CN107295000A - Certificate-based communication method and system - Google Patents
Certificate-based communication method and system
- Publication number: CN107295000A
- Application number: CN201710566442.6A
- Authority: CN (China)
- Prior art keywords: server, certificate, CSR, result, sent
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1483: Countermeasures against malicious traffic, service impersonation, e.g. phishing, pharming or web spoofing
Abstract
The invention discloses a certificate-based communication method and system. The method includes: connecting to a server and sending verification credentials to the server; receiving the verification result sent by the server, the verification result being sent after the server has verified whether the credentials pass; parsing the verification result and, if it shows that the server's verification of the credentials passed, requesting a CSR from the server; receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so that the server can be logged in to using the first certificate. With the certificate-based communication method provided by the invention, an attacker who wants to obtain the certificate must impersonate not only the server but also the party that logs in to the server, which raises the difficulty of obtaining the certificate and solves the technical problem of how to reduce the risk of an attacker using a certificate to log in to the server illegitimately.
Description
Technical field
The present invention relates to the field of communication technology, and more specifically to a certificate-based communication method and system.
Background art
With the development of communication technology, certificates are used more and more to verify login requests between a client and a server. The prior art provides a method for a client to log in to a server. Specifically: after the client establishes a connection with the server, it sends a login request to the server and registers a certificate; once the server has verified the login request, it trusts the registered certificate; the client then logs in to the server based on the registered certificate.
However, with the above method, if an attacker impersonates the server and obtains the certificate created by the client, the attacker can log in to the server with that certificate and achieve the attack.
In summary, how to reduce the risk of an attacker using a certificate to log in to the server illegitimately is a problem that those skilled in the art urgently need to solve.
Summary of the invention
An object of the invention is to provide a certificate-based communication method that solves the technical problem of how to reduce the risk of an attacker using a certificate to log in to a server illegitimately. The invention also provides a certificate-based communication system.
To achieve these goals, the invention provides the following technical scheme:
A certificate-based communication method, including:
connecting to a server and sending verification credentials to the server;
receiving the verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
parsing the verification result and, if the verification result shows that the server's verification of the verification credentials passed, requesting a CSR from the server;
receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so that the server can be logged in to using the first certificate.
Preferably, connecting to the server includes:
establishing a first connection with the server;
after receiving the verification result sent by the server and before requesting the CSR from the server, the method further includes:
disconnecting the first connection;
after disconnecting the first connection and before requesting the CSR from the server, the method further includes:
establishing a second connection with the server;
after sending the first certificate to the server, the method further includes:
disconnecting the second connection.
Preferably, establishing the first connection with the server includes:
establishing the first connection with the server based on the SSL protocol;
establishing the second connection with the server includes:
establishing the second connection with the server based on the SSL protocol.
Preferably, sending the verification credentials to the server includes:
sending verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
Preferably, before connecting to the server, the method further includes:
obtaining a second certificate of the server;
verifying whether the second certificate is legitimate; if it is legitimate, logging in to the server using the second certificate; if it is not legitimate, performing the step of connecting to the server.
The invention also provides a certificate-based communication system, including:
a first connection device, for connecting to a server and sending verification credentials to the server;
a first receiving device, for receiving the verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
a parsing device, for parsing the verification result and, if the verification result shows that the server's verification of the verification credentials passed, requesting a CSR from the server;
a second receiving device, for receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so that the server can be logged in to using the first certificate.
Preferably, the first connection device includes:
a first connection module, for establishing a first connection with the server before the first connection device sends the verification credentials to the server;
the system further includes:
a first disconnection device, for disconnecting the first connection after the first receiving device receives the verification result and before the parsing device requests the CSR from the server;
a second connection device, for establishing a second connection with the server after the first connection established by the first connection module is disconnected and before the parsing device requests the CSR from the server;
a second disconnection device, for disconnecting the second connection after the second receiving device sends the first certificate to the server.
Preferably, the first connection module includes:
a first connection unit, for establishing the first connection with the server based on the SSL protocol;
the second connection device includes:
a second connection module, for establishing the second connection with the server based on the SSL protocol.
Preferably, the first connection device includes:
a sending module, for sending the verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
Preferably, the system further includes:
an acquisition device, for obtaining a second certificate of the server before the first connection device connects to the server;
a verification device, for verifying whether the second certificate obtained by the acquisition device is legitimate; if it is legitimate, logging in to the server using the second certificate; if it is not legitimate, prompting the first connection device to connect to the server.
The certificate-based communication method provided by the invention includes: connecting to a server and sending verification credentials to the server; receiving the verification result sent by the server, the verification result being sent after the server has verified whether the credentials pass; parsing the verification result and, if it shows that the server's verification of the credentials passed, requesting a CSR from the server; receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending it to the server, so that the server can be logged in to using the first certificate. In the method provided by the invention, after establishing a connection with the server, the client first sends verification credentials to the server and the server verifies whether they pass; only if they pass, and additionally only if the server's CSR is verified as valid, is the first certificate that allows login to the server issued to the server. The invention therefore requires not only that the server's verification of the credentials passes but also that the CSR is verified as valid, so there are more verification steps than in the prior art. An attacker who wants to obtain the certificate must impersonate not only the server but also the party that logs in to the server, whereas in the prior art impersonating the server alone was enough to obtain the certificate; the number of impersonations increases, and so does the difficulty of an attacker obtaining the certificate. In summary, the certificate-based communication method provided by the invention solves the technical problem of how to reduce the risk of an attacker using a certificate to log in to the server illegitimately. The certificate-based communication system provided by the invention solves the corresponding technical problem as well.
Brief description of the drawings
To explain the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a certificate-based communication method provided in an embodiment of the invention;
Fig. 2 is a structural diagram of a certificate-based communication system provided in an embodiment of the invention;
Fig. 3 is a flow chart of a certificate-based communication method in a practical application.
Embodiment
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
Referring to Fig. 1, Fig. 1 is a flow chart of a certificate-based communication method provided in an embodiment of the invention.
The executing agent of each action in the certificate-based communication method provided by the invention can be the client itself; the certificate-based communication system can also be provided in the client, so the executing agent of each action can equally be a system built into the client. The invention does not specifically limit this. For convenience, the executing agent of each action in the method is taken below to be the client.
A certificate-based communication method provided in an embodiment of the invention may include the following steps:
Step S1: connect to the server and send verification credentials to the server.
Because the client needs to exchange information with the server, it first needs to connect to the server. The client connects to the server in order to carry out mutual verification between client and server, so the connection can be set up to be maintained only for a short time and be disconnected once the client and server have completed mutual verification. Of course, depending on actual needs, the connection can also be set up to be maintained for a long time; the invention does not specifically limit this.
Step S2: receive the verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass.
The server can determine whether the verification credentials pass by checking whether the credentials sent by the client are legitimate: if the credentials are legitimate, verification passes; if they are not, verification fails. In practice, different methods for checking whether the credentials are legitimate can be chosen for different application scenarios.
Here, whether the server's verification of the credentials passes represents whether the server can trust the client: if the verification passes, the server trusts the client; if it does not pass, the server does not trust the client. After verifying the credentials the server can send a verification result to the client, so that the client learns the outcome of the server's verification.
Step S3: parse the verification result and, if the verification result shows that the server's verification of the credentials passed, request a CSR from the server.
Only when parsing the verification result shows that the server's verification of the credentials passed does the client request a CSR (Certificate Signing Request) from the server and perform step S4.
If parsing the verification result shows that the server's verification of the credentials did not pass, the client can terminate the connection with the server, or take other actions; the invention does not specifically limit this.
Step S4: receive the CSR sent by the server, judge whether the CSR is valid and, if it is valid, sign a first certificate based on the CSR and send the first certificate to the server, so that the server can be logged in to using the first certificate.
After receiving the CSR sent by the server, the client first judges whether the CSR is valid. If it is valid, the client trusts the server and can issue a certificate to the server; if the CSR is invalid, the client does not trust the server and can terminate the connection with the server, or take other actions; the invention does not specifically limit this.
When it judges the CSR to be valid, the client can sign a first certificate based on the CSR and send it to the server, i.e. the client issues the first certificate to the server. Because the first certificate is issued by the client to the server only when the server's verification of the credentials has passed and the client has judged the CSR valid, i.e. only when the server trusts the client and the client trusts the server, the first certificate is a secure certificate for the client to log in to the server.
In this application the CSR can correspond to the verification credentials. Further, because the CSR corresponds to the verification credentials the client sent to the server, the client can judge the validity of the CSR by judging whether the CSR corresponds to the credentials: if it corresponds, the CSR is valid; if it does not, the CSR is invalid. Of course, other methods of judging whether the CSR is valid are also possible; the invention does not specifically limit this. When it judges the CSR valid, the client can produce a first certificate corresponding to the information contained in the CSR, such as the certificate validity period and the name.
In the certificate-based communication method provided by the invention, after establishing a connection with the server the client first sends verification credentials to the server, and the server verifies whether they pass; only if they pass, and additionally only if the client verifies the server's CSR as valid, is the first certificate that allows login to the server issued to the server. The invention therefore requires not only that the server's verification of the credentials passes but also that the client verifies the CSR as valid, so login to the server is achieved only after multiple verifications. An attacker who wants to obtain the certificate must impersonate both the client and the server, whereas in the prior art impersonating the server alone was enough to obtain the certificate; this raises the difficulty of an attacker obtaining the certificate. In summary, the certificate-based communication method provided by the invention solves the technical problem of how to reduce the risk of an attacker using a certificate to log in to the server illegitimately.
In the certificate-based communication method provided in an embodiment of the invention, connecting to the server can include:
establishing a first connection with the server;
after receiving the verification result sent by the server and before requesting the CSR from the server, the method can further include:
disconnecting the first connection;
after disconnecting the first connection and before requesting the CSR from the server, the method can further include:
establishing a second connection with the server;
after sending the first certificate to the server, the method can further include:
disconnecting the second connection.
The first connection can be disconnected after receiving the verification result sent by the server and before parsing it; in that case the second connection with the server can be established after the first connection is disconnected and before the verification result is parsed, or after the verification result is parsed and before the CSR is requested from the server. The first connection can also be disconnected after parsing the verification result and before requesting the CSR from the server; the invention does not specifically limit this.
After the first connection is disconnected and before the CSR is requested from the server, a second connection can be established with the server. If the first connection is disconnected after receiving the verification result and before parsing it, the second connection can be established after the first connection is disconnected and before the verification result is parsed, or after the verification result is parsed and before the CSR is requested from the server; if the first connection is disconnected after parsing the verification result and before requesting the CSR, the second connection can be established after the first connection is disconnected and before the CSR is requested from the server. The invention does not specifically limit this.
In practice, the client can complete the process of issuing a certificate to the server over several connections with the server, for example over two connections. The benefit of connecting several times is that, when an attacker attacks the server, the client and server connect several times, so the attacker must connect to the server several times when impersonating the client and must connect to the client several times when impersonating the server. The connection relationship between client and server that the attacker has to reproduce becomes more complicated, which further increases the difficulty of obtaining the certificate and reduces the risk of the certificate being attacked.
In the certificate-based communication method provided in an embodiment of the invention, establishing the first connection with the server can include:
establishing the first connection with the server based on the SSL protocol;
establishing the second connection with the server can include:
establishing the second connection with the server based on the SSL protocol.
When establishing a connection with the server based on the SSL protocol, the client can first send an SSL connection request to the server; after receiving the request the server decides whether to establish a connection with the client, establishing it if so and not establishing it if not.
The client can choose different protocols for establishing the connection with the server depending on the application scenario; the invention does not specifically limit this. Preferably, the SSL protocol is chosen here, because it makes the process of connecting the client to the server simple and easy to implement.
In the certificate-based communication method provided in an embodiment of the invention, sending the verification credentials to the server can include:
sending verification credentials to the server, where the verification credentials can include a user name, a password, a CA root certificate and a CRL.
Under different application scenarios the client can send different verification credentials to the server, for example only a user name and password, or only a CA root certificate (the root certificate of a digital certification authority) and a CRL (Certificate Revocation List); the invention does not specifically limit this. Preferably, the client sends verification credentials that include a user name, a password, a CA root certificate and a CRL, because the more content the credentials contain, the more accurate the server's verification result is, making it harder for an attacker to attack the server and further reducing the risk of the certificate being obtained by an attacker.
After receiving the user name, password, CA root certificate and CRL sent by the client, the server can compare the user name and password sent by the client with the corresponding user name and password it stores itself, i.e. judge whether the user name sent by the client matches the stored user name and, at the same time, whether the password sent by the client matches the stored password; it can also judge whether the CA root certificate and CRL are legitimate. If the user name and password sent by the client match those stored by the server and the CA root certificate and CRL are legitimate, the credentials pass verification; otherwise they do not. Of course, other methods of verifying whether the credentials pass are possible; the invention does not specifically limit this.
The server judging whether the CA root certificate and CRL are legitimate amounts to the server deciding whether it recognises the client: if the CA root certificate and CRL are legitimate, the server recognises the client; otherwise it does not. Recognising the client is only part of the server trusting the client; the server trusts the client only when it recognises the client and the other verification credentials also pass.
Preferably, when the credentials pass verification, the server can add the CA root certificate and CRL to its trust store. The server can generate a CSR corresponding to the CA root certificate and CRL; accordingly, when verifying whether the CSR is valid the client can verify whether the CSR corresponds to its own CA root certificate and CRL: if it does, the CSR is valid, otherwise it is invalid. Because of the correspondence between the CSR and the CA root certificate and CRL, adding the CA root certificate and CRL to the server's trust store gives the client further assurance when verifying the CSR and signing the first certificate based on it.
In the certificate-based communication method provided in an embodiment of the invention, before connecting to the server the method can further include:
obtaining a second certificate of the server;
verifying whether the second certificate is legitimate; if it is legitimate, logging in to the server using the second certificate; if it is not legitimate, performing the step of connecting to the server.
In a practical application scenario, before establishing a connection with the server the client can first verify whether the server's second certificate is legitimate. If it is, the client can log in to the server directly with the second certificate without going through the process of issuing a certificate to the server, which saves the time needed for the client to log in and improves efficiency.
Here, the client verifying whether the server's second certificate is legitimate amounts to verifying whether the second certificate was issued to the server by the client. If the second certificate is legitimate, it was issued to the server by the client and is a secure certificate for the client to log in to the server; if it is not legitimate, it was not issued by the client and is not a secure certificate for login, and the client then needs to issue a new certificate to the server.
Obtaining the server's second certificate and verifying whether it is legitimate is thus also the process by which the client logs in to the server using the certificate it issued: if the server's second certificate was issued by the client, the client is allowed to log in to the server directly.
Because the client can sign the certificate fingerprint as proof when issuing a certificate to the server, the client can verify whether the second certificate is legitimate by judging whether the certificate fingerprint of the server's second certificate is signed by the client: if the fingerprint is signed by the client, the second certificate is legitimate; if not, it is not legitimate. Other methods of verifying whether the second certificate is legitimate are also possible; the invention does not specifically limit this.
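As an added worked example (not part of the patent; Go code written for this page using only the standard library), the client-side certificate handling described in step S4 and in the second-certificate check above: the client validates the server's CSR, signs the first certificate from it, and later accepts a certificate the server presents only if it chains to the client's own CA root. Type and function names, the host name and the validity periods are this example's assumptions; the patent's signed-fingerprint check is replaced by a standard chain verification to the client root, which expresses the same trust decision (was this certificate issued by the client?) with the library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientCA is the client-side signing authority of the scheme: the client holds
// the CA root key, issues the "first certificate" to the server from the server's
// CSR (step S4) and later recognises a "second certificate" it issued earlier.
type ClientCA struct {
	key  *ecdsa.PrivateKey
	Root *x509.Certificate // the CA root certificate the client also sends as a credential
}

// NewClientCA creates a fresh self-signed client root with the CA flag set.
func NewClientCA() (*ClientCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "client-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ClientCA{key: key, Root: root}, nil
}

// ServerCSR stands in for the server's part of step S4 (constructed so the example runs offline).
func ServerCSR(serverName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// IssueFirstCertificate is the client's side of step S4. The CSR counts as valid
// only if its proof-of-possession signature verifies and it names the server the
// client was just authenticated by; anything else is refused, not signed.
func (ca *ClientCA) IssueFirstCertificate(csrDER []byte, expectedName string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if csr.Subject.CommonName != expectedName {
		return nil, fmt.Errorf("CSR names %q, not the authenticated server %q", csr.Subject.CommonName, expectedName)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // name and SANs are taken from the CSR, as the text describes
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Root, csr.PublicKey, ca.key)
}

// VerifySecondCertificate is the pre-connection check: the certificate the server
// presents is legitimate only if it chains to this client's own root, i.e. the
// client issued it. Any other issuer fails and the client falls back to steps S1 to S4.
func (ca *ClientCA) VerifySecondCertificate(certDER []byte, serverName string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}
```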
In practice, after the client has logged in to the server, the first certificate that the client issued to the server can also be deleted. The advantage is that an attacker can no longer attack the server merely by obtaining the first certificate, which raises the difficulty of attacking the server. Of course, the first certificate may also be left undeleted; the invention does not specifically limit this.
The invention also provides a certificate-based communication system, which has effects corresponding to those of the certificate-based communication method provided by the invention. Referring to Fig. 2, Fig. 2 is a structural diagram of a certificate-based communication system provided in an embodiment of the invention.
A certificate-based communication system provided in an embodiment of the invention can include:
a first connection device A1, for connecting to the server and sending verification credentials to the server;
a first receiving device A2, for receiving the verification result sent by the server, the verification result being sent after the server has verified whether the credentials pass;
a parsing device A3, for parsing the verification result and, if it shows that the server's verification of the credentials passed, requesting a CSR from the server;
a second receiving device A4, for receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending it to the server, so that the server can be logged in to using the first certificate.
In the certificate-based communication system provided in an embodiment of the invention, the connection device can include:
a first connection module, for establishing a first connection with the server before the connection device sends the verification credentials to the server;
the communication system can further include:
a first disconnection device, for disconnecting the first connection after the first receiving device receives the verification result and before the parsing device requests the CSR from the server;
a second connection device, for establishing a second connection with the server after the first connection established by the first connection module is disconnected and before the parsing device requests the CSR from the server;
a second disconnection device, for disconnecting the second connection after the second receiving device sends the second certificate to the server.
In the certificate-based communication system provided in an embodiment of the invention, the first connection module can include:
a first connection unit, for establishing the first connection with the server based on the SSL protocol;
the second connection device can include:
a second connection module, for establishing the second connection with the server based on the SSL protocol.
In the certificate-based communication system provided in an embodiment of the invention, the first connection device can include:
a sending module, for sending the verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
In the certificate-based communication system provided in an embodiment of the invention, the system can further include:
an acquisition device, for obtaining a second certificate of the server before the first connection device connects to the server;
a verification device, for verifying whether the second certificate obtained by the acquisition device is legitimate; if it is legitimate, logging in to the server using the second certificate; if it is not legitimate, prompting the first connection device to connect to the server.
For the explanation of the relevant parts of the certificate-based communication system provided in an embodiment of the present invention, refer to the detailed description of the corresponding parts of the certificate-based communication method provided in an embodiment of the present invention; it is not repeated here. In addition, those parts of the above technical solution provided in the embodiments of the present invention whose implementation principle is the same as that of the corresponding technical solution in the prior art are not described in detail, so as to avoid excessive repetition.
In practical applications, different methods may be selected according to the application scenario to reduce the risk of the certificate being acquired by an attacker. Referring to Fig. 3, Fig. 3 is a flow chart of a certificate-based communication method in a practical application.
In this practical application, the server is deployed with a self-signed certificate, and a client accessing the server may include the following steps:
the client requests the server's self-signed certificate; the server sends the self-signed certificate to the client; the client verifies whether the self-signed certificate is legitimate and, if it is legitimate, logs in to the server directly using the self-signed certificate or, if it is not legitimate, performs the subsequent steps;
the client connects to the server through a first SSL connection request and sends a user name, a password, a CA root certificate and a CRL to the server as verification credentials; the server verifies whether the verification credentials pass and, if they pass, adds the CA root certificate and the CRL to its trust store and disconnects the first SSL connection;
the client connects to the server through a second SSL connection request and requests a CSR from the server; the server sends the CSR to the client; the client verifies whether the CSR is valid and, if it is valid, signs a certificate based on the CSR, sends the certificate to the server and disconnects the second SSL connection; the server replaces the self-signed certificate with the certificate signed by the client;
the client connects to the server through a third SSL connection request and logs in to the server using the signed certificate.
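The client's side of the Fig. 3 flow, as an added example that is not part of the patent: the client's own CA root (the "CA root certificate" it sends with the verification credentials on the first connection), the CSR check and signing done on the second connection, and the chain check that serves both as the legitimacy test of step 1 and as the login check on the third connection. Only Go's standard crypto/x509 is used; the CA name, host name and validity periods are constructed assumptions, and the SSL connections themselves are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewClientCA creates the client's self-signed root (constructed name, 24 h validity); its
// certificate is the "CA root certificate" sent with the verification credentials on connection 1.
func NewClientCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "client-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// SignServerCSR is the client's half of connection 2: the CSR is signed only if its signature
// proves possession of the server key and its subject names the host the client connected to.
func SignServerCSR(csrDER []byte, host string, caCert *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if csr.Subject.CommonName != host {
		return nil, fmt.Errorf("CSR names %q, expected %q", csr.Subject.CommonName, host)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, t, caCert, csr.PublicKey, caKey)
}

// VerifyServerCert is the legitimacy check of step 1 and the login check of connection 3: the
// certificate the TLS layer presented must chain to the client's root and name this host.
func VerifyServerCert(cert *x509.Certificate, host string, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A server that still presents its self-signed certificate fails VerifyServerCert, which is exactly the condition under which the client starts the enrollment; after the server swaps in the certificate returned by SignServerCSR, the same check passes.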
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A certificate-based communication method, characterized in that it comprises:
connecting to a server and sending verification credentials to the server;
receiving a verification result sent by the server, the verification result being sent after the server verifies whether the verification credentials pass;
parsing the verification result and, if the verification result indicates that the server's verification of the verification credentials passed, requesting a CSR from the server;
receiving the CSR sent by the server, determining whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so as to log in to the server using the first certificate.
2. The method according to claim 1, characterized in that the connecting to the server comprises:
establishing a first connection with the server;
after the receiving the verification result sent by the server and before the requesting the CSR from the server, the method further comprises:
disconnecting the first connection;
after the disconnecting the first connection and before the requesting the CSR from the server, the method further comprises:
establishing a second connection with the server;
after the sending the first certificate to the server, the method further comprises:
disconnecting the second connection.
3. The method according to claim 2, characterized in that the establishing a first connection with the server comprises:
establishing the first connection with the server based on the SSL protocol;
the establishing a second connection with the server comprises:
establishing the second connection with the server based on the SSL protocol.
4. The method according to claim 3, characterized in that the sending verification credentials to the server comprises:
sending the verification credentials to the server, the verification credentials comprising a user name, a password, a CA root certificate and a CRL.
5. The method according to claim 1, characterized in that, before the connecting to the server, the method further comprises:
acquiring a second certificate of the server;
verifying whether the second certificate is legitimate and, if it is legitimate, logging in to the server using the second certificate or, if it is not legitimate, performing the step of connecting to the server.
6. A certificate-based communication system, characterized in that it comprises:
a first connecting device, configured to connect to a server and send verification credentials to the server;
a first receiving device, configured to receive a verification result sent by the server, the verification result being sent after the server verifies whether the verification credentials pass;
a parsing device, configured to parse the verification result and, if the verification result indicates that the server's verification of the verification credentials passed, to request a CSR from the server;
a second receiving device, configured to receive the CSR sent by the server and determine whether the CSR is valid and, if it is valid, to sign a first certificate based on the CSR and send the first certificate to the server, so as to log in to the server using the first certificate.
7. The system according to claim 6, characterized in that the first connecting device comprises:
a first connecting module, configured to establish a first connection with the server before the connecting device sends the verification credentials to the server;
the system further comprises:
a first disconnecting device, configured to disconnect the first connection after the first receiving device receives the verification result and before the parsing device requests the CSR from the server;
a second connecting device, configured to establish a second connection with the server after the first connecting module disconnects the first connection and before the parsing device requests the CSR from the server;
a second disconnecting device, configured to disconnect the second connection after the second receiving device sends the first certificate to the server.
8. The system according to claim 7, characterized in that the first connecting module comprises:
a first connecting unit, configured to establish the first connection with the server based on the SSL protocol;
the second connecting device comprises:
a second connecting module, configured to establish the second connection with the server based on the SSL protocol.
9. The system according to claim 8, characterized in that the first connecting device comprises:
a sending module, configured to send the verification credentials to the server, the verification credentials comprising a user name, a password, a CA root certificate and a CRL.
10. The system according to claim 6, characterized in that it further comprises:
an acquiring device, configured to acquire a second certificate of the server before the first connecting device connects to the server;
a verifying device, configured to verify whether the second certificate acquired by the acquiring device is legitimate and, if it is legitimate, to log in to the server using the second certificate or, if it is not legitimate, to prompt the first connecting device to connect to the server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710566442.6A CN107295000A (en) | 2017-07-12 | 2017-07-12 | A kind of communication means and system based on certificate |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107295000A true CN107295000A (en) | 2017-10-24 |
Family
ID=60101340
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710566442.6A Pending CN107295000A (en) | 2017-07-12 | 2017-07-12 | A kind of communication means and system based on certificate |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107295000A (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101883106A (en) * | 2010-06-30 | 2010-11-10 | 赛尔网络有限公司 | Network access authentication method and server based on digital certificate |
CN102075522A (en) * | 2010-12-22 | 2011-05-25 | 北京航空航天大学 | Secure certification and transaction method with combination of digital certificate and one-time password |
CN102307096A (en) * | 2011-08-26 | 2012-01-04 | 武汉理工大学 | Pseudo-Rivest, Shamir and Adleman (RSA)-key-based application method for recent public key cryptography algorithm |
US20150058634A1 (en) * | 2011-09-29 | 2015-02-26 | Juniper Networks, Inc. | Automatically authenticating a host key via a dynamically generated certificate using an embedded cryptographic processor |
CN103888422A (en) * | 2012-12-21 | 2014-06-25 | 华为技术有限公司 | Security certificate updating method, client and server |
CN103237038A (en) * | 2013-05-09 | 2013-08-07 | 中国电子科技集团公司第三十研究所 | Two-way network access authentication method based on digital certificate |
CN103716794A (en) * | 2013-12-25 | 2014-04-09 | 北京握奇数据系统有限公司 | Two-way safety verification method and system based on portable device |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200396610A1 (en) * | 2018-02-28 | 2020-12-17 | Steven K. Turner | Method of utilizing a trusted secret package for certificate enrollment |
US11502849B2 (en) * | 2018-02-28 | 2022-11-15 | Motorola Solutions, Inc. | Method of utilizing a trusted secret package for certificate enrollment |
CN109194631A (en) * | 2018-08-17 | 2019-01-11 | 郑州云海信息技术有限公司 | A kind of proof of identity method and relevant apparatus |
CN114598549A (en) * | 2022-03-25 | 2022-06-07 | 杭州迪普科技股份有限公司 | Client SSL certificate verification method and device |
CN114598549B (en) * | 2022-03-25 | 2023-07-07 | 杭州迪普科技股份有限公司 | Customer SSL certificate verification method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20171024 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |