10:32 (which falls in the window from 10:30 to 10:35). If the window is allowed to move up to 3 windows forward or backward (that is, from 10:15 to 10:50), the window from 10:20 to 10:25 is eventually reached; the verification code calculated for it is identical to the first verification code, and authentication passes.
Step 210: Compare whether the fourth verification code is identical to the first verification code. If the fourth verification code is identical to the first verification code, judge the client authentication result to be success and return the authentication result to the client; if they differ, judge the client authentication result to be failure and return the authentication result to the client, or return to step 209.
Compare whether the fourth verification code is identical to the first verification code. When the fourth verification code is identical to the first verification code, judge the client authentication result to be success. When they differ, judge whether step 209 has been executed a predetermined number of times: if it has, judge the client authentication result to be failure; if it has not, execute step 209 again.
It should be noted that, in a specific implementation, step 209 may be executed only once; in that case there is no need to judge whether step 209 has been executed the predetermined number of times, and the client authentication result is judged to be failure directly. In another implementation, it is also possible to judge whether the preset time windows have been used up: if they have, judge the client authentication result to be failure; if they have not, execute step 209 again.
Further, the method also includes: when authentication succeeds, the server calculates the time difference between the system time and the client current time and returns the time difference to the client, that is, the authentication result includes the time difference between the system time and the client current time. The client can then adjust the client current time it reports in its next request according to this time difference, so that the server no longer needs to authenticate by moving the time window, which shortens the authentication time.
Further, when the authentication result returned to the client is failure, different error codes can be returned to inform the client of the reason for the authentication failure. For example, when authentication fails at step 203, error code 0x0006019A is returned; when it fails at step 206, error code 0x00070190 is returned; and when it fails at step 210, error code 0x000701A0 is returned.
In this embodiment of the present invention, the second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, the second verification code being identical to the first verification code shows that the authentication parameters uploaded by the client are identical to those held at the CA center. The third verification code is generated from the second key and the system time. Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, the third verification code being identical to the first verification code shows that the client current time uploaded by the client is identical to the system time. When the authentication parameters uploaded by the client are identical to those at the CA center and the client current time is identical to the system time, the client is judged to be legitimate. It can thus be seen that, while authenticating the client, the server does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation. Therefore, even if the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, so the client's use of the service is not affected and the service can be used normally.
Embodiment three
An embodiment of the present invention provides a client certificate authentication method performed by a client. Referring to Fig. 4, the method includes:
Step 301: The client obtains the first key, the service expiry time and the authentication parameters, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first key is generated by the CA center from the authentication parameters and the service expiry time and is delivered to the client together with the License. The first key has a validity period limit, and the validity period is also the client's service expiry time; for example, the maximum validity period is no more than 24 hours, so the client needs to authenticate in time before the first key expires.
Step 302: Generate a first verification code from the first key and the client current time.
It should be noted that the algorithm used here to generate the first verification code is the same as the algorithm the server uses to generate its verification codes.
Step 303: Generate an authentication request and send it to the server. The authentication request carries the authentication parameters, the service expiry time, the client current time and the first verification code, so that the server can verify whether the client is legitimate according to the authentication parameters, the service expiry time, the client current time and the first verification code.
In this embodiment of the present invention, the client calculates the first verification code from the first key issued by the CA center and sends the authentication parameters, the service expiry time, the client current time and the first verification code to the server, so that the server can generate the second key with the same algorithm the CA center used to generate the first key, and generate the second and third verification codes with the same algorithm the client used to generate the first verification code, and thereby judge whether the authentication parameters and the client current time uploaded by the client are correct, completing the authentication. It can thus be seen that, while authenticating the client, the server does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation. Therefore, even if the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, so the client's use of the service is not affected and the service can be used normally.
Embodiment four
An embodiment of the present invention provides a client certificate authentication method performed by a client. Referring to Fig. 5, the method includes:
Step 401: The client obtains the first key, the service expiry time and the authentication parameters, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first key is generated by the CA center from the authentication parameters and the service expiry time and is delivered to the client together with the License. The first key has a validity period limit, and the validity period is also the client's service expiry time; for example, the maximum validity period is no more than 24 hours, so the client needs to authenticate in time before the first key expires.
Step 402: Generate a first verification code from the first key and the client current time.
The algorithm used here to generate the first verification code is the same as the algorithm the server uses to generate its verification codes. Specifically, it can be implemented as follows:
Step 1: Determine the time window in which the client current time falls.
Step 2: Determine the first time T in the time window. This first time is used to calculate the first verification code and can be set in advance; within a time window, the first time can be the start time of the window, the end time of the window or an arbitrarily set time point.
Step 3: Calculate the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm and Key is the first key.
Step 403: Generate an authentication request and send it to the server. The authentication request carries the authentication parameters, the service expiry time, the client current time and the first verification code, so that the server can verify whether the client is legitimate according to the authentication parameters, the service expiry time, the client current time and the first verification code.
Step 404: Receive the authentication result sent by the server.
When the authentication result is failure, the authentication result may also carry an error code, which indicates the reason for the client authentication failure. For example, error code 0x0006019A indicates that the service has expired, that is, the system time exceeds the expiry time; the information-error code indicates that the authentication information the client uploaded to the server differs from the authentication information uploaded to the CA center; and error code 0x000701A0 indicates a time error, that is, the client current time differs from the system time by more than the preset deviation.
When the authentication result is success, the authentication result may also carry a time difference, which is the difference between the system time at which the server received the authentication request and the client current time. In the next authentication request, the client can adjust the client current time it reports according to this time difference, so that the server no longer needs to authenticate by moving the time window, which shortens the authentication time.
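The following is an added example, not code from the patent or from its assignee, showing the server procedure of Embodiment two (steps 201 to 210, including the window search of step 209 and the returned time difference) together with the client side of Embodiment four (steps 402 to 404). The patent names genKey and genCode but does not specify them, so this example assumes that genKey is an HMAC over the authentication parameters and expiry time keyed with a secret shared only by the CA center and the server (the scheme cannot be secure if the key is computable from the uploaded parameters alone), that genCode is an HMAC over the window start time T, that windows are 5 minutes long and that step 209 may move up to 3 windows in either direction. The parameter values, times and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct

# All values below are constructed for this example; the patent names genKey and
# genCode but does not specify them.
# ASSUMPTION: genKey is an HMAC keyed with a secret shared only by the CA center and
# the server, so the key cannot be recomputed from the uploaded parameters alone.
CA_SERVER_SECRET = b"constructed-secret-shared-by-ca-center-and-server"

WINDOW_SECONDS = 300      # 5-minute windows, as in the 10:00-10:05 example (assumption)
MAX_WINDOW_SHIFT = 3      # step 209: move up to 3 windows forward or backward (assumption)

# Error codes as stated in the patent for failures at steps 203, 206 and 210.
ERR_SERVICE_EXPIRED = 0x0006019A
ERR_INFO_ERROR = 0x00070190
ERR_TIME_ERROR = 0x000701A0


def gen_key(params, expire):
    """genKey(p1, ..., pn, expire): used by the CA center for the first key and by
    the server for the second key (step 204); both sides must run the same algorithm."""
    material = "|".join(params) + "|" + str(expire)
    return hmac.new(CA_SERVER_SECRET, material.encode(), hashlib.sha256).digest()


def window_start(t):
    """Steps 1 and 2 of step 205: non-overlapping windows aligned to WINDOW_SECONDS,
    with the window's start time used as the first time T."""
    return t - (t % WINDOW_SECONDS)


def gen_code(key, t_window):
    """genCode(Key, T): every time point inside one window yields the same code."""
    mac = hmac.new(key, struct.pack(">Q", t_window), hashlib.sha256).digest()
    return mac[:4].hex()


def build_request(params, expire, first_key, client_now, time_offset=0):
    """Client side (steps 402-403). time_offset is the time difference the server
    returned after an earlier success; applying it to the reported client current
    time lets the server match on its own window without moving windows."""
    reported = client_now + time_offset
    return {
        "params": params,
        "expire": expire,
        "client_time": reported,
        "code": gen_code(first_key, window_start(reported)),
    }


def server_authenticate(request, system_time):
    """Server side (steps 201-210). Returns (success, error_code, time_difference)."""
    params = request["params"]
    expire = request["expire"]
    client_time = request["client_time"]
    first_code = request["code"]

    # Step 203: reject an expired service before doing any key work.
    if system_time > expire:
        return False, ERR_SERVICE_EXPIRED, None

    # Step 204: regenerate the key locally; no lookup at the CA center is needed.
    key2 = gen_key(params, expire)

    # Steps 205-206: same window as the client used, so a mismatch means the
    # uploaded parameters differ from those the CA center derived the key from.
    # compare_digest keeps the comparison constant-time.
    second_code = gen_code(key2, window_start(client_time))
    if not hmac.compare_digest(second_code, first_code):
        return False, ERR_INFO_ERROR, None

    # Steps 207-208: recompute for the window the system time falls in.
    base = window_start(system_time)
    if hmac.compare_digest(gen_code(key2, base), first_code):
        return True, None, system_time - client_time

    # Steps 209-210: move the window within the predetermined range, nearest first.
    for shift in range(1, MAX_WINDOW_SHIFT + 1):
        for direction in (-1, 1):
            fourth_code = gen_code(key2, base + direction * shift * WINDOW_SECONDS)
            if hmac.compare_digest(fourth_code, first_code):
                return True, None, system_time - client_time

    return False, ERR_TIME_ERROR, None
```

With the patent's worked numbers (client current time 10:24, system time 10:32), the system window starts at 10:30, the shifts 10:25 and 10:35 miss, and the second backward shift reaches the 10:20 to 10:25 window and succeeds with a returned time difference of 480 seconds; a client that applies that offset to its next request matches at step 208 directly. A request whose parameters were altered after the first verification code was computed fails at step 206 with ERR_INFO_ERROR, and a client more than 3 windows away fails at step 210 with ERR_TIME_ERROR.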
In this embodiment of the present invention, the client calculates the first verification code from the first key issued by the CA center and sends the authentication parameters, the service expiry time, the client current time and the first verification code to the server, so that the server can generate the second key with the same algorithm the CA center used to generate the first key, and generate the second and third verification codes with the same algorithm the client used to generate the first verification code, and thereby judge whether the authentication parameters and the client current time uploaded by the client are correct. It can thus be seen that, while authenticating the client, the server does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation. Therefore, even if the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, so the client's use of the service is not affected and the service can be used normally.
Embodiment five
An embodiment of the present invention provides a server. Referring to Fig. 6, the server includes:
a receiving module 501, configured to receive an authentication request sent by a client. The authentication request includes the authentication parameters, the service expiry time, the client current time and a first verification code; the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first verification code is generated by the client, before the authentication request, from the first key and the client current time. The first key is generated by the CA center from the authentication parameters and the service expiry time and is delivered to the client together with the License.
an acquisition module 502, configured to obtain the system time at which the server receives the authentication request; and
a processing module 503, configured to generate a second key from the service expiry time and the authentication parameters, and to generate a second verification code from the second key and the client current time;
to compare whether the second verification code is identical to the first verification code and, if it is, to generate a third verification code from the second key and the system time; and to compare whether the third verification code is identical to the first verification code and, if it is, to judge the client authentication result to be success.
It should be noted that the algorithm used here to generate the second key is the same as the algorithm the CA center uses to generate the first key. The algorithm used to generate the second verification code is the same as the algorithm the client uses to generate the first verification code. The algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code.
In this embodiment of the present invention, the second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, the second verification code being identical to the first verification code shows that the authentication parameters uploaded by the client are identical to those held at the CA center. The third verification code is generated from the second key and the system time. Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, the third verification code being identical to the first verification code shows that the client current time uploaded by the client is identical to the system time. When the authentication parameters uploaded by the client are identical to those at the CA center and the client current time is identical to the system time, the client is judged to be legitimate. It can thus be seen that, while authenticating the client, the server does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation. Therefore, even if the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, so the client's use of the service is not affected and the service can be used normally.
Embodiment six
An embodiment of the present invention provides a server. Referring to Fig. 7, the server includes:
a receiving module 601, configured to receive an authentication request sent by a client and to obtain the system time. The authentication request includes the authentication parameters, the service expiry time, the client current time and a first verification code; the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first verification code is generated by the client, before the authentication request, from the first key and the client current time. The first key is generated by the CA center from the authentication parameters and the service expiry time and is delivered to the client together with the License. The first key has a validity period limit, and the validity period is also the client's service expiry time; for example, the maximum validity period is no more than 24 hours, so the client needs to authenticate in time before the first key expires.
an acquisition module 602, configured to obtain the system time at which the server receives the authentication request; and
a processing module 603, configured to generate a second key from the service expiry time and the authentication parameters, and to generate a second verification code from the second key and the client current time;
to compare whether the second verification code is identical to the first verification code and, if it is, to generate a third verification code from the second key and the system time; and to compare whether the third verification code is identical to the first verification code and, if it is, to judge the client authentication result to be success.
It should be noted that the algorithm used here to generate the second key is the same as the algorithm the CA center uses to generate the first key; the algorithm used to generate the second verification code is the same as the algorithm the client uses to generate the first verification code; and the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code.
On the one hand, because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held at the CA center. On the other hand, because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time, and the client authentication result is then judged to be success.
In this embodiment, the processing module 603 calculates the second key as follows:
the second key is calculated as Key = genKey(p1, p2, ..., pn, expire),
where Key is the second key, genKey is the key generation algorithm, p1 to pn are the authentication parameters and expire is the service expiry time.
In this embodiment, the processing module 603 includes:
a judging unit, configured to determine the time window in which the client current time falls, a time window being a period of time;
a searching unit, configured to determine the first time T in the time window. This first time is used to calculate the second verification code and can be set in advance; within a time window, the first time can be the start time of the window, the end time of the window or an arbitrarily set time point; and
a computing unit, configured to calculate the second verification code as code = genCode(Key, T),
where code is the second verification code, genCode is the verification code generation algorithm and Key is the second key.
It should be noted that the division of time windows can be preset in advance in both the client and the server, so that the windows are divided consistently.
Further, the processing module 603 is also configured to determine, before generating the second key from the service expiry time and the authentication parameters, that the system time is less than the service expiry time.
When the system time is less than the service expiry time, the second key is generated from the service expiry time and the authentication parameters.
It should be noted that if the processing module 603 determines that the system time exceeds the service expiry time, the client authentication result is judged to be failure and the authentication result is returned to the client.
By comparing the service expiry time with the system time, the server judges whether the client's service has expired: when the system time exceeds the service expiry time, the client authentication result is judged to be failure. However, this can only decide expiry for those clients that report the service expiry time truthfully; a client that does not report the service expiry time truthfully must be judged further by the subsequent steps. This approach improves authentication efficiency.
Specifically, the processing module 603 is also configured, when the third verification code differs from the first verification code, to take the time window in which the system time falls as the reference and move the time window within a predetermined range; to generate a fourth verification code from the second key and the moved time window; and to compare whether the fourth verification code is identical to the first verification code and, if it is, to judge the client authentication result to be success.
In addition, if the calculated fourth verification code differs from the first verification code, the time window is moved again and the fourth verification code is recalculated, until the fourth verification codes calculated for all the time windows moved to differ from the first verification code, at which point the client authentication result is judged to be failure.
A time window is a period of time; for example, the period from 10:00 to 10:05 is called a time window of length 5 minutes. From the formula in step 204 it can be seen that, for a given time window, the second verification code calculated at any time point belonging to that window is the same as long as Key is the same.
That is, for any time within one time window, genCode produces the same verification code when Key is the same.
Because the client's time and the server's time are not consistent, the client may be ahead of or behind the server; for fault tolerance, this can be addressed by moving the time window. When the difference between the client current time and the server time is small, authentication can still pass. How far the time window may be moved depends on the system's preset tolerance for time deviation; if the client current time deviates from the system time by more than the predetermined amount, the server refuses service. Moving the time window is done for fault tolerance. For example, the client current time is 10:24 and the system time is 10:32 (which falls in the window from 10:30 to 10:35). If the window is allowed to move up to 3 windows forward or backward (that is, from 10:15 to 10:50), the window from 10:20 to 10:25 is eventually reached; the verification code calculated for it is identical to the first verification code, and authentication passes.
Further, the server also includes a sending module 604, configured to return the authentication result to the client.
Further, when authentication succeeds, the authentication result includes the time difference between the system time and the client current time, so that the client can adjust the client current time it reports in its next request according to this time difference; the server then no longer needs to authenticate by moving the time window, which shortens the authentication time.
Further, when authentication fails, the authentication result can also inform the client of the reason for the failure by returning different error codes. For example, error code 0x0006019A indicates that the service has expired, that is, the system time exceeds the expiry time; the information-error code indicates that the authentication information the client uploaded to the server differs from the authentication information uploaded to the CA center; and error code 0x000701A0 indicates a time error, that is, the client current time differs from the system time by more than the preset deviation.
In this embodiment of the present invention, the second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, the second verification code being identical to the first verification code shows that the authentication parameters uploaded by the client are identical to those held at the CA center. The third verification code is generated from the second key and the system time. Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, the third verification code being identical to the first verification code shows that the client current time uploaded by the client is identical to the system time. When the authentication parameters uploaded by the client are identical to those at the CA center and the client current time is identical to the system time, the client is judged to be legitimate. Throughout this process the server does not need to verify anything with the CA center, so even if the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, and the client's use of the service is not affected.
In a specific embodiment, the server of Figures 6 and 7 above can be a general-purpose server, as shown in Figure 8. It generally comprises components such as a memory 71, a processor 72, a receiver 73 and a transmitter 74. Those skilled in the art will understand that the structure shown in Figure 8 does not limit the present apparatus, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
Each component of the server 70 is described in detail with reference to Figure 8:
The memory 71 can be used to store software programs and application modules; the processor 72 executes the various functional applications and data processing of the server 70 by running the software programs and application modules stored in the memory 71. The memory 71 may mainly comprise a program storage area and a data storage area. The program storage area can store an operating system and the application programs needed for at least one function (such as verification code calculation); the data storage area can store data created by the processing of the server 70. In addition, the memory 71 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory, for example at least one disk memory, flash memory device or other volatile solid-state component.
The processor 72 is the control center of the server 70 and uses various interfaces and lines to connect the parts of the entire computer.
Specifically, by running or executing the software programs and/or application modules stored in the memory 71 and calling the data stored in the memory 71, the processor 72 can: receive, through the receiver 73, an authentication request sent by the client, where the authentication request includes the authentication parameters, the service expiry time, the client current time and the first verification code; the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version; the first verification code is generated by the client from the first key and the client current time; and the first key is generated by the certificate authority from the authentication parameters and the service expiry time;
obtain the system time at which the server receives the authentication request;
generate a second key from the service expiry time and the authentication parameters, using the same algorithm the certificate authority uses to generate the first key;
generate a second verification code from the second key and the client current time, using the same algorithm the client uses to generate the first verification code;
compare whether the second verification code is the same as the first verification code;
if the second verification code is the same as the first verification code, generate a third verification code from the second key and the system time, using the same algorithm the client uses to generate the first verification code;
compare whether the third verification code is the same as the first verification code;
if the third verification code is the same as the first verification code, judge the client authentication result to be success.
Further, the processor 72 can also determine the time window in which the client current time lies;
determine the first time T within the time window;
and calculate the second verification code as code = genCode(Key, T), where code is the second verification code, genCode is the verification code generation algorithm, and Key is the second key.
Further, before generating the second key from the service expiry time and the authentication parameters, the processor 72 can also determine that the system time is earlier than the service expiry time.
Further, the processor 72 can also, starting from the time window in which the system time lies, move the time window within a preset range;
generate a fourth verification code from the second key and the moved time window;
compare whether the fourth verification code is the same as the first verification code;
and if the fourth verification code is the same as the first verification code, judge the client authentication result to be success.
Further, the processor 72 can also return the authentication result to the client through the transmitter 74.
Further, when the authentication result is success, the authentication result includes the time difference between the system time and the client current time.
The server provided in this apparatus embodiment can be applied in the scenario shown in Figure 1 of the method, implementing the function of the server there. For the other additional functions the server of this apparatus embodiment can implement, and for its interaction with other network elements and devices such as the client, please refer to the description of the server in method embodiments one and two; they are not repeated here.
Embodiment seven
An embodiment of the present invention provides a client; referring to Figure 9, the client includes:
an acquisition module 801, for obtaining a first key, a service expiry time and authentication parameters, where the first key is generated by the certificate authority and the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
Here the first key is generated by the CA center from the authentication parameters and the service expiry time, and is configured to the client together with the License. The first key has a validity limit, for example a maximum validity of no more than 24 hours; this validity period is also the client's service expiry time, so the client needs to authenticate in time before the first key becomes invalid.
a processing module 802, for generating a first verification code from the first key and the client current time;
and generating an authentication request that carries the authentication parameters, the service expiry time, the client current time and the first verification code.
It should be noted that the algorithm used here to generate the first verification code is the same as the algorithm used to generate the verification codes in the server.
a sending module 803, for sending the authentication request to the server, so that the server verifies from the authentication parameters, the service expiry time, the client current time and the first verification code whether the client is legitimate.
In the embodiment of the present invention, the client calculates the first verification code from the first key issued by the CA center and sends the authentication parameters, the service expiry time, the client current time and the first verification code to the server, so that the server can generate the second key with the same algorithm the CA center uses to generate the first key, generate the second and third verification codes with the same algorithm the client uses to generate the first verification code, and thereby judge whether the authentication parameters and the client current time uploaded by the client are correct and complete the authentication. It can be seen that, while the server authenticates the client, it does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation; thus even when the query service of the CA center is unavailable, the CA center has failed, or the network between the server and the CA center has failed, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is guaranteed.
Embodiment eight
An embodiment of the present invention provides a client; referring to Figure 10, the client includes:
an acquisition module 901, for obtaining a first key, a service expiry time and authentication parameters, where the first key is generated by the certificate authority and the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
Here the first key is generated by the CA center from the authentication parameters and the service expiry time, and is configured to the client together with the License. The first key has a validity limit, and this validity period is also the client's service expiry time; for example the maximum validity is no more than 24 hours, so the client needs to authenticate in time before the first key becomes invalid.
a processing module 902, for generating a first verification code from the first key and the client current time;
and generating an authentication request that carries the authentication parameters, the service expiry time, the client current time and the first verification code.
Here the algorithm the processing module 902 uses to generate the first verification code is the same as the algorithm used to generate the verification codes in the server. Specifically, the processing module 902 includes:
a judging unit, for determining the time window in which the client current time lies;
a searching unit, for determining the first time T within the time window. This first time is used to calculate the first verification code and can be set in advance; it can be the start time of the time window, its end time, or an arbitrarily set time point within the window.
a computing unit, for calculating the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
a sending module 903, for sending the authentication request to the server, so that the server verifies from the authentication parameters, the service expiry time, the client current time and the first verification code whether the client is legitimate.
a receiving module 904, for receiving the authentication result sent by the server.
Further, when the authentication result is failure, the authentication result may also include an error code that shows the reason the client authentication failed. For example, error code 0x0006019A indicates that the service has expired, i.e. the system time is later than the expiry time; a further error code (its value is not given here) indicates an information error, i.e. the authentication information the client uploaded to the server differs from the authentication information uploaded to the CA center; error code 0x000701A0 indicates a time error, i.e. the client current time differs from the system time, or exceeds the preset deviation.
When the authentication result is success, the authentication result may also include a time difference, which is the difference between the system time at which the server received the authentication request and the client current time. In the next authentication request the client can adjust the client current time it reports according to this time difference, so the server does not need to authenticate by moving the time window, which shortens the authentication time.
In the embodiment of the present invention, the client calculates the first verification code from the first key issued by the CA center and sends the authentication parameters, the service expiry time, the client current time and the first verification code to the server, so that the server can generate the second key with the same algorithm the CA center uses to generate the first key, generate the second and third verification codes with the same algorithm the client uses to generate the first verification code, and thereby judge whether the authentication parameters and the client current time uploaded by the client are correct and complete the authentication. It can be seen that, while the server authenticates the client, it does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation; thus even when the query service of the CA center is unavailable, the CA center has failed, or the network between the server and the CA center has failed, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is guaranteed.
In a specific embodiment, the client of Figures 9 and 10 above can be a computer or a mobile terminal, as shown in Figure 11. It generally comprises components such as a memory 1001, a processor 1002, a receiver 1003 and a transmitter 1004. Those skilled in the art will understand that the structure shown in Figure 11 does not limit the present apparatus, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
Each component of the computer 100 is described in detail with reference to Figure 11:
The memory 1001 can be used to store software programs and application modules; the processor 1002 executes the various functional applications and data processing of the server 1000 by running the software programs and application modules stored in the memory 1001. The memory 1001 may mainly comprise a program storage area and a data storage area. The program storage area can store an operating system and the application programs needed for at least one function (such as verification code calculation); the data storage area can store data created by the processing of the server 1000. In addition, the memory 1001 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory, for example at least one disk memory, flash memory device or other volatile solid-state component.
The processor 1002 is the control center of the server 1000 and uses various interfaces and lines to connect the parts of the entire computer.
Specifically, by running or executing the software programs and/or application modules stored in the memory 1001 and calling the data stored in the memory 1001, the processor 1002 can: obtain a first key, a service expiry time and authentication parameters, where the first key is generated by the certificate authority, the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key is generated by the certificate authority from the authentication parameters and the service expiry time;
generate a first verification code from the first key and the client current time;
generate an authentication request that carries the authentication parameters, the service expiry time, the client current time and the first verification code;
and send the authentication request to the server, so that the server verifies from the authentication parameters, the service expiry time, the client current time and the first verification code whether the client is legitimate.
Further, the processor 1002 can also determine the time window in which the client current time lies;
determine the first time T within the time window;
and calculate the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
Further, the processor 1002 can also receive the authentication result sent by the server.
Further, when the authentication result is success, the authentication result includes the time difference between the system time at which the server received the authentication request and the client current time.
The client provided in this apparatus embodiment can be applied in the scenario shown in Figure 1 of the method, implementing the function of the client there. For the other additional functions the client of this apparatus embodiment can implement, and for its interaction with other network elements and devices such as the server, please refer to the description of the client in method embodiments three and four; they are not repeated here.
Embodiment nine
An embodiment of the present invention provides a client certificate authentication system; referring to Figure 12, the system includes:
a CA (certificate authority) center 1101, a client 1102 and a server 1103, where the client 1102 is as in embodiment seven or eight and the server 1103 is as in embodiment five or six.
The same genKey algorithm is deployed in the CA center 1101 and the client 1102. The same genCode algorithm is deployed in the server 1103 and the client 1102.
The CA center 1101 is used to calculate the first key and send it to the client 1102. Specifically, the CA center 1101 can issue the first key together with the License, i.e. the CA center 1101 issues a License to the client 1102, and the License contains the first key.
In the embodiment of the present invention, the second verification code is generated from the second key and the client current time. Since the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, a second verification code that matches the first verification code shows that the authentication parameters uploaded by the client are the same as those held by the CA center. The third verification code is generated from the second key and the system time; since the algorithm used to generate it is the same as the algorithm the client uses to generate the first verification code, a third verification code that matches the first verification code shows that the client current time uploaded by the client is the same as the system time. When the uploaded authentication parameters match the CA center and the client current time matches the system time, it can be seen that, while the server authenticates the client, it does not need to obtain the authentication parameters from the CA center but judges whether the client is legitimate by calculation; thus even when the query service of the CA center is unavailable, the CA center has failed, or the network between the server and the CA center has failed, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is guaranteed.
It should be noted that when the server or client provided in the above embodiments performs client certificate authentication, the division into the functional modules described above is only an example; in practical application the above functions can be assigned to different functional modules as needed, i.e. the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the server or client provided in the above embodiments belongs to the same concept as the client certificate authentication method embodiments; for the specific implementation process refer to the method embodiments, which are not repeated here.
The numbering of the embodiments of the present invention is for description only and does not represent the relative merit of the embodiments.
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (19)

1. A client certificate authentication method, characterized in that it is performed by a server and comprises:
receiving an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, wherein the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
obtaining the system time at which the server receives the authentication request;
generating a second key from the service expiry time and the authentication parameters, the algorithm used to generate the second key being the same as the algorithm the certificate authority uses to generate the first key;
generating a second verification code from the second key and the client current time, the algorithm used to generate the second verification code being the same as the algorithm the client uses to generate the first verification code;
comparing whether the second verification code is the same as the first verification code;
if the second verification code is the same as the first verification code, generating a third verification code from the second key and the system time, the algorithm used to generate the third verification code being the same as the algorithm the client uses to generate the first verification code;
comparing whether the third verification code is the same as the first verification code;
if the third verification code is the same as the first verification code, judging the client authentication result to be success.
2. The method according to claim 1, characterized in that generating the second verification code from the second key and the client current time comprises:
determining the time window in which the client current time lies;
determining a first time T within the time window;
calculating the second verification code as code = genCode(Key, T), where code is the second verification code, genCode is the verification code generation algorithm, and Key is the second key.
3. The method according to claim 1, characterized in that, before generating the second key from the service expiry time and the authentication parameters, the method further comprises:
determining that the system time is earlier than the service expiry time.
4. The method according to claim 1, characterized in that, if the third verification code is not the same as the first verification code, the method further comprises:
starting from the time window in which the system time lies, moving the time window within a predetermined range;
generating a fourth verification code from the second key and the moved time window;
comparing whether the fourth verification code is the same as the first verification code;
if the fourth verification code is the same as the first verification code, judging the client authentication result to be success.
5. The method according to claim 1, characterized in that the method further comprises:
returning an authentication result to the client.
6. The method according to claim 5, characterized in that, when the authentication result is success, the authentication result includes the time difference between the system time and the client current time.
7. A client certificate authentication method, characterized in that it is performed by a client and comprises:
obtaining a first key, a service expiry time and authentication parameters, wherein the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
generating a first verification code from the first key and the client current time;
generating an authentication request and sending the authentication request to a server, the authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code, so that after receiving the authentication request the server obtains the system time at which it received the authentication request; generates a second key from the service expiry time and the authentication parameters, the algorithm used to generate the second key being the same as the algorithm the certificate authority uses to generate the first key; generates a second verification code from the second key and the client current time, the algorithm used to generate the second verification code being the same as the algorithm the client uses to generate the first verification code; compares whether the second verification code is the same as the first verification code; if the second verification code is the same as the first verification code, generates a third verification code from the second key and the system time, the algorithm used to generate the third verification code being the same as the algorithm the client uses to generate the first verification code; compares whether the third verification code is the same as the first verification code; and if the third verification code is the same as the first verification code, judges the client authentication result to be success.
8. The method according to claim 7, characterized in that generating the first verification code from the first key and the client current time comprises:
determining the time window in which the client current time lies;
determining a first time T within the time window;
calculating the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
9. The method according to claim 7, characterized in that, after sending the authentication request to the server, the method further comprises:
receiving an authentication result sent by the server.
10. The method according to claim 9, characterized in that, when the authentication result is success, the authentication result includes the time difference between the system time at which the server received the authentication request and the client current time.
11. A server, characterized in that the server comprises:
a receiving module, for receiving an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, wherein the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
an acquisition module, for obtaining the system time at which the server receives the authentication request;
a processing module, for generating a second key from the service expiry time and the authentication parameters and generating a second verification code from the second key and the client current time, the algorithm used to generate the second key being the same as the algorithm the certificate authority uses to generate the first key, and the algorithm used to generate the second verification code being the same as the algorithm the client uses to generate the first verification code;
comparing whether the second verification code is the same as the first verification code; if the second verification code is the same as the first verification code, generating a third verification code from the second key and the system time; comparing whether the third verification code is the same as the first verification code; and if the third verification code is the same as the first verification code, judging the client authentication result to be success, the algorithm used to generate the third verification code being the same as the algorithm the client uses to generate the first verification code.
12. The server according to claim 11, characterized in that the processing module comprises:
a judging unit, for determining the time window in which the client current time lies;
a searching unit, for determining a first time T within the time window;
a computing unit, for calculating the second verification code as code = genCode(Key, T),
where code is the second verification code, genCode is the verification code generation algorithm, and Key is the second key.
13. The server according to claim 11, characterized in that the processing module is further configured to determine, before generating the second key from the service expiry time and the authentication parameters, that the system time is earlier than the service expiry time.
14. The server according to claim 11, characterized in that the processing module is further configured to, when the third verification code is not the same as the first verification code, start from the time window in which the system time lies and move the time window within a predetermined range; generate a fourth verification code from the second key and the moved time window; compare whether the fourth verification code is the same as the first verification code; and if the fourth verification code is the same as the first verification code, judge the client authentication result to be success.
15. The server according to claim 11, characterized in that the server further comprises:
a sending module, for returning an authentication result to the client.
16. A client, characterized in that the client comprises:
an acquisition module, for obtaining a first key, a service expiry time and authentication parameters, wherein the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
a processing module, for generating a first verification code from the first key and the client current time;
and generating an authentication request, the authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code;
a sending module, for sending the authentication request to a server, so that after receiving the authentication request the server obtains the system time at which it received the authentication request; generates a second key from the service expiry time and the authentication parameters, the algorithm used to generate the second key being the same as the algorithm the certificate authority uses to generate the first key; generates a second verification code from the second key and the client current time, the algorithm used to generate the second verification code being the same as the algorithm the client uses to generate the first verification code; compares whether the second verification code is the same as the first verification code; if the second verification code is the same as the first verification code, generates a third verification code from the second key and the system time, the algorithm used to generate the third verification code being the same as the algorithm the client uses to generate the first verification code; compares whether the third verification code is the same as the first verification code; and if the third verification code is the same as the first verification code, judges the client authentication result to be success.
17. The client according to claim 16, characterized in that the processing module comprises:
a judging unit, for determining the time window in which the client current time lies;
a searching unit, for determining a first time T within the time window;
a computing unit, for calculating the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
18. The client according to claim 16, characterized in that the client further comprises:
a receiving module, for receiving an authentication result sent by the server.
19. a kind of client certificate Verification System, which is characterized in that the client certificate Verification System includes:
Certificate authority, such as claim 11~15 any one of them server and such as any one of claim 16~18 institute The client stated, the certificate authority are used to calculate first key, and be sent to the client.
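The exchange of claims 16, 17 and 19 (certificate authority derives the first key, client computes code = genCode(Key, T) for the first second T of its time window, server re-derives the key and checks the code first against the client-reported time and then against its own system time), as an added worked example in Python. This is not code from the patent or its assignees: the claims fix only that CA and server derive the key the same way and that client and server compute codes the same way, so the HMAC-SHA256 key derivation, the HMAC-based genCode, the 30-second window size, the issuer secret and all sample values below are assumptions made here.

```python
import hashlib
import hmac
import struct

# Assumed parameters: the claims fix only the relationships between the
# algorithms (CA and server derive the key the same way, client and server
# compute codes the same way), not the algorithms or the window size.
TIME_STEP = 30        # seconds per time window (assumption)
CODE_DIGITS = 6       # length of the identifying code (assumption)


def gen_key(auth_params: bytes, service_expiry: int, issuer_secret: bytes) -> bytes:
    """Key derivation shared by the certificate authority (first key, claim 19)
    and the server (second key, claim 16). HMAC-SHA256 over the authentication
    parameters and the service expiry time under an issuer secret is an
    assumed construction, not one the claims specify."""
    material = auth_params + b"|" + str(service_expiry).encode()
    return hmac.new(issuer_secret, material, hashlib.sha256).digest()


def time_window_start(t: int) -> int:
    """Claim 17: the judging unit finds the window containing time t and the
    searching unit takes the first second T of that window."""
    return t - (t % TIME_STEP)


def gen_code(key: bytes, T: int) -> str:
    """code = genCode(Key, T) from claim 17. The HMAC-based dynamic truncation
    used here is an assumption; the claims leave genCode unspecified."""
    mac = hmac.new(key, struct.pack(">Q", T), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def client_build_request(first_key: bytes, auth_params: bytes,
                         service_expiry: int, client_now: int) -> dict:
    """Client processing module: first identifying code from the first key and
    the client current time, packed into the authentication request of claim 16."""
    first_code = gen_code(first_key, time_window_start(client_now))
    return {
        "auth_params": auth_params,
        "service_expiry": service_expiry,
        "client_time": client_now,
        "code": first_code,
    }


def server_authenticate(request: dict, issuer_secret: bytes, server_now: int) -> bool:
    """Server side of claim 16: derive the second key, check the client's code
    against the client-reported time (second code), then against the server's
    own system time (third code). Both comparisons must succeed."""
    second_key = gen_key(request["auth_params"], request["service_expiry"], issuer_secret)
    second_code = gen_code(second_key, time_window_start(request["client_time"]))
    if not hmac.compare_digest(second_code, request["code"]):
        return False                       # code was not produced with this key and time
    third_code = gen_code(second_key, time_window_start(server_now))
    return hmac.compare_digest(third_code, request["code"])   # clocks must agree within one window


# Constructed sample values for a stand-alone run.
ISSUER_SECRET = b"constructed-issuer-secret"
AUTH_PARAMS = b"client-id=demo-client"
SERVICE_EXPIRY = 1_717_200_000     # constructed service expiry timestamp
CLIENT_NOW = 1_700_000_000         # constructed client clock reading


def demo() -> tuple:
    """Returns (result with server clock in the same window, result one window later)."""
    first_key = gen_key(AUTH_PARAMS, SERVICE_EXPIRY, ISSUER_SECRET)   # certificate authority
    request = client_build_request(first_key, AUTH_PARAMS, SERVICE_EXPIRY, CLIENT_NOW)
    same_window = server_authenticate(request, ISSUER_SECRET, CLIENT_NOW + 5)
    next_window = server_authenticate(request, ISSUER_SECRET, CLIENT_NOW + TIME_STEP)
    return same_window, next_window


if __name__ == "__main__":
    print(demo())
```

The second comparison proves the code was made with the right key for the time the client says it used; the third comparison is what bounds clock skew, since a request whose client time falls in a different window from the server's system time is rejected even though the key is correct. Checking the service expiry time itself against the server clock is not part of claim 16 as worded and is left out here.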
CN201410104168.7A 2014-03-20 2014-03-20 client certificate authentication method, server, client and system Active CN104935555B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410104168.7A CN104935555B (en) 2014-03-20 2014-03-20 client certificate authentication method, server, client and system

Publications (2)

Publication Number Publication Date
CN104935555A CN104935555A (en) 2015-09-23
CN104935555B true CN104935555B (en) 2018-06-15

Family

ID=54122528

Country Status (1)

Country Link
CN (1) CN104935555B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109039653A (en) * 2018-08-16 2018-12-18 常熟市顺网网络技术服务有限公司 A kind of network authentication method based on two-way encryption
CN109684791B (en) * 2018-12-26 2020-09-15 飞天诚信科技股份有限公司 Software protection method and device
CN110032864B (en) * 2019-03-08 2023-10-17 平安科技(深圳)有限公司 Dynamic code generation method, device, computer equipment and storage medium
CN110602098B (en) * 2019-09-16 2021-08-24 北京众享比特科技有限公司 Identity authentication method, device, equipment and storage medium
CN112992136A (en) * 2020-12-16 2021-06-18 呼唤(上海)云计算股份有限公司 Intelligent infant monitoring system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007071191A1 (en) * 2005-12-22 2007-06-28 Hong Kong Applied Science and Technology Research Institute Co. Ltd Dual authentications utilizing secure token chains
CN101674284A (en) * 2008-09-08 2010-03-17 联想(北京)有限公司 Authentication method and system, user side server and authentication server
CN102255917A (en) * 2011-08-15 2011-11-23 北京宏基恒信科技有限责任公司 Method, system and device for updating and synchronizing keys of dynamic token
CN103441856A (en) * 2013-09-06 2013-12-11 北京握奇智能科技有限公司 Dynamic password authentication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100581590B1 (en) * 2003-06-27 2006-05-22 주식회사 케이티 Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same

Also Published As

Publication number Publication date
CN104935555A (en) 2015-09-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20211123
    Address after: 215010 room 704, building 5, No. 556, Changjiang Road, high tech Zone, Suzhou, Jiangsu
    Patentee after: SUZHOU YUDESHUI ELECTRICAL TECHNOLOGY Co.,Ltd.
    Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
    Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20221223
    Address after: No. 155, Chemical Road, Boxing Economic Development Zone, Boxing County, Binzhou City, Shandong Province, 256599
    Patentee after: Shandong rongzhixin Enterprise Consulting Service Co.,Ltd.
    Address before: 215010 room 704, building 5, No. 556, Changjiang Road, high tech Zone, Suzhou, Jiangsu
    Patentee before: SUZHOU YUDESHUI ELECTRICAL TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20231108
    Address after: 542800 No.7 building, phase III, eco industrial park, Hezhou City, Guangxi Zhuang Autonomous Region
    Patentee after: Guangxi Xianglan Technology Co.,Ltd.
    Address before: No. 155, Chemical Road, Boxing Economic Development Zone, Boxing County, Binzhou City, Shandong Province, 256599
    Patentee before: Shandong rongzhixin Enterprise Consulting Service Co.,Ltd.