CN109995533A - A kind of digital certificate management method on basis - Google Patents
- Publication number: CN109995533A (application CN201711470908.9A)
- Authority: CN (China)
- Prior art keywords: digital certificate, client, management server, application system, management
- Legal status: Pending
Classifications (H04L, transmission of digital information)
- H04L63/0823: Network architectures or protocols for network security, authentication of entities using certificates
- H04L63/0892: Network architectures or protocols for network security, authentication of entities using authentication-authorization-accounting [AAA] servers or protocols
- H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user, involving digital signatures
- H04L9/3263: Cryptographic mechanisms including means for verifying the identity or authority of a user, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention describes a digital certificate management method in which a management server authenticates the digital certificate of a client, so that a client that passes certificate authentication can access an application system. A client that needs to log in to an application system first logs in to the management server, which uses the digital certificate corresponding to that application system, a digital signature and a digest to authenticate the client and decide whether it is allowed to access the application system.
Description
Technical field
The present invention relates to identity authentication technology, and more specifically to a digital certificate management method.
Technical background
With the rapid development of network technology, individuals and enterprises are moving more and more of their business activity onto the network, so the security of the network has become ever more crucial. According to statistics, the economic loss caused worldwide by the fragility of information systems reaches billions of yuan every year and keeps growing year by year. Encryption technologies such as digital certificates, PKI, symmetric cryptographic algorithms, digital signatures and digital envelopes can be used to build an identity authentication system with a high degree of security and to ensure that online information is exchanged effectively and safely. Meanwhile, the state has legislated on CA digital certificates and the construction of PKI systems, the related applications have matured, and certificate centers have been established all over the country, providing standard digital certificate programming interfaces.
In the prior art, digital certificate authentication systems based on the RADIUS protocol are commonly used. RADIUS is currently one of the most widely used authentication and accounting protocols; it is simple, secure, easy to manage and extensible, and is therefore widely deployed. However, defects of the protocol itself, such as UDP-based transport, a simplistic packet-loss mechanism, no provisions for retransmission or centralized accounting services, support only for the unreliable UDP transport protocol, and attributes defined with only 8-bit identifiers, make it less suited to the development of today's networks and in need of further improvement.
The appearance of the new-generation AAA protocol, Diameter, makes a new digital certificate management system and method possible.
Summary of the invention
The object of the present invention is to provide a digital certificate management method.
According to one aspect of the present invention, a digital certificate management method is provided in which a management server authenticates the digital certificate of a client so that a client that passes certificate authentication can access an application system. The method comprises: when a client needs to log in to an application system, it first starts the client dial-up program, logs in to the management server with the client's user name on that management server, and selects the digital certificate corresponding to the application system; it computes a digital signature over the selected digital certificate; it computes a digest of that digital signature; it supplies the digital certificate, digital signature and digest to the management server and waits for the management server to respond. The management server receives the request to log in to the management server and parses the user name; according to the user name, it compares the supplied digital certificate with a predetermined digital certificate and, if the two agree, proceeds to the next step, otherwise it refuses the client corresponding to that user name permission to log in to the application system; according to the user name, it compares the supplied digest with a predetermined digest and, if the two agree, proceeds to the next step, otherwise it refuses the client corresponding to that user name permission to log in to the application system; according to the user name, it compares the supplied digital signature with a predetermined digital signature and, if the two agree, proceeds to the next step, otherwise it refuses the client corresponding to that user name permission to log in to the application system; finally it notifies the application system that the client corresponding to that user name is allowed to log in to the application system.
According to one embodiment, if the client is allowed to log in to the application system, it continues to send accounting requests to the management server, which performs the accounting and generates accounting statistics after the client has finished accessing the application system.
According to one embodiment, the management server performs accounting using the Diameter/RADIUS protocol.
According to one embodiment, a management computer controls the management server to manage the data stored in the management server. For example, managing the data stored in the management server includes: core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.
Detailed description of the invention
The above and other features, properties and advantages of the present invention will become more apparent from the following description of the embodiments with reference to the accompanying drawings, in which identical reference numerals always denote identical features, and in which:
Fig. 1 is a flow chart of the digital certificate management method according to an embodiment of the present invention;
Fig. 2 is a structural diagram of the digital certificate management system according to an embodiment of the present invention;
Fig. 3A to Fig. 3H show a specific implementation according to the present invention, including the operational relationships between the software modules.
Specific embodiment
The traditional RADIUS protocol and the new Diameter protocol are introduced first. RADIUS is one of the most widely used authentication and accounting protocols; it is simple, secure, easy to manage and extensible, and is therefore widely deployed. However, defects of the protocol itself, such as UDP-based transport, a simplistic packet-loss mechanism, and no provisions for retransmission or centralized accounting services, make it less suited to the development of today's networks and in need of further improvement.
With the introduction of new access technologies (such as wireless access, DSL, mobile IP and Ethernet) and the rapid expansion of access networks, increasingly complex routers and access servers have been put into service in large numbers, placing new requirements on AAA protocols and making the shortcomings of the traditional RADIUS architecture ever more apparent. At present, 3G networks are gradually evolving towards all-IP networks: not only does the core network use IP-capable network entities, but IP-based technology is also used in the access network, and the mobile terminal itself becomes an IP client that can be activated. The R6 release of WCDMA, for instance, added the following features: UTRAN and CN transport enhancements; radio interface enhancements; multimedia broadcast and multicast (MBMS); digital rights management (DRM); WLAN-UMTS interworking; priority services; the generic user profile (GUP); network sharing; and interworking between different networks. In such networks mobile IP will be widely used. A terminal supporting mobile IP can move within the home network where it is registered, or roam into the network of another operator. When the terminal attaches to the network and uses the services the operator offers, a strict AAA process is required: the AAA server authenticates the mobile terminal, authorizes the services the user is allowed to use, and collects the user's resource usage in order to generate charging information. This requires the new generation of AAA protocol, Diameter. In addition, in the IEEE draft proposal for the 802.16e wireless local area network protocol, an authentication and authorization server (ASA Server) is also included in the network reference model to support handover of mobile terminals between base stations. It can be seen that the AAA server occupies a very important position in future mobile communication systems.
After discussion, the AAA working group of the IETF agreed to adopt Diameter as the next-generation AAA protocol standard. The Diameter protocol (the name meaning "diameter", implying that Diameter is the upgraded version of the RADIUS protocol) includes the base protocol, the NAS (network access service) application, the EAP (extensible authentication) application, the MIP (mobile IP) application, the CMS (cryptographic message syntax) application, and so on. Diameter supports mobile IP, NAS requests and authentication, authorization and accounting for mobile agents. Its implementation is similar to RADIUS and uses AVPs, attribute-value pairs (in attribute-length-value triple form), but it specifies error handling and failover mechanisms in much more detail, supports distributed accounting, and uses the TCP protocol, overcoming many disadvantages of RADIUS; it is the AAA protocol best suited to future mobile communication systems.
Compared with RADIUS, Diameter can be said to have many technical advantages. As its name suggests, RADIUS (Remote Authentication Dial-In User Service) was initially developed for dial-up access authentication; Diameter was designed to provide powerful access control functions and to overcome many of the intrinsic defects of the original RADIUS. For example, RADIUS only supports the unreliable UDP transport protocol, whereas Diameter supports reliable transport with TCP and the Stream Control Transmission Protocol (SCTP), and is therefore more widely applicable. Moreover, RADIUS attributes are defined with 8-bit identifiers, while Diameter uses 32-bit codes and can therefore support up to 4 billion attributes.
Diameter is an extension of the RADIUS protocol. It mainly provides a basic framework for authentication, authorization and accounting in concrete applications such as network access and mobile IP, and can be used for authentication, authorization and accounting under both local and roaming conditions. Diameter has been adopted as the candidate protocol for authentication, authorization and accounting in the IMS system being prepared by 3GPP, but because mobile IP and IMS are currently only tested or applied within a limited scope and are not yet widely deployed, Diameter is likewise not yet used on a large scale. Compared with RADIUS, when Diameter is in use it needs, besides the clients and servers that RADIUS uses, proxy agents, redirect agents, translation agents, relays, Diameter nodes and so on to implement functions such as user roaming authentication. Diameter needs to cooperate with other protocols in use.
The address space supported by the current Internet protocol, IPv4, is extremely limited, while the number of mobile subscribers worldwide continues to grow rapidly and has reached such a huge scale that it puts heavy pressure on the use of the currently deployed IPv4 in the all-IP networks of future mobile communications. To solve the serious shortage of addresses, a new version of the IP protocol, IPv6, has been proposed. The 128-bit addresses of IPv6 can support 3.4 × 10^38 addresses, leaving IPv4 far behind. Since the billions of devices and users worldwide each require their own IP address, this huge addressing capacity will be a key factor in realizing "always online" communication. Although people's attention is mainly focused on the addressability of IPv6, it also has many other important advantages, such as improved and simplified routing. IPv6 also introduces a new level of security and improvements for mobile services, including support for networks based on WCDMA technology, which will become increasingly important as populous countries such as China adopt 3G. Therefore the AAA protocol in future mobile communication networks must be a protocol supporting distributed processing based on Mobile IPv6. However, there are still many problems that the industry needs to consider and solve. IPv4 may be a mature protocol that is becoming obsolete, but it can still make a significant contribution and may coexist and interwork with IPv6 for some time to come. Diameter, as an AAA protocol aimed at future networks while remaining compatible with current networks, provides support for both versions of MIP (at present, mainly support for MIPv4).
The present invention provides a digital certificate management method based on the new Diameter protocol, while also taking the RADIUS protocol into account.
With reference to Fig. 1, the present invention provides a digital certificate management method 100, in which a management server authenticates the digital certificate of a client so that a client that passes certificate authentication can access an application system. The method comprises:
102. When a client needs to log in to an application system, it first starts the client dial-up program, logs in to the management server using the client's user name on the management server, and selects the digital certificate corresponding to the application system;
104. A digital signature is computed over the selected digital certificate;
106. A digest is computed of the digital signature;
108. The digital certificate, digital signature and digest are supplied to the management server, and the client waits for the management server to respond;
110. The management server receives the request to log in to the management server and parses the user name;
112. According to the user name, the supplied digital certificate is compared with a predetermined digital certificate; if the two agree, proceed to the next step, otherwise the client corresponding to the user name is refused permission to log in to the application system;
114. According to the user name, the supplied digest is compared with a predetermined digest; if the two agree, proceed to the next step, otherwise the client corresponding to the user name is refused permission to log in to the application system;
116. According to the user name, the supplied digital signature is compared with a predetermined digital signature; if the two agree, proceed to the next step, otherwise the client corresponding to the user name is refused permission to log in to the application system;
118. The application system is notified that the client corresponding to the user name is allowed to log in to the application system.
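The login exchange of steps 102 to 118 (and of claim 1), as an added example that is not part of the patent or of any product of its applicant: the client packs the user name, certificate, signature and digest into Diameter-style AVPs (32-bit code, 8-bit flags, 24-bit length and 4-octet padding, as the Diameter base protocol defines them), and the management server parses them and runs the three comparisons in the stated order against the values pre-registered for that user name. The AVP codes other than User-Name (code 1), the HMAC used as a stand-in for the unspecified certificate signature scheme, and the sample certificate and key bytes are assumptions of this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Diameter AVP codes. User-Name = 1 is defined by the Diameter base protocol;
# the other three are hypothetical codes assumed for this illustration and are
# not taken from the patent.
AVP_USER_NAME = 1
AVP_CERTIFICATE = 9001
AVP_SIGNATURE = 9002
AVP_DIGEST = 9003
FLAG_MANDATORY = 0x40   # 'M' bit of the AVP flags octet
FLAG_VENDOR = 0x80      # 'V' bit: a Vendor-Id field would follow the header

# Constructed sample inputs (not a real certificate or key).
SAMPLE_CERT = b"constructed-sample-certificate-for-alice"
SAMPLE_KEY = b"constructed-client-signing-key"


def encode_avp(code: int, data: bytes) -> bytes:
    """Encode one AVP: 32-bit code, 8-bit flags, 24-bit length covering header
    plus data (not padding), then the data padded to a 4-octet boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, FLAG_MANDATORY) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf: bytes) -> Dict[int, bytes]:
    """Parse a run of AVPs into {code: data}; truncated or vendor-specific AVPs
    are rejected rather than read past the buffer."""
    avps: Dict[int, bytes] = {}
    off = 0
    while off + 8 <= len(buf):
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if flags & FLAG_VENDOR:
            raise ValueError("vendor-specific AVPs are not handled here")
        if length < 8 or off + length > len(buf):
            raise ValueError("malformed AVP length")
        avps[code] = buf[off + 8:off + length]
        off += length + ((-length) % 4)
    return avps


def sign_certificate(certificate: bytes, signing_key: bytes) -> bytes:
    """Stand-in for the 'digital signature over the certificate' of step 104:
    an HMAC-SHA256 keyed by the client (assumption; the patent does not name
    a signature scheme)."""
    return hmac.new(signing_key, certificate, hashlib.sha256).digest()


def register_user(certificate: bytes, signing_key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Build the predetermined record the management server keeps per user name:
    (certificate, digest of the signature, signature)."""
    signature = sign_certificate(certificate, signing_key)
    return certificate, hashlib.sha256(signature).digest(), signature


def client_login_request(username: str, certificate: bytes, signing_key: bytes) -> bytes:
    """Steps 102-108: select the certificate, sign it, digest the signature and
    send all three together with the user name as AVPs."""
    signature = sign_certificate(certificate, signing_key)
    digest = hashlib.sha256(signature).digest()
    return (encode_avp(AVP_USER_NAME, username.encode("utf-8"))
            + encode_avp(AVP_CERTIFICATE, certificate)
            + encode_avp(AVP_SIGNATURE, signature)
            + encode_avp(AVP_DIGEST, digest))


def management_server_check(request: bytes,
                            registry: Dict[str, Tuple[bytes, bytes, bytes]]) -> Tuple[bool, str]:
    """Steps 110-118: parse the user name, then compare certificate, digest and
    signature, in that order, with the registered values; the first mismatch
    refuses the login. Comparisons are constant-time."""
    avps = decode_avps(request)
    username = avps.get(AVP_USER_NAME, b"").decode("utf-8", errors="replace")
    record = registry.get(username)
    if record is None:
        return False, "unknown user"
    exp_cert, exp_digest, exp_sig = record
    for name, code, expected in (("certificate", AVP_CERTIFICATE, exp_cert),
                                 ("digest", AVP_DIGEST, exp_digest),
                                 ("signature", AVP_SIGNATURE, exp_sig)):
        supplied = avps.get(code)
        if supplied is None or not hmac.compare_digest(supplied, expected):
            return False, f"{name} mismatch"
    return True, "login permitted"


if __name__ == "__main__":
    registry = {"alice": register_user(SAMPLE_CERT, SAMPLE_KEY)}
    print(management_server_check(client_login_request("alice", SAMPLE_CERT, SAMPLE_KEY), registry))
    print(management_server_check(client_login_request("alice", SAMPLE_CERT, b"wrong-key"), registry))
```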
Continuing to refer to Fig. 1, in the embodiment shown in Fig. 1 the method 100 further includes:
120. If the client is allowed to log in to the application system, it continues to send accounting requests to the management server, which performs the accounting and generates accounting statistics after the client has finished accessing the application system. The management server performs accounting using the Diameter/RADIUS protocol.
In addition, according to the embodiment 100 of Fig. 1, the method further includes:
122. A management computer controls the management server to manage the data stored in the management server. Managing the data stored in the management server includes: core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.
With reference to Fig. 2, the present invention also provides a digital certificate management system 200, comprising:
a data communication network 202;
an application system 204 connected to the data communication network 202;
a client 206 connected to the data communication network 202. When the client is to log in to the application system 204 via the data communication network 202, it first starts the client dial-up program, issues a login request to a management server 208 using the client's user name on that management server, and selects the digital certificate corresponding to the application system; computes a digital signature over the selected digital certificate; computes a digest of the digital signature; and supplies the digital certificate, digital signature and digest to the management server via the data communication network and waits for the management server to respond;
the management server 208, based on Diameter/RADIUS, is a 3A (AAA) server. It provides remote users with certificate authentication for access and IP address authorization after authentication; accounting functions for user login and logout; and management functions for all users, IP addresses, groups and clients of the authentication service. After a user passes the certificate authentication of the RADIUS/DIAMETER authentication server, it is assigned an intranet IP address together with designated DNS and gateway addresses, and can access the corresponding application server according to its permissions in the respective application system.
The subprograms of the management server include a core interface call module, a user operation module, an administrative region management module, a client operation module, a group operation module, an address pool operation module, a log operation module, a statistics operation module, a certificate operation module, a card number operation module, a domain name operation module, a report management module, and a global settings module.
The core interface call module declares each interface function of the core library LgetKnlV2.dll.
The user operation module implements operations on users, such as adding, editing and deleting users.
The administrative region management module implements adding, editing and deleting cities, districts (counties), units and departments.
The client operation module implements operations on clients, such as adding, editing and deleting clients.
The group operation module implements operations on groups, such as adding, editing and deleting groups.
The address pool operation module implements operations on address pools, such as adding, editing and deleting address pools.
The log operation module implements operations on logs, such as viewing and deleting logs.
The statistics operation module implements operations on statistical information, such as viewing statistics.
The certificate operation module implements certificate operations, such as issuing certificates.
The card number operation module implements card number operations, such as generating card numbers.
The domain name operation module implements domain name operations, such as generating domain names.
The report operation module implements report operations, such as generating reports.
The global settings module implements access to the parameters required by the administration interface when in use.
The relationships between the modules are illustrated in Fig. 3F.
By means of the technical solution of the present invention, a new digital certificate management system and management method based on Diameter are provided, offering secure and effective digital certificate authentication and management.
The above embodiments are provided so that those skilled in the art can implement or use the present invention, and those skilled in the art may make various modifications or variations to the above embodiments without departing from the inventive concept of the present invention; therefore the scope of protection of the present invention is not limited by the above embodiments, but should be the widest scope consistent with the inventive features mentioned in the claims.
Claims (5)
1. A digital certificate management method, in which a management server authenticates the digital certificate of a client so that a client that passes digital certificate authentication can access an application system, characterized by comprising:
a client that needs to log in to an application system first starts the client dial-up program, logs in to the authentication/management server using the client's user name on the authentication/management server, and selects the digital certificate corresponding to the application system;
a digital signature is computed over the selected digital certificate;
a digest is computed of the digital signature;
the digital certificate, digital signature and digest are supplied to the authentication/management server, and the client waits for the management server to respond;
the management server receives the request to log in to the authentication/management server and parses the user name;
according to the user name, the supplied digital certificate is compared with a predetermined digital certificate; if the two agree, the next step is entered, and if the two do not agree, the client corresponding to the user name is refused permission to log in to the application system;
according to the user name, the supplied digest is compared with a predetermined digest; if the two agree, the next step is entered, and if the two do not agree, the client corresponding to the user name is refused permission to log in to the application system;
according to the user name, the supplied digital signature is compared with a predetermined digital signature; if the two agree, the next step is entered, and if the two do not agree, the client corresponding to the user name is refused permission to log in to the application system; the application system is notified that the client corresponding to the user name is allowed to log in to the application system.
2. The digital certificate management method as described in claim 1, characterized in that if the client is allowed to log in to the application system, it continues to send accounting requests to the management server, the management server performs the accounting, and the management server generates accounting statistics after the client has finished accessing the application system.
3. The digital certificate management method as claimed in claim 2, characterized in that the management server performs accounting using the Diameter/RADIUS protocol.
4. The digital certificate management method as claimed in claim 3, characterized in that a management computer controls the authentication/management server to manage the data stored in the authentication/management server.
5. The digital certificate management method as claimed in claim 4, characterized in that managing the data stored in the authentication/management server includes:
core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.
Priority Application (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711470908.9A | 2017-12-29 | 2017-12-29 | A kind of digital certificate management method on basis |
Publication (1)
Publication Number | Publication Date |
---|---|
CN109995533A | 2019-07-09 |
Family ID: 67108438 (one family application, CN201711470908.9A, status Pending; country status: CN)
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111342960A (en) * | 2020-02-24 | 2020-06-26 | 洪心科技(广州)有限公司 | Management method and device of digital certificate |
- 2017-12-29: application CN201711470908.9A filed in CN (publication CN109995533A), status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190709 |