CN109409041A - Server-side security authentication method and system based on multi-certificate applications - Google Patents

Server-side security authentication method and system based on multi-certificate applications

Info

Publication number
CN109409041A
Application number
CN201811027897.1A
Authority
CN (China)
Prior art keywords
client, certificate, communication server, safety communication, server
Legal status
Pending (as listed; the status is an assumption, not a legal conclusion)
Other languages
Chinese (zh)
Inventors
黄和石, 缪云青, 李继
Current assignee
Aisino Corp
Original assignee
Aisino Corp
Application filed by Aisino Corp; priority to CN201811027897.1A; published as CN109409041A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a server-side security authentication method and system based on multi-certificate applications, characterized in that: a secure communication server at the server end and a USB key at the client end are certified against each other, a CA root certificate corresponding to each business operation type is generated and imported into both the secure communication server and the USB key; according to the business operation requirement, the secure communication server compares the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key against the CA root certificate it stores, and thereby verifies the identity of the client; the client receives the CA root certificate of the secure communication server, compares it against the server CA root certificate written into the USB key, and thereby verifies the authenticity of the secure communication server; after the secure communication server and the client's USB key have verified each other, data is transmitted according to the business operation requirement.

Description

Server-side security authentication method and system based on multi-certificate applications
Technical field
The present invention relates to the technical field of data security, and more particularly to a server-side security authentication method and system based on multi-certificate applications.
Background
In recent years the informatization of government affairs has improved the efficiency of financial settlement, enriched the types of business and strengthened internal management, and has become a main target of government organs and enterprises for improving their own service capability and competitiveness. A series of high-tech means such as e-government and e-finance have therefore begun to be adopted by a large number of government and enterprise units; while they bring benefits, they also bring new security problems. Once the remote handling of business became common, links such as the interaction with external internet users' data and the processing of business data on the bureau intranet came to involve data exchange between the bureau intranet and the internet, so the system is at every moment exposed to the challenges of a complex and changing intranet (office LAN) and extranet (internet) environment.
With the popularization of office automation (OA), some regional bureaus use, inside the local area network, USB keys with an embedded digital certificate and a secure USB-disk function to achieve confidentiality and security of business. The various types of service systems initially deployed consisted essentially, as shown in Fig. 1, of a Windows browser control plus a back-end web application server, a core business server and a data verification and processing server; this improved the transaction handling capacity of the system and the flexibility of its use, and to some extent met the common requirements of the server side and of the users at that time. With the iterative development of information systems, a digital certificate system was introduced at the user's internet end to sign data and ensure the security of user-end data. However, inside the bureau intranet, the data exchange between service terminals (self-service machines and counter-service computers) and the back-end servers is carried over only a basic encrypted data channel, as shown in Fig. 2, which can only broadly ensure the overall security of the business and does not authenticate the identity of either the service terminal or the back-end server.
Therefore, there is a need for a way to mutually authenticate service terminals and back-end servers and to guarantee confidentiality and security during data interaction.
Summary of the invention
The present invention proposes a server-side security authentication method and system based on multi-certificate applications, to solve the problem of mutually authenticating service terminals and back-end servers while guaranteeing confidentiality and security during data interaction.
To solve the above problems, according to one aspect of the invention, a server-side security authentication method based on multi-certificate applications is provided, characterized in that the method includes:
the secure communication server at the server end and the USB key at the client end are certified against each other: a CA root certificate corresponding to each business operation type is generated and imported into both the secure communication server and the USB key; where, for multi-certificate applications, importing multiple CA root certificates is supported;
according to the business operation requirement, the secure communication server receives the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compares the CA root certificate and client certificate sent by the USB key against the CA root certificate stored on the secure communication server, and verifies the identity of the client;
the client receives the CA root certificate of the secure communication server, compares it against the server CA root certificate written into the USB key, and verifies the authenticity of the secure communication server;
after the secure communication server and the client's USB key have verified each other, data is transmitted according to the business operation requirement.
Preferably, the method further includes:
determining the data encryption mode and the data transmission interface according to the business operation requirement, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the method further includes:
in the business operation processing stage, collecting the identity information of the client user in order to authenticate the client user; where the authentication modes include: fingerprint authentication, iris authentication, password plus digital ID card, mobile phone plus digital certificate, and digital certificate plus face recognition.
Preferably, the method further includes:
setting up an access list on the secure communication server and, after the client has passed the secure communication server's verification, updating the attribute information of the current client in the access list; where the attributes in the access list include: operating rights, access control and an activity index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the method further includes:
after the client has passed the secure communication server's verification, increasing the activity index of the client's certificate serial number and, when the activity index of the certificate serial number reaches a preset activity threshold, setting a validity period for the client's certificate serial number.
Preferably, the method further includes:
auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached the preset activity-index threshold, and reducing the rights of the corresponding clients.
Preferably, the method further includes: recording the client's certificate serial number, and recording the import and deletion operations on certificate serial numbers in a log for auditing; where the log cannot be modified and uses cyclic overwriting.
According to another aspect of the invention, a server-side security authentication system based on multi-certificate applications is provided, characterized in that the system includes:
an issuing and certification module, for certifying the secure communication server at the server end and the USB key at the client end against each other, generating a CA root certificate corresponding to each business operation type, and importing it into both the secure communication server and the USB key; where, for multi-certificate applications, importing multiple CA root certificates is supported;
a client identity authentication module, for the secure communication server to receive, according to the business operation requirement, the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compare the CA root certificate and client certificate sent by the USB key against the CA root certificate stored on the secure communication server, and verify the identity of the client;
a secure communication server identity authentication module, for the client to receive the CA root certificate of the secure communication server, compare it against the server CA root certificate written into the USB key, and verify the authenticity of the secure communication server;
a data transmission module, for transmitting data according to the business operation requirement after the secure communication server and the client's USB key have verified each other.
Preferably, the data transmission module further includes:
determining the data encryption mode and the data transmission interface according to the business operation requirement, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the system further includes:
a user identity authentication module, for collecting the identity information of the client user in the business operation processing stage in order to authenticate the client user; where the authentication modes include: fingerprint authentication, iris authentication, password plus digital ID card, mobile phone plus digital certificate, and digital certificate plus face recognition.
Preferably, the system further includes:
an access list update module, for setting up an access list on the secure communication server and, after the client has passed the secure communication server's verification, updating the attribute information of the current client in the access list; where the attributes in the access list include: operating rights, access control and an activity index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the access list update module further includes:
an activity index updating unit, for increasing the activity index of the client's certificate serial number after the client has passed the secure communication server's verification and, when the activity index of the certificate serial number reaches a preset activity threshold, setting a validity period for the client's certificate serial number.
Preferably, the access list update module further includes:
an audit unit, for auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached the preset activity-index threshold, and reducing the rights of the corresponding clients.
Preferably, the access list update module further includes:
a certificate serial number recording unit, for recording the client's certificate serial number and recording the import and deletion operations on certificate serial numbers in a log for auditing; where the log cannot be modified and uses cyclic overwriting.
The present invention provides a server-side security authentication method and system based on multi-certificate applications, including: the secure communication server at the server end and the USB key at the client end are certified against each other, a CA root certificate corresponding to each business operation type is generated and imported into both the secure communication server and the USB key; according to the business operation requirement, the secure communication server compares the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key against the CA root certificate it stores, and verifies the identity of the client; the client compares the CA root certificate of the secure communication server against the server CA root certificate written into the USB key, and verifies the authenticity of the secure communication server; after the secure communication server and the client's USB key have verified each other, data is transmitted according to the business operation requirement. The invention integrates multiple certificate applications and consolidates the client's various USB-type key devices into one; combined with the client interface in the business program, it completes two-way authentication of server and client, so that the capture or vulnerability of either side does not lead to leakage of keys and data. The secure communication server's enhanced digital certificate authentication and rights auditing complete the integration of OA and government/enterprise business functions, so that one system service performs multiple functions and the server resources wasted by duplicated configuration are avoided. The method is applicable to multiple systems and the certificate application method can be ported to strengthen the security of existing systems; it can provide secure and confidential data communication for internet transaction systems and prevent various online frauds; it is applicable to all types of information systems and particularly suited to cross-regional and cross-institution transaction systems; and it can provide hosts in real time with cryptographic services such as key management, message authentication, data encryption, and signature generation and verification, guaranteeing the security, validity, integrity and non-repudiation of data throughout generation, transmission, reception and management. It can be widely used in computer network systems in finance, taxation, social security and the like, with obvious social and economic benefits.
Brief description of the drawings
Exemplary embodiments of the invention can be understood more fully with reference to the following drawings:
Fig. 1 is a schematic diagram of the various types of service systems initially deployed;
Fig. 2 is a schematic diagram of the service system after the existing upgrade;
Fig. 3 is a flowchart of the server-side security authentication method 300 based on multi-certificate applications according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the service system with the USB key and the secure communication server added, according to an embodiment of the invention;
Fig. 5 is a structural schematic diagram of the server-side security authentication system 500 based on multi-certificate applications according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the invention are now described with reference to the drawings. The invention may, however, be implemented in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. Terms used in the exemplary embodiments illustrated in the drawings do not limit the invention. In the drawings, identical units/elements carry identical reference numerals.
Unless otherwise indicated, terms used here (including scientific and technical terms) have the meaning commonly understood by those of ordinary skill in the art. It should further be understood that terms defined in commonly used dictionaries are to be interpreted with a meaning consistent with their context in the relevant field, and not in an idealized or overly formal sense.
Fig. 3 is a flowchart of the server-side security authentication method 300 based on multi-certificate applications according to an embodiment of the invention. As shown in Fig. 3, the embodiment provides a server-side security authentication method based on multi-certificate applications that integrates multiple certificate applications and consolidates the client's various USB-type key devices into one; combined with the client interface in the business program, it completes two-way authentication of server and client, so that the capture or vulnerability of either side does not lead to leakage of keys and data. The secure communication server's enhanced digital certificate authentication and rights auditing complete the integration of OA and government/enterprise business functions, so that one system service performs multiple functions and the server resources wasted by duplicated configuration are avoided. The method is applicable to multiple systems and the certificate application method can be ported to strengthen the security of existing systems; it can provide secure and confidential data communication for internet transaction systems and prevent various online frauds; it is applicable to all types of information systems and particularly suited to cross-regional and cross-institution transaction systems; and it can provide hosts in real time with cryptographic services such as key management, message authentication, data encryption, and signature generation and verification, guaranteeing the security, validity, integrity and non-repudiation of data throughout generation, transmission, reception and management. It can be widely used in computer network systems in finance, taxation, social security and the like, with obvious social and economic benefits.
The server-side security authentication method 300 provided by the embodiment starts at step 301. In step 301, the secure communication server at the server end and the USB key at the client end are certified against each other: a CA root certificate corresponding to the business operation type is generated and imported into both the secure communication server and the USB key; for multi-certificate applications, importing multiple CA root certificates is supported.
Preferably, in step 302, according to the business operation requirement, the secure communication server receives the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compares them against the CA root certificate stored on the secure communication server, and verifies the identity of the client.
Preferably, in step 303, the client receives the CA root certificate of the secure communication server, compares it against the server CA root certificate written into the USB key, and verifies the authenticity of the secure communication server.
Preferably, in step 304, after the secure communication server and the client's USB key have verified each other, data is transmitted according to the business operation requirement.
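Steps 301 to 304 above, as an added Go example that is not part of the patent or of any Aisino product. It generates one CA root per business operation type (step 301), issues a client certificate under the "tax" root and a server certificate under a separate server root, and then runs the server-side check of step 302 and the key-side check of step 303 with real X.509 chain validation from the Go standard library rather than a byte comparison of the root the peer presents. The business type names "tax" and "social", the common names, serial numbers, the 24-hour validity window, the in-memory key handling (a real USB key keeps its private key in hardware) and all type and function names are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// credential is a certificate plus its private key, kept in memory for this demo.
type credential struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert generates a P-256 key and a certificate for it. parent == nil yields a
// self-signed CA root (step 301 makes one per business type); otherwise a leaf with
// the given extended key usage is signed by parent. Failures are programming errors.
func makeCert(cn string, serial int64, parent *credential, eku x509.ExtKeyUsage) *credential {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := &credential{cert: t, key: key}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &credential{cert: cert, key: key}
}

// chainsTo does real chain validation (signature, validity period, CA bit, EKU) of leaf
// against one trusted root, rather than a byte comparison of a root the peer presents.
func chainsTo(leaf, root *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// SecureCommServer keeps one trust root per business operation type plus its own cert.
type SecureCommServer struct {
	Roots map[string]*x509.Certificate
	Cert  *x509.Certificate
}

// USBKey keeps the client cert issued under one of those roots and the server root
// written into the key at provisioning time.
type USBKey struct {
	ClientCert *x509.Certificate
	ServerRoot *x509.Certificate
}

// AuthenticateClient (step 302): the client certificate must chain to the root imported
// for the requested business type, not merely to some root the server happens to hold.
func (s *SecureCommServer) AuthenticateClient(bizType string, client *x509.Certificate) error {
	root, ok := s.Roots[bizType]
	if !ok {
		return fmt.Errorf("no CA root imported for business type %q", bizType)
	}
	return chainsTo(client, root, x509.ExtKeyUsageClientAuth)
}

// MutualAuth runs step 302 (server checks client) and step 303 (key checks server);
// data transmission (step 304) is allowed only when both pass.
func MutualAuth(s *SecureCommServer, k *USBKey, bizType string) error {
	if err := s.AuthenticateClient(bizType, k.ClientCert); err != nil {
		return fmt.Errorf("client rejected: %w", err)
	}
	if err := chainsTo(s.Cert, k.ServerRoot, x509.ExtKeyUsageServerAuth); err != nil {
		return fmt.Errorf("server rejected: %w", err)
	}
	return nil
}

// MutualAuthScenario provisions roots for two constructed business types ("tax" and
// "social"), issues one USB key under the "tax" root, and returns the outcome of a
// same-type and of a cross-type authentication attempt (nil means accepted).
func MutualAuthScenario() (sameType, crossType error) {
	taxCA, socCA, srvCA := makeCert("tax root", 1, nil, 0), makeCert("social root", 1, nil, 0), makeCert("server root", 1, nil, 0)
	srv := &SecureCommServer{
		Roots: map[string]*x509.Certificate{"tax": taxCA.cert, "social": socCA.cert},
		Cert:  makeCert("secure-comm-server", 100, srvCA, x509.ExtKeyUsageServerAuth).cert,
	}
	key := &USBKey{
		ClientCert: makeCert("window-terminal-01", 4711, taxCA, x509.ExtKeyUsageClientAuth).cert,
		ServerRoot: srvCA.cert,
	}
	return MutualAuth(srv, key, "tax"), MutualAuth(srv, key, "social")
}

func main() {
	same, cross := MutualAuthScenario()
	fmt.Println("tax operation with tax key:", same)
	fmt.Println("social operation with tax key:", cross)
}
```

The cross-type call is the point: a key issued under the "tax" root is rejected for a "social" operation even though the server has both roots imported, because the trust store is selected by business operation type before the chain is validated. That selection is what gives the per-type CA root of step 301 its access-control effect; a server that validated against the union of all imported roots would collapse the business types into one.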
Preferably, the method further includes:
determining the data encryption mode and the data transmission interface according to the business operation requirement, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the method further includes:
in the business operation processing stage, collecting the identity information of the client user in order to authenticate the client user; where the authentication modes include: fingerprint authentication, iris authentication, password plus digital ID card, mobile phone plus digital certificate, and digital certificate plus face recognition.
Preferably, the method further includes:
setting up an access list on the secure communication server and, after the client has passed the secure communication server's verification, updating the attribute information of the current client in the access list; where the attributes in the access list include: operating rights, access control and an activity index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the method further includes:
after the client has passed the secure communication server's verification, increasing the activity index of the client's certificate serial number and, when the activity index of the certificate serial number reaches a preset activity threshold, setting a validity period for the client's certificate serial number.
Preferably, the method further includes:
auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached the preset activity-index threshold, and reducing the rights of the corresponding clients.
Preferably, the method further includes: recording the client's certificate serial number, and recording the import and deletion operations on certificate serial numbers in a log for auditing; where the log cannot be modified and uses cyclic overwriting.
Fig. 4 is a schematic diagram of the service system with the USB key and the secure communication server added, according to an embodiment of the invention. As shown in Fig. 4, in an embodiment of the invention, starting from the requirements that the State Cryptography Administration places on the information security of information systems, a secure communication server is placed in front of the existing core business server (as shown in Fig. 3). CA certificate management and SSL support processing can run on the secure communication server; clients on the bureau intranet use USB keys, the processing end uses soft certificates, and external network users can use their existing customer digital certificates.
On the server side, each province is equipped with one secure communication server (or a primary/standby pair) for client identity identification and for ensuring data transmission security. The secure communication server stores the core business server's CA root certificate and the server certificate; the USB key stores the CA root certificate and the client certificate. The server side does not store client certificates: at the start of a session, the client transmits its own certificate or certificate serial number so that the server can determine whether the client is genuine; during the session, data is encrypted with a random session key and the client's own certificate serial number is attached, so that data is transmitted securely and quickly. After distribution, the USB key is inserted into a client computer on which the matching driver has been installed, and data interaction with the core business server can then be carried out through the secure communication server.
In the embodiment, the server side (the secure communication server) does not store client certificates; the client certificate is transmitted when business is handled and is used for identity authentication. A general data transmission and encryption interface is designed to meet the requirements of multiple systems and improve portability. An access list is set up with attributes such as login rights, access control and an activity index, which can be used to implement client rights, change-log auditing and similar functions. Client certificate serial numbers are recorded, and operations on serial numbers such as import and deletion are written to a log for auditing; the log cannot be modified and uses cyclic overwriting. After the server side verifies a client, the activity index of the corresponding certificate in the access list is incremented, and when the activity index reaches the preset activity threshold, a validity period is set for that client's certificate serial number. The access list is audited periodically: certificate serial numbers that have long been unused or inactive are deleted, and clients that have long been unused have their rights reduced, which avoids wasting resources and prevents zombie client certificates from occupying server resources.
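The access list lifecycle described above (attributes per certificate serial number, activity index, validity period once the threshold is reached, periodic audit with deletion and rights reduction, and a non-modifiable cyclically overwritten log), as an added Go example that is not part of the patent. The operating rights per business type, the threshold of 3, the 90-day validity, the 30-day idle window, the 8-record log, the serial numbers A/B/C and the timeline are all constructed for the demo; that an entry below the threshold is demoted to a restricted right while an entry idle beyond the window is deleted is this example's reading of the "reduce permission" step, and the log records every lifecycle event rather than only import and deletion.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Entry is the attribute record the access list keeps per client certificate serial number.
type Entry struct {
	BizType        string    // business operation type; selects the CA root and the rights
	OperatingRight string    // rights granted for that business type
	ActiveIndex    int       // count of successful verifications
	LastSeen       time.Time // last successful verification (import time until then)
	ValidUntil     time.Time // zero until ActiveIndex reaches the activity threshold
}

// RingLog is a fixed-capacity audit log: records are only ever appended, the oldest
// record is overwritten once the buffer is full, and nothing can be edited in place.
type RingLog struct {
	buf  []string
	next int
	full bool
}

func (r *RingLog) Append(rec string) {
	r.buf[r.next] = rec
	r.next = (r.next + 1) % len(r.buf)
	r.full = r.full || r.next == 0
}

// Records returns a copy of the log, oldest record first.
func (r *RingLog) Records() []string {
	if !r.full {
		return append([]string(nil), r.buf[:r.next]...)
	}
	return append(append([]string(nil), r.buf[r.next:]...), r.buf[:r.next]...)
}

// AccessList is the server-side table; Log is the audit trail of its changes.
type AccessList struct {
	Entries   map[string]*Entry
	Log       *RingLog
	rightsFor map[string]string // business type -> operating right
	threshold int               // preset activity threshold
	validity  time.Duration     // validity period granted once the threshold is reached
}

func NewAccessList(rightsFor map[string]string, threshold int, validity time.Duration, logCap int) *AccessList {
	return &AccessList{Entries: map[string]*Entry{}, Log: &RingLog{buf: make([]string, logCap)},
		rightsFor: rightsFor, threshold: threshold, validity: validity}
}

func (a *AccessList) record(now time.Time, op, serial string) {
	a.Log.Append(fmt.Sprintf("%s %s serial=%s", now.UTC().Format(time.RFC3339), op, serial))
}

// Import registers a certificate serial number for a business type (logged).
func (a *AccessList) Import(serial, bizType string, now time.Time) error {
	right, ok := a.rightsFor[bizType]
	if !ok {
		return fmt.Errorf("no operating right configured for business type %q", bizType)
	}
	a.Entries[serial] = &Entry{BizType: bizType, OperatingRight: right, LastSeen: now}
	a.record(now, "import", serial)
	return nil
}

// OnVerified is called after the server has verified the client's certificate chain: it
// bumps the activity index and, on first reaching the threshold, sets the validity period.
func (a *AccessList) OnVerified(serial string, now time.Time) error {
	e, ok := a.Entries[serial]
	if !ok {
		return fmt.Errorf("serial %s is not in the access list", serial)
	}
	if !e.ValidUntil.IsZero() && now.After(e.ValidUntil) {
		return fmt.Errorf("serial %s expired on %s, re-import required", serial, e.ValidUntil.Format(time.RFC3339))
	}
	e.ActiveIndex++
	e.LastSeen = now
	a.record(now, "verify", serial)
	if e.ActiveIndex == a.threshold {
		e.ValidUntil = now.Add(a.validity)
		a.record(now, "validity", serial)
	}
	return nil
}

// Audit deletes serials not seen for longer than idle and demotes those still seen but
// below the activity threshold. Serials are processed in sorted order so the log is stable.
func (a *AccessList) Audit(now time.Time, idle time.Duration) (deleted, demoted []string) {
	serials := make([]string, 0, len(a.Entries))
	for s := range a.Entries {
		serials = append(serials, s)
	}
	sort.Strings(serials)
	for _, s := range serials {
		e := a.Entries[s]
		switch {
		case now.Sub(e.LastSeen) > idle:
			delete(a.Entries, s)
			a.record(now, "delete", s)
			deleted = append(deleted, s)
		case e.ActiveIndex < a.threshold && e.OperatingRight != "restricted":
			e.OperatingRight = "restricted"
			a.record(now, "demote", s)
			demoted = append(demoted, s)
		}
	}
	return deleted, demoted
}

// AccessListScenario replays a constructed lifecycle: three imported serials, one of
// which is used regularly, then two audits twenty days apart.
func AccessListScenario() (a *AccessList, firstDeleted, firstDemoted, secondDeleted []string) {
	t0, day := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour
	a = NewAccessList(map[string]string{"tax": "invoice-issue", "social": "benefit-query"}, 3, 90*day, 8)
	for _, s := range []struct{ serial, biz string }{{"A", "tax"}, {"B", "social"}, {"C", "tax"}} {
		_ = a.Import(s.serial, s.biz, t0)
	}
	for _, d := range []int{1, 2, 3} {
		_ = a.OnVerified("A", t0.Add(time.Duration(d)*day))
	}
	_ = a.OnVerified("C", t0.Add(5*day))
	_ = a.OnVerified("A", t0.Add(15*day))
	firstDeleted, firstDemoted = a.Audit(t0.Add(20*day), 30*day)
	secondDeleted, _ = a.Audit(t0.Add(40*day), 30*day)
	return a, firstDeleted, firstDemoted, secondDeleted
}

func main() {
	a, _, demoted, deleted := AccessListScenario()
	fmt.Println("demoted at day 20:", demoted, "deleted at day 40:", deleted)
	for _, rec := range a.Log.Records() {
		fmt.Println(rec)
	}
}
```

Two details matter for an operator. The validity period set at the threshold is an expiry on the serial number's access-list entry, so OnVerified refuses a client whose entry has lapsed even if its certificate is still within its own X.509 validity; and the ring log exposes only Append and a copying Records, so a compromised front end can at most push old records out by generating new ones, which is itself visible in the retained tail.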
The client in the embodiment uses a USB key as the client-terminal encryption and authentication device paired with the secure communication server, ensuring that key material such as keys, certificates and authorization attributes is stored securely in the hardware device. The key provides identity authentication, proprietary-business binding and secure USB-disk functions, and its hardware is internally partitioned to prevent cross-partition access through software vulnerabilities. During use, the client verifies the authenticity of the server with the server root certificate written into the key. Multi-certificate applications are supported to meet the needs of various complex application scenarios. During business operation, identity information is collected and checked in real time against the identity information stored in the client's USB key, ensuring "real person, real name, real client". The identity collection modes include:
fingerprint, iris, password plus digital ID card, mobile phone plus digital certificate, and digital certificate plus face recognition; according to the requirements of the job position and local conditions, users can choose a suitable identity authentication mode.
By introducing multi-certificate applications, two-way authentication between server side and client, rights auditing and similar techniques, embodiments of the invention can ensure the security of server and client and avoid the data leakage that server hijacking or client forgery would cause. The audit function avoids wasted resources and prevents the appearance of zombie clients that could easily be exploited maliciously.
Fig. 5 is the structure according to the server-side security certification system 500 based on the application of more certificates of embodiment of the present invention Schematic diagram.As shown in figure 5, the server-side security certification system 500 based on the application of more certificates that embodiments of the present invention provide, It include: distribution accreditation module 501, client identity authentication module 502,503 sum number of safety communication server identity authentication module According to transmission module 504.
Preferably, the distribution accreditation module 501, for being located at the safety communication server of server end and being located at client The USB key at end is authenticated, and generates CA root certificate corresponding with business operation type, and be directed respectively into safety communication service Device and USB key;Wherein, it supports to import multiple CA root certificates when more certificates are applied.
Preferably, the client identity authentication module 502, for according to business operation demand, the safety communication clothes Business device receives the CA root certificate corresponding with business operation type and client certificate that the USB key is sent, and described in utilization The CA root certificate corresponding with business operation type and client certificate and the safety communication server that USB key is sent store CA root certificate be compared, the identity of client is verified.
Preferably, wherein the data transmission module 502, further includes: determine that data add according to the business operation demand Close mode and data transmission interface, and additional client certificate, so that data service operational data security is rapidly transmitted.
Preferably, it is logical to receive the safety for the client for the safety communication server identity authentication module 503 The CA root certificate of inquiry server, and utilize the service of the CA root certificate of the safety communication server and USB key write-in The CA root certificate of device is compared, and verifies the true and false of the safety communication server.
Preferably, the data transmission module 504 is configured to transmit data according to the business operation requirement once the secure communication server and the USB key of the client have been verified.
Preferably, the system also includes a user identity authentication module, configured to collect the identity information of the client user during the business operation processing stage and to authenticate the identity of the client user; wherein the authentication modes include: fingerprint authentication, iris authentication, password plus digital identity authentication, mobile phone plus digital certificate authentication, and digital certificate plus face recognition authentication.
Preferably, the system also includes an access list update module, configured to set up an access list in the secure communication server and, after the client passes the verification of the secure communication server, to update the attribute information of the current client in the access list; wherein the attributes in the access list include: operating rights, access control, and active index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the access list update module further includes an active index updating unit, configured to increment the active index of the certificate serial number of the client after the client passes the verification of the secure communication server, and to set the validity period of the certificate serial number of the client when the active index of that certificate serial number reaches a preset activity threshold.

Preferably, the access list update module further includes an audit unit, configured to audit the access list according to a preset audit cycle, to delete the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and to reduce the permissions of the corresponding clients.

Preferably, the access list update module further includes a certificate serial number recording unit, configured to record the certificate serial number of the client and to record the import and delete operations on the certificate serial number in a log for auditing; wherein the log is kept in a mode in which it cannot be modified or cyclically overwritten.
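The server-side behaviour of the client identity authentication module 502 and of the access list update module (active index, audit cycle, append-only log), as an added Python illustration that is not part of the patent or of any Aisino implementation. Certificates are reduced to (serial number, issuing-root fingerprint) pairs, and the trust store, rights mapping, thresholds and fingerprint values are all assumptions introduced here; the patent fixes none of them.

```python
# Constructed illustration, not the patent's code: thresholds, rights and fingerprints are assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed: one CA root per business operation type (identified here by a fingerprint
# string), each root granting a different set of operating rights.
TRUSTED_ROOTS = {"invoice": "root-fp-invoice", "query": "root-fp-query"}
RIGHTS = {"invoice": {"read", "issue"}, "query": {"read"}}
ALIVE_THRESHOLD, VALIDITY, IDLE_LIMIT = 3, timedelta(days=365), timedelta(days=90)  # assumed

@dataclass
class Entry:   # access-list attributes kept per client certificate serial number
    client_id: str
    business_type: str
    active_index: int = 0
    last_seen: Optional[date] = None
    valid_until: Optional[date] = None

class SecureCommServer:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}         # serial -> attributes
        self.rights: Dict[str, Set[str]] = {}       # client_id -> operating rights
        self.log: List[Tuple[str, str, str]] = []   # append-only import/delete log

    def _record(self, action: str, serial: str, today: date) -> None:
        self.log.append((today.isoformat(), action, serial))  # never edited or rotated

    def import_serial(self, serial, client_id, business_type, today):
        self.entries[serial] = Entry(client_id, business_type)
        self.rights.setdefault(client_id, set()).update(RIGHTS[business_type])
        self._record("import", serial, today)

    def verify_client(self, business_type, presented_root_fp, cert, today) -> bool:
        """Module 502: the root sent by the USB key for this business type must match the
        stored root, which must also have issued the (known) client certificate."""
        serial, issuer_fp = cert
        e = self.entries.get(serial)
        ok = (e is not None and e.business_type == business_type
              and presented_root_fp == issuer_fp == TRUSTED_ROOTS.get(business_type))
        if ok:
            e.active_index += 1
            e.last_seen = today
            if e.active_index >= ALIVE_THRESHOLD and e.valid_until is None:
                e.valid_until = today + VALIDITY   # validity set once the threshold is hit
        return ok

    def audit(self, today: date) -> List[str]:
        """One audit cycle: drop serials idle past IDLE_LIMIT or still below the active
        threshold, log each deletion, and cut the owning client to the minimum right."""
        removed = []
        for serial, e in list(self.entries.items()):
            idle = e.last_seen is None or today - e.last_seen > IDLE_LIMIT
            if idle or e.active_index < ALIVE_THRESHOLD:
                del self.entries[serial]
                self._record("delete", serial, today)
                self.rights[e.client_id] &= {"read"}  # assumed "reduced permission"
                removed.append(serial)
        return removed
```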
The server-side security authentication system 500 based on multi-certificate application of this embodiment of the present invention corresponds to the server-side security authentication method 100 based on multi-certificate application of another embodiment of the present invention, and its details are not described again here.
The present invention has been described with reference to a small number of embodiments. However, as is known to those skilled in the art, other embodiments than those disclosed above equally fall within the scope of the invention as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless expressly defined otherwise therein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of the device, component, etc., unless expressly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.

Claims (14)

1. A server-side security authentication method based on multi-certificate application, characterized in that the method comprises:
authenticating a secure communication server located at the server end against a USB key located at the client end, generating CA root certificates corresponding to the business operation types, and importing them into the secure communication server and the USB key respectively; wherein, in a multi-certificate application, the import of multiple CA root certificates is supported;
according to the business operation requirement, the secure communication server receiving the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, and comparing the CA root certificate and client certificate sent by the USB key with the CA root certificate stored by the secure communication server, so as to verify the identity of the client;
the client receiving the CA root certificate of the secure communication server and comparing it with the server CA root certificate written into the USB key, so as to verify the authenticity of the secure communication server;
after the secure communication server and the USB key of the client have been verified, transmitting data according to the business operation requirement.
2. The method according to claim 1, wherein the method further comprises:
determining a data encryption mode and a data transmission interface according to the business operation requirement, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
3. The method according to claim 1, wherein the method further comprises:
during the business operation processing stage, collecting the identity information of the client user so as to authenticate the identity of the client user; wherein the authentication modes include: fingerprint authentication, iris authentication, password plus digital identity authentication, mobile phone plus digital certificate authentication, and digital certificate plus face recognition authentication.
4. The method according to claim 1, wherein the method further comprises:
setting up an access list in the secure communication server and, after the client passes the verification of the secure communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include: operating rights, access control, and active index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
5. The method according to claim 4, characterized in that the method further comprises:
after the client passes the verification of the secure communication server, incrementing the active index of the certificate serial number of the client, and, when the active index of the certificate serial number reaches a preset activity threshold, setting the validity period of the certificate serial number of the client.
6. The method according to claim 4, characterized in that the method further comprises:
auditing the access list according to a preset audit cycle, deleting the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and reducing the permissions of the corresponding clients.
7. The method according to claim 4, characterized in that the method further comprises: recording the certificate serial number of the client, and recording the import and delete operations on the certificate serial number in a log for auditing; wherein the log is kept in a mode in which it cannot be modified or cyclically overwritten.
8. A server-side security authentication system based on multi-certificate application, characterized in that the system comprises:
an issuance and accreditation module, configured to authenticate the secure communication server located at the server end against the USB key located at the client end, to generate CA root certificates corresponding to the business operation types, and to import them into the secure communication server and the USB key respectively; wherein, in a multi-certificate application, the import of multiple CA root certificates is supported;
a client identity authentication module, configured such that, according to the business operation requirement, the secure communication server receives the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, and compares the CA root certificate and client certificate sent by the USB key with the CA root certificate stored by the secure communication server, so as to verify the identity of the client;
a secure communication server identity authentication module, configured such that the client receives the CA root certificate of the secure communication server and compares it with the server CA root certificate written into the USB key, so as to verify the authenticity of the secure communication server;
a data transmission module, configured to transmit data according to the business operation requirement after the secure communication server and the USB key of the client have been verified.
9. The system according to claim 8, characterized in that the data transmission module is further configured to:
determine a data encryption mode and a data transmission interface according to the business operation requirement, and attach the client certificate, so that business operation data is transmitted securely and quickly.
10. The system according to claim 8, characterized in that the system further comprises:
a user identity authentication module, configured to collect the identity information of the client user during the business operation processing stage so as to authenticate the identity of the client user; wherein the authentication modes include: fingerprint authentication, iris authentication, password plus digital identity authentication, mobile phone plus digital certificate authentication, and digital certificate plus face recognition authentication.
11. The system according to claim 8, characterized in that the system further comprises:
an access list update module, configured to set up an access list in the secure communication server and, after the client passes the verification of the secure communication server, to update the attribute information of the current client in the access list; wherein the attributes in the access list include: operating rights, access control, and active index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
12. The system according to claim 11, characterized in that the access list update module further comprises:
an active index updating unit, configured to increment the active index of the certificate serial number of the client after the client passes the verification of the secure communication server, and to set the validity period of the certificate serial number of the client when the active index of the certificate serial number reaches a preset activity threshold.
13. The system according to claim 11, characterized in that the access list update module further comprises:
an audit unit, configured to audit the access list according to a preset audit cycle, to delete the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and to reduce the permissions of the corresponding clients.
14. The system according to claim 11, characterized in that the access list update module further comprises:
a certificate serial number recording unit, configured to record the certificate serial number of the client and to record the import and delete operations on the certificate serial number in a log for auditing; wherein the log is kept in a mode in which it cannot be modified or cyclically overwritten.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811027897.1A CN109409041A (en) 2018-09-04 2018-09-04 A kind of server-side safety certifying method and system based on the application of more certificates

Publications (1)

Publication Number Publication Date
CN109409041A true CN109409041A (en) 2019-03-01

Family

ID=65463812

Country Status (1)

Country Link
CN (1) CN109409041A (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102271042A (en) * 2011-08-25 2011-12-07 北京神州绿盟信息安全科技股份有限公司 Certificate authorization method, system, universal serial bus (USB) Key equipment and server

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855442A (en) * 2019-10-10 2020-02-28 北京握奇智能科技有限公司 PKI (public key infrastructure) technology-based inter-device certificate verification method
CN112153032A (en) * 2020-09-15 2020-12-29 腾讯科技(深圳)有限公司 Information processing method, device, computer readable storage medium and system
CN112800411A (en) * 2021-02-19 2021-05-14 浪潮云信息技术股份公司 Multi-protocol and multi-mode supporting safe and reliable identity authentication method and device
CN112800411B (en) * 2021-02-19 2023-04-14 浪潮云信息技术股份公司 Multi-protocol and multi-mode supporting safe and reliable identity authentication method and device
CN113672897A (en) * 2021-07-22 2021-11-19 北京奇艺世纪科技有限公司 Data communication method, device, electronic equipment and storage medium
CN113672897B (en) * 2021-07-22 2024-03-08 北京奇艺世纪科技有限公司 Data communication method, device, electronic equipment and storage medium
CN113691394A (en) * 2021-07-29 2021-11-23 广州鲁邦通物联网科技有限公司 Method and system for establishing and switching VPN communication

Similar Documents

Publication Publication Date Title
AU2021203598B2 (en) Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US9892404B2 (en) Secure identity authentication in an electronic transaction
CN108989346B (en) Third-party valid identity escrow agile authentication access method based on account hiding
CN109409041A (en) A kind of server-side safety certifying method and system based on the application of more certificates
CN108804906B (en) System and method for application login
JP6514218B2 (en) Client authentication using social data
US9691067B2 (en) Validation database resident on a network server and containing specified distinctive identifiers of local/mobile computing devices may be used as a digital hardware key in the process of gaining authorized access to a users online website account such as, but not limited to, e-commerce website account, online financial accounts and online email accounts
CN110569658B (en) User information processing method and device based on blockchain network, electronic equipment and storage medium
CN117579281A (en) Method and system for ownership verification using blockchain
CN100518411C (en) Dynamic cipher system and method based on mobile communication terminal
CN104364790B (en) System and method for implementing dual factor anthentication
CN107306183A (en) Client, service end, method and authentication system
KR101876674B1 (en) Method of managing common account using block chain and system performing the same
CN100397814C (en) Uniform identication method and system based on network
CN104424676A (en) Identity information sending method, identity information sending device, access control card reader and access control system
US20190306153A1 (en) Adaptive risk-based password syncronization
CN106789024A (en) A kind of remote de-locking method, device and system
US20190288833A1 (en) System and Method for Securing Private Keys Behind a Biometric Authentication Gateway
US10915888B1 (en) Contactless card with multiple rotating security keys
US11234235B2 (en) Resource distribution hub generation on a mobile device
CN108183906B (en) Time bank management method, server, terminal, storage medium and electronic device
CN109413200A (en) A kind of method, client, MES and electronic equipment that resource imports
CN101588243A (en) A kind of electronic transaction historical record querying method and system
CN117795505A (en) System and method for contactless card communication and multiple device key pair encryption authentication
CN109934009A (en) A kind of personal information data query interaction authorization method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190301