CN109995533A - A kind of digital certificate management method on basis - Google Patents


Info

Publication number
CN109995533A
Authority
CN
China
Prior art keywords
digital certificate
client
management server
application system
management
Prior art date
Legal status
Pending
Application number
CN201711470908.9A
Other languages
Chinese (zh)
Inventor
吴文斌
Current Assignee
Guangzhou Weiyan Technology Co ltd
Original Assignee
Guangzhou Weiyan Technology Co ltd
Priority date
2017-12-29
Filing date
2017-12-29
Publication date
2019-07-09
Application filed by Guangzhou Weiyan Technology Co ltd
Priority to CN201711470908.9A
Publication of CN109995533A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention describes a basic digital certificate management method in which a management server verifies a client's digital certificate, so that a client that passes digital certificate authentication can access an application system. The method comprises: a client that needs to log in to an application system first logs in to the management server, which uses the digital certificate corresponding to the application system, the digital signature and the digest to verify whether the client is allowed to access the application system.

Description

A kind of digital certificate management method on basis
Technical field
The present invention relates to identity authentication technology, and more specifically to a basic digital certificate management method.
Technical background
With the rapid development of network technology, individuals and enterprises are moving more and more of their business activities onto the network, so network security has become ever more crucial and important. According to statistics, the economic losses caused worldwide by the fragility of information systems reach billions of yuan every year and are increasing year by year. Encryption technologies such as digital certificates, PKI, symmetric cryptographic algorithms, digital signatures and digital envelopes can be used to build a highly secure identity authentication system that ensures online information is handled effectively and safely. At the same time, the country has legislated on CA digital certificates and the construction of PKI systems, related applications have matured, and certificate centres have been established throughout the country that provide standard digital certificate programming interfaces.
In the prior art, the digital certificate authentication system most commonly used is based on the Radius protocol. RADIUS is currently one of the most widely used authentication and accounting protocols; it is simple, secure, easy to manage and highly extensible, and is therefore widely deployed. However, defects in the protocol itself, such as UDP-based transport, a simple packet-drop mechanism, no provision for retransmission or centralised accounting services, support only for the unreliable UDP transport protocol, and attributes identified by only 8-bit identifiers, make it less suited to the development of current networks, and it needs further improvement.
The appearance of the new-generation AAA protocol, Diameter, makes a new digital certificate management system and method possible.
Summary of the invention
The object of the present invention is to provide a basic digital certificate management method.
According to one aspect of the present invention, a digital certificate management method is provided in which a management server verifies a client's digital certificate so that a client that passes digital certificate authentication can access an application system. The method comprises: when a client needs to log in to an application system, it first starts the client dial-up program, logs in to the management server using the client's user name on that server, and selects the digital certificate corresponding to the application system; computes a digital signature over the selected digital certificate; computes a digest of that digital signature; supplies the digital certificate, digital signature and digest to the management server and waits for its response. The management server receives the request to log in to the management server and parses the user name; according to the user name, compares the provided digital certificate with a predetermined digital certificate, and if the two agree proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system; according to the user name, compares the provided digest with a predetermined digest, and if the two agree proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system; according to the user name, compares the provided digital signature with a predetermined digital signature, and if the two agree proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system; and notifies the application system that the client corresponding to that user name is permitted to log in to the application system.
According to an embodiment, if the client is permitted to log in to the application system, it continues by sending an accounting request to the management server; accounting is performed by the management server, which generates accounting statistics after the client has finished accessing the application system.
According to an embodiment, the management server performs accounting using the Diameter/Radius protocol.
According to an embodiment, a management computer controls the management server to manage the data stored in the management server. For example, managing the data stored in the management server includes: core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.
Description of the drawings
The above and other features, properties and advantages of the present invention will become more apparent from the following description of embodiments with reference to the accompanying drawings, in which identical reference numerals always denote identical features, and in which:
Fig. 1 is a flow chart of the digital certificate management method according to an embodiment of the present invention;
Fig. 2 is a structural diagram of the digital certificate management system according to an embodiment of the present invention;
Fig. 3A to Fig. 3H show a specific implementation according to the present invention, namely the operational relationships among the software modules.
Specific embodiment
The traditional Radius protocol and the new Diameter protocol are introduced first. Radius is one of the most widely used authentication and accounting protocols; it is simple, secure, easy to manage and highly extensible, and is therefore widely deployed. However, defects in the protocol itself, such as UDP-based transport, a simple packet-drop mechanism, and no provision for retransmission or centralised accounting services, make it less suited to the development of current networks, and it needs further improvement.
With the introduction of new access technologies (such as wireless access, DSL, mobile IP and Ethernet) and the rapid expansion of access networks, increasingly complex routers and access servers are being put into service in large numbers, placing new requirements on AAA protocols and making the shortcomings of the traditional Radius architecture increasingly apparent. At present, 3G networks are gradually evolving towards all-IP networks: not only does the core network use IP-capable network entities, IP-based technology is also used in the access network, and the mobile terminal can itself become an active IP client. The planned WCDMA R6 release adds the following features: UTRAN and CN transport enhancements; radio interface enhancements; Multimedia Broadcast and Multicast (MBMS); Digital Rights Management (DRM); WLAN-UMTS interworking; priority services; Generic User Profile (GUP); network sharing; and interworking between different networks. In such networks mobile IP will be widely used. A terminal supporting mobile IP can move within the home network where it is registered, or roam into another operator's network. When a terminal attaches to a network and uses the services an operator provides, a strict AAA process is required: the AAA server authenticates the mobile terminal, authorises the services the user may use, and collects the user's resource usage in order to generate charging information. This calls for the new-generation AAA protocol, Diameter. In addition, the draft proposal for the IEEE 802.16e wireless local area network protocol includes an authentication and authorization server (ASA Server) in the network reference model to support handover of mobile terminals between base stations. It can be seen that the AAA server occupies a very important position in future mobile communication systems.
After discussion, the AAA working group of the IETF agreed to adopt Diameter as the next-generation AAA protocol standard. The Diameter protocol (Diameter meaning "diameter" as opposed to "radius", implying that it is an upgraded version of the Radius protocol) comprises the base protocol, the NAS (network access service) application, the EAP (Extensible Authentication Protocol) application, the MIP (mobile IP) application, the CMS (Cryptographic Message Syntax) application, and so on. Diameter supports mobile IP, NAS requests and the authentication, authorization and accounting of mobile agents. Its implementation is similar to RADIUS and it also uses attribute-value pairs (AVPs, in Attribute-Length-Value triple form), but it specifies error handling and failover mechanisms in more detail, supports distributed accounting, and uses the TCP protocol, overcoming many of Radius's shortcomings; it is the AAA protocol best suited to future mobile communication systems.
Compared with Radius, Diameter can be said to have many technical advantages. As its name suggests, Radius (Remote Authentication Dial-In User Service) was originally developed for dial-up access authentication, whereas Diameter was designed to provide powerful access control functions and to overcome many of the inherent defects of the original Radius. For example, Radius supports only the unreliable UDP transport protocol, while Diameter supports reliable transport over formal TCP and the Stream Control Transmission Protocol (SCTP), and so has a wider range of applications. Moreover, Radius attributes are identified with 8-bit identifiers, whereas Diameter uses 32-bit codes and can therefore support up to 4 billion attributes.
Diameter is an extension of the Radius protocol. It mainly provides a basic framework for authentication, authorization and accounting in specific applications such as network access and mobile IP, and it can be used for authentication, authorization and accounting under both local and roaming conditions. Diameter is the candidate protocol for authentication, authorization and accounting in the IMS system being prepared by 3GPP, but since mobile IP and IMS are currently only being tested or applied within a limited scope and have not yet been widely deployed, Diameter has likewise not yet been applied on a large scale. Compared with the Radius protocol, Diameter in use requires, in addition to the client and server used by Radius, network nodes such as proxy agents, redirect agents, translation agents, relays and Diameter nodes to implement functions such as user roaming authentication. Diameter needs to cooperate with other protocols in use.
The address space supported by the current Internet protocol, IPv4, is extremely limited, while the number of mobile subscribers worldwide keeps growing at high speed and has reached such a huge scale that the IP protocol currently in use, IPv4, comes under heavy pressure when applied to the future all-IP mobile communication network. To solve the problem of a severe shortage of addresses, a new version of the IP protocol, IPv6, was proposed. IPv6 supports 128-bit addresses, about 3.4 × 10^38 of them, leaving IPv4 far behind. Since billions of devices and users around the world each require their own IP address, this enormous addressing capacity will be the key factor in realising "always on" communication. Although people are mainly concerned with the addressability of IPv6, it also has many other important advantages, such as improved and simplified routing. IPv6 also introduces new security levels and improvements for mobile services, including support for networks based on WCDMA technology, which will become increasingly important as populous countries such as China adopt 3G. Therefore the AAA protocol in future mobile communication networks must be a protocol supporting distributed processing based on mobile IPv6. However, there are still many problems the industry needs to consider and solve. IPv4 may be a mature protocol that is becoming obsolete, but it can still make significant contributions and may coexist and interwork with IPv6 for some time to come. Diameter, as an AAA protocol designed for future networks while remaining compatible with current ones, provides support for both versions of MIP (at present mainly support for MIPv4).
The present invention provides a digital certificate management method based on the new Diameter protocol, while also taking the use of the Radius protocol into account.
With reference to Fig. 1, the present invention provides a digital certificate management method 100 in which a management server verifies a client's digital certificate so that a client that passes digital certificate authentication can access an application system. The method comprises:
102. A client needs to log in to an application system; it first starts the client dial-up program, logs in to the management server using the client's user name on the management server, and selects the digital certificate corresponding to the application system;
104. Computes a digital signature over the selected digital certificate;
106. Computes a digest of the digital signature;
108. Supplies the digital certificate, digital signature and digest to the management server and waits for the management server to respond;
110. The management server receives the request to log in to the management server and parses the user name;
112. According to the user name, compares the provided digital certificate with a predetermined digital certificate; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system;
114. According to the user name, compares the provided digest with a predetermined digest; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system;
116. According to the user name, compares the provided digital signature with a predetermined digital signature; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system;
118. Notifies the application system that the client corresponding to that user name is permitted to log in to the application system.
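The client-side preparation of steps 102 to 108 and the management server's ordered comparisons of steps 110 to 118, as an added example that is not part of the patent. The patent names no signature or digest algorithm, so this example assumes SHA-256 for the digest and, as a stand-in for the digital signature, HMAC-SHA256 under a per-client key; the user name, certificate bytes and keys are constructed sample data.

```python
"""Added example, not from the patent: the certificate / digest / signature
checks of method 100 (steps 102-118), run by a management server against the
predetermined values it holds for each user name.

Assumptions (the patent does not specify them):
  - digest    = SHA-256 of the signature (step 106)
  - signature = HMAC-SHA256 over the certificate under a per-client key
                (step 104); a stand-in for a real asymmetric signature
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class LoginRequest:
    """What the client supplies to the management server in step 108."""
    username: str
    certificate: bytes
    signature: bytes
    digest: bytes


@dataclass(frozen=True)
class Predetermined:
    """The predetermined certificate, digest and signature the management
    server holds for one user name (compared in steps 112, 114 and 116)."""
    certificate: bytes
    digest: bytes
    signature: bytes


def sign_certificate(certificate: bytes, client_key: bytes) -> bytes:
    # Step 104: digital signature over the selected certificate (HMAC stand-in).
    return hmac.new(client_key, certificate, hashlib.sha256).digest()


def digest_of(signature: bytes) -> bytes:
    # Step 106: digest of the digital signature.
    return hashlib.sha256(signature).digest()


def build_login_request(username: str, certificate: bytes, client_key: bytes) -> LoginRequest:
    # Steps 102-108 on the client: select the certificate, sign it, digest the signature.
    signature = sign_certificate(certificate, client_key)
    return LoginRequest(username, certificate, signature, digest_of(signature))


def enroll(certificate: bytes, client_key: bytes) -> Predetermined:
    # How the server's predetermined values for a user are derived here
    # (assumption: the same computation the client performs at login).
    signature = sign_certificate(certificate, client_key)
    return Predetermined(certificate, digest_of(signature), signature)


def verify_login(registry: Dict[str, Predetermined], req: LoginRequest) -> Tuple[bool, str]:
    """Steps 110-118. Returns (permitted, reason). The first mismatch refuses
    the login, in the order the patent gives: certificate, digest, signature.
    hmac.compare_digest keeps each comparison constant-time."""
    expected = registry.get(req.username)  # step 110: parse the user name
    if expected is None:
        return False, "refused: unknown user name"
    if not hmac.compare_digest(req.certificate, expected.certificate):
        return False, "refused at step 112: certificate mismatch"
    if not hmac.compare_digest(req.digest, expected.digest):
        return False, "refused at step 114: digest mismatch"
    if not hmac.compare_digest(req.signature, expected.signature):
        return False, "refused at step 116: signature mismatch"
    return True, "step 118: application system notified, login permitted"


# Constructed sample data (not from the patent).
CERT_ALICE = b"constructed-certificate-bytes-for-alice-app-1"
KEY_ALICE = b"constructed-per-client-key-for-alice"
REGISTRY: Dict[str, Predetermined] = {"alice": enroll(CERT_ALICE, KEY_ALICE)}


def demo() -> Dict[str, Tuple[bool, str]]:
    """One honest login plus three requests that each fail at a different step."""
    good = build_login_request("alice", CERT_ALICE, KEY_ALICE)
    wrong_cert = build_login_request("alice", b"some-other-certificate", KEY_ALICE)
    wrong_key = build_login_request("alice", CERT_ALICE, b"wrong-key")  # digest differs first
    # Correct certificate and digest but a bogus signature: only step 116 catches it.
    forged_sig = LoginRequest("alice", CERT_ALICE, b"forged", REGISTRY["alice"].digest)
    return {
        "good": verify_login(REGISTRY, good),
        "wrong_cert": verify_login(REGISTRY, wrong_cert),
        "wrong_key": verify_login(REGISTRY, wrong_key),
        "forged_sig": verify_login(REGISTRY, forged_sig),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>10}: {'PERMIT' if ok else 'REFUSE'} ({reason})")
```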
Continuing to refer to Fig. 1, in the embodiment shown in Fig. 1 the method 100 further includes:
120. If the client is permitted to log in to the application system, it continues by sending an accounting request to the management server; accounting is performed by the management server, which generates accounting statistics after the client has finished accessing the application system. The management server performs accounting using the Diameter/Radius protocol.
In addition, according to the embodiment 100 of Fig. 1, the method further includes:
122. A management computer controls the management server to manage the data stored in the management server. Managing the data stored in the management server includes: core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.
With reference to Fig. 2, the present invention also provides a digital certificate management system 200, comprising:
a data communication network 202;
an application system 204 connected to the data communication network 202;
a client 206 connected to the data communication network 202, which, when it is to log in to the application system 204 through the data communication network 202, first starts the client dial-up program, issues a login request to a management server 208 using the client's user name on that management server, and selects the digital certificate corresponding to the application system; computes a digital signature over the selected digital certificate; computes a digest of the digital signature; and supplies the digital certificate, digital signature and digest to the management server through the data communication network and waits for the management server to respond;
The management server based on Diameter/Radius is a 3A server. It provides certificate authentication for remote users' access and IP address authorization after authentication; an accounting function for user login and logout; and management of all users, IP addresses, groups and clients of the authentication service. After a user passes the certificate authentication of the RADIUS/DIAMETER authentication server, it is granted an intranet IP address together with designated DNS and gateway addresses, and can access the corresponding application server according to its permissions in the respective application system.
The program comprises a core interface calling module, a user operation module, an administrative region management module, a client operation module, a group operation module, an address pool operation module, a log operation module, a statistics operation module, a certificate operation module, a card number operation module, a domain name operation module, a report management module, and a global settings module.
The core interface calling module declares each interface function of the core library LgetKnlV2.dll.
The user operation module implements operations on users, such as adding, editing and deleting users.
The administrative region management module implements adding, editing and deleting cities, districts (counties), units and departments.
The client operation module implements operations on clients, such as adding, editing and deleting clients.
The group operation module implements operations on groups, such as adding, editing and deleting groups.
The address pool operation module implements operations on address pools, such as adding, editing and deleting address pools.
The log operation module implements operations on logs, such as viewing and deleting logs.
The statistics operation module implements operations on statistics, such as viewing statistics.
The certificate operation module implements certificate operations, such as issuing certificates.
The card number operation module implements card number operations, such as generating card numbers.
The domain name operation module implements domain name operations, such as generating domain names.
The report operation module implements report operations, such as generating reports.
The global settings operation module implements access to the parameters required by the management interface at run time.
The relationships among the modules are illustrated in Fig. 3F.
Using the technical solution of the present invention, a new Diameter-based digital certificate management system and management method are provided, which deliver secure and effective digital certificate authentication and management.
The above embodiments are provided so that those skilled in the art can implement or use the present invention, and those skilled in the art can make various modifications or variations to the above embodiments without departing from the inventive idea of the present invention. Therefore the protection scope of the present invention is not limited by the above embodiments, but should be the widest scope consistent with the inventive features mentioned in the claims.

Claims (5)

1. A basic digital certificate management method in which a management server verifies a client's digital certificate so that a client that passes digital certificate authentication can access an application system, characterised in that it comprises:
the client needs to log in to an application system; it first starts the client dial-up program, logs in to the authentication/management server using the client's user name on the authentication/management server, and selects the digital certificate corresponding to the application system;
computes a digital signature over the selected digital certificate;
computes a digest of the digital signature;
supplies the digital certificate, digital signature and digest to the authentication/management server and waits for the management server to respond;
the management server receives the request to log in to the authentication/management server and parses the user name;
according to the user name, compares the provided digital certificate with a predetermined digital certificate; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system;
according to the user name, compares the provided digest with a predetermined digest; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system;
according to the user name, compares the provided digital signature with a predetermined digital signature; if the two agree, proceeds to the next step, otherwise refuses the client corresponding to that user name permission to log in to the application system; and notifies the application system that the client corresponding to that user name is permitted to log in to the application system.
2. The basic digital certificate management method of claim 1, characterised in that, if the client is permitted to log in to the application system, it continues by sending an accounting request to the management server; accounting is performed by the management server, which generates accounting statistics after the client has finished accessing the application system.
3. The basic digital certificate management method of claim 2, characterised in that the management server performs accounting using the Diameter/Radius protocol.
4. The basic digital certificate management method of claim 3, characterised in that a management computer controls the authentication/management server to manage the data stored in the authentication/management server.
5. The basic digital certificate management method of claim 4, characterised in that managing the data stored in the authentication/management server includes:
core interface calls, user operations, administrative region management, client operations, group operations, address pool operations, log operations, statistics operations, certificate operations, card number operations, domain name operations, report management, and global settings.

Priority Applications (1)

Application Number: CN201711470908.9A (CN109995533A, en)
Priority Date: 2017-12-29
Filing Date: 2017-12-29
Title: A kind of digital certificate management method on basis

Applications Claiming Priority (1)

Application Number: CN201711470908.9A (CN109995533A, en)
Priority Date: 2017-12-29
Filing Date: 2017-12-29
Title: A kind of digital certificate management method on basis

Publications (1)

Publication Number: CN109995533A
Publication Date: 2019-07-09

Family

ID=67108438

Family Applications (1)

Application Number: CN201711470908.9A (CN109995533A, en)
Title: A kind of digital certificate management method on basis
Priority Date: 2017-12-29
Filing Date: 2017-12-29
Status: Pending

Country Status (1)

CN (1): CN109995533A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111342960A (en) * 2020-02-24 2020-06-26 洪心科技(广州)有限公司 Management method and device of digital certificate



Legal Events

Date Code Title Description
20190709 PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190709