CN106936789B - Application method for authentication by using double certificates - Google Patents


Info

Publication number
CN106936789B
Authority
CN
China
Prior art keywords
certificate
authentication
work
working
certificates
Legal status
Active
Application number
CN201511025602.3A
Other languages
Chinese (zh)
Other versions
CN106936789A (en)
Inventor
杨弘斐
Current Assignee
Koal Software Co ltd
Original Assignee
Koal Software Co ltd
Priority date
2015-12-30
Filing date
2015-12-30
Publication date
2021-04-13
Application CN201511025602.3A was filed by Koal Software Co ltd on 2015-12-30, published as CN106936789A on 2017-07-07, and granted and published as CN106936789B on 2021-04-13.

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 … for authentication of entities
    • H04L63/0823 … for authentication of entities using certificates
    • H04L63/0869 … for authentication of entities for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 … including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 … involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3271 … using challenge-response
    • H04L9/3273 … using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an application method for authentication using dual certificates, comprising the following steps: 1) configuring an application system: designating the work certificate available to the application system, designating the authentication certificate and work certificate pairs that may pass two-way authentication, and designating the condition for starting the work certificate; 2) the user enables the authentication certificate; 3) the authentication certificate and the work certificate perform bidirectional authentication; 4) the work certificate is started, so that the various functions of the application system can be operated. The beneficial effects of the invention are that the work certificate in the application system can be started safely and conveniently, a high-security emergency (fallback) plan is provided, and the practical requirement that several users must cooperate to enable certain functions of a business system is met.

Description

Application method for authentication by using double certificates
Technical Field
The invention belongs to the technical field of computers and information security, and particularly relates to an application method for safely and conveniently starting a work certificate by using an authentication certificate.
Background
With the rapid development of information technology, industries of all kinds are becoming informatized and networked. To protect the legitimate rights and interests of the owners and users of these industry information systems, the systems use digital certificates for identity authentication, data encryption and integrity protection. The current mainstream practice is to use a USB Key as the carrier of the digital certificate; to enable the certificate, a PIN code must be entered or the user's fingerprint verified. This approach has several disadvantages:
1. If the USB Key is lost or left behind, strong identity authentication by digital certificate is impossible until a replacement Key is issued. In the meantime only an emergency plan, such as password authentication or issuing a temporary soft certificate, can be used for identity authentication, and the reliability and security of these fallbacks are lower than those of a digital certificate held in hardware;
2. If the USB Key is connected to the computer over USB, the user must be physically at the computer to enter the PIN code or perform fingerprint verification. If the USB Key is instead connected wirelessly, for example over Bluetooth, the USB Key and the computer cannot authenticate each other by digital certificate, so a certain security risk exists;
3. On mobile terminals a TF card is commonly used as the carrier of the digital certificate, and the user inserts it into the terminal when needed. For convenience, most users leave the TF card inserted after use. If the mobile terminal is lost, only the certificate PIN code and similar measures protect the user, and security may be compromised.
4. Existing USB Keys support only a one-person, one-certificate, one-Key mode of use: each user holds one USB Key that stores only that user's digital certificate, and the user completes the corresponding functional operations in the application system with that certificate. In many cases several users must cooperate to enable certain functions of the system; for example, a decision may require approval by four of seven administrators. The existing one-person, one-certificate, one-Key method clearly cannot meet this requirement, which causes considerable difficulty for the application system.
Therefore, how to safely and conveniently enable digital certificates in an application system is a technical problem that urgently needs to be solved in this field. The applicant has accordingly made a useful search and effort to solve the above problems, in the course of which the technical solution described below was created.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: to address the defects of the prior art, an application method using dual certificates for authentication is provided, in which the user holds an authentication certificate, the application system on the computer uses a work certificate, and the user starts the work certificate with the authentication certificate in order to complete the various functional operations of the application system on the computer.
The technical problem solved by the invention can be realized by adopting the following technical scheme:
an application method using dual certificates for authentication, comprising the steps of:
1) configuring an application system, designating a working certificate available for the application system, designating an authentication certificate and a working certificate pair which can pass two-way authentication, and designating a condition for starting the working certificate;
2) enabling the authentication certificate by the user;
3) the authentication certificate and the work certificate are subjected to bidirectional authentication;
4) and starting the work certificate to realize the operation of various functions of the application system.
In a preferred embodiment of the present invention, in step 1), default configuration may be performed on the application system, the default specifies a work certificate available to the application system, the default specifies an authentication certificate and a work certificate pair that can pass mutual authentication, and the default specifies a condition for starting the work certificate.
In a preferred embodiment of the present invention, in step 1), the condition for starting the work certificate includes directly using a PIN code or satisfying a condition that a certain number of authentication certificates and the work certificate pass through mutual authentication.
In a preferred embodiment of the present invention, when the working certificate available to the application system is specified in step 1), a certain authentication certificate may be specified to be directly used as an available working certificate to implement operations on various functions of the application system.
In a preferred embodiment of the present invention, in step 1), the work certificate and the authentication certificate are certificates conforming to the X.509 format.
In a preferred embodiment of the present invention, in the step 1), the working certificate and the authentication certificate are in the same medium or in different media.
In a preferred embodiment of the present invention, in the step 2), the enabling manner of the user to enable the authentication certificate is a verification fingerprint enabling manner or an input PIN code enabling manner.
In a preferred embodiment of the present invention, in step 3), the same work certificate can be bidirectionally authenticated with multiple authentication certificates at the same time, and the same authentication certificate can be bidirectionally authenticated with multiple work certificates at the same time.
In a preferred embodiment of the present invention, in step 3), when the authentication certificate and the work certificate are held in different media, the communication mode used for their mutual authentication is one of WIFI, Bluetooth or NFC.
In a preferred embodiment of the present invention, in step 3), the method used for mutual authentication between the authentication certificate and the work certificate is an SSL (TLS) mutual authentication method or an SPKM (Simple Public-Key GSS-API Mechanism, RFC 2025) mutual authentication method.
Due to the adoption of the technical scheme, the invention has the beneficial effects that:
1. A high-security emergency plan. When the work certificate cannot be used because its medium is lost or for similar reasons, the application system can designate an authentication certificate held by a user as the work certificate and use it directly to complete the various functional operations of the application system; when the authentication certificate cannot be used because its medium is lost or for similar reasons, the application system can enable the work certificate directly with a PIN code and complete the various functional operations of the application system.
2. An untethered working mode. The medium of the work certificate is connected directly to the computer, the medium of the authentication certificate is carried by the user, and bidirectional authentication is performed over a wireless connection such as WIFI. In this working mode the user can move freely without being tied to the work computer, while the communication link remains protected by certificate-based mutual authentication.
3. Rich system applications are supported. For example, the application system can require that a specified number of authentication certificates pass bidirectional authentication with the work certificate before the work certificate is started, and the work certificate can perform bidirectional authentication with many authentication certificates at the same time (one-to-many), which is particularly suited to processes that require the simultaneous cooperation of several people.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a block flow diagram of the present invention.
Detailed Description
In order to make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the specific drawings.
Referring to FIG. 1, the application method of the present invention for authentication using dual certificates comprises the following steps:
Step 101: configure the application system: designate the work certificate available to the application system, designate the authentication certificate and work certificate pairs that may pass two-way authentication, and designate the condition for starting the work certificate. The condition for starting the work certificate is either direct use of a PIN code or the requirement that a certain number of authentication certificates pass mutual authentication with the work certificate. In addition, when the work certificate available to the application system is designated, a particular authentication certificate may be designated directly as an available work certificate in order to operate the functions of the application system. The application system may also be configured by default: the default designates the work certificate available to the application system, the authentication certificate and work certificate pairs that may pass mutual authentication, and the condition for starting the work certificate. In this embodiment the work certificate and the authentication certificate are certificates conforming to the X.509 format, and they may be held in the same medium or in different media;
Step 102: judge whether the designated authentication certificate is itself an available work certificate of the system; if so, go to step 106, otherwise go to step 103;
Step 103: judge whether the designated condition for starting the work certificate is that a certain number of authentication certificates pass mutual authentication with the work certificate; if so, go to step 104, otherwise go to step 106;
Step 104: the user enables the authentication certificate by fingerprint verification, PIN code entry or a similar means;
Step 105: the authentication certificate and the work certificate perform bidirectional authentication using a method such as SSL (TLS) mutual authentication or SPKM mutual authentication; once the specified number of authentication certificates have passed bidirectional authentication with the work certificate, go to step 106. When the authentication certificate and the work certificate are in different media, they communicate over WIFI, Bluetooth or NFC. The same work certificate can perform bidirectional authentication with several authentication certificates at the same time, and the same authentication certificate can perform bidirectional authentication with several work certificates at the same time;
Step 106: start the work certificate so that the various functions of the application system can be operated. If the user's authentication certificate has been designated as the work certificate, or if the condition for starting the work certificate is not that a certain number of authentication certificates pass mutual authentication with it, the fingerprint or PIN code is checked before the work certificate is started.
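As an added illustration, not code from the patent or from Koal Software, the following Go program models the configuration of step 101 and the decision flow of steps 103 to 106 for the "four of seven administrators" case mentioned in the background. Several choices are assumptions: the mutual authentication of step 105 is written as a plain signed-nonce challenge-response between the two media (the classification the page lists, H04L9/3273) rather than the SSL/TLS or SPKM handshakes the description names; certificates are self-signed ECDSA P-256 certificates generated in memory so that the program runs offline; the PIN or fingerprint check of steps 2 and 104 is reduced to an `Unlocked` flag that the medium would set after its own check; and the step 102 case, an authentication certificate designated directly as the work certificate, is represented by configuring that certificate as `Work` with `Threshold` 0. The names `Credential`, `Config`, `StartWorkCert`, `MutualAuth` and `Fingerprint` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Credential is one X.509 certificate plus the private key held in its medium (USB Key, TF card, host key store).
type Credential struct {
	Cert     *x509.Certificate
	key      *ecdsa.PrivateKey // never exported; the medium only signs with it
	Unlocked bool              // set by the medium once its holder passes the PIN/fingerprint check (step 2 / step 104)
}

// NewCredential issues a self-signed certificate, an assumption made only to keep the example offline.
func NewCredential(cn string) *Credential {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Credential{Cert: must(x509.ParseCertificate(der)), key: key}
}

// Fingerprint hashes the DER encoding, so a pairing binds the exact certificate and key.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// MutualAuth is step 3 / step 105 as challenge-response: each side signs a fresh nonce chosen by the other.
func MutualAuth(a, b *Credential) error {
	for _, prover := range []*Credential{a, b} {
		nonce := make([]byte, 32)
		must(rand.Read(nonce))
		digest := sha256.Sum256(nonce)
		sig := must(ecdsa.SignASN1(rand.Reader, prover.key, digest[:]))
		if !ecdsa.VerifyASN1(prover.Cert.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
			return fmt.Errorf("%s did not prove possession of its key", prover.Cert.Subject.CommonName)
		}
	}
	return nil
}

// Config is the step 1 / step 101 configuration of one application system.
type Config struct {
	Work      *Credential       // the work certificate available to the application system
	Pairs     map[[32]byte]bool // Fingerprint()s of the paired authentication certificates, not copyable subject names
	Threshold int               // distinct paired certificates that must pass; 0 means "PIN directly"
}

// StartWorkCert walks steps 103 to 106 and returns the work certificate once it may be started.
func StartWorkCert(cfg Config, auths []*Credential) (*Credential, error) {
	if cfg.Threshold <= 0 { // step 103 -> step 106: gated only by the work certificate's own PIN
		if !cfg.Work.Unlocked {
			return nil, fmt.Errorf("work certificate PIN/fingerprint not verified")
		}
		return cfg.Work, nil
	}
	passed := map[[32]byte]bool{} // step 105: distinct, unlocked, paired certificates that passed
	for _, a := range auths {
		fp := Fingerprint(a.Cert)
		if !cfg.Pairs[fp] || !a.Unlocked || passed[fp] {
			continue // unpaired, still locked, or presented twice: contributes nothing
		}
		if err := MutualAuth(a, cfg.Work); err != nil {
			return nil, err // a paired medium that cannot answer the challenge is a hard failure
		}
		passed[fp] = true
	}
	if len(passed) < cfg.Threshold {
		return nil, fmt.Errorf("only %d of %d required authentication certificates passed", len(passed), cfg.Threshold)
	}
	return cfg.Work, nil // step 106
}

func main() {
	cfg := Config{Work: NewCredential("app-work-cert"), Pairs: map[[32]byte]bool{}, Threshold: 4}
	admins := make([]*Credential, 7) // the "four of seven administrators" case from the background
	for i := range admins {
		admins[i] = NewCredential(fmt.Sprintf("admin-%d", i+1))
		admins[i].Unlocked, cfg.Pairs[Fingerprint(admins[i].Cert)] = true, true
	}
	_, err := StartWorkCert(cfg, admins[:3])
	fmt.Println("3 of 7 presented:", err)
	w, err := StartWorkCert(cfg, admins[:4])
	fmt.Println("4 of 7 presented:", w.Cert.Subject.CommonName, err)
}
```

Two details matter more than the flow chart suggests. First, the pairing of step 101 is keyed by a hash of the whole certificate rather than by its subject name, so an attacker who issues themselves a certificate carrying an administrator's common name contributes nothing to the count, and because every counted medium must answer a fresh challenge with its private key, a copied certificate without the key fails outright instead of being counted. Second, both fallback routes the description offers (PIN directly, and an authentication certificate acting as the work certificate) collapse the ceremony to a single factor, so the configuration of step 101 is the real security boundary: whoever can edit it can switch the threshold off, and it should be protected at least as strongly as the work certificate itself.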
The invention can safely and conveniently start the work certificate in the application system, provides an emergency plan with strong safety, and can well solve the actual requirement that a plurality of users need to cooperate together in the business system to start some functions of the system.
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. An application method using dual certificates for authentication, comprising the steps of:
1) configuring an application system, designating a working certificate available for the application system, designating an authentication certificate and a working certificate pair which can pass two-way authentication, and designating a condition for starting the working certificate;
2) judging whether the designated authentication certificate is an available work certificate of the system; if so, proceeding to step 6), otherwise to step 3);
3) judging whether the designated condition for starting the work certificate is that a certain number of authentication certificates pass mutual authentication with the work certificate; if so, proceeding to step 4), otherwise to step 6);
4) enabling the authentication certificate by the user;
5) the authentication certificate and the work certificate are subjected to bidirectional authentication;
6) and starting the work certificate to realize the operation of various functions of the application system.
2. The application method for authentication using dual certificates as claimed in claim 1, wherein in step 1), default configuration can be performed on the application system, default designates the work certificate available to the application system, default designates the authentication certificate and work certificate pair that can pass the mutual authentication, and default designates the condition for starting the work certificate.
3. The application method for authentication using dual certificates according to claim 1, wherein in step 1), the condition for starting the work certificate is either direct use of a PIN code or the requirement that a certain number of authentication certificates pass mutual authentication with the work certificate.
4. The method for performing authentication using dual certificates according to claim 1, wherein when the working certificate available to the application system is specified in step 1), a certain authentication certificate can be specified to be directly used as an available working certificate to perform operations on functions of the application system.
5. The application method for authentication using dual certificates according to claim 1, wherein in step 1), the work certificate and the authentication certificate are certificates conforming to the X.509 format.
6. The application method using dual certificate for authentication according to claim 1, wherein in step 1), the working certificate and the authentication certificate are in the same medium or in different media.
7. The application method using dual certificate for authentication as claimed in claim 1, wherein in step 4), the enabling manner of the user to enable the authentication certificate is a verification fingerprint enabling manner or an input PIN code enabling manner.
8. The application method for authentication using dual certificates according to claim 1, wherein in step 5), the same work certificate can be bidirectionally authenticated with multiple authentication certificates at the same time, and the same authentication certificate can be bidirectionally authenticated with multiple work certificates at the same time.
9. The application method for authentication using dual certificates according to claim 1, wherein in step 5), when the authentication certificate and the work certificate are in different media, they are bidirectionally authenticated over one of WIFI, Bluetooth or NFC.
10. The method for applying authentication using dual certificates as claimed in claim 1, wherein in the step 5), the method for performing mutual authentication between the authentication certificate and the working certificate is SSL mutual authentication method or SPKM mutual authentication method.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511025602.3A CN106936789B (en) 2015-12-30 2015-12-30 Application method for authentication by using double certificates

Publications (2)

Publication Number Publication Date
CN106936789A CN106936789A (en) 2017-07-07
CN106936789B true CN106936789B (en) 2021-04-13

Family

ID=59442622

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511025602.3A Active CN106936789B (en) 2015-12-30 2015-12-30 Application method for authentication by using double certificates

Country Status (1)

Country Link
CN (1) CN106936789B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111342968B (en) * 2018-12-18 2023-04-07 武汉信安珞珈科技有限公司 Method and system for issuing double digital certificates
CN110769393B (en) * 2019-11-07 2021-12-24 公安部交通管理科学研究所 Identity authentication system and method for vehicle-road cooperation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1663175A (en) * 2002-06-17 2005-08-31 皇家飞利浦电子股份有限公司 System for authentication between devices using group certificates
CN1787525A (en) * 2005-11-15 2006-06-14 上海格尔软件股份有限公司 Method for application of double certificate in SSL protocol
CN101145233A (en) * 2006-09-12 2008-03-19 中国农业银行 Data ciphered-mortgage transaction system, teller identification system, trans-center transaction system and method
CN102271040A (en) * 2011-07-26 2011-12-07 北京华大信安科技有限公司 Identity verifying system and method
CN103117862A (en) * 2013-02-18 2013-05-22 无锡矽鼎科技有限公司 Method for using X.509 digital certificate of openssl for verifying Java certificate

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9021254B2 (en) * 2007-07-27 2015-04-28 White Sky, Inc. Multi-platform user device malicious website protection system

Also Published As

Publication number Publication date
CN106936789A (en) 2017-07-07

Legal Events

Code Title Description
PB01 Publication
CB02 Change of applicant information
Address after: 200436 Room 601, Lane 299, Lane 299, JIANGCHANG West Road,  Jingan District, Shanghai
Applicant after: Geer software Limited by Share Ltd
Address before: 200070 Room 601, Lane 299, Lane 299, JIANGCHANG West Road, Zhabei District, Shanghai
Applicant before: Geer Software Co., Ltd., Shanghai
SE01 Entry into force of request for substantive examination
GR01 Patent grant