CN109831311B - Server verification method, system, user terminal and readable storage medium - Google Patents

Publication number: CN109831311B
Authority: CN (China)
Prior art keywords: server, public key, certificate, root, authentication
Legal status: Active
Application number: CN201910217655.7A
Other languages: Chinese (zh)
Other versions: CN109831311A (en)
Inventor: 朱秀军, 陶胜
Current Assignee: Shenzhen Onething Technology Co Ltd
Original Assignee: Shenzhen Onething Technology Co Ltd

Abstract

The application discloses a server verification method that does not rely on the verification result of a root certificate to judge whether a server is legitimate. Instead, a root public key generated by the server is embedded in advance in the client that exchanges data with a website's server over the HTTPS protocol. When the server responds to an access request sent by the client, it encrypts the server public key with the root private key corresponding to that root public key to obtain a pseudo server certificate. Whether the client can decrypt the pseudo server certificate with its embedded root public key determines whether the server that sent the certificate is the real target server. The application also discloses a server verification system, a user terminal and a computer-readable storage medium, which have the same beneficial effects.

Description

Server verification method, system, user terminal and readable storage medium
Technical Field
The present application relates to the field of HTTPS technologies, and in particular, to a server authentication method, a server authentication system, a user terminal, and a computer-readable storage medium.
Background
The HTTPS protocol is a network data transmission protocol developed by adding an SSL encryption layer on top of the HTTP protocol. Data is transmitted as ciphertext between a client and a server that use HTTPS, which ensures the security of data transmission in the network.
Before a client and a server establish an encrypted data transmission path based on the HTTPS protocol, the client first sends an access request to the server. The server responds by returning to the client a server certificate issued by a certificate authority (CA). The client then uses a preset root certificate issued by the same certificate authority to verify the validity of the server certificate. If the server certificate was issued by that certificate authority, it passes the validity check, and the client concludes that the server is the legitimate, real target server. The client can then use the server public key contained in the server certificate to encrypt an encryption key, which serves as the key for encrypting the data to be transmitted over the encrypted path.
Because the whole process of the HTTPS protocol is public, a malicious attacker or data stealer may tamper with the root certificate in the client so that the client treats a third party as the target server. Positioned between the client and the server, the third party impersonates the server (as seen from the client) and the client (as seen from the server) at the same time. Because the tampered root certificate accepts the third party's fake certificate as legitimate, the third party can obtain plaintext data from both the client and the server, which poses a great threat to the secure transmission of data.
Therefore, how to overcome the technical defect that the HTTPS data transmission is insecure due to malicious tampering of the root certificate in the prior art, and to provide a mechanism for verifying the server legitimacy more securely is a problem to be solved by those skilled in the art.
Disclosure of Invention
The present application mainly aims to provide a server verification method, a server verification system, a user terminal, and a computer-readable storage medium, and aims to solve the problem in the prior art that HTTPS data transmission is unsafe due to malicious tampering of a root certificate, and improve the security of data transmission based on an HTTPS protocol.
In order to achieve the above object, the present application provides a server authentication method, including:
initiating an access request to a target server;
receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
judging whether the pseudo server certificate can be decrypted by a root public key built in a client;
if the pseudo server certificate can be successfully decrypted by the root public key, judging that the target server is legal, encrypting data to be transmitted by using the decrypted server public key, and sending an encrypted ciphertext to the target server;
and if the pseudo server certificate cannot be decrypted by the root public key, judging that the target server is illegal, and stopping information interaction with the target server.
Optionally, the server authentication method further includes:
receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, before encrypting the data to be transmitted by using the server public key obtained after decryption, the method further comprises the following steps:
decrypting the server signature by using the server public key obtained after decryption to obtain an actual authentication character string;
judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
if they are consistent, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption;
and if they are inconsistent, judging that the target server is illegal, and stopping information interaction with the target server.
Optionally, the authentication string information is specifically a random number generated by using a random algorithm.
Optionally, the server authentication method further includes:
and updating the root public key built in the client through a preset path, and recording the replacement information of the root public key during each updating.
Optionally, the server authentication method further includes:
receiving, from the target server, a true server certificate issued by an authoritative certification authority;
verifying the validity of the true server certificate using a root certificate issued by the authoritative certification authority;
correspondingly, after the preset root public key successfully decrypts the pseudo server certificate, and before the server public key obtained after decryption is used to encrypt data to be transmitted, the method further includes:
judging whether the true server certificate is legal or not;
and if the true server certificate is legal, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption.
In order to achieve the above object, the present application further provides a system for verifying the validity of a server, the system comprising:
an access request initiating unit, configured to initiate an access request to a target server;
the pseudo server certificate receiving unit is used for receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
a decryption success judgment unit configured to judge whether the pseudo server certificate can be decrypted by a root public key built in the client;
the legal judging and encrypting transmission unit is used for judging that the target server is legal when the pseudo server certificate can be successfully decrypted by the root public key, encrypting the data to be transmitted by using the decrypted server public key and sending the encrypted ciphertext to the target server;
and the illegal judging and processing unit is used for judging that the target server is illegal and stopping information interaction with the target server when the pseudo server certificate cannot be decrypted by the root public key.
Optionally, the server authentication system further includes:
the server signature receiving unit is used for receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, the server authentication system further comprises:
the server signature decryption unit is used for decrypting the server signature by using the server public key before judging that the target server is legal to obtain an actual authentication character string;
the authentication character string consistency judging unit is used for judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
a validity determination first execution unit configured to execute the step of determining that the target server is valid when the actual authentication string coincides with an authentication string in the access request;
an illegal determination first execution unit configured to execute the step of determining that the target server is illegal when the actual authentication string does not coincide with the authentication string from the access request.
Optionally, the server authentication system further includes:
and the root public key updating and replacing information recording unit is used for updating the root public key built in the client through a preset path and recording the replacing information of the root public key during each updating.
Optionally, the server authentication system further includes:
a true server certificate receiving unit, configured to receive, from the target server, a true server certificate issued by an authoritative certification authority;
a certificate validity verifying unit, configured to verify the validity of the true server certificate by using a root certificate issued by the authoritative certification authority;
correspondingly, the server authentication system further comprises:
the certificate legality judging unit is used for judging whether the true server certificate is legal or not after the preset root public key successfully decrypts the pseudo server certificate and before the server public key obtained after decryption is used for encrypting data to be transmitted;
and the legal judgment execution second unit is used for executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption when the true server certificate is legal.
To achieve the above object, the present application also provides a user terminal, which includes a memory, a processor, and a bus, wherein the memory stores a server authentication program executable on the processor, the server authentication program is transmitted to the processor through the bus, and when executed by the processor, the user terminal implements the following steps:
initiating an access request to a target server;
receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
judging whether the pseudo server certificate can be decrypted by a root public key built in a client;
if the pseudo server certificate can be successfully decrypted by the root public key, judging that the target server is legal, encrypting data to be transmitted by using the decrypted server public key, and sending an encrypted ciphertext to the target server;
and if the pseudo server certificate cannot be decrypted by the root public key, judging that the target server is illegal, and stopping information interaction with the target server.
Optionally, the server authentication program, when executed by the processor, further implements:
and updating the root public key built in the client through a preset path, and recording the replacement information of the root public key during each updating.
Optionally, the server authentication program, when executed by the processor, further implements:
receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, before encrypting the data to be transmitted by using the server public key obtained after decryption, the method further comprises the following steps:
decrypting the server signature by using the server public key to obtain an actual authentication character string;
judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
if they are consistent, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption;
and if they are inconsistent, judging that the target server is illegal, and stopping information interaction with the target server.
Optionally, the server authentication program, when executed by the processor, further implements:
receiving, from the target server, a true server certificate issued by an authoritative certification authority;
verifying the validity of the true server certificate using a root certificate issued by the authoritative certification authority;
correspondingly, after the preset root public key successfully decrypts the pseudo server certificate, and before the server public key obtained after decryption is used to encrypt the data to be transmitted, the method further includes:
judging whether the true server certificate is legal or not;
and if the true server certificate is legal, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption.
To achieve the above object, the present application further provides a computer-readable storage medium having a server authentication program stored thereon, the server authentication program being executable by one or more processors to implement the server authentication method as described above.
As can be seen, the server verification method provided by the application no longer takes the verification result of the root certificate as the basis for judging whether the server is legal. Instead, the root public key generated by the server is embedded in advance in the client that exchanges data with a website's server over the HTTPS protocol. When the server responds to an access request sent by the client, it encrypts the server public key with the root private key corresponding to the root public key to obtain a pseudo server certificate, and whether the client can decrypt the pseudo server certificate with the embedded root public key determines whether the server that sent the certificate is the real target server. Because the root private key is stored only in the server after it is generated, its security is guaranteed, and the security of data transmission is improved.
The application also provides a server verification system, a user terminal and a computer readable storage medium, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a server authentication method according to an embodiment of the present application;
Fig. 2 is a flowchart of another server authentication method provided in an embodiment of the present application;
Fig. 3 is a flowchart of another server authentication method provided in an embodiment of the present application;
Fig. 4 is a block diagram illustrating a server authentication system according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a user terminal according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
Example one
Please refer to Fig. 1, a flowchart of a server authentication method provided in an embodiment of the present application. All steps in this embodiment are executed by the client; that is, the client needs to verify the legitimacy of the server's identity before establishing an HTTPS connection with the server to transmit encrypted data. This embodiment explains, from the client's perspective, the operations performed to achieve the purpose of the present application, and includes the following steps:
S101: initiating an access request to a target server;
An access request is first initiated to the target server, as the first step of establishing an HTTPS connection with it. The access request usually contains some client parameters, such as the type, version, candidate list of supported encryption algorithms, candidate list of supported compression algorithms, a random number, and some additional extension fields, so that the server receiving this information can select appropriate algorithms for subsequent data encryption and other operations. Which information the access request contains should be chosen flexibly according to the actual application scenario and is not specifically limited here. This step is not the inventive point of the present application; it is an essential step in establishing an HTTPS connection with a server and is unchanged from the prior art.
S102: receiving a pseudo server certificate generated after a target server encrypts a server public key by using a preset root private key;
On the basis of S101, the target server that receives the access request sent by the client returns the pseudo server certificate to the client. The pseudo server certificate is obtained by encrypting the server public key with a root private key that the target server has additionally generated in advance.
It should be noted that the root private key, and the root public key used later, are both generated in advance by the target server using an asymmetric encryption algorithm, whereas in the prior art only the server public key and the server private key are generated with an asymmetric encryption algorithm by conventional means. That is, the scheme provided by the present application requires each target server to generate two public/private key pairs in advance using an asymmetric encryption algorithm: one pair is the root public key and root private key, and the other is the server public key and server private key. The server public key and server private key are used in the same way as in the prior art; the distinguishing feature is that the root private key is used to encrypt the server public key to obtain the pseudo server certificate. Furthermore, when the server public key is encrypted with the root private key, other information can be added and encrypted together with it, so that the generated pseudo server certificate carries more information; that is, more information is obtained once the pseudo server certificate is successfully decrypted, and this information has value according to what it expresses.
S103: judging whether the pseudo server certificate can be decrypted by a root public key built in the client side, if so, executing S105, otherwise, executing S104;
On the basis of S102, this step determines whether the received pseudo server certificate can be decrypted by the root public key embedded in the client in advance, and concludes from the result whether the server that sent the pseudo server certificate is legitimate.
The root public key is the counterpart of the root private key used to encrypt the server public key. To verify whether the server that sent the pseudo server certificate is the server that previously generated the root public key, the root public key is embedded in advance in the client that establishes the HTTPS connection with the server. It may be embedded directly in the program code, installed on the client as a required plug-in, and so on; the manner is not specifically limited here, as long as the client can use the root public key for decryption verification before this step is performed.
Furthermore, since the root public key may need to be replaced to maintain security, the root public key built into the client can be updated through a preset path, and the replacement information of the root public key is recorded at each update for later tracing.
S104: judging that the target server is illegal, and stopping information interaction with the target server;
This step applies when the result of S103 is that the pseudo server certificate cannot be decrypted by the root public key. This indicates that the key used to produce the pseudo server certificate is not the root private key corresponding to the root public key, which proves that the server that sent the pseudo server certificate is not the server the client really wants to access: had it been, the certificate could be decrypted successfully by a client holding the root public key.
Therefore, when the received pseudo server certificate cannot be decrypted, the server that sent it is judged to be an illegal server, and all subsequent information interaction with it is stopped to prevent further loss. The server may even be added to a blacklist, so that a result can be obtained from the blacklist before determining whether a pseudo server certificate sent by that server can be decrypted.
S105: and judging that the target server is legal, encrypting the data to be transmitted by using the server public key obtained after decryption, and sending the encrypted ciphertext to the target server.
This step applies when the result of S103 is that the pseudo server certificate can be decrypted by the root public key. This indicates that the key used to produce the pseudo server certificate is the root private key corresponding to the root public key. Since the root private key is stored only by the target server itself, successful decryption means that the server that sent the pseudo server certificate is the server the client really wants to access and connect to; in other words, it is a legitimate server.
Therefore, once the legitimacy of the server that responded to the access request has been determined, an HTTPS connection can be established with it to transmit encrypted data. The key used to encrypt the plaintext data is the server public key obtained by decrypting the pseudo server certificate, and the resulting ciphertext can only be decrypted by the server private key stored in the server itself.
In the server verification method provided by this embodiment, the verification result of the root certificate is not taken as the basis for judging whether the server is legal. Instead, the root public key generated by the server is built in advance into the client that exchanges data with a website's server over the HTTPS protocol. When the server responds to an access request sent by the client, it encrypts the server public key with the root private key corresponding to the root public key to obtain the pseudo server certificate, and whether the client can decrypt the pseudo server certificate with the built-in root public key determines whether the server that sent the certificate is the real target server. Because the root private key is stored only in the server after it is generated, its security is guaranteed, and the security of data transmission is improved.
Example two
Please refer to Fig. 2, a flowchart of another server verification method provided in an embodiment of the present application. On the basis of the first embodiment, this embodiment provides a method for further verifying whether the server public key is the true server public key, so that verification of the server's legitimacy is more comprehensive and the various unexpected tampering situations that arise in complex conditions are prevented. It includes the following steps:
S201: initiating an access request to a target server;
S202: receiving a pseudo server certificate generated after a target server encrypts a server public key by using a preset root private key;
S203: receiving a server signature generated after a target server signs an authentication character string by using a server private key;
In addition to S202, this embodiment also receives a server signature generated after the target server signs the authentication string with the server private key. That is, the target server uses the server private key it holds to sign a string, contained in the access request, that can be used for identity authentication (the authentication string used in the subsequent steps), so that the correctness of the server public key can be further verified with the generated server signature.
It should be noted that S202 and S203 are two relatively independent steps with no required order between them; they can be executed simultaneously if computing resources allow.
S204: judging whether the pseudo server certificate can be decrypted by a root public key built in the client, if so, executing S205, otherwise, executing S207;
S205: decrypting the server signature by using the server public key to obtain an actual authentication character string;
This step applies when the result of S204 is that the pseudo server certificate can be decrypted by the root public key built into the client. The client then holds the server public key decrypted from the pseudo server certificate, uses it to decrypt the server signature, and obtains the character string contained in it, which serves as the actual authentication string. The authentication string may be a random number generated by the client using a random algorithm, or a string for consistency comparison generated in the same or a similar manner; this is not specifically limited here.
S206: judging whether the actual authentication character string is consistent with the authentication character string in the access request, if so, executing S208, otherwise, executing S207;
On the basis of S205, this step determines whether the actual authentication string matches the authentication string that the client originally issued in the access request. If the two are consistent, the server that returned the pseudo server certificate and the server signature to the client is indeed the server that received the access request sent by the client, and the reliability of the server public key obtained by decryption is further verified.
S207: judging that the target server is illegal, and stopping information interaction with the target server;
This step is reached when S204 determines that the pseudo server certificate cannot be decrypted by the root public key built into the client, or when S206 determines that the actual authentication character string is inconsistent with the authentication character string in the access request. If it is reached through S204, the server that issued the pseudo server certificate is not a server recognized by the client holding the built-in root public key, or another server is intercepting the client's request to the true server and attempting to impersonate it; because such a server cannot produce a pseudo server certificate that the root public key can decrypt, it is judged to be illegal and no connection is established with it. If it is reached through S206, the server returning the data acquired the access request by counterfeit means and has the server private key and the root private key of the genuine server, but does not know the mechanism of the server signature; it is therefore determined to be an illegal server, that is, not the server with which the HTTPS connection is really intended to be established.
S208: and judging that the target server is legal, encrypting the data to be transmitted by using the server public key obtained after decryption, and sending the data to be transmitted to the target server in a ciphertext form.
This step is established on the basis that the determination result of S206 is that the actual authentication string is consistent with the authentication string in the access request, which indicates that the server returning the data not only possesses the server private key and the root private key of the real server, but also knows the server signature manner negotiated only between the client and the real server, so that the validity of the target server can be further determined through multiple determinations.
On the basis of the first embodiment, this embodiment further determines whether the server is the real server by adding a server signature generation method agreed through additional negotiation. It can thereby detect an illegal server that has obtained the access request sent by the client and possesses the server private key and the root private key of the real server, but does not know the server signature generation method. This further improves the reliability of the determination result, so that data can be encrypted and transmitted to the real server more safely.
In another embodiment different from the present embodiment, the server signature may also be encrypted by the root private key as part of the pseudo server certificate together with the server public key, and the same effect may also be achieved.
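The client-side decision flow of S204 to S208, as an added sketch that is not part of the patent text. It assumes a pseudo certificate body of tag, server modulus and SHA-256 digest (the patent specifies no format), so that "can be decrypted" becomes a concrete well-formedness check; the keys are constructed toy textbook-RSA keys built from fixed Mersenne primes, and all function and constant names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537
TAG = b"PSC1"                       # constructed format tag (assumption)
KEY_LEN = 32                        # bytes reserved for the server modulus
BODY_LEN = len(TAG) + KEY_LEN + 32  # tag | modulus | SHA-256(modulus)
NONCE_LEN = 16                      # authentication string: 128-bit random number


def make_key(p, q):
    """Toy textbook-RSA key from two known primes (constructed, not secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


ROOT = make_key(2**521 - 1, 2**607 - 1)        # ROOT["n"] is what the client embeds
SERVER = make_key(2**107 - 1, 2**127 - 1)      # server key pair
OTHER_ROOT = make_key(2**89 - 1, 2**1279 - 1)  # a root the client does not embed


def issue_pseudo_cert(root, server_n):
    """Server side: root-private-key operation over tag | modulus | digest."""
    key_bytes = server_n.to_bytes(KEY_LEN, "big")
    body = TAG + key_bytes + hashlib.sha256(key_bytes).digest()
    return pow(int.from_bytes(body, "big"), root["d"], root["n"])


def open_pseudo_cert(cert, root_n):
    """S204: recover the server modulus, or None if the result is not well formed."""
    if not 0 < cert < root_n:
        return None
    m = pow(cert, E, root_n)
    if m.bit_length() > BODY_LEN * 8:
        return None
    body = m.to_bytes(BODY_LEN, "big")
    tag, key_bytes, digest = body[:4], body[4:4 + KEY_LEN], body[4 + KEY_LEN:]
    expected = hashlib.sha256(key_bytes).digest()
    if tag != TAG or not hmac.compare_digest(digest, expected):
        return None
    return int.from_bytes(key_bytes, "big")


def sign_nonce(server, nonce):
    """Server side: sign the authentication string taken from the access request."""
    return pow(int.from_bytes(nonce, "big"), server["d"], server["n"])


def recover_nonce(sig, server_n):
    """S205: apply the recovered server public key to the server signature."""
    if not 0 <= sig < server_n:
        return None
    m = pow(sig, E, server_n)
    if m.bit_length() > NONCE_LEN * 8:
        return None
    return m.to_bytes(NONCE_LEN, "big")


def verify_server(nonce, cert, sig, root_n=ROOT["n"]):
    """Client side: S204 -> S205 -> S206, ending in S207 (reject) or S208 (accept)."""
    server_n = open_pseudo_cert(cert, root_n)
    if server_n is None:
        return "S207: pseudo certificate rejected"
    actual = recover_nonce(sig, server_n)
    if actual is None or not hmac.compare_digest(actual, nonce):
        return "S207: authentication string mismatch"
    return "S208: server accepted"


def demo():
    """Run four constructed exchanges and return the client's verdict for each."""
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh value sent in the access request
    cert = issue_pseudo_cert(ROOT, SERVER["n"])
    stale = secrets.token_bytes(NONCE_LEN)   # value from an earlier, recorded exchange
    return {
        "genuine": verify_server(nonce, cert, sign_nonce(SERVER, nonce)),
        "other_root": verify_server(
            nonce, issue_pseudo_cert(OTHER_ROOT, SERVER["n"]), sign_nonce(SERVER, nonce)),
        "stale_signature": verify_server(nonce, cert, sign_nonce(SERVER, stale)),
        "arbitrary_bytes": verify_server(nonce, secrets.randbelow(ROOT["n"] - 1) + 1, 1),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

With a raw RSA operation every input "decrypts" to some number, which is why the sketch accepts a certificate only when the recovered bytes carry the expected tag and digest. The stale-signature case shows what the S206 comparison adds: a previously valid certificate and signature are rejected once the authentication string is fresh for each request.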
Example three
Please refer to fig. 3, which is a flowchart of another server verification method provided in an embodiment of the present application. On the basis of the above embodiments, this embodiment provides a preferred validity verification method that combines the traditional validity verification method based on a root certificate with the validity verification method based on a preset root public key. It should be noted that, because the traditional validity verification method based on a root certificate has been proved to be unreliable, its verification result only serves as a precondition for starting the other verification method provided by the present application; that is, the determination still takes the result of the validity verification method based on a preset root public key provided by the present application as the reference. The method includes the following steps:
S301: initiating an access request to a target server;
S302: receiving a true server certificate issued by an authoritative certification authority by a target server;
S303: verifying the validity of the true server certificate by using a root certificate issued by an authoritative certification authority;
S302 and S303 are the conventional way of verifying the true server certificate returned by the server, based on a preset root certificate issued by an authoritative certification authority.
S304: receiving a pseudo server certificate generated after a target server encrypts a server public key by using a preset root private key;
This step is performed when S303 determines, by the conventional authentication manner, that the target server is a legitimate server, and is intended to carry out the subsequent authentication in the manner provided by the present application.
S305: judging whether the pseudo server certificate can be decrypted by a root public key built in the client side;
S306: judging that the target server is legal, encrypting the data to be transmitted by using the server public key obtained after decryption, and sending the data to be transmitted to the target server in a ciphertext form;
S307: judging that the target server is illegal, and stopping information interaction with the target server.
On the basis of the above embodiments, this embodiment screens out some illegal scenarios by applying the conventional verification method and the verification mechanism newly provided by the present application in sequence, and can also perform validity verification on servers for which no corresponding root public key is preset, so that the client has a wider application range and is not limited to validity verification of servers whose root public key is preset.
Because the situations are complicated and cannot all be enumerated, a person skilled in the art will recognize that many examples can be derived from the basic method principle provided by the present application in combination with practical situations, and these fall within the protection scope of the present application provided that no inventive work is involved.
Example four
Referring to fig. 4, fig. 4 is a block diagram of a server verification system according to an embodiment of the present disclosure, where the system may include:
an access request initiating unit 100, configured to initiate an access request to a target server;
a pseudo server certificate receiving unit 200, configured to receive a pseudo server certificate generated after a target server encrypts a server public key using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
a decryption success judgment unit 300 configured to judge whether the pseudo server certificate can be decrypted by a root public key built in the client;
a legitimacy determination and encryption transmission unit 400, configured to determine that the target server is legitimate when the pseudo server certificate can be successfully decrypted by the root public key, encrypt the data to be transmitted using the server public key obtained after decryption, and send the ciphertext obtained after encryption to the target server;
and an illegal determination and processing unit 500 for determining that the target server is illegal and stopping information interaction with the target server when the pseudo server certificate cannot be decrypted by the root public key.
Further, the server authentication system may further include:
the server signature receiving unit is used for receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, the server authentication system may further include:
the server signature decryption unit is used for decrypting the server signature by using the server public key to obtain an actual authentication character string before the data to be transmitted is encrypted by using the server public key obtained after decryption;
the authentication character string consistency judging unit is used for judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
a legitimacy determination first execution unit, configured to execute the step of encrypting data to be transmitted using the server public key obtained after decryption when the actual authentication string is consistent with the authentication string in the access request;
and an illegal determination first execution unit, configured to execute the steps of determining that the target server is illegal and stopping information interaction with the target server when the actual authentication character string is inconsistent with the authentication character string in the access request.
Further, the server authentication system may further include:
and the root public key updating and replacing information recording unit is used for updating the root public key arranged in the client through a preset path and recording the replacing information of the root public key during each updating.
Further, the server authentication system may further include:
a true server certificate receiving unit for receiving a true server certificate issued by an authoritative certification authority by a target server;
the certificate validity verifying unit is used for verifying the validity of the certificate of the true server by using a root certificate issued by an authoritative certification authority;
correspondingly, the server authentication system may further include:
the true certificate legality judging unit is used for judging whether the true server certificate is legal or not after the preset root public key successfully decrypts the pseudo server certificate and before the server public key obtained after decryption is used for encrypting the data to be transmitted;
and a legitimacy determination second execution unit, configured to execute the step of encrypting the data to be transmitted using the server public key obtained after decryption when the true server certificate is legitimate.
The system for verifying the server validity corresponds to the method for verifying the server validity, and the embodiment exists as a product embodiment corresponding to the method embodiment, has the same beneficial effects as the method embodiment, and is not repeated herein.
Example five
The above embodiments describe how to verify the validity of the server in a safer and more reliable manner. The present application further provides a physical hardware device corresponding to the method; the principles of this part correspond to the scheme above and are not described again here. The hardware composition of the device is described below. Please refer to fig. 5, which is a schematic structural diagram of a user terminal (a terminal device bearing the client function) provided in an embodiment of the present application:
The user terminal 600 includes a memory 610, a processor 620 and a bus 630, wherein the memory 610 stores a server authentication program operable on the processor 620, and the server authentication program is received by the processor 620 via the bus 630 and executed to implement the steps for authenticating the server validity as described in the above embodiments.
The memory 610 includes at least one type of readable storage medium, which includes flash memory, hard disk, multimedia card, card type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, and the like. The memory 610 may in some embodiments be an internal storage unit of the user terminal 600, such as a hard disk of the user terminal 600. The memory 610 may also be an external storage device of the user terminal 600 in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. provided on the user terminal 600. Further, the memory 610 may also be simultaneously composed of an internal storage unit and an external storage device. Further, the memory 610 may be used not only to store various application software and various types of data installed in the user terminal 600, but also to temporarily store data that has been output or will be output.
Processor 620, which in some embodiments may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor or other data Processing chip, operates on program code or processes data stored in memory 610, such as executing a server authentication program or the like.
The bus 630 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one bi-directional hollow indicator line is shown in FIG. 5, but does not indicate only one bus or one type of bus.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method provided in the embodiments of the present application. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that the above-mentioned numbers of the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A server authentication method, characterized in that the server authentication method comprises:
initiating an access request to a target server;
receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
judging whether the pseudo server certificate can be decrypted by a root public key built in a client;
if the pseudo server certificate can be decrypted by the root public key, judging that the target server is legal, encrypting data to be transmitted by using the decrypted server public key, and sending an encrypted ciphertext to the target server;
and if the pseudo server certificate cannot be decrypted by the root public key, judging that the target server is illegal, and stopping information interaction with the target server.
2. The server authentication method according to claim 1, further comprising:
receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, before encrypting the data to be transmitted by using the server public key obtained after decryption, the method further comprises the following steps:
decrypting the server signature by using the server public key obtained after decryption to obtain an actual authentication character string;
judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
if they are consistent, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption;
and if they are inconsistent, judging that the target server is illegal, and stopping information interaction with the target server.
3. The server authentication method according to claim 2, wherein the authentication string is specifically a random number generated using a random algorithm.
4. The server authentication method according to claim 1, further comprising:
and updating the root public key built in the client through a preset path, and recording the replacement information of the root public key during each updating.
5. The server authentication method according to any one of claims 1 to 4, further comprising:
receiving a true server certificate issued by an authoritative certification authority by the target server;
verifying the validity of the genuine server certificate using a root certificate issued by the authoritative certification authority;
correspondingly, after the preset root public key successfully decrypts the pseudo server certificate and before the server public key obtained after decryption is used to encrypt the data to be transmitted, the method further includes:
judging whether the real server certificate is legal or not;
and if the true server certificate is legal, the step of encrypting the data to be transmitted by using the server public key obtained after decryption is executed.
6. A server authentication system, characterized in that the server authentication system comprises:
an access request initiating unit, configured to initiate an access request to a target server;
the pseudo server certificate receiving unit is used for receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
a decryption success judgment unit configured to judge whether the pseudo server certificate can be decrypted by a root public key built in the client;
the legal judging and encrypting transmission unit is used for judging that the target server is legal when the pseudo server certificate can be successfully decrypted by the root public key, encrypting the data to be transmitted by using the decrypted server public key and sending the encrypted ciphertext to the target server;
and the illegal judging and processing unit is used for judging that the target server is illegal and stopping information interaction with the target server when the pseudo server certificate cannot be decrypted by the root public key.
7. A user terminal comprising a memory, a processor and a bus, the memory having stored thereon a server authentication program executable on the processor, the server authentication program being transmitted to the processor over the bus and when executed by the processor performing the steps of:
initiating an access request to a target server;
receiving a pseudo server certificate generated after the target server encrypts a server public key by using a preset root private key; the root private key and the root public key are a pair of asymmetric keys generated by the target server in advance;
judging whether the pseudo server certificate can be decrypted by a root public key built in a client;
if the pseudo server certificate can be successfully decrypted by the root public key, judging that the target server is legal, encrypting data to be transmitted by using the decrypted server public key, and sending an encrypted ciphertext to the target server;
and if the pseudo server certificate cannot be decrypted by the root public key, judging that the target server is illegal, and stopping information interaction with the target server.
8. The user terminal of claim 7, wherein the server authentication program, when executed by the processor, further implements:
receiving a server signature generated after the target server signs the authentication character string by using a server private key; wherein the authentication string is included in the access request;
correspondingly, before encrypting the data to be transmitted by using the server public key obtained after decryption, the method further comprises the following steps:
decrypting the server signature by using the server public key obtained after decryption to obtain an actual authentication character string;
judging whether the actual authentication character string is consistent with the authentication character string in the access request or not;
if they are consistent, executing the step of encrypting the data to be transmitted by using the server public key obtained after decryption;
and if they are inconsistent, judging that the target server is illegal, and stopping information interaction with the target server.
9. The user terminal according to claim 7 or 8, wherein the server authentication program, when executed by the processor, further implements:
receiving a true server certificate issued by an authoritative certification authority by the target server;
verifying the validity of the genuine server certificate using a root certificate issued by the authoritative certification authority;
correspondingly, after the preset root public key successfully decrypts the pseudo server certificate and before the server public key obtained after decryption is used to encrypt the data to be transmitted, the method further includes:
judging whether the real server certificate is legal or not;
and if the true server certificate is legal, the step of encrypting the data to be transmitted by using the server public key obtained after decryption is executed.
10. A computer-readable storage medium having stored thereon a server authentication program executable by one or more processors to implement the server authentication method of any one of claims 1 to 5.
CN201910217655.7A 2019-03-21 2019-03-21 Server verification method, system, user terminal and readable storage medium Active CN109831311B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910217655.7A CN109831311B (en) 2019-03-21 2019-03-21 Server verification method, system, user terminal and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910217655.7A CN109831311B (en) 2019-03-21 2019-03-21 Server verification method, system, user terminal and readable storage medium

Publications (2)

Publication Number Publication Date
CN109831311A CN109831311A (en) 2019-05-31
CN109831311B true CN109831311B (en) 2022-04-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant