CN108965250B - Digital certificate installation method and system - Google Patents


Publication number: CN108965250B
Authority: CN (China)
Prior art keywords: authentication, storage environment, digital certificate, service, target
Legal status: Active
Application number: CN201810575697.3A
Other languages: Chinese (zh)
Other versions: CN108965250A (en)
Inventor: 林孝旦
Current Assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Original Assignee: Advanced New Technologies Co Ltd
Application filed by Advanced New Technologies Co Ltd
Priority to CN201810575697.3A
Publication of CN108965250A
Application granted
Publication of CN108965250B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

A digital certificate installation method and system are disclosed. The method comprises: after receiving a service request from a client, a service server determines a target authentication mode, obtains authentication information, and sends the authentication information to an authentication server; the authentication server authenticates the identity of the authentication subject according to the authentication information and returns an authentication result to the service server; after receiving an authentication-passed result from the authentication server, the service server sends a digital certificate request to the authentication server; the authentication server generates a digital certificate according to the identity information carried in the request and returns it to the service server; and the service server issues the digital certificate to the client and designates a target storage environment, so that the client stores the digital certificate in the target storage environment.

Description

Digital certificate installation method and system
Technical Field
The embodiments of this specification relate to the technical field of internet applications, and in particular to a digital certificate installation method and system.
Background
To protect users' information security, services carried out on the internet generally require the participating parties (people, terminal devices, servers, etc.) to hold digital certificates. As mobile terminal devices become more capable, users increasingly rely on the clients installed on them to handle services on the network. A more comprehensive method of installing digital certificates on mobile terminal devices is therefore needed, building on the prior art, to meet the differing security requirements of the many service types such as e-commerce and online finance.
Disclosure of Invention
In view of the above technical problems, embodiments of this specification provide a digital certificate installation method and system. The technical scheme is as follows.
According to a first aspect of the embodiments of this specification, there is provided a digital certificate installation method, including:
after receiving a service request from a client, a service server determines a target authentication mode corresponding to the service type of the service request according to a preset correspondence between service types and authentication modes, obtains the authentication information required to authenticate the authentication subject in the target authentication mode, and sends the authentication information to an authentication server;
after receiving the authentication information sent by the service server, the authentication server authenticates the identity of the authentication subject in the target authentication mode according to the authentication information, and returns an authentication result to the service server;
after receiving an authentication-passed result from the authentication server, the service server sends a digital certificate request to the authentication server, the request carrying the identity information of the authentication subject;
after receiving the digital certificate request sent by the service server, the authentication server generates a digital certificate according to the identity information carried in the request and returns it to the service server;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment corresponding to the service type of the service request according to a preset correspondence between service types and storage environments, issues the digital certificate to the client, and designates the target storage environment so that the client stores the digital certificate in the target storage environment.
According to a second aspect of the embodiments of this specification, there is provided a digital certificate installation method applied to a service server, the method including:
after receiving a service request from a client, determining a target authentication mode corresponding to the service type of the service request according to a preset correspondence between service types and authentication modes, obtaining the authentication information required to authenticate the authentication subject in the target authentication mode, and sending the authentication information to an authentication server;
after receiving an authentication-passed result from the authentication server, sending a digital certificate request to the authentication server, the request carrying the identity information of the authentication subject;
after receiving the digital certificate returned by the authentication server, determining a target storage environment corresponding to the service type of the service request according to a preset correspondence between service types and storage environments, issuing the digital certificate to the client, and designating the target storage environment so that the client stores the digital certificate in the target storage environment.
According to a third aspect of the embodiments of this specification, there is provided a digital certificate installation method applied to an authentication server, the method including:
after receiving authentication information sent by a service server, authenticating the identity of the authentication subject, according to the authentication information, in the target authentication mode corresponding to the authentication information, and returning an authentication result to the service server;
after receiving a digital certificate request sent by the service server, generating a digital certificate according to the identity information of the authentication subject carried in the request and returning it to the service server.
According to a fourth aspect of the embodiments of this specification, there is provided a digital certificate installation system, the system comprising a service server and an authentication server, wherein:
after receiving a service request from a client, the service server determines a target authentication mode corresponding to the service type of the service request according to a preset correspondence between service types and authentication modes, obtains the authentication information required to authenticate the authentication subject in the target authentication mode, and sends the authentication information to the authentication server;
after receiving the authentication information sent by the service server, the authentication server authenticates the identity of the authentication subject in the target authentication mode according to the authentication information, and returns an authentication result to the service server;
after receiving an authentication-passed result from the authentication server, the service server sends a digital certificate request to the authentication server, the request carrying the identity information of the authentication subject;
after receiving the digital certificate request sent by the service server, the authentication server generates a digital certificate according to the identity information carried in the request and returns it to the service server;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment corresponding to the service type of the service request according to a preset correspondence between service types and storage environments, issues the digital certificate to the client, and designates the target storage environment so that the client stores the digital certificate in the target storage environment.
According to a fifth aspect of the embodiments of this specification, there is provided a digital certificate installation apparatus applied to a service server, the apparatus including:
an authentication mode determining module, configured to determine, after a service request is received from a client, a target authentication mode corresponding to the service type of the service request according to a preset correspondence between service types and authentication modes;
an authentication information sending module, configured to obtain the authentication information required to authenticate the authentication subject in the target authentication mode and send the authentication information to the authentication server;
a digital certificate request module, configured to send a digital certificate request to the authentication server after an authentication-passed result is received from the authentication server, the request carrying the identity information of the authentication subject;
a storage environment determining module, configured to determine, after the digital certificate returned by the authentication server is received, a target storage environment corresponding to the service type of the service request according to a preset correspondence between service types and storage environments;
and a digital certificate issuing module, configured to issue the digital certificate to the client and designate the target storage environment, so that the client stores the digital certificate in the target storage environment.
According to a sixth aspect of the embodiments of this specification, there is provided a digital certificate installation apparatus applied to an authentication server, the apparatus including:
an identity authentication module, configured to authenticate, after authentication information sent by the service server is received, the identity of the authentication subject in the target authentication mode corresponding to the authentication information, and to return an authentication result to the service server;
and a digital certificate generating module, configured to generate, after a digital certificate request sent by the service server is received, a digital certificate according to the identity information of the authentication subject carried in the request and return it to the service server.
With the technical scheme provided by the embodiments of this specification, the service server can judge the security level a service requires from the service type of the service request, and from that determine both the authentication mode used for identity authentication and the storage environment of the digital certificate. By combining different authentication modes and storage environments, the service server lets the client install digital certificates at different security levels, meeting the differing security requirements of different service types.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and do not restrict the embodiments of this specification.
In addition, no single embodiment in this specification is required to achieve all of the effects described above.
Drawings
To illustrate the embodiments of this specification or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below are only some of the embodiments described in this specification, and those skilled in the art can obtain other drawings from them.
Fig. 1 is a schematic structural diagram of a digital certificate installation system according to an embodiment of this specification;
Fig. 2 is a schematic flow chart of a digital certificate installation method according to an embodiment of this specification;
Fig. 3 is a schematic flow chart of a digital certificate installation method according to an embodiment of this specification;
Fig. 4 is a schematic flow chart of a digital certificate installation method according to an embodiment of this specification;
Fig. 5 is a schematic structural diagram of a digital certificate installation apparatus applied to a service server according to an embodiment of this specification;
Fig. 6 is a schematic structural diagram of a digital certificate installation apparatus applied to an authentication server according to an embodiment of this specification;
Fig. 7 is a schematic structural diagram of an apparatus for configuring a device according to an embodiment of this specification.
Detailed Description
So that those skilled in the art can better understand the technical solutions in the embodiments of this specification, those solutions are described in detail below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of this specification. All other embodiments that one of ordinary skill in the art can derive from the embodiments given here fall within the scope of protection.
A digital certificate is an authoritative identity credential issued by a CA (Certificate Authority) that certifies the identity of a subject participating in services on the internet, where the subject may be a natural person, an account, a terminal device, a server, and the like. The digital certificate contains the subject's identity information, the public key the subject holds, the CA's digital signature and other information, so that two communicating parties on the internet can each identify the other and ensure that information is not tampered with by a third party in transit.
When a subject applies to a CA for a digital certificate, identity authentication is required first. Subjects of different forms, or of the same form, can be authenticated in different modes, and different authentication modes satisfy different security requirements.
After identity authentication passes, the CA issues the digital certificate to the subject, and the device corresponding to the subject stores it; this completes the installation of the digital certificate. An installed digital certificate can be used directly in subsequent service processing without applying again.
With the spread of mobile terminals such as mobile phones and tablet computers, the mobile terminal has become a device users commonly use and also a common storage medium for digital certificates. Digital certificates used in different service scenarios place different security requirements on the storage environment, and a mobile terminal generally has several storage environments that can satisfy different security requirements.
The embodiments of this specification provide a digital certificate installation method that, according to the security requirements of the service scenario, automatically matches an identity authentication mode and a storage environment whose security levels meet those requirements.
In the embodiments of this specification, the digital certificate installation flow involves a client, a service server and an authentication server. The corresponding system architecture is shown in Fig. 1 and includes a client device 10, a service server device 20, and an authentication server device 20. The client device is the mobile terminal device that stores the digital certificate; the service server device and the authentication server device may each be a single server or a server cluster; and the three may be connected through networks of any form, which this specification does not limit.
Fig. 2 is an interaction flowchart of a digital certificate installation method provided in an embodiment of this specification, which may include the following steps:
S201: after receiving a service request from a client, the service server determines a target authentication mode corresponding to the service type of the service request according to a preset correspondence between service types and authentication modes, obtains the authentication information required to authenticate the authentication subject in the target authentication mode, and sends the authentication information to the authentication server.
When a user takes part in a service through a client installed on a mobile terminal, the client sends the corresponding service request to the service server, and the service server installs the corresponding digital certificate according to the service request.
As described above, installing a digital certificate first requires identity authentication, and different authentication modes may be used for different types of subject.
For example, when the subject is a natural person, authentication may be performed by verifying an identity card, face, voiceprint, iris, or the like; when the subject is a terminal device that takes a SIM card, authentication may be performed by short-message verification or the like; when the subject is an account, authentication may be performed by password verification or the like; and so on.
In addition, the security requirements of service processing differ between service scenarios. Because the digital certificate is the means of identifying the subject and protecting information in transit, digital certificates used in different service scenarios also have different security requirements. For example, e-commerce services may have higher security requirements than social networking services, e-government services may have higher security requirements than e-commerce services, and so on.
The security requirements of a digital certificate are reflected mainly in the authentication mode and the storage environment. Different authentication modes have different security levels and so can satisfy different security requirements.
For example, when the subject is a natural person, an identity card may be stolen, so an authentication mode that verifies both the identity card and the face is more comprehensive than one that verifies only the identity card. It is therefore more secure and can be used in service scenarios with higher security requirements.
The digital certificate installation scheme provided by the embodiments of this specification can automatically match an authentication mode whose security level meets the requirement according to the service type of the service request. The service server therefore determines the target authentication mode corresponding to the service type of the service request according to the preset correspondence between service types and authentication modes.
The correspondence between service types and authentication modes can be preset by a developer. For example, the authentication mode for government-affairs services may be natural-person authentication and the authentication mode for social services may be account authentication; or the authentication mode for small-amount transaction services may be restricted to low-level natural-person authentication that verifies an identity card, while the authentication mode for large-amount transaction services is restricted to high-level natural-person authentication that verifies the identity card, face and voiceprint. The embodiments of this specification do not limit how the correspondence is set, and those skilled in the art can set it flexibly according to actual conditions.
It can be understood that a developer may preset an identity authentication mode for each service type, but because terminal devices differ in their software and hardware configurations, the authentication modes that different terminal devices can support also differ.
Therefore, to improve the efficiency of identity authentication and match the most appropriate authentication mode to the service request, in a specific implementation of the embodiments of this specification the authentication modes supported locally by the client may first be detected to obtain at least one available authentication mode, and the preferred authentication mode corresponding to the service type of the service request may then be determined according to the preset correspondence between service types and authentication modes.
If the available authentication modes include the preferred authentication mode, the preferred authentication mode is determined to be the target authentication mode; if they do not, the target authentication mode is determined according to preset authentication mode security levels and an authentication mode fallback rule.
For example, the security levels of the authentication modes can be preset from high to low as follows: the authentication mode is carried forward to a high-level authentication mode according to a forward-extending rule. Suppose the terminal device is a tablet computer and 4 available authentication modes are detected. For the registration service of a social application, which has a lower security requirement, the preferred authentication mode determined from the correspondence is device short-message authentication. Because the tablet computer cannot use a SIM card and does not support device short-message authentication, the target authentication mode is carried forward to account-password authentication, the next higher level.
After the target authentication mode is determined, the authentication information required for authentication in that mode can be obtained and authentication performed.
Of course, as described above, if the same service, or the same service type in a similar service scenario, has been authenticated before, the client may already have the corresponding digital certificate installed. To keep repeated installation from affecting service-processing efficiency, in a specific implementation of the embodiments of this specification it may first be detected, after the target authentication mode is determined, whether the corresponding digital certificate is already installed.
Specifically, the authentication subject of the target authentication mode is determined. Each authentication mode has a corresponding authentication subject: for example, the authentication subject of natural-person authentication is a natural person, and the authentication subject of account authentication is an account; likewise, the authentication subjects of high-level and low-level natural-person authentication are both natural persons.
After the authentication subject is determined, it is detected whether the digital certificate of that authentication subject is installed locally on the client. In a specific implementation of the embodiments of this specification, the target storage environment corresponding to the service type of the service request may be determined according to the preset correspondence between service types and storage environments, which narrows the range to be checked locally on the client. It is then detected whether a digital certificate of the authentication subject is stored in the target storage environment local to the client; if so, the digital certificate of the authentication subject is determined to be installed; if not, it is determined not to be installed.
If detection shows that the digital certificate of the authentication subject is not installed, authentication of the subject must continue, and the authentication information required to authenticate the subject in the target authentication mode is obtained. For example, when the target authentication mode is device authentication by short-message verification, the required authentication information is the short-message verification content sent to the terminal device and the short-message verification content returned by the terminal device. It may be obtained as follows: the service server sends a short message containing a verification code to the terminal device, and the user enters the verification code in the client, which sends it to the service server.
S202: after receiving the authentication information sent by the service server, the authentication server authenticates the identity of the authentication subject in the target authentication mode according to the authentication information, and returns an authentication result to the service server.
S203: after receiving an authentication-passed result from the authentication server, the service server sends a digital certificate request to the authentication server, the request carrying the identity information of the authentication subject.
S204: after receiving the digital certificate request sent by the service server, the authentication server generates a digital certificate according to the identity information carried in the request and returns it to the service server.
For convenience of description, S202 to S204 are described together.
It can be understood that the authentication server described in the embodiments of this specification may be a CA, in which case the CA both performs identity authentication and issues the digital certificate. It may also be a combination of a CA and other related systems: for example, if the CA delegates the identity authentication function to the identity authentication system of the payment bank, the authentication server comprises the certificate issuing system of the CA and the identity authentication system of the payment bank. It may also be one of, or a combination of, other entities or systems authorized to perform identity authentication and issue digital certificates; and so on.
S205: after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment corresponding to the service type of the service request according to a preset correspondence between service types and storage environments, issues the digital certificate to the client, and designates the target storage environment so that the client stores the digital certificate in the target storage environment.
In one implementation of the embodiments of this specification, the storage environment may include one or more of a secure element (SE), a trusted execution environment (TEE), and a common execution environment (REE).
The REE (common execution environment) is the general-purpose environment of the terminal device. It runs an OS (Operating System) such as Android, iOS or Linux and exposes all functions of the device to the apps above it. Because the REE is general-purpose and open, its security level is low: the OS can directly read all data of an app in the REE, and app isolation implemented by the OS is comparatively easy to bypass.
A TEE (Trusted Execution Environment) is an environment isolated from the REE by a hardware mechanism. The REE can communicate with the TEE only through a specific entry point; the TEE can access REE memory, but the REE cannot access TEE memory, which is protected by hardware. The security level of the TEE is therefore higher than that of the REE, and it can provide a more confidential storage environment for a digital certificate.
An SE (Secure Element) generally provides a storage environment in the form of a chip. The chip contains encryption and decryption logic circuits, which can resist external malicious analysis attacks and protect data security; its security level is higher than that of the TEE and the REE.
It is to be understood that the storage environments in the solutions provided by the embodiments of this specification may also include other storage environments that a terminal device provides on the basis of other software and hardware.
Developers can preset a corresponding storage environment for each service type, but because terminal devices differ in software and hardware configuration, the storage environments they support differ as well. Therefore, as a specific implementation for determining the target storage environment, the storage environments locally supported by the client may first be detected to obtain at least one available storage environment, and the preferred storage environment corresponding to the service type of the service request is determined according to the preset correspondence between service type and storage environment.
If the available storage environments include the preferred storage environment, the preferred storage environment is determined as the target storage environment; if the available storage environments do not include the preferred storage environment, the target storage environment is determined according to a preset storage environment security level and a storage environment sequential rule.
For example, the security levels of the storage environments may be preset from high to low as SE, TEE, REE, and the storage environment sequential rule is to fall back in sequence to the highest level. Suppose the terminal device is not configured with an SE, so that 2 available storage environments, the TEE and the REE, are detected. For the transfer opening service of a financial application, which has a higher security requirement, the preferred storage environment determined from the correspondence is the SE. Because the terminal device is not configured with an SE and therefore does not support SE storage, the target storage environment is determined, in sequence, to be the highest level, the TEE.
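The selection of the target storage environment described above can be written as a short server-side routine. This is an added example, not code from the patent: the service type names, the mapping table, and the `downgraded` flag (which lets the service server record when a certificate lands in an environment below the preferred one) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class StorageEnv(IntEnum):
    """Storage environments, ranked by the security levels given in the text."""
    REE = 1  # common OS environment, lowest level
    TEE = 2  # hardware-isolated execution environment
    SE = 3   # secure element chip, highest level


# Preset correspondence between service type and preferred storage
# environment. The service type names are hypothetical.
PREFERRED_ENV = {
    "transfer_activation": StorageEnv.SE,
    "account_login": StorageEnv.TEE,
    "coupon_redeem": StorageEnv.REE,
}


@dataclass(frozen=True)
class StorageDecision:
    service_type: str
    preferred: StorageEnv
    target: StorageEnv
    downgraded: bool  # True when the target ranks below the preferred level


def parse_reported_envs(reported):
    """Convert the client's capability report into known environments.

    Names that are not SE, TEE or REE are dropped, so an unexpected value
    in the report can never become the target.
    """
    envs = set()
    for name in reported:
        if not isinstance(name, str):
            continue
        try:
            envs.add(StorageEnv[name.strip().upper()])
        except KeyError:
            continue
    return envs


def select_target_env(service_type, reported):
    """Apply the preferred-environment lookup, then the sequential rule."""
    if service_type not in PREFERRED_ENV:
        raise ValueError(f"no storage environment preset for {service_type!r}")
    preferred = PREFERRED_ENV[service_type]

    available = parse_reported_envs(reported)
    if not available:
        raise ValueError("client reported no usable storage environment")

    if preferred in available:
        target = preferred
    else:
        # Sequential rule from the text: take the highest available level.
        target = max(available)

    return StorageDecision(service_type, preferred, target, target < preferred)


if __name__ == "__main__":
    # Constructed input: a terminal without an SE, as in the text's example.
    print(select_target_env("transfer_activation", ["TEE", "REE"]))
```

For the terminal in the text's example the decision has TEE as the target and `downgraded` set, which is the point at which a service server could log the shortfall or apply a stricter policy of its own.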
After receiving the digital certificate and the designated target storage environment issued by the service server, the client can store the digital certificate in the designated environment, thereby completing the installation of the digital certificate.
In order to describe the digital certificate installation scheme in the embodiments of the present specification more clearly, the digital certificate installation methods executed by the service server and by the authentication server are described below, each from a single-side perspective:
Fig. 3 is a flowchart of a digital certificate installation method executed by a service server, which may specifically include the following steps:
S301, after receiving a service request of a client, determining a target authentication mode corresponding to the service type of the service request according to a preset corresponding relation between the service type and the authentication mode; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
S302, after receiving the result of passing the authentication returned by the authentication server, sending a digital certificate request to the authentication server, wherein the request carries the identity information of the authentication subject;
S303, after receiving the digital certificate returned by the authentication server, determining a target storage environment corresponding to the service type of the service request according to the corresponding relation between the preset service type and the storage environment; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
Fig. 4 is a flowchart illustrating a digital certificate installation method executed by an authentication server, which may specifically include the following steps:
S401, after receiving authentication information sent by a service server, according to the authentication information, performing identity authentication on an authentication subject in a target authentication mode corresponding to the authentication information, and returning an authentication result to the service server;
S402, after receiving the digital certificate request sent by the service server, generating and returning the digital certificate to the service server according to the identity information of the authentication subject carried in the request.
For details of the single-side execution method of the service server and the authentication server, reference may be made to the description of the foregoing embodiment, which is not described herein again.
The digital certificate installation method provided in the present specification will be described below with reference to a more specific example.
Assume that an Alipay user needs to use the Huabei service; the Huabei service can be opened through the Alipay client installed on the user's smartphone.
The Alipay client sends a service request for opening Huabei to the security center of Alipay (namely, the service server).
The security center detects that the identity authentication modes locally supported by the client include natural person authentication, account authentication and device authentication, and determines, according to the preset correspondence between service type and authentication mode, that natural person authentication is required. Natural person authentication is therefore determined as the target authentication mode, and the authentication subject is a natural person.
In addition, the security center can also detect that the storage environments locally supported by the client include the REE, the TEE and the SE, and determine, according to the preset correspondence between service type and storage environment, that the certificate needs to be stored in the SE, so that the SE is determined as the target storage environment.
Further, the security center detects whether the user's natural person digital certificate has already been stored in the SE local to the client. Since the user has not performed natural person authentication in the services previously opened and used, no certificate is detected locally; it is therefore determined that the natural person digital certificate of the user is not installed locally, and natural person authentication needs to proceed.
Therefore, the security center prompts the user, through the client, to upload an identity card photo and perform dynamic face recognition, receives the authentication information uploaded by the client, namely the identity card information and face recognition information, and sends the authentication information to the Alipay identity authentication system authorized by the CA organization.
After receiving the authentication information, the identity authentication system authenticates the identity of the user in the natural person authentication mode according to the user's identity card, face and other information, and returns an authentication-passed result to the security center if the authentication passes.
After receiving the authentication-passed result, the security center sends a digital certificate request carrying the user identity information to the CA organization.
The CA organization generates a corresponding digital certificate according to the identity information and returns the digital certificate to the security center of Alipay. The certificate may include information such as the identity information of the user, the public key held, and the digital signature of the CA organization.
The security center issues the received digital certificate to the user's client and instructs the client to store the digital certificate in the SE, so that the installation of the user's digital certificate is completed once the client has stored it.
Therefore, by applying this scheme, the security level required by a service can be judged from its service type, so that an identity authentication mode and a digital certificate storage environment meeting the security requirement are matched intelligently, and digital certificates for different service types are installed at the appropriate security level.
Corresponding to the foregoing method embodiment, an embodiment of this specification further provides a digital certificate installation apparatus, which is applied to a service server, and as shown in Fig. 5, the apparatus may include:
an authentication mode determining module 110, configured to determine, after receiving a service request from a client, a target authentication mode corresponding to a service type of the service request according to a preset correspondence between the service type and the authentication mode;
an authentication information sending module 120, configured to obtain authentication information required for authenticating the authentication subject in the target authentication manner, and send the authentication information to the authentication server;
a digital certificate request module 130, configured to send a digital certificate request to the authentication server after receiving a result of passing authentication returned by the authentication server, where the request carries identity information of the authentication subject;
the storage environment determining module 140 is configured to determine, after receiving the digital certificate returned by the authentication server, a target storage environment corresponding to the service type of the service request according to a preset correspondence between the service type and the storage environment;
the digital certificate issuing module 150 is configured to issue the digital certificate to the client and specify the target storage environment, so that the client stores the digital certificate in the target storage environment.
An embodiment of the present specification further provides a digital certificate installation apparatus, which is applied to an authentication server, and as shown in Fig. 6, the apparatus includes:
the identity authentication module 210 is configured to, after receiving authentication information sent by the service server, perform identity authentication on an authentication subject according to the authentication information in a target authentication manner corresponding to the authentication information, and return an authentication result to the service server;
the digital certificate generating module 220 is configured to generate and return a digital certificate to the service server according to the identity information of the authentication subject carried in the request after receiving the digital certificate request sent by the service server.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
Embodiments of the present specification also provide a computer device, which at least includes a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to implement the aforementioned digital certificate installation method. The method at least comprises the following steps:
a method of digital certificate installation, the method comprising:
after receiving a service request of a client, a service server determines a target authentication mode corresponding to the service type of the service request according to a preset corresponding relation between the service type and the authentication mode; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving the authentication information sent by the service server, the authentication server performs identity authentication on the authentication subject in the target authentication mode according to the authentication information and returns an authentication result to the service server;
after receiving the result of passing the authentication returned by the authentication server, the service server sends a digital certificate request to the authentication server, wherein the request carries the identity information of the authentication subject;
after receiving a digital certificate request sent by a service server, an authentication server generates and returns a digital certificate to the service server according to identity information carried in the request;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment corresponding to the service type of the service request according to a preset corresponding relationship between the service type and the storage environment; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
Fig. 7 is a more specific hardware structure diagram of a computing device provided in an embodiment of the present specification, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification also provide a computer-readable storage medium on which a computer program is stored, where the computer program is executed by a processor to implement the foregoing digital certificate installation method. The method at least comprises the following steps:
a method of digital certificate installation, the method comprising:
after receiving a service request of a client, a service server determines a target authentication mode corresponding to the service type of the service request according to a preset corresponding relation between the service type and the authentication mode; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving the authentication information sent by the service server, the authentication server performs identity authentication on the authentication subject in the target authentication mode according to the authentication information and returns an authentication result to the service server;
after receiving the result of passing the authentication returned by the authentication server, the service server sends a digital certificate request to the authentication server, wherein the request carries the identity information of the authentication subject;
after receiving a digital certificate request sent by a service server, an authentication server generates and returns a digital certificate to the service server according to identity information carried in the request;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment corresponding to the service type of the service request according to a preset corresponding relationship between the service type and the storage environment; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific embodiment of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, a plurality of modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as the protection scope of the embodiments of the present disclosure.

Claims (17)

1. A method of digital certificate installation, the method comprising:
after receiving a service request of a client, a service server determines a target authentication mode according to a preset corresponding relation between a service type and an authentication mode, a preset security level of the authentication mode and an authentication mode delay rule; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving the authentication information sent by the service server, the authentication server performs identity authentication on the authentication subject in the target authentication mode according to the authentication information and returns an authentication result to the service server;
after receiving the result of passing the authentication returned by the authentication server, the service server sends a digital certificate request to the authentication server, wherein the request carries the identity information of the authentication subject;
after receiving a digital certificate request sent by a service server, an authentication server generates and returns a digital certificate to the service server according to identity information carried in the request;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment according to the corresponding relation between the preset service type and the storage environment, the preset storage environment security level and the storage environment sequential rule; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
2. The method of claim 1, wherein the obtaining authentication information required to authenticate the authentication subject by the target authentication method comprises:
determining an authentication subject of the target authentication mode;
detecting whether a client side has installed the digital certificate of the authentication subject locally;
and if the digital certificate of the authentication subject is not installed, acquiring authentication information required for authenticating the authentication subject through the target authentication mode.
3. The method of claim 2, the detecting whether a client has installed a digital certificate of the authentication subject locally, comprising:
determining a target storage environment corresponding to the service type of the service request according to the corresponding relation between the preset service type and the storage environment;
detecting whether a digital certificate of the authentication subject is stored in a target storage environment local to a client; if yes, determining that the digital certificate of the authentication subject is installed; if not, determining that the digital certificate of the authentication subject is not installed.
4. The method according to claim 1, wherein the determining a target authentication mode corresponding to the service type of the service request according to a preset correspondence between the service type and the authentication mode, a preset security level of the authentication mode, and an authentication mode delay rule includes:
detecting the authentication mode locally supported by the client to obtain at least one available authentication mode;
determining a preferred authentication mode corresponding to the service type of the service request according to a corresponding relation between a preset service type and the authentication mode;
if the available authentication mode comprises the preferred authentication mode, determining the preferred authentication mode as a target authentication mode;
and if the available authentication mode does not comprise the preferred authentication mode, determining a target authentication mode according to a preset authentication mode security level and an authentication mode delay rule.
5. The method according to claim 1, wherein the determining a target storage environment corresponding to the service type of the service request according to a preset correspondence between the service type and the storage environment, a preset storage environment security level, and a storage environment sequential rule, includes:
detecting a storage environment locally supported by a client to obtain at least one available storage environment;
determining a preferred storage environment corresponding to the service type of the service request according to the corresponding relation between the preset service type and the storage environment;
if the available storage environment comprises the preferred storage environment, determining the preferred storage environment as a target storage environment;
and if the available storage environment does not comprise the preferred storage environment, determining a target storage environment according to a preset storage environment security level and a storage environment sequential rule.
6. The method of claim 1, the storage environment, comprising:
one or more of a secure element SE, a trusted execution environment TEE and a normal execution environment REE.
7. A digital certificate installation method is applied to a business server side, and comprises the following steps:
after receiving a service request of a client, determining a target authentication mode according to a preset corresponding relation between a service type and an authentication mode, a preset security level of the authentication mode and an authentication mode delay rule; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving an authentication passing result returned by an authentication server, sending a digital certificate request to the authentication server, wherein the request carries identity information of the authentication subject;
after receiving the digital certificate returned by the authentication server, determining a target storage environment according to a preset corresponding relation between the service type and the storage environment, a preset storage environment security level and a storage environment sequential rule; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
8. A digital certificate installation method is applied to an authentication server side, and comprises the following steps:
after receiving authentication information sent by a service server, according to the authentication information, performing identity authentication on an authentication subject in a target authentication mode corresponding to the authentication information, and returning an authentication result to the service server; after receiving a service request of a client by a service server, determining a target authentication mode according to a preset corresponding relation between a service type and an authentication mode, a preset security level of the authentication mode and an authentication mode delay rule; obtaining authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving a digital certificate request sent by a service server, generating and returning a digital certificate to the service server according to the identity information of the authentication subject carried in the request, so that after the service server receives the digital certificate returned by the authentication server, a target storage environment is determined according to the corresponding relation between the preset service type and the storage environment, the preset storage environment security level and the storage environment sequential rule, the digital certificate is issued to a client, and the target storage environment is designated, so that the client stores the digital certificate in the target storage environment.
9. A digital certificate installation system, the system comprising: a service server and an authentication server;
after receiving a service request of a client, a service server determines a target authentication mode according to a preset corresponding relation between a service type and an authentication mode, a preset security level of the authentication mode and an authentication mode delay rule; acquiring authentication information required for authenticating the authentication subject through the target authentication mode, and sending the authentication information to an authentication server;
after receiving the authentication information sent by the service server, the authentication server performs identity authentication on the authentication subject in the target authentication mode according to the authentication information and returns an authentication result to the service server;
after receiving the result of passing the authentication returned by the authentication server, the service server sends a digital certificate request to the authentication server, wherein the request carries the identity information of the authentication subject;
after receiving a digital certificate request sent by a service server, an authentication server generates and returns a digital certificate to the service server according to identity information carried in the request;
after receiving the digital certificate returned by the authentication server, the service server determines a target storage environment according to the corresponding relation between the preset service type and the storage environment, the preset storage environment security level and the storage environment sequential rule; and issuing the digital certificate to a client, and designating the target storage environment so that the client stores the digital certificate to the target storage environment.
10. The system of claim 9, wherein the service server is specifically configured to obtain the authentication information required for authenticating the authentication subject in the target authentication manner by:
determining an authentication subject of the target authentication mode;
detecting whether a client side has installed the digital certificate of the authentication subject locally;
and if the digital certificate of the authentication subject is not installed, acquiring authentication information required for authenticating the authentication subject through the target authentication mode.
11. The system according to claim 10, wherein the service server is specifically configured to detect whether the digital certificate of the authentication subject is installed locally at the client by:
determining a target storage environment corresponding to the service type of the service request according to the corresponding relation between the preset service type and the storage environment;
detecting whether a digital certificate of the authentication subject is stored in a target storage environment local to a client; if yes, determining that the digital certificate of the authentication subject is installed; if not, determining that the digital certificate of the authentication subject is not installed.
12. The system of claim 9, wherein the service server is specifically configured to determine the target authentication mode by:
detecting the authentication mode locally supported by the client to obtain at least one available authentication mode;
determining a preferred authentication mode corresponding to the service type of the service request according to a corresponding relation between a preset service type and the authentication mode;
if the available authentication mode comprises the preferred authentication mode, determining the preferred authentication mode as a target authentication mode;
and if the available authentication mode does not comprise the preferred authentication mode, determining a target authentication mode according to a preset authentication mode security level and an authentication mode delay rule.
13. The system of claim 9, wherein the service server is specifically configured to determine the target storage environment by:
detecting a storage environment locally supported by a client to obtain at least one available storage environment;
determining a preferred storage environment corresponding to the service type of the service request according to the corresponding relation between the preset service type and the storage environment;
if the available storage environment comprises the preferred storage environment, determining the preferred storage environment as a target storage environment;
and if the available storage environment does not comprise the preferred storage environment, determining a target storage environment according to a preset storage environment security level and a storage environment sequential rule.
14. The system of claim 9, wherein the storage environment comprises:
one or more of a secure element (SE), a trusted execution environment (TEE) and a normal execution environment (REE).
15. A digital certificate installation device, applied to a service server and comprising:
the authentication mode determining module is used for determining a target authentication mode according to the corresponding relation between the preset service type and the authentication mode, the preset security level of the authentication mode and the authentication mode delay rule after receiving a service request of the client;
the authentication information sending module is used for obtaining authentication information required for authenticating the authentication subject through the target authentication mode and sending the authentication information to the authentication server;
the digital certificate request module is used for sending a digital certificate request to the authentication server after receiving an authentication-passed result returned by the authentication server, wherein the request carries the identity information of the authentication subject;
the storage environment determining module is used for determining a target storage environment according to the corresponding relation between the preset service type and the storage environment, the preset storage environment security level and the storage environment sequential rule after receiving the digital certificate returned by the authentication server;
and the digital certificate issuing module is used for issuing the digital certificate to the client and designating the target storage environment so that the client stores the digital certificate in the target storage environment.
16. A digital certificate installation device, applied to an authentication server and comprising:
the identity authentication module is used for, after receiving authentication information sent by the service server, authenticating the identity of an authentication subject according to the authentication information through the target authentication mode corresponding to that authentication information, and returning an authentication result to the service server; wherein the service server, after receiving a service request of a client, determines the target authentication mode according to a preset corresponding relation between a service type and an authentication mode, a preset security level of the authentication mode and an authentication mode delay rule, obtains the authentication information required for authenticating the authentication subject through the target authentication mode, and sends the authentication information to the authentication server;
the digital certificate generating module is used for generating and returning a digital certificate to the service server according to the identity information of the authentication subject carried in a request after receiving the digital certificate request sent by the service server, so that the service server determines a target storage environment according to the corresponding relation between a preset service type and the storage environment, the preset storage environment security level and the storage environment sequential rule after receiving the digital certificate returned by the authentication server; and issues the digital certificate to a client, designating the target storage environment so that the client stores the digital certificate in the target storage environment.
17. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of claim 7 or 8 when executing the program.
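The storage-environment selection of claims 13 and 14 (claim 12 has the same shape for authentication modes) can be sketched as follows. This is an added example, not code from the patent: the service names, the SE > TEE > REE ranking, the reading of the sequential rule as "step down to the highest available lower level", and the `floor` safeguard are all assumptions.

```python
from enum import IntEnum


class Env(IntEnum):
    """Storage environments named in claim 14; the numeric ranking is assumed."""
    REE = 1  # normal execution environment
    TEE = 2  # trusted execution environment
    SE = 3   # secure element


# Constructed service-type table (hypothetical names): preferred environment.
PREFERRED = {"payment": Env.SE, "login": Env.TEE, "browse": Env.REE}


def select_target(service_type, available, floor=None, preferred=PREFERRED):
    """Return (target, downgraded) for a client's reported environments.

    Steps follow claim 13: take the preferred environment when the client
    supports it, otherwise apply the sequential rule. Assumed rule: fall back
    to the highest-ranked supported environment below the preferred one.
    `floor` is an added safeguard (not in the claims): the lowest environment
    the service accepts, so a certificate is never silently stored below it.
    """
    want = preferred[service_type]
    available = set(available)
    if want in available:
        return want, False
    lower = [env for env in available if env < want]
    if not lower:
        raise LookupError(f"nothing at or below {want.name} is supported")
    target = max(lower)
    if floor is not None and target < floor:
        raise PermissionError(
            f"{service_type}: fallback {target.name} is below floor {floor.name}")
    return target, True


if __name__ == "__main__":
    # Constructed client report: no secure element present.
    target, downgraded = select_target("payment", [Env.TEE, Env.REE])
    print(target.name, "downgraded" if downgraded else "preferred")
```

The `downgraded` flag gives the service server something to log or act on whenever a certificate lands in a weaker environment than the service type prefers.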
CN201810575697.3A 2018-06-06 2018-06-06 Digital certificate installation method and system Active CN108965250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810575697.3A CN108965250B (en) 2018-06-06 2018-06-06 Digital certificate installation method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810575697.3A CN108965250B (en) 2018-06-06 2018-06-06 Digital certificate installation method and system

Publications (2)

Publication Number Publication Date
CN108965250A CN108965250A (en) 2018-12-07
CN108965250B true CN108965250B (en) 2020-12-29

Family

ID=64493560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810575697.3A Active CN108965250B (en) 2018-06-06 2018-06-06 Digital certificate installation method and system

Country Status (1)

Country Link
CN (1) CN108965250B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677240B (en) * 2019-08-29 2020-07-10 阿里巴巴集团控股有限公司 Method, apparatus and medium for providing highly available computing services through certificate issuance
US10790979B1 (en) 2019-08-29 2020-09-29 Alibaba Group Holding Limited Providing high availability computing service by issuing a certificate
CN110717156B (en) * 2019-09-06 2022-09-09 未鲲(上海)科技服务有限公司 Identity authentication method, system, computer device and storage medium
CN111262830B (en) * 2020-01-07 2022-08-19 广州虎牙科技有限公司 Security authentication method, device, system, electronic equipment and storage medium
CN111552942B (en) * 2020-04-27 2023-02-10 北京三快在线科技有限公司 Identity authentication method, system, device and computer storage medium
CN114363073A (en) * 2022-01-07 2022-04-15 中国联合网络通信集团有限公司 TLS encrypted traffic analysis method and device, terminal device and storage medium
CN115834245A (en) * 2023-01-05 2023-03-21 卓望数码技术(深圳)有限公司 Security authentication method, system, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070077195A (en) * 2007-06-28 2007-07-25 김경호 Wireless internet environment for hand phone user authentication
CN101043337A (en) * 2007-03-22 2007-09-26 中兴通讯股份有限公司 Interactive process for content class service
CN106487505A (en) * 2016-09-12 2017-03-08 北京安御道合科技有限公司 Key management, acquisition methods and relevant apparatus and system
CN107786344A (en) * 2017-10-30 2018-03-09 阿里巴巴集团控股有限公司 Applying digital certificate, the implementation method used and device


Also Published As

Publication number Publication date
CN108965250A (en) 2018-12-07

Similar Documents

Publication Publication Date Title
CN108965250B (en) Digital certificate installation method and system
US20240127235A1 (en) Extending a secure key storage for transaction confirmation and cryptocurrency
EP3602388B1 (en) Blockchain node communication method and apparatus
US10237070B2 (en) System and method for sharing keys across authenticators
US10091195B2 (en) System and method for bootstrapping a user binding
EP3439230B1 (en) Method and device for registering biometric identity and authenticating biometric identity
KR102586749B1 (en) Authentication techniques including speech and/or lip movement analysis
KR102577208B1 (en) Authentication techniques including speech and/or lip movement analysis
US11870769B2 (en) System and method for identifying a browser instance in a browser session with a server
US8387119B2 (en) Secure application network
US10362026B2 (en) Providing multi-factor authentication credentials via device notifications
US11805129B2 (en) Fictitious account generation on detection of account takeover conditions
US9578022B2 (en) Multi-factor authentication techniques
US11539526B2 (en) Method and apparatus for managing user authentication in a blockchain network
CN106575281B (en) System and method for implementing hosted authentication services
US20200265438A1 (en) Systems and methods for estimating authenticity of local network of device initiating remote transaction
US20230091318A1 (en) System and method for pre-registration of fido authenticators
CN112583593B (en) Private communication method and device between users
KR20190069574A (en) Wireless network type detection method and apparatus, and electronic device
WO2023241060A1 (en) Data access method and apparatus
EP3329650B1 (en) Providing multi-factor authentication credentials via device notifications
WO2015184809A1 (en) Method, mobile terminal, service provider device and system for mobile terminal payment transaction
CN115333748A (en) Anti-counterfeiting communication method, system, electronic device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right
GR01 Patent grant