CN109409041A - Server-side security authentication method and system based on multi-certificate application - Google Patents
Server-side security authentication method and system based on multi-certificate application
- Publication number: CN109409041A (application CN201811027897.1A)
- Authority: CN (China)
- Prior art keywords: client, certificate, communication server, secure communication, server
- Legal status: Pending (as listed by Google Patents; this is an assumption, not a legal conclusion)
Classifications
- G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/33: User authentication using certificates
- G06F21/45: Structures or tools for the administration of authentication
(all within G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The invention discloses a server-side security authentication method and system based on multi-certificate application. The method comprises: a secure communication server at the server end and a USB key at the client are enrolled with each other, a CA root certificate corresponding to each business operation type is generated, and it is imported into the secure communication server and into the USB key respectively; according to the business operation request, the secure communication server compares the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key against the CA root certificate that the secure communication server itself stores, and so verifies the identity of the client; the client receives the CA root certificate of the secure communication server and compares it against the server CA root certificate written into the USB key, and so verifies whether the secure communication server is genuine; after the secure communication server and the client's USB key have each verified the other, data is transmitted according to the business operation request.
Description
Technical field
The present invention relates to the technical field of data security and, more particularly, to a server-side security authentication method and system based on multi-certificate application.
Background art
In recent years the informatization of government affairs has advanced. Raising financial settlement efficiency, broadening the types of business offered and strengthening internal management have become the main means by which government bodies and enterprises improve their service capability and competitiveness, so a series of high-technology measures such as e-government and e-finance have begun to be adopted by a large number of government and enterprise units. Together with their benefits, these measures bring new security problems. Once remote handling of business became common, links such as the exchange of data with external internet users and the processing of business data on the bureau intranet came to involve data exchange between the bureau intranet and the internet, and the system is now constantly challenged by a complex and changing environment of intranet (local area network) and extranet (internet).
With the spread of office automation (OA), some regional bureaus use USB keys with embedded digital certificates and a secure USB-drive function inside the local area network to give their business confidentiality and security. The various types of service systems initially deployed essentially consisted of a Windows browser control together with a back-end web application server, a core business server and a data verification server, as shown in Fig. 1; they raised the throughput of the system and the flexibility of its use, and to a certain extent met the requirements of the server side and of users at the time. As information systems were iterated, a digital certificate system was introduced at the user's internet end to sign data and so protect the data at the user's end. Inside the bureau intranet, however, the data exchange between service terminals (self-service kiosks and counter-service computers) and the back-end servers is transmitted only over a basic encrypted data channel, as shown in Fig. 2. This can only partly guarantee the security of the business as a whole, because the identities of the service terminal and the back-end server are not authenticated.
There is therefore a need for a way to mutually authenticate service terminals and back-end servers and to guarantee confidentiality and security during data interaction.
Summary of the invention
The present invention proposes a server-side security authentication method and system based on multi-certificate application, to solve the problems of mutually authenticating the service terminal and the back-end server and of guaranteeing confidentiality and security during data interaction.
To solve the above problems, according to one aspect of the invention there is provided a server-side security authentication method based on multi-certificate application, the method comprising:
a secure communication server at the server end and a USB key at the client are enrolled with each other, a CA root certificate corresponding to each business operation type is generated, and it is imported into the secure communication server and into the USB key respectively; wherein, in a multi-certificate application, the import of multiple CA root certificates is supported;
according to the business operation request, the secure communication server receives the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compares them against the CA root certificate that the secure communication server stores, and verifies the identity of the client;
the client receives the CA root certificate of the secure communication server, compares it against the server CA root certificate written into the USB key, and verifies whether the secure communication server is genuine;
after the secure communication server and the client's USB key have each verified the other, data is transmitted according to the business operation request.
Preferably, the method further comprises: determining the data encryption mode and the data transmission interface according to the business operation request, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the method further comprises: in the business operation processing stage, collecting identity information of the client user and authenticating the identity of the client user; wherein the authentication modes include fingerprint authentication, iris authentication, password plus digital ID card authentication, mobile phone plus digital certificate authentication, and digital certificate plus face authentication.
Preferably, the method further comprises: setting up an access list in the secure communication server and, after the client has been verified by the secure communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include operating rights, access control and an active index, and the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the method further comprises: after the client has been verified by the secure communication server, increasing the active index of the client's certificate serial number and, when the active index of that certificate serial number reaches a preset alive threshold, setting a validity period for the client's certificate serial number.
Preferably, the method further comprises: auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached a preset active index threshold, and reducing the permissions of the corresponding clients.
Preferably, the method further comprises: recording the certificate serial numbers of clients, and recording the import and deletion of certificate serial numbers in a log for auditing; wherein the log cannot be modified and is not overwritten cyclically.
According to another aspect of the invention there is provided a server-side security authentication system based on multi-certificate application, the system comprising:
an issuance and enrolment module, for enrolling the secure communication server at the server end and the USB key at the client with each other, generating a CA root certificate corresponding to each business operation type, and importing it into the secure communication server and into the USB key respectively; wherein, in a multi-certificate application, the import of multiple CA root certificates is supported;
a client identity authentication module, for having the secure communication server, according to the business operation request, receive the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compare them against the CA root certificate that the secure communication server stores, and verify the identity of the client;
a secure communication server identity authentication module, for having the client receive the CA root certificate of the secure communication server, compare it against the server CA root certificate written into the USB key, and verify whether the secure communication server is genuine;
a data transmission module, for transmitting data according to the business operation request after the secure communication server and the client's USB key have each verified the other.
Preferably, the data transmission module further determines the data encryption mode and the data transmission interface according to the business operation request and attaches the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the system further comprises a user identity authentication module, for collecting identity information of the client user in the business operation processing stage and authenticating the identity of the client user; wherein the authentication modes include fingerprint authentication, iris authentication, password plus digital ID card authentication, mobile phone plus digital certificate authentication, and digital certificate plus face authentication.
Preferably, the system further comprises an access list update module, for setting up an access list in the secure communication server and, after the client has been verified by the secure communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include operating rights, access control and an active index, and the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the access list update module further comprises an active index update unit, for increasing the active index of the client's certificate serial number after the client has been verified by the secure communication server and, when the active index of that certificate serial number reaches a preset alive threshold, setting a validity period for the client's certificate serial number.
Preferably, the access list update module further comprises an audit unit, for auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached a preset active index threshold, and reducing the permissions of the corresponding clients.
Preferably, the access list update module further comprises a certificate serial number recording unit, for recording the certificate serial numbers of clients and recording the import and deletion of certificate serial numbers in a log for auditing; wherein the log cannot be modified and is not overwritten cyclically.
The present invention provides a server-side security authentication method and system based on multi-certificate application, comprising: a secure communication server at the server end and a USB key at the client are enrolled with each other, a CA root certificate corresponding to each business operation type is generated, and it is imported into the secure communication server and into the USB key respectively; according to the business operation request, the secure communication server compares the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key against the CA root certificate that the secure communication server stores, and verifies the identity of the client; the client compares the CA root certificate of the secure communication server against the server CA root certificate written into the USB key, and verifies whether the secure communication server is genuine; after the secure communication server and the client's USB key have each verified the other, data is transmitted according to the business operation request. The invention integrates multiple certificate applications and consolidates the client's various USB-type key devices into one; combined with the client interface in the business program, it completes mutual authentication of server and client, so that the capture or compromise of either party does not lead to leakage of keys and data. The enhanced digital certificate authentication of the secure communication server and techniques such as permission auditing complete the integration of OA and government and enterprise business functions, so that one set of system services performs multiple functions and the waste of server resources caused by duplicated deployments is avoided. The invention is applicable to many systems, and its certificate application method can be ported to strengthen the security of existing systems; it can provide secure and confidential data communication services for internet transaction systems and prevent various kinds of online fraud; it is applicable to all kinds of information systems, and particularly to cross-regional and cross-institution transaction systems; it can provide hosts in real time with cryptographic services such as key management, message authentication, data encryption, and signature generation and verification, guaranteeing the security, validity, integrity and non-repudiation of data throughout its generation, transmission, reception and management; and it can be widely used in computer network systems for finance, taxation and social security, with obvious social and economic benefits.
Brief description of the drawings
Exemplary embodiments of the present invention can be understood more fully by reference to the following drawings:
Fig. 1 is a schematic diagram of the various types of service systems initially deployed;
Fig. 2 is a schematic diagram of the existing service system after upgrading;
Fig. 3 is a flow chart of the server-side security authentication method 300 based on multi-certificate application according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the service system with the USB key and the secure communication server added, according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the structure of the server-side security authentication system 500 based on multi-certificate application according to an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present invention are now described with reference to the drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. The terms used in the exemplary embodiments illustrated in the drawings do not limit the invention. In the drawings, identical units or elements are denoted by identical reference signs.
Unless otherwise indicated, the terms used here (including scientific and technical terms) have the meanings commonly understood by those of ordinary skill in the art. It will further be understood that terms defined in commonly used dictionaries should be construed as having meanings consistent with their context in the related art, and not in an idealised or overly formal sense.
Fig. 3 is a flow chart of the server-side security authentication method 300 based on multi-certificate application according to an embodiment of the invention. As shown in Fig. 3, the embodiment provides a server-side security authentication method based on multi-certificate application. It integrates multiple certificate applications and consolidates the client's various USB-type key devices into one; combined with the client interface in the business program, it completes mutual authentication of server and client, so that the capture or compromise of either party does not lead to leakage of keys and data. The enhanced digital certificate authentication of the secure communication server and techniques such as permission auditing complete the integration of OA and government and enterprise business functions, so that one set of system services performs multiple functions and the waste of server resources caused by duplicated deployments is avoided. The method is applicable to many systems and its certificate application method can be ported to strengthen the security of existing systems; it can provide secure and confidential data communication services for internet transaction systems and prevent various kinds of online fraud; it is applicable to all kinds of information systems, and particularly to cross-regional and cross-institution transaction systems; it can provide hosts in real time with cryptographic services such as key management, message authentication, data encryption, and signature generation and verification, guaranteeing the security, validity, integrity and non-repudiation of data throughout its generation, transmission, reception and management; and it can be widely used in computer network systems for finance, taxation and social security, with obvious social and economic benefits. The method 300 provided by the embodiment starts at step 301.
In step 301, the secure communication server at the server end and the USB key at the client are enrolled with each other, a CA root certificate corresponding to each business operation type is generated, and it is imported into the secure communication server and into the USB key respectively. In a multi-certificate application, the import of multiple CA root certificates is supported.
Preferably, in step 302, according to the business operation request, the secure communication server receives the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, compares them against the CA root certificate that the secure communication server stores, and verifies the identity of the client.
Preferably, in step 303, the client receives the CA root certificate of the secure communication server, compares it against the server CA root certificate written into the USB key, and verifies whether the secure communication server is genuine.
Preferably, in step 304, after the secure communication server and the client's USB key have each verified the other, data is transmitted according to the business operation request.
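Steps 301 to 304 as a worked example, added here and not part of the patent or of any product it describes. It uses only the Go standard library: one self-signed CA root is minted per business operation type (the operation types "tax" and "social-security", the rogue CA, the common names and the serial numbers are constructed for illustration), a server certificate and two client certificates are issued, and the check is run in both directions. The point the patent states only implicitly is made explicit: each side validates the peer's certificate chain against the root it stores itself (the server against its imported roots, the client against the root written into the USB key at issuance), and whatever root certificate the peer sends along is never used as a trust anchor, because otherwise an attacker could present a self-made root together with a matching leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyPair bundles a certificate with the private key that matches it.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint generates a fresh P-256 key and signs tmpl with parent (self-signed
// when parent is nil). Provisioning code panics on failure, like template.Must.
func mint(tmpl *x509.Certificate, parent *keyPair) *keyPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &keyPair{cert: cert, key: key}
}

// newRootCA mints the self-signed CA root for one business operation type
// (the patent generates one root per operation type).
func newRootCA(opType string) *keyPair {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Root CA " + opType},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueLeaf signs an end-entity certificate (server or client) under ca.
func issueLeaf(ca *keyPair, cn string, serial int64, eku x509.ExtKeyUsage) *keyPair {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}, ca)
}

// verifyAgainstRoots is the check both sides run (steps 302 and 303): the peer's
// leaf must chain to a root the verifier itself stores and carry the expected
// extended key usage. Any root the peer sends along is deliberately ignored.
func verifyAgainstRoots(leaf *x509.Certificate, roots []*x509.Certificate, eku x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}

// authResult records the outcome of each direction of the mutual check.
type authResult struct {
	ClientAccepted       bool // tax client certificate presented to the tax server
	WrongTypeRejected    bool // social-security client certificate presented to the tax server
	ServerAccepted       bool // genuine server certificate checked against the USB-key root
	ForgedServerRejected bool // server certificate under an attacker's CA, same check
}

// mutualAuthDemo provisions one root per operation type plus a rogue root an
// attacker controls, one server certificate and two client certificates.
func mutualAuthDemo() authResult {
	taxCA, socialCA, rogueCA := newRootCA("tax"), newRootCA("social-security"), newRootCA("rogue")
	server := issueLeaf(taxCA, "secure-comm-server", 1001, x509.ExtKeyUsageServerAuth)
	forged := issueLeaf(rogueCA, "secure-comm-server", 1001, x509.ExtKeyUsageServerAuth)
	taxClient := issueLeaf(taxCA, "usbkey-tax-0042", 2042, x509.ExtKeyUsageClientAuth)
	socialClient := issueLeaf(socialCA, "usbkey-social-0007", 2007, x509.ExtKeyUsageClientAuth)
	// Server side (step 302): only the roots imported for the "tax" operation type.
	serverRoots := []*x509.Certificate{taxCA.cert}
	// Client side (step 303): the server root written into the USB key at issuance.
	usbKeyRoots := []*x509.Certificate{taxCA.cert}
	return authResult{
		ClientAccepted:       verifyAgainstRoots(taxClient.cert, serverRoots, x509.ExtKeyUsageClientAuth),
		WrongTypeRejected:    !verifyAgainstRoots(socialClient.cert, serverRoots, x509.ExtKeyUsageClientAuth),
		ServerAccepted:       verifyAgainstRoots(server.cert, usbKeyRoots, x509.ExtKeyUsageServerAuth),
		ForgedServerRejected: !verifyAgainstRoots(forged.cert, usbKeyRoots, x509.ExtKeyUsageServerAuth),
	}
}

func main() {
	fmt.Printf("%+v\n", mutualAuthDemo())
}
```

`go run` prints the four booleans, all true. Chain validation only shows that a certificate was issued under a stored root and is within its validity window with the right key usage; proof that the peer actually holds the matching private key comes from the signed handshake (the SSL support the description places on the secure communication server), which this example does not reproduce. A client certificate minted under the social-security root fails against a server configured for the tax operation type, which is the mechanism by which the patent ties operating rights to the root of each operation type.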
Preferably, the method further comprises: determining the data encryption mode and the data transmission interface according to the business operation request, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
Preferably, the method further comprises: in the business operation processing stage, collecting identity information of the client user and authenticating the identity of the client user; wherein the authentication modes include fingerprint authentication, iris authentication, password plus digital ID card authentication, mobile phone plus digital certificate authentication, and digital certificate plus face authentication.
Preferably, the method further comprises: setting up an access list in the secure communication server and, after the client has been verified by the secure communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include operating rights, access control and an active index, and the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the method further comprises: after the client has been verified by the secure communication server, increasing the active index of the client's certificate serial number and, when the active index of that certificate serial number reaches a preset alive threshold, setting a validity period for the client's certificate serial number.
Preferably, the method further comprises: auditing the access list according to a preset audit cycle, deleting client certificate serial numbers that have not been used within a preset time period or have not reached a preset active index threshold, and reducing the permissions of the corresponding clients.
Preferably, the method further comprises: recording the certificate serial numbers of clients, and recording the import and deletion of certificate serial numbers in a log for auditing; wherein the log cannot be modified and is not overwritten cyclically.
Fig. 4 is a schematic diagram of the service system with the USB key and the secure communication server added, according to an embodiment of the invention. As shown in Fig. 4, in this embodiment, starting from the requirements that the State Cryptography Administration places on the information security of information systems, a secure communication server is placed in front of the existing core business server (see also Fig. 3). CA certificate management and SSL support can run on the secure communication server; clients on the bureau intranet use a USB key, the processing end uses a software certificate, and external network users can use their existing customer digital certificates.
On the server side each province is equipped with one secure communication server (or an active and standby pair) for recognising client identities and securing data transmission. The secure communication server stores the CA root certificate of the core business server and the server certificate; the USB key stores the CA root certificate and the client certificate. The server side does not store client certificates: at the start of a session the client transmits its own certificate or certificate serial number so that the server can recognise whether the client is genuine, and during the session data is encrypted with a random session key and the client's certificate serial number is attached, so that data is transmitted securely and quickly. Once issued, the USB key is inserted into a client computer on which the matching driver is installed, and data interaction with the core business server can then take place through the secure communication server.
In this embodiment the server side (the secure communication server) does not store client certificates; the client certificate is transmitted when business is transacted and is used for identity authentication. A general data transmission and encryption interface is designed to meet the requirements of multiple systems and to improve portability. An access list is set up with attributes such as logon rights, access control and an active index, and can be used for client permission control, change logging and auditing. Client certificate serial numbers are recorded, and operations such as the import and deletion of serial numbers are written to a log for auditing; the log cannot be modified and is not overwritten cyclically. After the server has verified a client, the active index of the corresponding certificate in the access list is increased, and when the active index reaches the preset alive threshold a validity period is set for that client's certificate serial number. The access list is audited periodically: certificate serial numbers that have long been unused or are inactive are deleted and the corresponding clients are demoted, which avoids wasting resources and prevents zombie client certificates from occupying server resources.
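The access list, active index, alive threshold, periodic audit and append-only log described in the optional clauses of the method and in the paragraph just above, as an added example in Go (not the patent's own code; the threshold values, the operating-right names, the serial numbers and the month of activity are constructed for illustration). It shows the security-relevant role of the list: because the server stores no client certificates and the patent describes no revocation checking, the access list is the second gate after the chain check of step 302, and the audit that deletes stale serial numbers is the closest thing the design has to revocation. Only the in-process part of the log is modelled; the "cannot be modified" property of a real deployment would additionally need write-once storage or a hash chain, which is an engineering note of this editor and not part of the patent.

```go
package main

import (
	"fmt"
	"time"
)

// entry is one access-list row, keyed by the client's certificate serial number.
type entry struct {
	Rights      []string  // operating rights, derived from the operation type of the issuing root
	ActiveIndex int       // incremented on every successful verification
	LastSeen    time.Time // time of the last successful verification
	ValidUntil  time.Time // zero until ActiveIndex reaches AliveThreshold
}

// auditLog is append-only: nothing here edits, truncates or wraps over old
// lines, which is the patent's "cannot be modified and is not overwritten cyclically".
type auditLog struct{ lines []string }

func (l *auditLog) append(now time.Time, op, serial string) {
	l.lines = append(l.lines, fmt.Sprintf("%s %s serial=%s", now.UTC().Format(time.RFC3339), op, serial))
}

// accessList carries the policy knobs named in the patent's optional clauses.
type accessList struct {
	AliveThreshold int           // active index at which a validity period is set
	Validity       time.Duration // validity period granted at that point
	IdleWindow     time.Duration // audit: delete serials unseen for longer than this
	MinActive      int           // audit: delete serials whose active index is below this
	entries        map[string]*entry
	Log            auditLog
}

// rightsFor maps an operation type to its operating rights (illustrative values).
var rightsFor = map[string][]string{"tax": {"query", "file-return"}, "social-security": {"query", "update-record"}}

// Import registers a serial number issued under the CA root of opType.
func (a *accessList) Import(now time.Time, serial, opType string) {
	a.entries[serial] = &entry{Rights: rightsFor[opType], LastSeen: now}
	a.Log.append(now, "IMPORT", serial)
}

// OnVerified runs after the certificate check of step 302 succeeded. It returns
// false for an unknown serial or an expired validity period, so a valid
// signature alone does not grant access.
func (a *accessList) OnVerified(now time.Time, serial string) bool {
	e, ok := a.entries[serial]
	if !ok || (!e.ValidUntil.IsZero() && now.After(e.ValidUntil)) {
		return false
	}
	e.ActiveIndex++
	e.LastSeen = now
	if e.ActiveIndex == a.AliveThreshold {
		e.ValidUntil = now.Add(a.Validity)
	}
	return true
}

// Audit is the periodic review: serials unused for longer than IdleWindow or
// still below MinActive are deleted and logged; the clients concerned are
// demoted because Rights no longer finds a row for them.
func (a *accessList) Audit(now time.Time) []string {
	var deleted []string
	for serial, e := range a.entries {
		if now.Sub(e.LastSeen) > a.IdleWindow || e.ActiveIndex < a.MinActive {
			delete(a.entries, serial) // deleting during range is safe in Go
			a.Log.append(now, "DELETE", serial)
			deleted = append(deleted, serial)
		}
	}
	return deleted
}

// Rights returns a serial's operating rights, or nil once it has been deleted.
func (a *accessList) Rights(serial string) []string {
	if e, ok := a.entries[serial]; ok {
		return e.Rights
	}
	return nil
}

// demo replays a constructed month: serial 2042 is used on three consecutive
// days, 2007 once on day 20, 3001 never; the audit on day 31 removes the latter two.
func demo() (*accessList, []string) {
	day := 24 * time.Hour
	t0 := time.Date(2018, 9, 1, 0, 0, 0, 0, time.UTC)
	a := &accessList{AliveThreshold: 3, Validity: 90 * day, IdleWindow: 30 * day, MinActive: 2,
		entries: map[string]*entry{}}
	a.Import(t0, "2042", "tax")
	a.Import(t0, "2007", "social-security")
	a.Import(t0, "3001", "tax")
	for d := 0; d < 3; d++ {
		a.OnVerified(t0.Add(time.Duration(d)*day), "2042")
	}
	a.OnVerified(t0.Add(20*day), "2007")
	return a, a.Audit(t0.Add(31 * day))
}

func main() {
	a, deleted := demo()
	fmt.Println("deleted:", deleted, "rights(2042):", a.Rights("2042"), "log lines:", len(a.Log.lines))
}
```

Serial 2042 reaches the alive threshold on its third verification (day 2) and receives a validity period ending on day 92, after which `OnVerified` refuses it even though its certificate would still chain correctly; 2007 is deleted for staying below the active-index threshold, 3001 for having been unused for longer than the idle window, and both deletions land in the log after the three imports. Map iteration order makes the order of the returned slice arbitrary, which is why the audit result is best treated as a set.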
The client in this embodiment uses a USB key as the client-terminal encryption and authentication device paired with the secure communication server, which ensures that key material such as keys, certificates and authorisation attributes is stored securely inside the hardware device. The USB key provides identity authentication, binding to a proprietary business and a secure USB-drive function, and its internal hardware is partitioned so that a software vulnerability cannot reach across partitions. During use, the client authenticates the server with the server root certificate written into the key. Multi-certificate application is supported to meet the needs of various complex application scenarios. During business operations, identity information is collected and checked in real time against the identity information stored in the client's USB key, to ensure "real person, real name, real client"; the identity collection modes include fingerprint, iris, password plus digital ID card, mobile phone plus digital certificate, and digital certificate plus face recognition, and a suitable identity authentication mode can be chosen according to the requirements of the job position and local conditions.
By introducing multi-certificate application, mutual authentication between the server side and the client, and permission auditing, embodiments of the invention can ensure the security of the server and the client and avoid server hijacking and client forgery that would lead to data leakage. The audit function avoids wasting resources and prevents the appearance of zombie clients that could easily be exploited maliciously.
Fig. 5 is the structure according to the server-side security certification system 500 based on the application of more certificates of embodiment of the present invention
Schematic diagram.As shown in figure 5, the server-side security certification system 500 based on the application of more certificates that embodiments of the present invention provide,
It include: distribution accreditation module 501, client identity authentication module 502,503 sum number of safety communication server identity authentication module
According to transmission module 504.
Preferably, the distribution accreditation module 501, for being located at the safety communication server of server end and being located at client
The USB key at end is authenticated, and generates CA root certificate corresponding with business operation type, and be directed respectively into safety communication service
Device and USB key;Wherein, it supports to import multiple CA root certificates when more certificates are applied.
Preferably, the client identity authentication module 502, for according to business operation demand, the safety communication clothes
Business device receives the CA root certificate corresponding with business operation type and client certificate that the USB key is sent, and described in utilization
The CA root certificate corresponding with business operation type and client certificate and the safety communication server that USB key is sent store
CA root certificate be compared, the identity of client is verified.
Preferably, wherein the data transmission module 502, further includes: determine that data add according to the business operation demand
Close mode and data transmission interface, and additional client certificate, so that data service operational data security is rapidly transmitted.
Preferably, it is logical to receive the safety for the client for the safety communication server identity authentication module 503
The CA root certificate of inquiry server, and utilize the service of the CA root certificate of the safety communication server and USB key write-in
The CA root certificate of device is compared, and verifies the true and false of the safety communication server.
Preferably, the data transmission module 504, for working as the USB key of the safety communication server and client side
After being verified, the transmission of data is carried out according to the business operation demand.
Preferably, right in business operation processing stage wherein the system also includes user identity authentication module
The identity information of client user is acquired, and is authenticated with the identity to client user;Wherein, authentication mode includes:
Finger print identifying, iris authentication, password and digital identification authentication, mobile phone and digital certificate authentication, digital certificate and the certification of brush face.
Preferably, the system also includes an access list update module that maintains an access list in the safety communication server and, after the client has passed the verification of the safety communication server, updates the attribute information of the current client in the access list. The attributes in the access list include operating right, access control and active index; the CA root certificates corresponding to different business operation types correspond to different operating rights.
Preferably, the access list update module further includes an active index updating unit which, after the client has passed the verification of the safety communication server, increments the active index of the client's certificate serial number and, when that active index reaches the preset aliveness threshold, sets the validity period of the client's certificate serial number.
Preferably, the access list update module further includes an audit unit which audits the access list according to a preset audit cycle, deletes the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and reduces the permissions of the corresponding clients.
Preferably, the access list update module further includes a certificate serial number recording unit which records the certificate serial numbers of clients and writes the import and delete operations on those serial numbers to a log for auditing; the log is kept in a mode that can neither be modified nor cyclically overwritten.
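The access list, active index, audit cycle and serial number log described in the preceding paragraphs, as an added example in Go; it is not code from the patent or from its applicant. The aliveness threshold of three verifications, the 30-day validity period, the three-day idle window, the operating rights "transfer" and "read-only", and the serial numbers and dates are all constructed for the example. The description groups idle and below-threshold serial numbers together; the reading used here, deleting idle entries and downgrading below-threshold ones, is an assumption. The log is modelled as an in-memory slice that is only ever appended to; making it impossible to modify or cyclically overwrite is a property of the storage behind it, not shown here.

```go
package main

import (
	"fmt"
	"time"
)

// Entry is one access-list row: operating right, last verification, active index,
// and the validity period set once the active index reaches the aliveness threshold.
type Entry struct {
	Permission  string
	LastSeen    time.Time
	ActiveIndex int
	ValidUntil  time.Time
}

// AuditLog is append-only: records are only ever appended, never edited and never
// overwritten in a ring. Enforcing that in storage (WORM media, a hash chain) is
// outside this example.
type AuditLog struct{ records []string }

func (l *AuditLog) Append(op, serial string, at time.Time) {
	l.records = append(l.records, at.UTC().Format(time.RFC3339)+"|"+op+"|"+serial)
}

// AccessList is the server-side list keyed by client certificate serial number.
type AccessList struct {
	entries        map[string]*Entry
	aliveThreshold int
	validityPeriod time.Duration
	log            *AuditLog
}

// Import registers a serial number with the operating right of its business type
// (the patent maps each business type's root certificate to an operating right).
func (a *AccessList) Import(serial, right string, now time.Time) {
	a.entries[serial] = &Entry{Permission: right, LastSeen: now}
	a.log.Append("import", serial, now)
}

// RecordVerified runs after the server has verified the client's certificate: it
// bumps the active index and, on reaching the threshold, sets the validity period.
func (a *AccessList) RecordVerified(serial string, now time.Time) bool {
	e, ok := a.entries[serial]
	if !ok {
		return false
	}
	e.ActiveIndex++
	e.LastSeen = now
	if e.ValidUntil.IsZero() && e.ActiveIndex >= a.aliveThreshold {
		e.ValidUntil = now.Add(a.validityPeriod)
	}
	return true
}

// Audit runs once per audit cycle. The reading of the claim used here is an assumption:
// serials idle longer than idlePeriod are deleted and the deletion logged; serials still
// below the aliveness threshold keep their row but are reduced to read-only.
func (a *AccessList) Audit(now time.Time, idlePeriod time.Duration) (deleted, downgraded []string) {
	for serial, e := range a.entries {
		switch {
		case now.Sub(e.LastSeen) > idlePeriod:
			delete(a.entries, serial)
			a.log.Append("delete", serial, now)
			deleted = append(deleted, serial)
		case e.ActiveIndex < a.aliveThreshold && e.Permission != "read-only":
			e.Permission = "read-only"
			downgraded = append(downgraded, serial)
		}
	}
	return deleted, downgraded
}

// auditOutcome is what runAuditScenario observes on a constructed five-day timeline.
type auditOutcome struct {
	Deleted, Downgraded []string
	ValiditySet         bool
	LogRecords          int
}

func runAuditScenario() auditOutcome {
	t0, day := time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour
	al := &AccessList{entries: map[string]*Entry{}, aliveThreshold: 3, validityPeriod: 30 * day, log: &AuditLog{}}
	al.Import("1001", "transfer", t0)
	al.Import("1002", "transfer", t0)
	al.Import("1003", "read-only", t0)
	for _, d := range []time.Duration{1, 2, 4} {
		al.RecordVerified("1001", t0.Add(d*day)) // third verification reaches the threshold
	}
	al.RecordVerified("1002", t0.Add(3*day)) // verified once, stays below the threshold
	deleted, downgraded := al.Audit(t0.Add(5*day), 3*day) // 1003 has been idle since import
	return auditOutcome{Deleted: deleted, Downgraded: downgraded,
		ValiditySet: !al.entries["1001"].ValidUntil.IsZero(), LogRecords: len(al.log.records)}
}

func main() {
	fmt.Printf("%+v\n", runAuditScenario())
}
```

On this timeline the audit deletes serial 1003 (never used after import), downgrades 1002 (one verification, below the threshold), leaves 1001 with its full right and a validity period that was set at its third verification, and the log holds four records: three imports and one deletion. Note that the two audit rules pull in different directions for a freshly enrolled key, which is verified only a few times before the first audit: the idle window and the threshold have to be chosen together, or legitimate new keys are downgraded before they have had a chance to become "active".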
The server-side security certification system 500 based on multi-certificate application of this embodiment of the invention corresponds to the server-side safety certifying method 100 based on multi-certificate application of another embodiment of the invention; details are not repeated here.
The present invention has been described with reference to a small number of embodiments. However, as is known to those skilled in the art, other embodiments than those disclosed above equally fall within the scope of the invention as defined by the appended patent claims.
Normally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of said device, component, etc., unless otherwise expressly specified. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.
Claims (14)
1. A server-side safety certifying method based on multi-certificate application, characterized in that the method comprises:
a safety communication server located at the server end and a USB key located at the client authenticating each other, generating a CA root certificate corresponding to the business operation type, and importing it into both the safety communication server and the USB key; wherein, when multiple certificates are in use, multiple CA root certificates can be imported;
according to the business operation demand, the safety communication server receiving the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, comparing that CA root certificate and client certificate with the CA root certificate stored by the safety communication server, and verifying the identity of the client;
the client receiving the CA root certificate of the safety communication server, comparing it with the server CA root certificate written into the USB key, and verifying the authenticity of the safety communication server;
after the safety communication server and the client's USB key have both been verified, transmitting data according to the business operation demand.
2. The method according to claim 1, wherein the method further comprises:
determining the data encryption mode and the data transmission interface according to the business operation demand, and attaching the client certificate, so that business operation data is transmitted securely and quickly.
3. The method according to claim 1, wherein the method further comprises:
in the business operation processing stage, collecting the identity information of the client user in order to authenticate the client user; wherein the authentication modes include fingerprint authentication, iris authentication, password plus digital identity authentication, mobile phone plus digital certificate authentication, and digital certificate plus face recognition authentication.
4. The method according to claim 1, wherein the method further comprises:
setting an access list in the safety communication server and, after the client has passed the verification of the safety communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include operating right, access control and active index, and the CA root certificates corresponding to different business operation types correspond to different operating rights.
5. The method according to claim 4, characterized in that the method further comprises:
after the client has passed the verification of the safety communication server, incrementing the active index of the client's certificate serial number and, when the active index of the certificate serial number reaches the preset aliveness threshold, setting the validity period of the client's certificate serial number.
6. The method according to claim 4, characterized in that the method further comprises:
auditing the access list according to a preset audit cycle, deleting the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and reducing the permissions of the corresponding clients.
7. The method according to claim 4, characterized in that the method further comprises: recording the certificate serial numbers of clients, and writing the import and delete operations on those serial numbers to a log for auditing; wherein the log is kept in a mode that can neither be modified nor cyclically overwritten.
8. A server-side security certification system based on multi-certificate application, characterized in that the system comprises:
an issuing and accreditation module, for a safety communication server located at the server end and a USB key located at the client to authenticate each other, generate a CA root certificate corresponding to the business operation type, and import it into both the safety communication server and the USB key; wherein, when multiple certificates are in use, multiple CA root certificates can be imported;
a client identity authentication module, for the safety communication server to receive, according to the business operation demand, the CA root certificate corresponding to the business operation type and the client certificate sent by the USB key, to compare them with the CA root certificate stored by the safety communication server, and to verify the identity of the client;
a safety communication server identity authentication module, for the client to receive the CA root certificate of the safety communication server, compare it with the server CA root certificate written into the USB key, and verify the authenticity of the safety communication server;
a data transmission module, for transmitting data according to the business operation demand after the safety communication server and the client's USB key have both been verified.
9. The system according to claim 8, characterized in that the data transmission module further:
determines the data encryption mode and the data transmission interface according to the business operation demand, and attaches the client certificate, so that business operation data is transmitted securely and quickly.
10. The system according to claim 8, characterized in that the system further comprises:
a user identity authentication module, for collecting the identity information of the client user in the business operation processing stage and authenticating the client user; wherein the authentication modes include fingerprint authentication, iris authentication, password plus digital identity authentication, mobile phone plus digital certificate authentication, and digital certificate plus face recognition authentication.
11. The system according to claim 8, characterized in that the system further comprises:
an access list update module, for setting an access list in the safety communication server and, after the client has passed the verification of the safety communication server, updating the attribute information of the current client in the access list; wherein the attributes in the access list include operating right, access control and active index, and the CA root certificates corresponding to different business operation types correspond to different operating rights.
12. The system according to claim 11, characterized in that the access list update module further comprises:
an active index updating unit, for incrementing the active index of the client's certificate serial number after the client has passed the verification of the safety communication server and, when the active index of the certificate serial number reaches the preset aliveness threshold, setting the validity period of the client's certificate serial number.
13. The system according to claim 11, characterized in that the access list update module further comprises:
an audit unit, for auditing the access list according to a preset audit cycle, deleting the client certificate serial numbers that have not been used within a preset period or have not reached the preset active index threshold, and reducing the permissions of the corresponding clients.
14. The system according to claim 11, characterized in that the access list update module further comprises:
a certificate serial number recording unit, for recording the certificate serial numbers of clients and writing the import and delete operations on those serial numbers to a log for auditing; wherein the log is kept in a mode that can neither be modified nor cyclically overwritten.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811027897.1A CN109409041A (en) | 2018-09-04 | 2018-09-04 | A kind of server-side safety certifying method and system based on the application of more certificates |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811027897.1A CN109409041A (en) | 2018-09-04 | 2018-09-04 | A kind of server-side safety certifying method and system based on the application of more certificates |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109409041A true CN109409041A (en) | 2019-03-01 |
Family ID: 65463812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811027897.1A Pending CN109409041A (en) | 2018-09-04 | 2018-09-04 | A kind of server-side safety certifying method and system based on the application of more certificates |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109409041A (en) |
Events
- 2018-09-04: application CN201811027897.1A filed in CN (published as CN109409041A); status: Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102271042A (en) * | 2011-08-25 | 2011-12-07 | 北京神州绿盟信息安全科技股份有限公司 | Certificate authorization method, system, universal serial bus (USB) Key equipment and server |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110855442A (en) * | 2019-10-10 | 2020-02-28 | 北京握奇智能科技有限公司 | PKI (public key infrastructure) technology-based inter-device certificate verification method |
CN112153032A (en) * | 2020-09-15 | 2020-12-29 | 腾讯科技(深圳)有限公司 | Information processing method, device, computer readable storage medium and system |
CN112800411A (en) * | 2021-02-19 | 2021-05-14 | 浪潮云信息技术股份公司 | Multi-protocol and multi-mode supporting safe and reliable identity authentication method and device |
CN112800411B (en) * | 2021-02-19 | 2023-04-14 | 浪潮云信息技术股份公司 | Multi-protocol and multi-mode supporting safe and reliable identity authentication method and device |
CN113672897A (en) * | 2021-07-22 | 2021-11-19 | 北京奇艺世纪科技有限公司 | Data communication method, device, electronic equipment and storage medium |
CN113672897B (en) * | 2021-07-22 | 2024-03-08 | 北京奇艺世纪科技有限公司 | Data communication method, device, electronic equipment and storage medium |
CN113691394A (en) * | 2021-07-29 | 2021-11-23 | 广州鲁邦通物联网科技有限公司 | Method and system for establishing and switching VPN communication |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2021203598B2 (en) | Systems and mechanism to control the lifetime of an access token dynamically based on access token use | |
US9892404B2 (en) | Secure identity authentication in an electronic transaction | |
CN108989346B (en) | Third-party valid identity escrow agile authentication access method based on account hiding | |
CN109409041A (en) | A kind of server-side safety certifying method and system based on the application of more certificates | |
CN108804906B (en) | System and method for application login | |
JP6514218B2 (en) | Client authentication using social data | |
US9691067B2 (en) | Validation database resident on a network server and containing specified distinctive identifiers of local/mobile computing devices may be used as a digital hardware key in the process of gaining authorized access to a users online website account such as, but not limited to, e-commerce website account, online financial accounts and online email accounts | |
CN110569658B (en) | User information processing method and device based on blockchain network, electronic equipment and storage medium | |
CN117579281A (en) | Method and system for ownership verification using blockchain | |
CN100518411C (en) | Dynamic cipher system and method based on mobile communication terminal | |
CN104364790B (en) | System and method for implementing dual factor anthentication | |
CN107306183A (en) | Client, service end, method and authentication system | |
KR101876674B1 (en) | Method of managing common account using block chain and system performing the same | |
CN100397814C (en) | Uniform identication method and system based on network | |
CN104424676A (en) | Identity information sending method, identity information sending device, access control card reader and access control system | |
US20190306153A1 (en) | Adaptive risk-based password syncronization | |
CN106789024A (en) | A kind of remote de-locking method, device and system | |
US20190288833A1 (en) | System and Method for Securing Private Keys Behind a Biometric Authentication Gateway | |
US10915888B1 (en) | Contactless card with multiple rotating security keys | |
US11234235B2 (en) | Resource distribution hub generation on a mobile device | |
CN108183906B (en) | Time bank management method, server, terminal, storage medium and electronic device | |
CN109413200A (en) | A kind of method, client, MES and electronic equipment that resource imports | |
CN101588243A (en) | A kind of electronic transaction historical record querying method and system | |
CN117795505A (en) | System and method for contactless card communication and multiple device key pair encryption authentication | |
CN109934009A (en) | A kind of personal information data query interaction authorization method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190301 |