CN107295000A - Certificate-based communication method and system - Google Patents

Certificate-based communication method and system

Info

Publication number
CN107295000A
Authority
CN
China
Legal status
Pending
Application number
CN201710566442.6A
Other languages
Chinese (zh)
Inventor
王斐
王一斐
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201710566442.6A
Publication of CN107295000A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The invention discloses a certificate-based communication method and system. The method comprises: connecting to a server and sending verification credentials to the server; receiving the verification result that the server sends after it has verified whether the verification credentials pass; parsing the verification result and, if it shows that the server's verification of the credentials passed, requesting a CSR from the server; receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so that the server can then be logged into using the first certificate. With the certificate-based communication method provided by the invention, an attacker who wants to obtain the certificate must impersonate not only the server but also the party that logs into the server, which raises the difficulty of obtaining the certificate and solves the technical problem of reducing the risk that an attacker logs into the server illegitimately using a certificate.

Description

Certificate-based communication method and system
Technical field
The present invention relates to the field of communication technology, and more particularly to a certificate-based communication method and system.
Background
With the development of communication technology, certificates are used more and more to verify login requests between a client and a server. The prior art provides a method by which a client logs into a server. Specifically: after the client establishes a connection with the server, it sends a login request to the server and registers a certificate; once the server has verified the login request, it trusts the registered certificate; the client then logs into the server on the basis of the registered certificate.
With this prior-art method, however, an attacker who impersonates the server obtains the certificate that the client created and can log into the server with that certificate, thereby achieving the attack.
In summary, how to reduce the risk that an attacker logs into the server illegitimately using a certificate is a problem that those skilled in the art urgently need to solve.
Summary of the invention
The object of the present invention is to provide a certificate-based communication method that solves the technical problem of reducing the risk that an attacker logs into the server illegitimately using a certificate. The present invention also provides a certificate-based communication system.
To achieve these objects, the present invention provides the following technical scheme:
A certificate-based communication method, comprising:
connecting to a server and sending verification credentials to the server;
receiving a verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
parsing the verification result and, if the verification result shows that the server's verification of the verification credentials passed, requesting a CSR from the server;
receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so as to log into the server using the first certificate.
Preferably, connecting to the server comprises:
establishing a first connection with the server;
after receiving the verification result sent by the server and before requesting the CSR from the server, the method further comprises:
disconnecting the first connection;
after disconnecting the first connection and before requesting the CSR from the server, the method further comprises:
establishing a second connection with the server;
after sending the first certificate to the server, the method further comprises:
disconnecting the second connection.
Preferably, establishing the first connection with the server comprises:
establishing the first connection with the server based on the SSL protocol;
and establishing the second connection with the server comprises:
establishing the second connection with the server based on the SSL protocol.
Preferably, sending the verification credentials to the server comprises:
sending verification credentials to the server that include a user name, a password, a CA root certificate and a CRL.
Preferably, before connecting to the server, the method further comprises:
obtaining a second certificate of the server;
verifying whether the second certificate is legal; if it is legal, logging into the server using the second certificate; if it is not legal, performing the step of connecting to the server.
The present invention also provides a certificate-based communication system, comprising:
a first connection means for connecting to a server and sending verification credentials to the server;
a first receiving means for receiving a verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
a parsing means for parsing the verification result and, if the verification result shows that the server's verification of the verification credentials passed, requesting a CSR from the server;
a second receiving means for receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so as to log into the server using the first certificate.
Preferably, the first connection means comprises:
a first connection module for establishing a first connection with the server before the connection means sends the verification credentials to the server;
and the system further comprises:
a first disconnection means for disconnecting the first connection after the first receiving means has received the verification result and before the parsing means requests the CSR from the server;
a second connection means for establishing a second connection with the server after the first connection has been disconnected and before the parsing means requests the CSR from the server;
a second disconnection means for disconnecting the second connection after the second receiving means has sent the first certificate to the server.
Preferably, the first connection module comprises:
a first connection unit for establishing the first connection with the server based on the SSL protocol;
and the second connection means comprises:
a second connection module for establishing the second connection with the server based on the SSL protocol.
Preferably, the first connection means comprises:
a sending module for sending verification credentials to the server that include a user name, a password, a CA root certificate and a CRL.
Preferably, the system further comprises:
an acquisition means for obtaining a second certificate of the server before the first connection means connects to the server;
a verification means for verifying whether the second certificate obtained by the acquisition means is legal, logging into the server using the second certificate if it is legal, and prompting the first connection means to connect to the server if it is not legal.
The certificate-based communication method provided by the present invention comprises: connecting to a server and sending verification credentials to the server; receiving the verification result that the server sends after it has verified whether the credentials pass; parsing the verification result and, if it shows that the server's verification passed, requesting a CSR from the server; receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending it to the server, so as to log into the server using the first certificate. In this method the client, after establishing a connection with the server, first sends verification credentials to the server, and the server verifies whether they pass; only if that verification passes, and only if the client then finds the server's CSR valid, is the server issued the first certificate that is required to log into it. The method therefore requires both that the server's verification of the credentials passes and that the CSR is found valid, which is more verification than the prior art performs: to obtain the certificate an attacker must impersonate not only the server but also the party that logs into the server, whereas in the prior art impersonating the server alone was enough. More impersonation is needed, so the certificate is harder for the attacker to obtain. In summary, the certificate-based communication method provided by the present invention solves the technical problem of reducing the risk that an attacker logs into the server illegitimately using a certificate. The certificate-based communication system provided by the present invention solves the corresponding technical problem.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical scheme of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a certificate-based communication method provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a certificate-based communication system provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a certificate-based communication method in practical application.
Detailed description
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, Fig. 1 is a flow chart of a certificate-based communication method provided by an embodiment of the present invention.
The entity that performs each action in the certificate-based communication method provided by the present invention may be the client itself, and the certificate-based communication system may be provided in the client, so the entity performing each action may also be a system built into the client; the present invention does not specifically limit this. For convenience, the entity performing each action in the method is taken to be the client below.
A certificate-based communication method provided by an embodiment of the present invention may comprise the following steps:
Step S1: connect to the server and send verification credentials to the server.
Because the client needs to exchange information with the server, it must first connect to the server. The client connects to the server so that the client and the server can verify each other; the connection may be configured to be held only briefly and to be closed once the client and the server have completed mutual verification. Of course, according to different practical needs, the client's connection to the server may also be configured to be held for a long time; the present invention does not specifically limit this.
Step S2: receive the verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass.
The server can verify whether the verification credentials pass by comparing whether the credentials sent by the client are legal: if the credentials are legal, verification of the credentials passes; if they are illegal, it does not. In practical application, different methods of verifying whether the credentials are legal may be chosen according to the application scenario.
Whether the server's verification of the credentials passes expresses whether the server can trust the client: if the verification passes, the server trusts the client; if it does not pass, the server does not trust the client. After verifying the credentials the server can send a result to the client, so that the client learns the outcome of the server's verification.
Step S3: parse the verification result, and if the verification result shows that the server's verification of the credentials passed, request a CSR from the server.
Only when parsing the verification result shows that the server's verification of the credentials passed does the client request a CSR (Certificate Signing Request) from the server and go on to perform step S4.
If parsing the verification result shows that the server's verification of the credentials did not pass, the client may terminate the connection with the server, or take other action; the present invention does not specifically limit this.
Step S4: receive the CSR sent by the server, judge whether the CSR is valid, and if it is valid, sign a first certificate based on the CSR and send the first certificate to the server, so as to log into the server using the first certificate.
After receiving the CSR sent by the server, the client first judges whether the CSR is valid. If it is valid, the client trusts the server and can issue a certificate to the server; if the CSR is invalid, the client does not trust the server and may terminate the connection with the server, or take other action; the present invention does not specifically limit this.
When it judges the CSR to be valid, the client can sign the first certificate based on the CSR and send the first certificate to the server; that is, the client issues the first certificate to the server. Because the first certificate is issued by the client to the server only after the server's verification of the credentials has passed and the client has judged the CSR valid, that is, only when the server trusts the client and the client trusts the server, the first certificate is the security certificate with which the client logs into the server.
The CSR in this application can correspond to the verification credentials. Further, because the CSR corresponds to the verification credentials that the client sent to the server, the client can judge the validity of the CSR by judging whether the CSR corresponds to the verification credentials: if it does, the CSR is valid; if it does not, the CSR is invalid. Naturally there may be other methods of judging whether the CSR is valid; the present invention does not specifically limit this. When it judges the CSR to be valid, the client can generate the first certificate from the information contained in the CSR, such as the certificate validity period and the name, so that the first certificate corresponds to that information.
In the certificate-based communication method provided by the present invention, after establishing a connection with the server the client first sends verification credentials to the server, and the server verifies whether they pass; only if that verification passes, and only if the client then finds the server's CSR valid, is the server issued the first certificate that is required to log into it. The present invention therefore requires both that the server's verification of the credentials passes and that the client's verification of the CSR passes: login to the server is reached only through multiple verifications, and to obtain the certificate an attacker must impersonate not only the client but also the server, whereas in the prior art impersonating the server alone was enough. This raises the difficulty of the attacker obtaining the certificate. In summary, the certificate-based communication method provided by the present invention solves the technical problem of reducing the risk that an attacker logs into the server illegitimately using a certificate.
In the certificate-based communication method provided by an embodiment of the present invention, connecting to the server may comprise:
establishing a first connection with the server;
after receiving the verification result sent by the server and before requesting the CSR from the server, the method may further comprise:
disconnecting the first connection;
after disconnecting the first connection and before requesting the CSR from the server, the method may further comprise:
establishing a second connection with the server;
after sending the first certificate to the server, the method may further comprise:
disconnecting the second connection.
The first connection may be disconnected after the verification result sent by the server has been received and before the verification result is parsed; in that case the second connection with the server may be established either after the first connection is disconnected and before the verification result is parsed, or after the verification result is parsed and before the CSR is requested from the server. The first connection may also be disconnected after the verification result is parsed and before the CSR is requested from the server; in that case the second connection is established after the first connection is disconnected and before the CSR is requested from the server. The present invention does not specifically limit this.
In practical application, the client can complete the process of issuing a certificate to the server over several connections with the server, for example over two connections. The benefit of several connections is that, should an attacker attack the server, the client and the server connect several times, so the attacker must connect to the server several times when impersonating the client and must connect to the client several times when impersonating the server. The connection relationship between client and server that the attacker must reproduce becomes more complex, which further raises the difficulty of obtaining the certificate and reduces the risk of the certificate being attacked.
In the certificate-based communication method provided by an embodiment of the present invention, establishing the first connection with the server may comprise:
establishing the first connection with the server based on the SSL protocol;
and establishing the second connection with the server may comprise:
establishing the second connection with the server based on the SSL protocol.
When a connection is established with the server based on the SSL protocol, the client can first send an SSL connection request to the server; after receiving the SSL connection request the server judges whether to establish a connection with the client and, if so, establishes the connection; if not, no connection is established.
The client can choose different protocols for establishing the connection with the server according to the application scenario; the present invention does not specifically limit this. Preferably, the present invention chooses the SSL protocol here, because it makes the process of the client connecting to the server simple and easy to implement.
In the certificate-based communication method provided by an embodiment of the present invention, sending the verification credentials to the server may comprise:
sending verification credentials to the server that may include a user name, a password, a CA root certificate and a CRL.
In different application scenarios the client may send different verification credentials to the server, for example only a user name and password, or only a CA root certificate (the root certificate of a digital certification authority) and a CRL (Certificate Revocation List); the present invention does not specifically limit this. Preferably, the present invention has the client send verification credentials that include a user name, a password, a CA root certificate and a CRL, because the more the credentials contain, the more accurate the server's verification of them is, so that it is harder for an attacker to attack the server and the risk of the certificate being obtained by the attacker is further reduced.
After receiving the user name, password, CA root certificate and CRL sent by the client, the server can compare whether the user name and password sent by the client are consistent with the corresponding user name and password it stores itself, that is, judge whether the user name sent by the client is consistent with the stored user name and at the same time whether the password sent by the client is consistent with the stored password; and it judges whether the CA root certificate and the CRL are legal. If the user name and password sent by the client are consistent with those stored by the server and the CA root certificate and CRL are legal, verification of the credentials passes; otherwise it does not. Of course, there may be other methods of verifying whether the credentials pass; the present invention does not specifically limit this.
The server judging whether the CA root certificate and the CRL are legal is the server judging whether it recognises the client: if the CA root certificate and CRL are legal, the server recognises the client; otherwise it does not. Recognising the client is only one part of the server trusting the client; the server trusts the client only if it recognises the client and the other verification credentials also pass.
Preferably, when verification of the credentials passes, the server can add the CA root certificate and the CRL to the server's trust store. The server can generate a CSR corresponding to the CA root certificate and the CRL; correspondingly, when verifying whether the CSR is valid the client can verify whether the CSR corresponds to its own CA root certificate and CRL: if it corresponds, the CSR is valid, otherwise it is invalid. Because of this correspondence between the CSR and the CA root certificate and CRL, the server adding the CA root certificate and CRL to its trust store gives the client's verification of the CSR, and its signing of the first certificate based on the CSR, a further safety guarantee.
The certificate-based communication method provided by an embodiment of the present invention may further comprise, before connecting to the server:
obtaining a second certificate of the server;
verifying whether the second certificate is legal; if it is legal, logging into the server using the second certificate; if it is not legal, performing the step of connecting to the server.
In a practical application scenario, before establishing a connection with the server the client can first verify whether the server's second certificate is legal. If it is, the client can log into the server directly with the second certificate without going through the process of issuing a certificate to the server, which saves the time the client needs to log in and improves efficiency.
Verifying whether the server's second certificate is legal is verifying whether the second certificate is one that the client issued to the server: if the server's second certificate is legal, it was issued to the server by the client and is the security certificate with which the client logs into the server; if it is not legal, it was not issued to the server by the client and is not the security certificate for logging in, and the client then needs to issue a new certificate to the server.
The process of obtaining the server's second certificate and verifying whether it is legal is also the process of the client logging into the server with the certificate it issued to the server: if the server's second certificate was issued to the server by the client, the client is allowed to log into the server directly.
Because the client can record the certificate fingerprint as evidence when it issues a certificate to the server, the client can verify whether the second certificate is legal by judging whether the certificate fingerprint of the server's second certificate is one that the client signed: if the fingerprint of the second certificate was signed by the client, the second certificate is legal; if it was not, the second certificate is not legal. There may also be other methods of verifying whether the second certificate is legal; the present invention does not specifically limit this.
In practical application, after the client has logged into the server, the first certificate that the client issued to the server can also be deleted. The benefit of doing so is that an attacker cannot attack the server simply by obtaining the first certificate, which raises the difficulty of attacking the server. Of course, the first certificate need not be deleted; the present invention does not specifically limit this.
Present invention also offers a kind of communication system based on certificate, it is a kind of based on certificate that it has that the present invention provides The corresponding effect that communication means has.Referring to Fig. 2, Fig. 2 is a kind of communication system based on certificate provided in an embodiment of the present invention The structural representation of system.
A kind of communication system based on certificate provided in an embodiment of the present invention can include:
First attachment means A1, for connection server, sends checking authority to server;
First receiving device A2, the result sent for the reception server, the result is verified for server authentication Whether authority passes through rear transmission;
Resolver A3, for parsing the result, if the result shows server authentication, checking authority passes through, to Server application CSR;
Second reception device A4, the CSR sent for the reception server, judges whether CSR is effective, if effectively, being based on CSR signs First Certificate, First Certificate is sent to server, to utilize First Certificate login service device.
In a certificate-based communication system provided in an embodiment of the present invention, the first connection device may include:
a first connection module, configured to establish a first connection with the server before the connection device sends the verification credentials to the server;
the communication system may also include:
a first disconnection device, configured to disconnect the first connection after the first receiving device receives the verification result and before the parsing device requests the CSR from the server;
a second connection device, configured to establish a second connection with the server after the first connection module disconnects the first connection and before the parsing device requests the CSR from the server;
a second disconnection device, configured to disconnect the second connection after the second receiving device sends the first certificate to the server.
In a certificate-based communication system provided in an embodiment of the present invention, the first connection module may include:
a first connection unit, configured to establish the first connection with the server based on the SSL protocol;
the second connection device may include:
a second connection module, configured to establish the second connection with the server based on the SSL protocol.
In a certificate-based communication system provided in an embodiment of the present invention, the first connection device may include:
a sending module, configured to send the verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
A certificate-based communication system provided in an embodiment of the present invention may also include:
an acquisition device, configured to obtain a second certificate of the server before the first connection device connects to the server;
a verification device, configured to verify whether the second certificate obtained by the acquisition device is legitimate and, if it is legitimate, log in to the server using the second certificate, or, if it is not legitimate, prompt the first connection device to connect to the server.
For the explanation of the relevant parts of the certificate-based communication system provided in an embodiment of the present invention, refer to the detailed description of the corresponding parts of the certificate-based communication method provided in an embodiment of the present invention, which will not be repeated here. In addition, those parts of the above technical solution provided by the embodiments of the present invention whose implementation principle is consistent with the corresponding technical solution in the prior art are not described in detail, in order to avoid excessive repetition.
In practical application, different methods may be selected according to different application scenarios to reduce the risk of a certificate being obtained by an attacker. Referring to Fig. 3, Fig. 3 is a flow chart of a certificate-based communication method in practical application.
In this practical application, the server is deployed with a self-signed certificate, and the client's access to the server may include the following steps:
the client requests the self-signed certificate of the server; the server sends the self-signed certificate to the client; the client verifies whether the self-signed certificate is legitimate and, if it is legitimate, logs in to the server directly using the self-signed certificate, or, if it is not legitimate, performs the subsequent steps;
the client connects to the server through a first SSL connection request and sends the user name, password, CA root certificate and CRL to the server as verification credentials; the server verifies whether the verification credentials pass and, if they pass, adds the CA root certificate and the CRL to its trust store and disconnects the first SSL connection;
the client connects to the server through a second SSL connection request and requests a CSR from the server; the server sends the CSR to the client; the client verifies whether the CSR is valid and, if it is valid, signs a certificate based on the CSR, sends the certificate to the server and disconnects the second SSL connection; the server replaces the self-signed certificate with the certificate signed by the client;
the client connects to the server through a third SSL connection request and logs in to the server using the signed certificate.
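The enrolment flow above and the earlier "is the second certificate legitimate" check, as an added Go example that is not part of the patent: the client acts as its own CA (the CA root certificate it sends with the verification credentials), the server's CSR is checked before the first certificate is signed, and a certificate the server later presents is accepted only if it chains to that client CA. The key type, the names, the subject-name check on the CSR and the use of chain verification in place of a signed-fingerprint comparison are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Shared validity window; every key and certificate below is constructed for this example.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned: with isCA, the client's signing CA (the "CA root certificate" in the credentials); otherwise the server's initial self-signed certificate.
func selfSigned(cn string, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: isCA,
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// serverCSR: the server signs a request for its own name with its own key ("server sends CSR to the client").
func serverCSR(key *ecdsa.PrivateKey, cn string) []byte {
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}

// clientSignCSR is the client's "judge whether the CSR is valid, then sign the first certificate" step: parse, verify
// the CSR's self-signature (proof of possession of the server key), require the expected subject (an added assumption).
func clientSignCSR(csrDER []byte, expectCN string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil || csr.Subject.CommonName != expectCN {
		return nil, fmt.Errorf("CSR rejected (signature error: %v, subject: %q)", err, csr.Subject.CommonName)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: []string{expectCN}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)))), nil
}

// clientTrusts: the "is the second certificate legal" check; the presented cert must chain to the client's own CA, i.e. be one the client signed.
func clientTrusts(cert, ca *x509.Certificate, name string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}
```

The server-side check of the user name and password and the handling of the CRL in the server's trust store are not modelled here.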
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A certificate-based communication method, characterized in that it includes:
connecting to a server and sending verification credentials to the server;
receiving a verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
parsing the verification result and, if the verification result shows that the server's verification of the verification credentials passed, requesting a CSR from the server;
receiving the CSR sent by the server, judging whether the CSR is valid and, if it is valid, signing a first certificate based on the CSR and sending the first certificate to the server, so as to log in to the server using the first certificate.
2. The method according to claim 1, characterized in that the connecting to a server includes:
establishing a first connection with the server;
after the receiving the verification result sent by the server and before the requesting a CSR from the server, the method further includes:
disconnecting the first connection;
after the disconnecting the first connection and before the requesting a CSR from the server, the method further includes:
establishing a second connection with the server;
after the sending the first certificate to the server, the method further includes:
disconnecting the second connection.
3. The method according to claim 2, characterized in that the establishing a first connection with the server includes:
establishing the first connection with the server based on the SSL protocol;
the establishing a second connection with the server includes:
establishing the second connection with the server based on the SSL protocol.
4. The method according to claim 3, characterized in that the sending verification credentials to the server includes:
sending the verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
5. The method according to claim 1, characterized in that, before the connecting to a server, the method further includes:
obtaining a second certificate of the server;
verifying whether the second certificate is legitimate and, if it is legitimate, logging in to the server using the second certificate, or, if it is not legitimate, performing the step of connecting to the server.
6. A certificate-based communication system, characterized in that it includes:
a first connection device, configured to connect to a server and send verification credentials to the server;
a first receiving device, configured to receive a verification result sent by the server, the verification result being sent after the server has verified whether the verification credentials pass;
a parsing device, configured to parse the verification result and, if the verification result shows that the server's verification of the verification credentials passed, request a CSR from the server;
a second receiving device, configured to receive the CSR sent by the server, judge whether the CSR is valid and, if it is valid, sign a first certificate based on the CSR and send the first certificate to the server, so as to log in to the server using the first certificate.
7. The system according to claim 6, characterized in that the first connection device includes:
a first connection module, configured to establish a first connection with the server before the connection device sends the verification credentials to the server;
the system further includes:
a first disconnection device, configured to disconnect the first connection after the first receiving device receives the verification result and before the parsing device requests the CSR from the server;
a second connection device, configured to establish a second connection with the server after the first connection module disconnects the first connection and before the parsing device requests the CSR from the server;
a second disconnection device, configured to disconnect the second connection after the second receiving device sends the first certificate to the server.
8. The system according to claim 7, characterized in that the first connection module includes:
a first connection unit, configured to establish the first connection with the server based on the SSL protocol;
the second connection device includes:
a second connection module, configured to establish the second connection with the server based on the SSL protocol.
9. The system according to claim 8, characterized in that the first connection device includes:
a sending module, configured to send the verification credentials to the server, the verification credentials including a user name, a password, a CA root certificate and a CRL.
10. The system according to claim 6, characterized in that it further includes:
an acquisition device, configured to obtain a second certificate of the server before the first connection device connects to the server;
a verification device, configured to verify whether the second certificate obtained by the acquisition device is legitimate and, if it is legitimate, log in to the server using the second certificate, or, if it is not legitimate, prompt the first connection device to connect to the server.
CN201710566442.6A 2017-07-12 2017-07-12 A kind of communication means and system based on certificate Pending CN107295000A (en)
Publications (1)

Publication Number Publication Date
CN107295000A true CN107295000A (en) 2017-10-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024