Client certificate authentication method, server, client and system
Technical field
The present invention relates to the field of communication technology, and more particularly to a client certificate authentication method, server, client and system.
Background technology
With the rapid development of Internet technology, the identity authentication techniques used in Internet applications have become more diverse. Among them, digital certificate authentication is an identity authentication technique with a high level of security: the identity of the client is authenticated by means of a digital certificate (License), and the License is issued by an authoritative institution, the Certificate Authority ("CA") center.
Specifically, the digital certificate authentication process is as follows: the CA center produces the License and issues it together with the client or product, and stores the License and its associated authorization information in a database; before using the service, the service user installs the client and the License; the client sends an authentication request, which carries the License information, to the server; the server queries the CA center according to the License information to authenticate the identity of the client; and the server returns the authentication result to the client.
The inventor has found that the prior art has at least the following problem:
If the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the query-based authentication cannot be carried out, client authentication is affected, and as a result the service cannot be used normally.
Summary of the invention
In order to solve the problem in the prior art that the service cannot be used normally when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, embodiments of the present invention provide a client certificate authentication method, server, client and system. The technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a client certificate authentication method performed by a server. The method includes:
receiving an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
obtaining the system time at which the server receives the authentication request;
generating a second key from the service expiry time and the authentication parameters, the algorithm used to generate the second key being the same as the algorithm used by the certificate authority to generate the first key;
generating a second verification code from the second key and the client current time, the algorithm used to generate the second verification code being the same as the algorithm used by the client to generate the first verification code;
comparing whether the second verification code is identical to the first verification code;
if the second verification code is identical to the first verification code, generating a third verification code from the second key and the system time, the algorithm used to generate the third verification code being the same as the algorithm used by the client to generate the first verification code;
comparing whether the third verification code is identical to the first verification code;
if the third verification code is identical to the first verification code, determining that the client authentication result is success.
With reference to the first aspect, in a first possible implementation of the first aspect, generating the second verification code from the second key and the client current time includes:
determining the time window in which the client current time falls;
determining the first time T in the time window;
calculating the second verification code as code=genCode(Key, T), where code is the second verification code, genCode is the verification-code generation algorithm, and Key is the second key.
With reference to the first aspect, in a second possible implementation of the first aspect, before generating the second key from the service expiry time and the authentication parameters, the method further includes:
determining that the system time is earlier than the service expiry time.
With reference to the first aspect, in a third possible implementation of the first aspect, if the third verification code differs from the first verification code, the method further includes:
taking the time window in which the system time falls as the base, shifting the time window within a preset range;
generating a fourth verification code from the second key and the shifted time window;
comparing whether the fourth verification code is identical to the first verification code;
if the fourth verification code is identical to the first verification code, determining that the client authentication result is success.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
returning the authentication result to the client.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, when the authentication result is success, the authentication result includes the time difference between the system time and the client current time.
In a second aspect, an embodiment of the present invention further provides a client certificate authentication method performed by a client. The method includes:
obtaining a first key, a service expiry time and authentication parameters, the authentication parameters including at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key being generated by a certificate authority from the authentication parameters and the service expiry time;
generating a first verification code from the first key and the client current time;
generating an authentication request and sending the authentication request to a server, the authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code, so that after receiving the authentication request the server: obtains the system time at which it received the authentication request; generates a second key from the service expiry time and the authentication parameters, using the same algorithm as the certificate authority uses to generate the first key; generates a second verification code from the second key and the client current time, using the same algorithm as the client uses to generate the first verification code; compares whether the second verification code is identical to the first verification code; if the second verification code is identical to the first verification code, generates a third verification code from the second key and the system time, using the same algorithm as the client uses to generate the first verification code; compares whether the third verification code is identical to the first verification code; and if the third verification code is identical to the first verification code, determines that the client authentication result is success.
With reference to the second aspect, in a first possible implementation of the second aspect, generating the first verification code from the first key and the client current time includes:
determining the time window in which the client current time falls;
determining the first time T in the time window;
calculating the first verification code as code=genCode(Key, T), where code is the first verification code, genCode is the verification-code generation algorithm, and Key is the first key.
With reference to the second aspect, in a second possible implementation of the second aspect, after sending the authentication request to the server, the method further includes:
receiving the authentication result sent by the server.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, when the authentication result is success, the authentication result includes the time difference between the system time at which the server received the authentication request and the client current time.
In a third aspect, an embodiment of the present invention further provides a server. The server includes:
a receiving module, configured to receive an authentication request sent by a client, the authentication request including authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version, the first verification code is generated by the client from a first key and the client current time, and the first key is generated by a certificate authority from the authentication parameters and the service expiry time;
an acquisition module, configured to obtain the system time at which the server receives the authentication request;
a processing module, configured to generate a second key from the service expiry time and the authentication parameters and to generate a second verification code from the second key and the client current time, the algorithm used to generate the second key being the same as the algorithm used by the certificate authority to generate the first key, and the algorithm used to generate the second verification code being the same as the algorithm used by the client to generate the first verification code;
to compare whether the second verification code is identical to the first verification code and, if the second verification code is identical to the first verification code, to generate a third verification code from the second key and the system time; and to compare whether the third verification code is identical to the first verification code and, if the third verification code is identical to the first verification code, to determine that the client authentication result is success, the algorithm used to generate the third verification code being the same as the algorithm used by the client to generate the first verification code.
With reference to the third aspect, in a first possible implementation of the third aspect, the processing module includes:
a judging unit, configured to determine the time window in which the client current time falls;
a searching unit, configured to determine the first time T in the time window;
a computing unit, configured to calculate the second verification code as code=genCode(Key, T), where code is the second verification code, genCode is the verification-code generation algorithm, and Key is the second key.
With reference to the third aspect, in a second possible implementation of the third aspect, the processing module is further configured to determine, before generating the second key from the service expiry time and the authentication parameters, that the system time does not exceed the service expiry time.
With reference to the third aspect, in a third possible implementation of the third aspect, the processing module is further configured, when the third verification code differs from the first verification code, to shift the time window within a preset range taking the time window in which the system time falls as the base; to generate a fourth verification code from the second key and the shifted time window; to compare whether the fourth verification code is identical to the first verification code; and, if the fourth verification code is identical to the first verification code, to determine that the client authentication result is success.
With reference to the third aspect, in a fourth possible implementation of the third aspect, the server further includes:
a sending module, configured to return the authentication result to the client.
In a fourth aspect, an embodiment of the present invention further provides a client. The client includes:
an acquisition module, configured to obtain a first key, a service expiry time and authentication parameters, the authentication parameters including at least one of a customer name, a serial number, a service identifier, a model and a version, and the first key being generated by a certificate authority from the authentication parameters and the service expiry time;
a processing module, configured to generate a first verification code from the first key and the client current time, and to generate an authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code;
a sending module, configured to send the authentication request to a server, so that after receiving the authentication request the server: obtains the system time at which it received the authentication request; generates a second key from the service expiry time and the authentication parameters, using the same algorithm as the certificate authority uses to generate the first key; generates a second verification code from the second key and the client current time, using the same algorithm as the client uses to generate the first verification code; compares whether the second verification code is identical to the first verification code; if the second verification code is identical to the first verification code, generates a third verification code from the second key and the system time, using the same algorithm as the client uses to generate the first verification code; compares whether the third verification code is identical to the first verification code; and if the third verification code is identical to the first verification code, determines that the client authentication result is success.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the processing module includes:
a judging unit, configured to determine the time window in which the client current time falls;
a searching unit, configured to determine the first time T in the time window;
a computing unit, configured to calculate the first verification code as code=genCode(Key, T), where code is the first verification code, genCode is the verification-code generation algorithm, and Key is the first key.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the client further includes:
a receiving module, configured to receive the authentication result sent by the server.
In a fifth aspect, an embodiment of the present invention further provides a client certificate authentication system. The client certificate authentication system includes:
a certificate authority, the server described above and the client described above, where the certificate authority is configured to calculate the first key and send it to the client.
The technical solution provided by the embodiments of the present invention brings the following advantageous effect:
The second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held by the CA center. The third verification code is generated from the second key and the system time. Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time. It can thus be seen that, while authenticating the client, the server does not need to query the CA center for the authentication parameters, but judges whether the client is legitimate by calculation. Therefore, even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client; the client's use of the service is not affected, and normal use of the service is ensured.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the client certificate authentication method provided by Embodiment one of the present invention;
Fig. 3 is a flow chart of the client certificate authentication method provided by Embodiment two of the present invention;
Fig. 4 is a flow chart of the client certificate authentication method provided by Embodiment three of the present invention;
Fig. 5 is a flow chart of the client certificate authentication method provided by Embodiment four of the present invention;
Fig. 6 is a structural diagram of the server provided by Embodiment five of the present invention;
Fig. 7 is a structural diagram of the server provided by Embodiment six of the present invention;
Fig. 8 is a structural diagram of a server provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of the client provided by Embodiment seven of the present invention;
Fig. 10 is a structural diagram of the client provided by Embodiment eight of the present invention;
Fig. 11 is a structural diagram of a client provided by an embodiment of the present invention;
Fig. 12 is a structural diagram of the client certificate authentication system provided by Embodiment nine of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
For convenience of describing the content of the embodiments of the present application, the application scenario of the present application is first explained with reference to Fig. 1. As shown in Fig. 1, the client 12 and the CA (certificate authority) center 11 are connected through a network, and the client 12 and the server 13 are connected through a network; unlike a general authentication scenario, no connection is required between the CA center 11 and the server 13.
Before being authenticated by the server 13, the client 12 first needs to send the authentication parameters to the CA center 11. Besides being responsible for producing the License, the CA center 11 also needs to calculate the first key from the authentication parameters and then send it to the client 12. The client 12 generates the first verification code from the first key and then sends an authentication request to the server 13. The server 13 completes the authentication of the client 12 by means of the authentication request; how the authentication is performed is described in detail in the embodiments below. It should also be noted that the same key algorithm (the genKey algorithm) is deployed in the CA center 11 and the server 13, and the same verification-code algorithm (the genCode algorithm) is deployed in the server 13 and the client 12.
Embodiment one
An embodiment of the present invention provides a client certificate authentication method performed by a server. Referring to Fig. 2, the method includes:
Step 101: The server receives an authentication request sent by a client. The authentication request includes authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first verification code is generated by the client, before the authentication request is made, from a first key and the client current time. The first key is generated by the CA center from the authentication parameters and the service expiry time, and is configured on the client together with the License.
Step 102: Obtain the system time at which the server receives the authentication request.
Step 103: Generate a second key from the service expiry time and the authentication parameters.
It should be noted that the algorithm used here to generate the second key is the same as the algorithm the CA center uses to generate the first key.
Step 104: Generate a second verification code from the second key and the client current time.
It should be noted that the algorithm used here to generate the second verification code is the same as the algorithm the client uses to generate the first verification code.
Step 105: Compare whether the second verification code is identical to the first verification code; if the second verification code is identical to the first verification code, generate a third verification code from the second key and the system time.
Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held by the CA center. The algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code.
Step 106: Compare whether the third verification code is identical to the first verification code; if the third verification code is identical to the first verification code, determine that the client authentication result is success.
Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time, and at this point the client authentication result is determined to be success.
In the embodiment of the present invention, the second verification code is generated from the second key and the client current time. Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held by the CA center. The third verification code is generated from the second key and the system time. Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time. When the authentication parameters uploaded by the client are identical to those held by the CA center and the client current time is identical to the system time, it can be seen that, while authenticating the client, the server does not need to query the CA center for the authentication parameters, but judges whether the client is legitimate by calculation. Therefore, even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client; the client's use of the service is not affected, and normal use of the service is ensured.
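As an added worked example (not code from the patent), the Fig. 1 exchange and steps 101 to 106 in Python, with the CA center, the client and the server as three functions. The page does not specify the internals of genKey and genCode, so both are assumed here to be HMAC-SHA256; genKey is additionally keyed with a CA master secret shared only by the CA center and the server, an assumption that matters because a key derivable from the public parameters alone would let anyone produce a valid first verification code. The parameter values, timestamps and the 5-minute window length are constructed.

```python
import hashlib
import hmac

# Constructed demo values (assumptions; the page does not define genKey's
# internals or a window length beyond the 5-minute figures in its example).
CA_MASTER_SECRET = b"demo-ca-master-secret"  # held by the CA center and the server only
WINDOW_SECONDS = 300


def gen_key(params: dict, expire: int) -> bytes:
    """genKey(p1, ..., pn, expire): derive the key from the authentication
    parameters and the service expiry time. Implemented here as an HMAC over a
    canonical encoding of the parameters, keyed with the CA master secret, so a
    party without that secret cannot derive keys for parameters of its choosing."""
    canonical = "|".join(f"{k}={params[k]}" for k in sorted(params))
    canonical += f"|expire={expire}"
    return hmac.new(CA_MASTER_SECRET, canonical.encode(), hashlib.sha256).digest()


def window_first_time(ts: int) -> int:
    """First time T of the non-overlapping time window containing ts."""
    return ts - (ts % WINDOW_SECONDS)


def gen_code(key: bytes, ts: int) -> str:
    """genCode(Key, T): verification code for the window containing ts."""
    t = window_first_time(ts)
    return hmac.new(key, str(t).encode(), hashlib.sha256).hexdigest()[:16]


def ca_issue_first_key(params: dict, expire: int) -> bytes:
    """CA center 11: calculate the first key and hand it to the client."""
    return gen_key(params, expire)


def client_build_request(first_key: bytes, params: dict, expire: int,
                         client_now: int) -> dict:
    """Client 12: first verification code from the first key and its own clock."""
    return {
        "params": params,
        "expire": expire,
        "client_time": client_now,
        "code1": gen_code(first_key, client_now),
    }


def server_authenticate(request: dict, server_now: int) -> bool:
    """Server 13, steps 103 to 106: no CA query, only recomputation."""
    key2 = gen_key(request["params"], request["expire"])        # step 103
    code2 = gen_code(key2, request["client_time"])              # step 104
    if not hmac.compare_digest(code2, request["code1"]):        # step 105
        return False  # parameters or expiry differ from what the CA keyed
    code3 = gen_code(key2, server_now)                          # step 106
    return hmac.compare_digest(code3, request["code1"])


if __name__ == "__main__":
    params = {"customer": "acme", "serial": "SN-0001", "service": "svc-a",
              "model": "m1", "version": "1.0"}
    expire = 1_700_086_400  # constructed expiry timestamp
    first_key = ca_issue_first_key(params, expire)
    req = client_build_request(first_key, params, expire, 1_700_000_000)
    print(server_authenticate(req, 1_700_000_050))  # same window: True
```

The server never contacts the CA center: it only needs the shared genKey secret and the same window division as the client. A request whose parameters were altered after the CA issued the key fails at step 105, and a request whose client time falls in a different window from the server's fails at step 106 (Embodiment two adds the shifted-window tolerance for that case).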
Embodiment two
An embodiment of the present invention provides a client certificate authentication method performed by a server. Referring to Fig. 3, the method includes:
Step 201: The server receives an authentication request sent by a client. The authentication request includes authentication parameters, a service expiry time, a client current time and a first verification code, where the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first verification code is generated by the client, before the authentication request is made, from a first key and the client current time. The first key is generated by the CA center from the authentication parameters and the service expiry time, and is configured on the client together with the License. The first key has a validity-period limit, which is also the client's service expiry time; for example, the maximum validity period does not exceed 24 hours, so the client needs to authenticate in time before the first key expires.
Step 202: Obtain the system time at which the server receives the authentication request.
Step 203: Determine whether the system time exceeds the service expiry time. If the system time is earlier than the service expiry time, perform step 204; if the system time exceeds the service expiry time, determine that the client authentication result is failure, terminate the flow, and return the authentication result to the client.
By comparing whether the system time exceeds the service expiry time, the server judges whether the client's service has expired, and when the system time exceeds the service expiry time it determines that the client authentication result is failure. However, step 203 can only judge expiry for those clients that report the service expiry time truthfully; for clients that do not report the service expiry time truthfully, the judgement must continue in the subsequent steps.
Of course, step 203 is an optional step, and step 204 may be performed directly after step 202, but performing step 203 improves authentication efficiency.
Step 204: Generate a second key from the service expiry time and the authentication parameters.
Specifically, step 204 includes:
calculating the second key as Key=genKey(p1, p2, ..., pn, expire),
where Key is the second key, genKey is the key generation algorithm, p1 to pn are the authentication parameters, and expire is the service expiry time.
It should be noted that the key generation algorithm used here to generate the second key is the same as the key generation algorithm the CA center uses to generate the first key.
Step 205: Generate a second verification code from the second key and the client current time.
Specifically, step 205 includes:
Step 1: Determine the time window in which the client current time falls; a time window is a period of time.
Step 2: Determine the first time T in the time window. This first time is used to calculate the second verification code and can be preset; within a time window, the first time may be the start time of the window, the end time of the window, or an arbitrarily set time point.
Step 3: Calculate the second verification code as code=genCode(Key, T), where code is the second verification code, genCode is the verification-code generation algorithm, and Key is the second key.
It should be noted that the algorithm used here to generate the second verification code is the same as the algorithm the client uses to generate the first verification code. In addition, the division of time windows can be preset in the client and the server in advance to ensure that the division of time windows is consistent. It should be noted that when dividing time windows, adjacent time windows must not overlap.
Step 206: Compare whether the second verification code is identical to the first verification code. If the second verification code is identical to the first verification code, perform step 207; if the second verification code differs from the first verification code, determine that the client authentication result is failure, terminate the flow, and return the authentication result to the client.
Because the algorithm used to generate the second key is the same as the algorithm the CA center uses to generate the first key, when the second verification code is identical to the first verification code, the authentication parameters uploaded by the client are identical to those held by the CA center.
Step 207: Generate a third verification code from the second key and the system time.
The specific calculation of the third verification code is the same as that of the second verification code.
Step 208: Compare whether the third verification code is identical to the first verification code. If the third verification code is identical to the first verification code, determine that the client authentication result is success and return the authentication result to the client; if the third verification code differs from the first verification code, perform step 209.
Because the algorithm used to generate the third verification code is the same as the algorithm the client uses to generate the first verification code, when the third verification code is identical to the first verification code, the client current time uploaded by the client is identical to the system time, and at this point the client authentication result is determined to be success.
Step 209: Taking the time window in which the system time falls as the base, shift the time window within a preset range, and generate a fourth verification code from the second key and the shifted time window.
A time window is a period of time; for example, the period from 10:00 to 10:05 is called a time window of length 5 minutes. From the formula in step 205 it can be seen that, for a given time window, the second verification code calculated for any time point within that window is the same as long as Key is the same. That is, for any time within the window, when Key is the same, the verification code generated by genCode is the same.
Steps 209 and 210 are optional steps; in a specific implementation, when the third verification code differs from the first verification code, the client authentication result may also be directly determined to be failure. Because the time of the client and the time of the server may be inconsistent (the client may be ahead of or behind the server), the time window can be shifted for fault tolerance: when the difference between the client current time and the server time is small, authentication can still succeed. The range over which the time window can be shifted depends on the system's preset tolerance for time deviation; if the client current time deviates from the system time by more than the preset amount, the server refuses service. For example, suppose the client current time is 10:24 and the system time is 10:32 (which falls in the time window 10:30 to 10:35). If the window may be shifted forward or backward by up to 3 time windows (i.e. from 10:15 to 10:50), the window 10:20 to 10:25 is eventually reached, the verification code calculated there is identical to the first verification code, and authentication passes.
Step 210: Compare whether the fourth identifying code is identical with the first identifying code. If the fourth identifying code is identical with the first identifying code, judge the client certificate authentication result to be success and return the authentication result to the client; if the fourth identifying code differs from the first identifying code, judge the client certificate authentication result to be failure and return the authentication result to the client, or return to step 209.
In detail: compare whether the fourth identifying code is identical with the first identifying code. When the fourth identifying code is identical with the first identifying code, judge the client certificate authentication result to be success. When the fourth identifying code differs from the first identifying code, judge whether the number of executions of step 209 has reached a predetermined number; if it has, judge the client certificate authentication result to be failure, and if it has not, execute step 209 again.
It should be noted that, in a concrete implementation, step 209 may be executed exactly once; in that case there is no need to judge whether the number of executions of step 209 has reached the predetermined number, and the client certificate authentication result is directly judged to be failure. In another implementation, it may also be judged whether the preset time windows are used up: if they are used up, the client certificate authentication result is judged to be failure; if they are not used up, step 209 is executed again.
Further, the method also includes: when authentication succeeds, the server calculates the time difference between the system time and the client current time and returns the time difference to the client, that is, the authentication result includes the time difference between the system time and the client current time. In this way, at the next request the client can adjust the client current time it reports according to this time difference, so the server no longer needs to move the time window in order to authenticate, which shortens the authentication time.
Further, when the authentication result is returned to the client, if the authentication result is failure, the reason for the client certificate authentication failure can also be told to the client by returning different error codes. For example, when authentication fails at step 203, error code 0x0006019A is returned; when authentication fails at step 206, error code 0x00070190 is returned; when authentication fails at step 210, error code 0x000701A0 is returned.
In the embodiment of the present invention, the second identifying code is generated according to the second key and the client current time. Since the algorithm used to generate the second key is identical with the algorithm used by the CA center to generate the first key, when the second identifying code is identical with the first identifying code this shows that the parameters for authentication uploaded by the client are identical with those at the CA center. The third identifying code is generated according to the second key and the system time; since the algorithm used to generate the second and third identifying codes is identical with the algorithm used by the client to generate the first identifying code, when the third identifying code is identical with the first identifying code this shows that the client current time uploaded by the client is identical with the system time. The client is judged legal when the parameters for authentication uploaded by the client are identical with those at the CA center and the client current time is identical with the system time. It can thus be seen that, in the process of the server authenticating the client, the server does not need to obtain the parameters for authentication from the CA center but judges whether the client is legal by calculation. So even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is ensured.
Embodiment three
An embodiment of the present invention provides a client certificate authentication method executed by the client. Referring to Fig. 4, the method includes:
Step 301: The client obtains the first key, the service expired time and the parameters for authentication, where the parameters for authentication include at least one of customer name, sequence number, service identification, model and version.
The first key is generated by the CA center according to the parameters for authentication and the service expired time, and is configured to the client together with the License. The first key has a validity-period limit, and this validity period is also the service expired time of the client; for example, the maximum validity period does not exceed 24 hours, so the client needs to authenticate in time before the first key expires.
Step 302: The first identifying code is generated using the first key and the client current time.
It should be noted that the algorithm used here to generate the first identifying code is identical with the algorithm used to generate the identifying codes in the server.
Step 303: Generate a certification request and send it to the server. The certification request carries the parameters for authentication, the service expired time, the client current time and the first identifying code, so that the server verifies whether the client is legal according to the parameters for authentication, the service expired time, the client current time and the first identifying code.
In the embodiment of the present invention, the client calculates the first identifying code according to the first key issued by the CA center and sends the parameters for authentication, the service expired time, the client current time and the first identifying code to the server. The server can then generate the second key using an algorithm identical with the one the CA center uses to generate the first key, and generate the second identifying code and the third identifying code using an algorithm identical with the one the client uses to generate the first identifying code, so as to judge whether the parameters for authentication uploaded by the client and the client current time are correct and thereby complete authentication. It can thus be seen that, in the process of the server authenticating the client, the server does not need to obtain the parameters for authentication from the CA center but judges whether the client is legal by calculation. So even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is ensured.
Example IV
An embodiment of the present invention provides a client certificate authentication method executed by the client. Referring to Fig. 5, the method includes:
Step 401: The client obtains the first key, the service expired time and the parameters for authentication, where the parameters for authentication include at least one of customer name, sequence number, service identification, model and version.
The first key is generated by the CA center according to the parameters for authentication and the service expired time, and is configured to the client together with the License. The first key has a validity-period limit, and this validity period is also the service expired time of the client; for example, the maximum validity period does not exceed 24 hours, so the client needs to authenticate in time before the first key expires.
Step 402: The first identifying code is generated using the first key and the client current time.
The algorithm used here to generate the first identifying code is identical with the algorithm used to generate the identifying codes in the server. Specifically, it can be realized in the following manner:
Step 1: Judge the time window where the client current time is located.
Step 2: Determine the first time T in the time window. This first time is used to calculate the first identifying code and can be set in advance; within a time window, the first time can be the initial time of the time window, the end time of the time window, or an arbitrarily set time point.
Step 3: Calculate the first identifying code using code = genCode(Key, T), where code is the first identifying code, genCode is the identifying code generating algorithm, and Key is the first key.
Step 403: Generate a certification request and send it to the server. The certification request carries the parameters for authentication, the service expired time, the client current time and the first identifying code, so that the server verifies whether the client is legal according to the parameters for authentication, the service expired time, the client current time and the first identifying code.
Step 404: Receive the authentication result sent by the server.
When the authentication result is failure, the authentication result may also carry an error code, which shows the client the reason for the authentication failure. For example, error code 0x0006019A represents that the service is expired, i.e. the system time exceeds the expired time; a further error code represents an information error, i.e. the authentication information the client uploaded to the server differs from the authentication information uploaded to the CA center; error code 0x000701A0 represents a time error, i.e. the client current time differs from the system time, or exceeds the preset deviation.
When the authentication result is success, the authentication result may also carry a time difference, which refers to the difference between the system time when the server received the certification request and the client current time. In the next certification request, the client can adjust the client current time it reports according to this time difference, so the server no longer needs to move the time window in order to authenticate, which shortens the authentication time.
In the embodiment of the present invention, the client calculates the first identifying code according to the first key issued by the CA center and sends the parameters for authentication, the service expired time, the client current time and the first identifying code to the server. The server can then generate the second key using an algorithm identical with the one the CA center uses to generate the first key, and generate the second identifying code and the third identifying code using an algorithm identical with the one the client uses to generate the first identifying code, so as to judge whether the parameters for authentication uploaded by the client and the client current time are correct. It can thus be seen that, in the process of the server authenticating the client, the server does not need to obtain the parameters for authentication from the CA center but judges whether the client is legal by calculation. So even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is ensured.
Embodiment five
An embodiment of the present invention provides a server. Referring to Fig. 6, the server includes:
Receiving module 501, for receiving the certification request sent by the client. The certification request includes the parameters for authentication, the service expired time, the client current time and the first identifying code, where the parameters for authentication include at least one of customer name, sequence number, service identification, model and version.
The first identifying code is generated by the client, before it sends the certification request, according to the first key and the client current time; the first key is generated by the CA center according to the parameters for authentication and the service expired time, and is configured to the client together with the License.
Acquisition module 502, for obtaining the system time when the server receives the certification request.
Processing module 503, for generating the second key using the service expired time and the parameters for authentication, and generating the second identifying code using the second key and the client current time; comparing whether the second identifying code is identical with the first identifying code; if the second identifying code is identical with the first identifying code, generating the third identifying code using the second key and the system time and comparing whether the third identifying code is identical with the first identifying code; and if the third identifying code is identical with the first identifying code, judging the client certificate authentication result to be success.
It should be noted that the algorithm used here to generate the second key is identical with the algorithm used by the CA center to generate the first key; the algorithm used to generate the second identifying code is identical with the algorithm used by the client to generate the first identifying code; and the algorithm used to generate the third identifying code is identical with the algorithm used by the client to generate the first identifying code.
In the embodiment of the present invention, the second identifying code is generated according to the second key and the client current time. Since the algorithm used to generate the second key is identical with the algorithm used by the CA center to generate the first key, when the second identifying code is identical with the first identifying code this shows that the parameters for authentication uploaded by the client are identical with those at the CA center. The third identifying code is generated according to the second key and the system time; since the algorithm used to generate the second and third identifying codes is identical with the algorithm used by the client to generate the first identifying code, when the third identifying code is identical with the first identifying code this shows that the client current time uploaded by the client is identical with the system time. The client is judged legal when the parameters for authentication uploaded by the client are identical with those at the CA center and the client current time is identical with the system time. It can thus be seen that, in the process of the server authenticating the client, the server does not need to obtain the parameters for authentication from the CA center but judges whether the client is legal by calculation. So even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is ensured.
Embodiment six
An embodiment of the present invention provides a server. Referring to Fig. 7, the server includes:
Receiving module 601, for receiving the certification request sent by the client and at the same time obtaining the system time. The certification request includes the parameters for authentication, the service expired time, the client current time and the first identifying code, where the parameters for authentication include at least one of customer name, sequence number, service identification, model and version.
The first identifying code is generated by the client, before it sends the certification request, according to the first key and the client current time; the first key is generated by the CA center according to the parameters for authentication and the service expired time, and is configured to the client together with the License. The first key has a validity-period limit, and this validity period is also the service expired time of the client; for example, the maximum validity period does not exceed 24 hours, so the client needs to authenticate in time before the first key expires.
Acquisition module 602, for obtaining the system time when the server receives the certification request.
Processing module 603, for generating the second key according to the service expired time and the parameters for authentication, and generating the second identifying code according to the second key and the client current time; comparing whether the second identifying code is identical with the first identifying code; if the second identifying code is identical with the first identifying code, generating the third identifying code according to the second key and the system time and comparing whether the third identifying code is identical with the first identifying code; and if the third identifying code is identical with the first identifying code, judging the client certificate authentication result to be success.
It should be noted that the algorithm used here to generate the second key is identical with the algorithm used by the CA center to generate the first key; the algorithm used to generate the second identifying code is identical with the algorithm used by the client to generate the first identifying code; and the algorithm used to generate the third identifying code is identical with the algorithm used by the client to generate the first identifying code.
On the one hand, since the algorithm used to generate the second key is identical with the algorithm used by the CA center to generate the first key, when the second identifying code is identical with the first identifying code this shows that the parameters for authentication uploaded by the client are identical with those at the CA center. On the other hand, since the algorithm used to generate the third identifying code is identical with the algorithm used by the client to generate the first identifying code, when the third identifying code is identical with the first identifying code this shows that the client current time uploaded by the client is identical with the system time, and at this point the client certificate authentication result is judged to be success.
In the present embodiment, processing module 603 calculates the second key in the following manner: the second key is calculated using Key = genKey(p1, p2, ..., pn, expire), where Key is the second key, genKey is the key generation algorithm, p1 to pn are the parameters for authentication, and expire is the service expired time.
In the present embodiment, processing module 603 includes:
Judging unit, for judging the time window where the client current time is located, a time window being a period of time.
Searching unit, for determining the first time T in the time window. This first time is used to calculate the second identifying code and can be set in advance; within a time window, the first time can be the initial time of the time window, the end time of the time window, or an arbitrarily set time point.
Computing unit, for calculating the second identifying code using code = genCode(Key, T), where code is the second identifying code, genCode is the identifying code generating algorithm, and Key is the second key.
It should be noted that the division of time windows can be preset in both the client and the server in advance, to ensure that the time windows are divided consistently.
Further, processing module 603 is also used to determine, before generating the second key according to the service expired time and the parameters for authentication, that the system time is less than the service expired time; when the system time is less than the service expired time, the second key is generated according to the service expired time and the parameters for authentication.
It should be noted that if processing module 603 determines that the system time exceeds the service expired time, the client certificate authentication result is judged to be failure and the authentication result is returned to the client.
By comparing whether the service expired time exceeds the system time, the server judges whether the client's service has expired: when the system time exceeds the service expired time, the client certificate authentication result is judged to be failure. However, this check can only determine expiry for clients that report the service expired time truthfully; clients that do not report the service expired time truthfully must still be judged by the subsequent steps. This check improves authentication efficiency.
Specifically, processing module 603 is also used to, when the third identifying code differs from the first identifying code, move the time window within a predetermined range taking the time window where the system time is located as the basis; generate the fourth identifying code using the second key and the moved time window; compare whether the fourth identifying code is identical with the first identifying code; and if the fourth identifying code is identical with the first identifying code, judge the client certificate authentication result to be success.
In addition, if the calculated fourth identifying code differs from the first identifying code, the time window is moved again and the fourth identifying code is recalculated, until the fourth identifying codes calculated for all time windows in the range differ from the first identifying code, at which point the client certificate authentication result is judged to be failure.
A time window refers to a period of time; for example, the period from 10:00 to 10:05 is called a time window of length 5 minutes. From the formula in step 204 it can be seen that, for one time window, the second identifying code calculated at any time point belonging to that window is the same, provided Key is the same. That is, at any time within a time window, when Key is identical, the identifying code generated by genCode is identical.
Because the times of the client and the server may be inconsistent (the client may be earlier or later than the server), we can solve this problem by moving the time window, for the sake of fault tolerance. When the difference between the client current time and the server time is small, authentication can still pass. The range over which the time window can move depends on the system's preset tolerance to time deviation. If the client current time deviates from the system time by more than the predetermined amount, the server refuses service. Moving the time window serves fault tolerance. For example, the client current time is 10:24 and the system time is 10:32 (which belongs to the time window from 10:30 to 10:35); if moving forward or backward by 3 time windows is allowed (i.e. from 10:15 to 10:50), the window from 10:20 to 10:25 is finally reached, the identifying code calculated for that window is identical with the first identifying code, and the authentication passes.
Further, the server also includes sending module 604, for returning the authentication result to the client.
Further, when authentication succeeds, the authentication result includes the time difference between the system time and the client current time, so that at the next request the client can adjust the client current time it reports according to this time difference. In this way the server no longer needs to move the time window in order to authenticate, which shortens the authentication time.
Further, when authentication fails, the authentication result can also tell the client the reason for the authentication failure by returning different error codes. For example, error code 0x0006019A represents that the service is expired, i.e. the system time exceeds the expired time; a further error code represents an information error, i.e. the authentication information the client uploaded to the server differs from the authentication information uploaded to the CA center; error code 0x000701A0 represents a time error, i.e. the client current time differs from the system time, or exceeds the preset deviation.
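The time-window scheme of steps 209 and 210 above, of steps 402 to 404 in embodiment four, and of processing module 603 here, as an added Python model (not the patent's own code): genKey and genCode are instantiated with HMAC-SHA256, the time window is 5 minutes, the first time T is the window's initial time, the CA master secret that the server shares is assumed, and the parameter values and clock times are constructed; the error codes are those the patent lists.

```python
"""Constructed model of the time-window identifying code scheme (not patent code).

Assumptions: genKey/genCode = HMAC-SHA256, 5-minute windows identified by their
initial time, 8-hex-digit codes, and a CA master secret that the server also
holds (this is what "the same algorithm as the CA center" implies in practice).
"""
import hashlib
import hmac

WINDOW_SECONDS = 5 * 60     # one time window is 5 minutes (patent's example)
MAX_WINDOW_SHIFT = 3        # predetermined range: up to 3 windows either way

# Error codes as listed in the patent.
ERR_SERVICE_EXPIRED = 0x0006019A   # system time exceeds service expired time
ERR_INFO_MISMATCH = 0x00070190     # second identifying code != first (step 206)
ERR_TIME_MISMATCH = 0x000701A0     # no window in range reproduces the code

CA_SECRET = b"constructed-ca-master-secret"   # constructed sample value


def gen_key(params: dict, expire: int, ca_secret: bytes = CA_SECRET) -> bytes:
    """Key = genKey(p1, ..., pn, expire). Sorting and delimiting the parameters
    makes the encoding unambiguous, so the client's and server's keys agree."""
    msg = b"".join(f"{k}={v};".encode() for k, v in sorted(params.items()))
    msg += f"expire={expire}".encode()
    return hmac.new(ca_secret, msg, hashlib.sha256).digest()


def window_of(t: int) -> int:
    """Step 1: the time window containing t, identified by its initial time T."""
    return t - (t % WINDOW_SECONDS)


def gen_code(key: bytes, t: int) -> str:
    """code = genCode(Key, T). Every time point inside one window yields the same
    code, because only the window's first time T enters the MAC."""
    T = window_of(t)
    return hmac.new(key, T.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def client_request(first_key: bytes, params: dict, expire: int,
                   client_now: int, time_diff: int = 0) -> dict:
    """Client side (steps 401-403): build the certification request. time_diff is
    the correction the server returned on a previous success; applying it lets
    the server match without moving windows."""
    reported = client_now + time_diff
    return {"params": params, "expire": expire,
            "client_time": reported, "code": gen_code(first_key, reported)}


def server_verify(req: dict, system_time: int):
    """Server side (steps 203-210). Returns (success, error_code, time_diff)."""
    # Step 203: expiry check (only catches clients that report expire truthfully).
    if system_time > req["expire"]:
        return False, ERR_SERVICE_EXPIRED, None
    key2 = gen_key(req["params"], req["expire"])          # second key
    # Step 206: second identifying code, computed at the client's reported time.
    if not hmac.compare_digest(gen_code(key2, req["client_time"]), req["code"]):
        return False, ERR_INFO_MISMATCH, None
    time_diff = system_time - req["client_time"]
    # Third identifying code, computed at the server's own time.
    if hmac.compare_digest(gen_code(key2, system_time), req["code"]):
        return True, None, time_diff
    # Steps 209/210: move the window within the predetermined range and generate
    # the fourth identifying code for each candidate window.
    base = window_of(system_time)
    for shift in range(1, MAX_WINDOW_SHIFT + 1):
        for T in (base - shift * WINDOW_SECONDS, base + shift * WINDOW_SECONDS):
            if hmac.compare_digest(gen_code(key2, T), req["code"]):
                return True, None, time_diff
    return False, ERR_TIME_MISMATCH, None


# Constructed walk-through of the patent's example: client 10:24, server 10:32.
DAY_START = 1_699_920_000   # a midnight UTC, so 5-minute windows align to the clock


def hm(hour: int, minute: int) -> int:
    return DAY_START + hour * 3600 + minute * 60


PARAMS = {"customer": "acme", "serial": "SN-0001",      # constructed values
          "service": "svc", "model": "m1", "version": "1.0"}
EXPIRE = hm(23, 0)
FIRST_KEY = gen_key(PARAMS, EXPIRE)   # issued by the CA center with the License


def example_flow():
    """Two requests: the first needs window moving, the second uses time_diff."""
    req1 = client_request(FIRST_KEY, PARAMS, EXPIRE, hm(10, 24))
    ok1, err1, diff1 = server_verify(req1, hm(10, 32))
    req2 = client_request(FIRST_KEY, PARAMS, EXPIRE, hm(10, 25), time_diff=diff1)
    ok2, err2, diff2 = server_verify(req2, hm(10, 33))
    return (ok1, err1, diff1), (ok2, err2, diff2)


if __name__ == "__main__":
    print(example_flow())
```

The first request at 10:24 is matched only by moving two windows back from the server's 10:30 window and returns a time difference of 480 seconds; the second request, corrected by that difference, matches on the third identifying code with no window movement.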
In the embodiment of the present invention, the second identifying code is generated according to the second key and the client current time. Since the algorithm used to generate the second key is identical with the algorithm used by the CA center to generate the first key, when the second identifying code is identical with the first identifying code this shows that the parameters for authentication uploaded by the client are identical with those at the CA center. The third identifying code is generated according to the second key and the system time; since the algorithm used to generate the second and third identifying codes is identical with the algorithm used by the client to generate the first identifying code, when the third identifying code is identical with the first identifying code this shows that the client current time uploaded by the client is identical with the system time. The client is judged legal when the parameters for authentication uploaded by the client are identical with those at the CA center and the client current time is identical with the system time. In this process the server does not need to verify with the CA center, so even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, and the client's use of the service is not affected.
In a particular embodiment, the server in Figs. 6 and 7 above can be a general server, as shown in Fig. 8. It generally comprises components such as memory 71, processor 72, receiver 73 and transmitter 74. Those skilled in the art will understand that the structure shown in Fig. 8 does not limit the present apparatus, which can include more or fewer components than illustrated, combine certain components, or arrange the components differently.
Each component of server 70 is introduced in detail with reference to Fig. 8:
Memory 71 can be used to store software programs and application modules; processor 72 runs the software programs and application modules stored in memory 71 so as to execute the various functional applications and data processing of server 70. Memory 71 can mainly include a program storage area and a data storage area, where the program storage area can store an operating system and the application program needed for at least one function (such as identifying code calculation), and the data storage area can store data created according to the processing of server 70. In addition, memory 71 can include high-speed RAM (Random Access Memory) and can also include non-volatile memory, for example at least one disk memory, flash memory device or other non-volatile solid-state component.
Processor 72 is the control center of server 70 and connects all parts of the entire computer using various interfaces and lines.
Specifically, by running or executing the software programs and/or application modules stored in memory 71 and calling the data stored in memory 71, processor 72 can realize the following: receive, through receiver 73, the certification request sent by the client, the certification request including the parameters for authentication, the service expired time, the client current time and the first identifying code, where the parameters for authentication include at least one of customer name, sequence number, service identification, model and version, the first identifying code is generated by the client according to the first key and the client current time, and the first key is generated by the certificate authority center according to the parameters for authentication and the service expired time;
obtain the system time when the server receives the certification request;
generate the second key using the service expired time and the parameters for authentication, the algorithm used to generate the second key being identical with the algorithm used by the certificate authority center to generate the first key;
generate the second identifying code using the second key and the client current time, the algorithm used to generate the second identifying code being identical with the algorithm used by the client to generate the first identifying code;
compare whether the second identifying code is identical with the first identifying code;
if the second identifying code is identical with the first identifying code, generate the third identifying code according to the second key and the system time, the algorithm used to generate the third identifying code being identical with the algorithm used by the client to generate the first identifying code;
compare whether the third identifying code is identical with the first identifying code;
if the third identifying code is identical with the first identifying code, judge the client certificate authentication result to be success.
Further, processor 72 can also realize: judging the time window where the client current time is located; determining the first time T in the time window; and calculating the second identifying code using code = genCode(Key, T), where code is the second identifying code, genCode is the identifying code generating algorithm, and Key is the second key.
Further, processor 72 can also realize determining that the system time is less than the service expired time before generating the second key according to the service expired time and the parameters for authentication.
Further, processor 72 can also realize: moving the time window within a preset range, taking the time window where the system time is located as the basis; generating the fourth identifying code using the second key and the moved time window; comparing whether the fourth identifying code is identical with the first identifying code; and if the fourth identifying code is identical with the first identifying code, judging the client certificate authentication result to be success.
Further, processor 72 can also realize returning the authentication result to the client through transmitter 74.
Further, when the authentication result is success, the authentication result includes the time difference between the system time and the client current time.
The server provided in the present apparatus embodiment can be applied in the scene shown in Fig. 1 of the method and realize the function of the server therein. For other additional functions that the server provided in the present apparatus embodiment can realize, and for its interactive processes with other network elements and devices such as the client, please refer to the description of the server in method embodiments one and two, which is not repeated here.
Embodiment seven
An embodiment of the present invention provides a client. Referring to Fig. 9, the client includes:
Acquisition module 801, for obtaining the first key, the service expired time and the parameters for authentication, where the first key is generated by the certificate authority center and the parameters for authentication include at least one of customer name, sequence number, service identification, model and version.
The first key is generated by the CA center according to the parameters for authentication and the service expired time, and is configured to the client together with the License. The first key has a validity-period limit, for example a maximum validity period not exceeding 24 hours; this validity period is also the service expired time of the client, so the client needs to authenticate in time before the first key expires.
Processing module 802, for generating the first identifying code using the first key and the client current time, and generating the certification request, which carries the parameters for authentication, the service expired time, the client current time and the first identifying code.
It should be noted that the algorithm used here to generate the first identifying code is identical with the algorithm used to generate the identifying codes in the server.
Sending module 803, for sending the certification request to the server, so that the server verifies whether the client is legal according to the parameters for authentication, the service expired time, the client current time and the first identifying code.
In the embodiment of the present invention, the client calculates the first identifying code according to the first key issued by the CA center and sends the parameters for authentication, the service expired time, the client current time and the first identifying code to the server. The server can then generate the second key using an algorithm identical with the one the CA center uses to generate the first key, and generate the second identifying code and the third identifying code using an algorithm identical with the one the client uses to generate the first identifying code, so as to judge whether the parameters for authentication uploaded by the client and the client current time are correct and thereby complete authentication. It can thus be seen that, in the process of the server authenticating the client, the server does not need to obtain the parameters for authentication from the CA center but judges whether the client is legal by calculation. So even if the inquiry service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and normal use of the service is ensured.
Embodiment eight
An embodiment of the present invention provides a client. Referring to Figure 10, the client includes:
Acquisition module 901, for obtaining the first key, the service expiry time and the authentication parameters. The first key is generated by the certificate authority center, and the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version.
The first key is generated by the CA center from the authentication parameters and the service expiry time, and is delivered to the client together with the License. The first key has a limited validity period, which is also the client's service expiry time, for example a maximum of 24 hours, so the client needs to authenticate in time before the first key expires.
Processing module 902, for generating a first verification code using the first key and the client current time, and for generating an authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code.
Here the algorithm used by processing module 902 to generate the first verification code is the same as the algorithm used by the server to generate verification codes. Specifically, processing module 902 includes:
A judging unit, for judging the time window in which the client current time falls.
A searching unit, for determining a first time T within the time window. The first time is used to calculate the first verification code and can be set in advance: within a time window, the first time may be the start time of the window, the end time of the window, or an arbitrarily set time point. Because the code is computed from T rather than from the raw client current time, every client current time that falls in the same window yields the same code, which is what allows the server to recompute it.
A computing unit, for calculating the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
Sending module 903, for sending the authentication request to the server, so that the server verifies whether the client is legitimate according to the authentication parameters, the service expiry time, the client current time and the first verification code.
Receiving module 904, for receiving the authentication result sent by the server.
Further, when the authentication result is a failure, the authentication result may also carry an error code indicating the reason the client authentication failed. For example, error code 0x0006019A represents that the service has expired, i.e. the system time is later than the expiry time; another error code represents an information error, i.e. the authentication information the client uploaded to the server differs from the authentication information it uploaded to the CA center; and error code 0x000701A0 represents a time error, i.e. the client current time differs from the system time, or the difference exceeds the preset deviation.
When the authentication result is a success, the authentication result may also carry a time difference, which is the difference between the system time at which the server received the authentication request and the client current time. In the next authentication request, the client can adjust the client current time it reports according to this time difference, so that the server does not need to authenticate by traversing time windows, which shortens the authentication time.
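The following is an added example, not code from the patent, of the client-side processing described for processing module 902 and receiving module 904: it picks the first time T inside the time window holding the client current time, computes code = genCode(Key, T), assembles the authentication request, and folds the time difference returned in a successful result into the client current time reported in the next request. The 30-second window length, the HMAC-SHA256 construction of genCode, the request field names and the sample key are assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed window length; the patent fixes no value.
WINDOW_SECONDS = 30


def first_time(client_time: int, where: str = "start") -> int:
    """Judging unit + searching unit: find the window holding client_time and
    return the first time T inside it. 'where' selects which preset point of
    the window is used: the start, the end, or a fixed offset into the window."""
    start = client_time - client_time % WINDOW_SECONDS
    if where == "start":
        return start
    if where == "end":
        return start + WINDOW_SECONDS - 1
    # any other value is a fixed offset into the window, e.g. "10"
    return start + int(where) % WINDOW_SECONDS


def gen_code(key: bytes, t: int) -> str:
    """code = genCode(Key, T). Assumed construction: HMAC-SHA256 of T under the
    first key, truncated to 8 hex digits. The server must use the same genCode."""
    return hmac.new(key, str(t).encode(), hashlib.sha256).hexdigest()[:8]


@dataclass
class Client:
    key: bytes                 # first key, delivered with the License
    expiry: int                # service expiry time (Unix seconds)
    params: dict               # customer name, serial number, service id, ...
    t_choice: str = "start"    # must match the server's choice of T
    time_offset: int = 0       # learnt from the server's returned time differences

    def build_request(self, local_clock: int) -> dict:
        """Processing module 902: the reported client current time is the local
        clock corrected by the offset learnt from earlier authentications."""
        client_time = local_clock + self.time_offset
        t = first_time(client_time, self.t_choice)
        return {
            "params": self.params,
            "expiry": self.expiry,
            "client_time": client_time,
            "code": gen_code(self.key, t),
        }

    def handle_result(self, result: dict) -> bool:
        """Receiving module 904: on success, fold the returned time difference
        (system time minus client time) into the offset so the next request
        lands in the server's window without a window search."""
        if result.get("ok"):
            self.time_offset += result.get("time_diff", 0)
            return True
        # On failure the error code states the reason, e.g. 0x0006019A (service
        # expired) or 0x000701A0 (time error); nothing is adjusted.
        return False
```

A client whose clock is 100 seconds slow will, after one successful result carrying a time difference of 100, report a client current time that matches the server's clock, so the server's third verification code matches the first code directly.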
In the embodiment of the present invention, the client calculates the first verification code from the first key issued by the CA center and sends the authentication parameters, the service expiry time, the client current time and the first verification code to the server. The server can then generate a second key with the same algorithm the CA center used to generate the first key, and generate a second verification code and a third verification code with the same algorithm the client used to generate the first verification code, and so judge whether the authentication parameters uploaded by the client and the client current time are correct, which completes the authentication. It can be seen that, in the process of authenticating the client, the server does not need to query the CA center for the authentication parameters, but judges whether the client is legitimate by calculation. Therefore, even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and the service can be used normally.
In a particular embodiment, the client in Figures 9 and 10 above may be a computer or a mobile terminal, as shown in Figure 11. It generally includes components such as a memory 1001, a processor 1002, a receiver 1003 and a transmitter 1004. Those skilled in the art will appreciate that the structure shown in Figure 11 does not limit the present apparatus, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
The components of computer 100 are introduced in detail with reference to Figure 11:
Memory 1001 may be used to store software programs and application modules; processor 1002 executes the various functional applications and data processing of server 1000 by running the software programs and application modules stored in memory 1001. Memory 1001 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, at least one application needed for a function (such as verification code calculation), and the like, and the data storage area may store data created by the processing of server 1000. In addition, memory 1001 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage component.
Processor 1002 is the control center of server 1000, connecting the various parts of the entire computer through various interfaces.
Specifically, by running or executing the software programs and/or application modules stored in memory 1001 and calling the data stored in memory 1001, processor 1002 can obtain the first key, the service expiry time and the authentication parameters, where the first key is generated by the certificate authority from the authentication parameters and the service expiry time, and the authentication parameters include at least one of a customer name, a serial number, a service identifier, a model and a version;
generate a first verification code using the first key and the client current time;
generate an authentication request carrying the authentication parameters, the service expiry time, the client current time and the first verification code; and
send the authentication request to the server, so that the server verifies whether the client is legitimate according to the authentication parameters, the service expiry time, the client current time and the first verification code.
Further, processor 1002 can also judge the time window in which the client current time falls;
determine a first time T within the time window; and
calculate the first verification code as code = genCode(Key, T), where code is the first verification code, genCode is the verification code generation algorithm, and Key is the first key.
Further, processor 1002 can also receive the authentication result sent by the server.
Further, when the authentication result is a success, the authentication result includes the difference between the system time at which the server received the authentication request and the client current time.
The client provided in this apparatus embodiment can be applied in the scenario shown in Figure 1 of the method, where it implements the functions of the client. For the other additional functions that the client provided in this apparatus embodiment can implement, and for its interaction with other network elements and devices such as the server, refer to the description of the client in method embodiments three and four, which is not repeated here.
Embodiment nine
An embodiment of the present invention provides a client certificate authentication system. Referring to Figure 12, the system includes:
a CA (certificate authority) center 1101, a client 1102 and a server 1103, where the client 1102 is as in embodiment seven or eight, and the server 1103 is as in embodiment five or six.
The same genKey algorithm is deployed in the CA center 1101 and in the server 1103, since the server regenerates the key as the second key. The same genCode algorithm is deployed in the server 1103 and in the client 1102.
The CA center 1101 is used to calculate the first key and send it to the client 1102. Specifically, the CA center 1101 may issue the first key together with the License, i.e. the CA center 1101 issues to the client 1102 a License that contains the first key.
In the embodiment of the present invention, the server generates a second verification code from the second key and the client current time. Since the algorithm used to generate the second key is the same as the algorithm the CA center used to generate the first key, when the second verification code equals the first verification code, the authentication parameters uploaded by the client are the same as those held by the CA center. The server also generates a third verification code from the second key and the system time. Since the algorithm used to generate the third verification code is the same as the algorithm the client used to generate the first verification code, when the third verification code equals the first verification code, the client current time uploaded by the client is the same as the system time. When the authentication parameters uploaded by the client match the CA center and the client current time matches the system time, the client is legitimate. It can be seen that, in the process of authenticating the client, the server does not need to query the CA center for the authentication parameters, but judges whether the client is legitimate by calculation. Therefore, even when the query service of the CA center is unavailable, the CA center fails, or the network between the server and the CA center fails, the server can still continue to authenticate the client, the client's use of the service is not affected, and the service can be used normally.
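The following is an added example, not the patent's code, of the server-side verification summarized above for Embodiments eight and nine, with the CA center's genKey alongside it: the server regenerates the key as the second key from the uploaded parameters and expiry time, derives the second verification code from the uploaded client current time and the third from its own system time, and returns either the time difference or one of the error codes described under Embodiment eight, all without contacting the CA center. The CA secret shared between CA center and server, the HMAC-SHA256 constructions of genKey and genCode, the 30-second window, the ten-window skew tolerance, the field names and the placeholder for the information-error code (the page gives no number for it) are assumptions.

```python
import hashlib
import hmac
import json

WINDOW_SECONDS = 30       # assumed window length
MAX_SKEW_WINDOWS = 10     # assumed preset deviation for the moving-window search
ERR_SERVICE_EXPIRED = 0x0006019A   # error code given on the page
ERR_TIME = 0x000701A0              # error code given on the page
ERR_INFO = "INFO_ERROR"            # the page gives no number for the information error

# Constructed secret held by the CA centre and the server; this is what lets the
# server's genKey reproduce the CA's first key without querying the CA.
CA_SECRET = b"constructed-ca-secret-shared-with-server"


def gen_key(params: dict, expiry: int) -> bytes:
    """genKey(params, expiry): assumed HMAC-SHA256 over the canonical parameters
    and the expiry time. Binding expiry into the key means a client cannot
    extend its own service by uploading a later expiry."""
    msg = json.dumps(params, sort_keys=True).encode() + b"|" + str(expiry).encode()
    return hmac.new(CA_SECRET, msg, hashlib.sha256).digest()


def window_start(ts: int) -> int:
    """First time T of the window holding ts (the window start is used here)."""
    return ts - ts % WINDOW_SECONDS


def gen_code(key: bytes, t: int) -> str:
    """genCode(Key, T): assumed HMAC-SHA256 truncated to 8 hex digits."""
    return hmac.new(key, str(t).encode(), hashlib.sha256).hexdigest()[:8]


def ca_issue_license(params: dict, expiry: int) -> dict:
    """CA centre 1101: the License carries the first key."""
    return {"params": params, "expiry": expiry, "key": gen_key(params, expiry)}


def client_request(lic: dict, client_time: int) -> dict:
    """Client 1102: first verification code from the first key and client current time."""
    code = gen_code(lic["key"], window_start(client_time))
    return {"params": lic["params"], "expiry": lic["expiry"],
            "client_time": client_time, "code": code}


def server_verify(req: dict, system_time: int) -> dict:
    """Server 1103: authenticate by recomputation only; no CA query is made."""
    if system_time > req["expiry"]:
        return {"ok": False, "error": ERR_SERVICE_EXPIRED}

    # Second key: same genKey as the CA centre, over the uploaded parameters.
    key2 = gen_key(req["params"], req["expiry"])

    # Second verification code: second key + uploaded client current time.
    # Equality with the first code shows the uploaded parameters and expiry are
    # what the CA issued (and that the sender holds the first key).
    code2 = gen_code(key2, window_start(req["client_time"]))
    if not hmac.compare_digest(code2, req["code"]):
        return {"ok": False, "error": ERR_INFO}

    # Third verification code: second key + server system time.
    # Equality with the first code shows the client clock is in the server's window.
    code3 = gen_code(key2, window_start(system_time))
    if hmac.compare_digest(code3, req["code"]):
        return {"ok": True, "time_diff": system_time - req["client_time"]}

    # Otherwise travel the neighbouring windows up to the preset deviation.
    base = window_start(system_time)
    for i in range(1, MAX_SKEW_WINDOWS + 1):
        for t in (base - i * WINDOW_SECONDS, base + i * WINDOW_SECONDS):
            if hmac.compare_digest(gen_code(key2, t), req["code"]):
                # Success, with the time difference the client applies next time.
                return {"ok": True, "time_diff": system_time - req["client_time"]}
    return {"ok": False, "error": ERR_TIME}
```

Because the second verification code is checked first, the window search can only succeed for a code produced under the correct key, so traversing windows never weakens the key check; it only bounds how far the client clock may drift before 0x000701A0 is returned. Windows are fixed-length buckets, so a client time just after a boundary and a server time just before it sit one full window apart; the returned time difference is what lets the client avoid that search on its next request.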
It should be noted that, when the server or client provided in the above embodiments performs client certificate authentication, the division into the functional modules described above is only an example; in practical application the functions can be assigned to different functional modules as needed, i.e. the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the server or client provided in the above embodiments belongs to the same concept as the client certificate authentication method embodiments; for the specific implementation process refer to the method embodiments, which is not repeated here.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.