CN109995694A - A method of passing through gateway authentication user - Google Patents

A method of passing through gateway authentication user Download PDF

Info

Publication number
CN109995694A
CN109995694A CN201711463034.4A CN201711463034A CN109995694A CN 109995694 A CN109995694 A CN 109995694A CN 201711463034 A CN201711463034 A CN 201711463034A CN 109995694 A CN109995694 A CN 109995694A
Authority
CN
China
Prior art keywords
gateway
party
certificate
client
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711463034.4A
Other languages
Chinese (zh)
Inventor
吴文斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Weiyan Technology Co ltd
Original Assignee
Guangzhou Weiyan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Weiyan Technology Co ltd filed Critical Guangzhou Weiyan Technology Co ltd
Priority to CN201711463034.4A priority Critical patent/CN109995694A/en
Publication of CN109995694A publication Critical patent/CN109995694A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of client (42) and server (44) are authenticated each other by gateway (46), wherein client using oneself first cryptographic protocol and server between gateway using oneself second cryptographic protocol between gateway, method includes the following steps: setting gateway is the certification authority (48) being trusted on the server;Gateway issues digital certificate authentication client;And server authentication digital certificate is so as to oneself confirming the digital certificate from the certification being trusted.

Description

A method of passing through gateway authentication user
Technical field
The present invention relates to certification and particularly, but not is directed exclusively to communication system.In one embodiment, It is related to wireless communication system.
Technical background
Communication on the internet uses TCP/IP protocol suite.TCP refers to transmission control protocol and IP refers to Internet protocol. TCP/IP refers to a big group agreement as defined in Internet Engineering Task group (IETF).TCP/IP is basic internet and inline Netcom Believe agreement.It allows information to be sent to its destination from a computer by intermediate equipment and individual network.
The very big flexibility of TCP/IP causes it to be received by the whole world.Meanwhile TCP/IP allows information to set by centre The standby fact makes it possible that third party intervenes communication in the following manner.
Encryption (cryptography) be used to solve these problems.Therefore encryption enables information to be presented by secret to earwig's hardly possible To understand.It provides confidentiality in this way.Recipient can not be modified in transport with checking information or when detect it It is modified.Recipient can determine that information is originated from the source that it is claimed, and therefore can be certified.In addition to this, encryption can be with Offer forbids the sender of information to claim that it does not send the non-repudiation of the information in the period of later.
A kind of form of encryption is symmetric key encryption.In symmetric key encryption, key can from decruption key quilt It calculates or opposite.Using most of symmetry algorithms, identical key is for encrypting and decrypting.The realization of symmetric key encryption can To there is very high efficiency, therefore user does not undergo any significant time delay of the result as encryption and decryption processes. Symmetric key encryption also provides a degree of certification, because cannot be with any other right with the information of a symmetric key encryption Claim key decryption.
Only symmetric key keeps secret by the both sides being related to, and symmetric key encryption is only effectively.If other human hairs Key is showed, then it influences confidentiality and certification.The people of symmetric key with unauthorized can not only decrypt to be sent out with the key The message sent can also encrypt new message and be sent to, just as its one of two side from the initially use key.
Another form of encryption is public-key encryption.One version of public-key encryption is pacified based on RSA data Full algorithm.Public keys (also referred to as asymmetric key) is related to and needs electronically to identify its identity or signature or encryption number According to the relevant a pair of secret keys of a side, public keys and private cipher key.Public key must be reliable.Public key can be by It announces, and corresponding private cipher key must maintain secrecy.The message encrypted using public keys and Encryption Algorithm only can be with privately owned close Key decryption.So if a side has been given public keys, then this key, which can be used, in it only can use this to encrypt The message of private cipher key decryption.This provides confidentiality and confidentiality.On the contrary, using private key encryption message only It can use public keys decryption.Therefore, if a side has a private cipher key, this key is can be used encrypt can be in the party The message decrypted by another party with public keys.The message that public keys decryption can be utilized only can come from possessing One side of corresponding private cipher key.This provides certification or signatures.
To solve this problem, certification authority is used as shown in Figure 1.This scheme show sender 12, recipient 14 with And certification authority (CA) 16.CA 16 is connected to sender 12 and recipient 14 and is trusted by the two.Sender 12 has privately owned Key (S-SK) and public keys (S-PK), recipient 14 has private cipher key (R-SK) and public keys (R-PK), and CA has Private cipher key (CA-SK) and public keys (CA-PK).CA-PK is provided to sender 12 and recipient 14 for use in certification Communication occur.Obviously, CA-PK must be provided in a manner of certification, therefore sender 12 and recipient 14 are believed that it Source.
Sender 12 generates Certificate Signature Request (CSR), is sent to CA 16.Sender 12 provides its body to CA 16 Part (either using the user of sender 12 send some personal data or using to be presented to being used for sender 12 privately owned Code).Sender 12 also sends its public keys S-PK in CSR.CA 16 with unique digital signature sign personal data or Privately owned code and public keys S-PK are to prove that they are consistent.The certificate of signature is returned to sender 12.Recipient 14 Similar process is executed with CA 16 to obtain the certificate of their own signature.When sender 12 wants to talk with recipient 14, Need shaking hands between them, wherein sender 12 and recipient 14 exchange its digital certificate (this exchange does not encrypt).
Then sender 12 and recipient 14 can use CA-PK verify the certificate of received signature so as to ensure its by CA 16 is authenticated and therefore can be trusted.Because sender 12 and recipient 14 have the public close of another each of now Key, secret and certification communication can occur.Actually sender 12 and recipient 14 can send certification certificate and (beg for below By) rather than only send the public keys of certification.
General CA is pressed the hierarchical ar-rangement from common root.This layered structure is referred to as public keys basis knot Structure.This means that CA can be authenticated each other.
Compared with symmetric key encryption, public-key encryption needs more calculating and is therefore not always suitable for a large amount of Data.Therefore, RSA or the public-key encryption of some other forms are only used for the protocol handshake part of communication to generate master The secret wanted.This is shown in Fig. 2, and wherein public-key encryption is used for consult session key.Because data communication is two-way , below with reference to client and server end rather than sender and recipients.
Initially, client 22 and server end 24 have the public keys from certification authority (CA-PK).22 kimonos of client Each of business device end 24 enters certification authority so as to certified certificate, is signed by the CA-SK of certification authority.In addition to (example Such as client 22 or server end 24) except public keys, certificate includes the title of the entity of its identification (with the title of difference Form), due date (validity period), issue certificate certification authority title (in the form of the title of difference, hereinafter referred to as DN), Serial number and other information.Most important, certificate always includes the digital signature for issuing certification authority.The digital signature of certification authority Certificate is enabled not know that the user of the entity identified by the certificate " is situated between as knowing and trusting the authorized organization Continue letter ".
DN is personal unique identifier, such as a people or a terminal node for identification.If DN is included in In digital certificate and the certificate is signed by trusted CA, then it is believed that the individual of identification is true and has corresponding to card The individual of the private cipher key of public keys is that this is true personal in book.In fact, by the certificate of certification authority's distribution by one A particular public key merges in the title of entity or multiple entities that the certificate identifies.Before CA signing certificate, test Demonstrate,proving individual is that claimed.This verifying includes analysis, signature or the other information of personally identifiable information.In this implementation In scheme, title (DN) the identification client 22 or server end 24 of difference.
When the encryption method one of another communication protocol from TCP/IP's and from the security layers with their own It rises in use, there is a problem.For example, when be used to access interconnection according to the mobile terminal that Wireless Application Protocol (WAP) is operated When net, such case may occur in which.In order to provide secrecy connection, internet uses transport layer secrecy (TLS) such as (to be advised by RFC 2246 It is fixed) and security socket layer (SSL) (de facto standards developed by Netscape) confidentiality agreement layer.? Protocol layer of equal value used in WAP net is wireless transmission layer secrecy (WTLS) (being standardized by WAP Forum).
Although internet and WAP net are very similar, they are incompatible and therefore need to be implemented hypertext markup language Say the Content Transformation between (HTML) and Wireless Markup Language (WML) and between HTTP and WSP layers.This is illustrated with reference to Fig. 3 A problem.Wap protocol stack 32 (being included in client) is connected to ICP/IP protocol stack 34 by gateway 36 and (is included in server End).Wap protocol stack 32 has protocol layer Wireless Datagram Protocol (WDP), wireless transmission layer secrecy (WTLS), wireless transactions agreement (WTP) and wireless session protocol (WSP).It provides WML content.ICP/IP protocol stack 34 has protocol layer Internet protocol (IP), transaction control protocol (TCP), security socket layer (SSL) and hypertext transfer protocol (HTTP).It is provided HTML content.
In the case where WAP and ICP/IP protocol stack, if WTLS and SSL layers is movable, and gateway 36 does not possess Required key decrypts the message sent, then be located at the layer on encryption layer in a gateway cannot be modified and therefore it Between conversion (between WSP and HTTP or between WML and HTML) can not.Because gateway cannot access the key of needs (usually it is stored in a manner of it cannot be read out therefrom physically resists in the equipment distorted), so another add should be used Close scheme.Client should authentication gateway and gateway should authenticate originating services device and server should authentication gateway and Gateway should Authentication Client.In this scheme must both sides all trust the gateway.Because current cryptographic protocol (SSL, TLS, WTLS) assume end to end encryption connection therefore they cannot support this encipherment scheme.
Summary of the invention
According to the first aspect of the invention, it provides a kind of for authenticating first party and the second party each other by gateway Method, the method comprising the steps of:
The gateway for having gateway public key and corresponding gateway private cipher key is provided;
Common public key is provided for first party and gateway to authenticate the information source for being sent to another from one;And
Gateway public key is provided for second party to authenticate from the received information of gateway, which is different from Common public key.
Preferably first party is client.Preferably second party is server.
It is the public keys from certification authority that preferably second party, which is apprised of the gateway public key,.Therefore, when second When side receives the certificate signed via gateway private cipher key from gateway, second party verifies this using gateway public key The certificate of signature comes from source identical with gateway public key, and therefore equally receives as the certificate from certification authority. In this way, gateway can send it to second party to persuade the second party gateway be actually that the information of first party is included in certificate In.
The preferably common public key public keys that is certification authority that is true and being trusted.
According to the second aspect of the invention, a kind of method that first party is authenticated to second party by gateway is provided, the One side uses oneself cryptographic protocol between gateway, the party using its own cryptographic protocol and second party between gateway Method comprising steps of
It is the certification authority being trusted that gateway is arranged in second party;
The digital certificate of gateway distribution certification first party;And
Second party verifies the digital certificate to confirm the digital certificate from the certification authority being trusted to second party.
Cryptographic protocol preferably between first party and gateway and between second party and gateway is different.Preferably Cryptographic protocol between one side and gateway is WTLS.Cryptographic protocol preferably between gateway and second party is SSL.
According to the third aspect of the present invention, it provides a kind of for authenticating client and server each other by gateway Method, the method comprising the steps of:
Client public key and corresponding client private cipher key are provided for client;
Client certificate is provided for client;
For server providing services device public keys and corresponding server private cipher key;
For server providing services device certificate;
Gateway public key and corresponding gateway private cipher key are provided for gateway;And
Gateway certificate is provided for gateway.
Preferably client certificate is issued by general CA.Preferably client certificate include client difference title with And client public key.Client certificate is signed, and the certification authority's certification being therefore trusted.
The preferably title and server public key of difference of the server certificate comprising server.It also includes other Item of information.This server certificate is signed, and the certification authority's certification being therefore trusted.Preferably this certification authority with Sign client certificate is same.Its of substitution can be different certification authority.
The preferably title and gateway public key of difference of the gateway certificate comprising server.This gateway certificate can be with The certification authority's certification for being signed and being therefore trusted.Preferably this certification authority and signature server certificate is same It is a.Its of substitution can be different certification authority.Only in the case where server and gateway belong to identical tissue, believed Appoint certification authority can just sign gateway certificate (distinguished name comprising server), this is because only one tissue for Different public keys possesses identical distinguished name.
Preferably gateway imitates certification authority.Preferably the gateway public key of server offer is by as certification authority Public keys be indicated to server.Preferably gateway is that each client generates different public-private cipher key pairs, Mei Gemi Client private cipher key of the key to the client public key generated comprising one and a generation.Gateway can be with different visitors The name at family end generates different certificates.Gateway can sign these certificates with gateway private cipher key.Preferably these certificate packets The client public key of distinguished name and generation containing client.As extension, these client certificates generated include Original client certificate is to make server obtain reliable client public key.
Preferably this method includes the steps that providing the identifier of its origin of instruction for server.Preferably it includes for net Close the step of instruction and the identifier of the common origin of server are provided.Preferably it for server and gateway comprising steps of ask The generic identifier (element type name) corresponding to the server and gateway is sought, but includes be belonging respectively to server and gateway different public close The certificate of key.
Preferably this method include shake hands it is close to authenticate each direction another party and to negotiate one or more sessions Key.This can be dual shake hands.In one embodiment, client and gateway, which execute, (utilizes client certificate and gateway Certificate) each other authenticate and negotiate master secret (can therefrom calculate session key) general first time shake hands.Once Client is authenticated to gateway, then client private cipher key and generation of the gateway using the generation for belonging to the client being certified Client certificate execute and the second handshake of server (in server service device using its server certificate).This two Secondary shake hands overlaps each other.As second handshake as a result, gateway and server negotiate general master secret (can therefrom count Calculate session key).
In this way, because the distinguished name and the certificate in gateway certificate including server are by the certification authority that is trusted Signature, receives certification from gateway so the present invention provides clients.Moreover, because of the client in the client certificate of generation Distinguished name included and the certificate by server receive as trust certification authority gateway signature, so server Receive certification from gateway.
It shakes hands and can be shaking hands of occurring before the communication according to WTSL.It can be holding before SSL or TLS Hand.Preferably it includes the handshake procedure before the communication by WTLS and SSL or TLS.
The present invention is also considered to be the Content Transformation that will be encrypted according to first agreement into the content according to second agreement The method method that either is used to making such conversion can occur.Such method needs each party to pass through intermediate gateway quilt It authenticates to another party and the authentication method of previous aspect according to the present invention therefore can be used.
According to the fourth aspect of the present invention, the transaction system comprising first party and the second party is provided, by needing It to be authenticated using the cryptographic protocol between the cryptographic protocol and second party and gateway between first party and gateway to second party Gateway communication between each side of first party communicates, in which:
Gateway includes digital certificate signature device to issue the digital certificate of certification first party;
Second party includes the digital certificate authentication device of the digital certificate signature device corresponding to gateway, verifies number card Book is reliable so as to the digital certificate for confirming the gateway signature to second party.
Preferably the transaction system is communication system.
According to the fifth aspect of the present invention, the gateway that can be communicated by its first party and the second party, each side are provided Between communication need will using the cryptographic protocol between cryptographic protocol and second party and gateway between first party and gateway The certification of first direction second party, which includes digital certificate signature device to issue digital certificate authentication first party, gateway Signature apparatus corresponds to the verifying device of second party, verifies digital certificate to confirm the number of the gateway signature to second party Certificate is reliable.
According to the sixth aspect of the invention, the computer journey for authenticating first party to second party by gateway is provided Sequence product, first party use adding between their own and gateway using the cryptographic protocol between their own and gateway and second party Close agreement, the computer program product include:
Indicate that the gateway is the computer-executable code device for the certification authority being trusted to second party;
Gateway is enabled to issue digital certificate to authenticate the computer-executable code device of first party;And
So that second party is able to verify that the digital certificate to confirm that the digital certificate is recognized by what is be trusted to second party Demonstrate,prove the computer-executable code device of authority releases.
According to the seventh aspect of the present invention, the content delivery by communication network from content provider to terminal is provided Method, wherein content provider and terminal are authenticated each other by gateway, and the method comprising the steps of:
Gateway public key and corresponding gateway private cipher key are provided for gateway;
Common public key is provided for terminal and gateway to authenticate the information source for being sent to another from one;And
Gateway public key is provided for content provider to authenticate from the received information of gateway, and the gateway public key is not It is same as common public key.
According to the eighth aspect of the present invention, the content delivery by communication network from content provider to terminal is provided Method, wherein content provider and terminal are authenticated each other by gateway, and terminal uses the cryptographic protocol between their own and gateway And content provider is using oneself cryptographic protocol between gateway, and the method comprising the steps of:
Content provider determines that the gateway is the certification authority being trusted;
Gateway issues the digital certificate authentication terminal;And
Content provider verifies digital certificate to confirm the digital certificate from the certification being trusted to content provider Mechanism.
According to the ninth aspect of the present invention, the content delivery by communication network from content provider to terminal is provided Method, wherein content provider and terminal are authenticated each other by gateway, and the method comprising the steps of:
Client public key and corresponding client private cipher key are provided for client;
Client certificate is provided for client;
For server providing services device public keys and corresponding server private cipher key;
For server providing services device certificate;
Gateway public key and corresponding gateway private cipher key are provided for gateway;And
Gateway certificate is provided for gateway;
The present invention is suitable for telecommunications, and particularly suitable for mobile terminal, such as mobile phone, personal digital assistant, electronics Books or browser.It can be applied to access internet using mobile terminal safety.It can be by one embodiment The mobile terminal of Wireless Application Protocol (WAP) is utilized and using between the www server of internet security agreement for providing End-by-end security.
Detailed description of the invention
One embodiment of the invention is described with reference to the drawings, in which:
Fig. 1 shows the communication between sender and recipients;
The step of Fig. 2 display generates master secret;
Fig. 3 shows the communication by gateway;
Fig. 4 shows the communication by gateway according to the present invention;And
Fig. 5 shows the flow chart of step.
Specific embodiment
Fig. 4 is shown including having the client 42 (such as mobile phone) of wap protocol stack, the originator with ICP/IP protocol stack The communication system 40 of server 44, gateway 46 and certification authority (CA) 48.Gateway 46 by originating services device 44 operator institute Have, that is, originating services device 44 and gateway 46 are under co- controlling.CA 48 can be accessed by client 42, originating services device 44 It is used to authenticate each party for belonging to each side with gateway 46.Originating services device 44 is located in communication network.In this implementation of the invention In scheme, it is located in radio telecommunication network.
CA 48 is independent mechanism, and distribution digital certificate confirms to verify a side for its identity to CA.Because of each party Trust CA, therefore they receive the digital certificate identified in person by CA via the display of CA digital signature its other party.CA 48 have private and public key pair CA-SK and CA-PK.
Client 42 has the key pair including public keys (C-PK) and private cipher key (C-SK).It has comprising following message Certificate:
(i)C-PK;
(ii) validity period of certificate;
(iii) DN of client;
(iv) DN (DN of CA) of publisher;And
(v) by the digital signature of the above- mentioned information of the private cipher key of publisher (CA-SK) signature.
CA-PK of the client 42 also from CA 48.This can be installed in advance, such as in manufacture client or system When making a part (such as manufacture or configuration of SIM card) of client, or it can be mounted when later.
Originating services device 44 has the key pair including public keys (S-PK) and private cipher key (S-SK).It has comprising following The certificate of information:
(i)S-PK;
(ii) validity period of certificate;
(iii) DN of originating services device;
(iv) DN (DN of CA) of publisher;And
(v) by the digital signature of the above- mentioned information of the private cipher key of publisher (CA-SK) signature.
Instead of the CA-PK from CA 48, originating services device 44 has the public keys as explained below from gateway 46.
Gateway 46 has the key pair including public keys (G-PK) and private cipher key (G-SK).It has comprising following message Certificate:
(i)G-PK;
(ii) validity period of certificate;
(iii) DN of gateway (it is identical as the tissue of server or at least belongs to tissue identical with server);
(iv) DN (DN of CA) of publisher;And
(v) by the digital signature of the above- mentioned information of the private cipher key of publisher (CA-SK) signature.
Gateway server 46 also has the CA-PK from CA 48.CA-PK is presented to gateway 46 in a manner of reliable. For example, CA-PK is loaded into gateway 46 by floppy disk.
It is above-mentioned related to wherein all certificates are issued by identical CA embodiment.But there are several CA.For example, having With the CA-C of the certificate of private cipher key CA-C-SK signature client, signed the CA-G of the certificate of gateway with private cipher key CA-G-SK And the CA-S of the certificate with private cipher key CA-S-SK signature server.By public keys CA-C-PK and CA-S-PK to gateway And by public keys CA-G-PK to client.By gateway public key G-PK to server.
As mentioned above, G-PK rather than CA-PK is loaded into originating services device 44.Originating services device 44 is notified G- PK is really CA-PK.Because originating services device 44 and gateway 46 are under identical organizational controls and can be located at identical (physics quilt Protection) position in (and may even on the same machine), by CA-PK be loaded into gateway 46 and using G-PK as It is direct that CA-PK, which is loaded into originating services device 44,.Public keys can be loaded directly or be provided in connection.It is all It is important that G-PK should be downloaded in a trusted manner.
It should be understood that in the certificate of originating services device 44 and gateway 46, if the extension of validity period and the DN of publisher are phases With.In addition to this, the DN of the originating services device and DN of gateway is identical.But in one embodiment of the invention, The DN of the gateway and DN of originating services device is somewhat different but identical enough instruction DN indicates identical tissue.For example, originator The DN of server can indicate that the DN of bank server and gateway can indicate another server of identical bank.
The operation of this system is described referring now to the step flow chart of Fig. 5.Association between client 42 and gateway 46 View, which is shaken hands, to be done as follows.The certificate (being signed by the CA-SK of CA 48) of client is sent to gateway 46.Gateway 46 being capable of benefit The certificate of this signature is verified with CA-PK and therefore it obtains C-PK, is initially authenticated by CA 48.In the response, gateway 46 Client 42 is sent by its (by CA-SK signature) certificate.Client 42 can verify the certificate of this signature using CA-PK And therefore it obtains G-PK, is initially authenticated by CA 48.Because gateway certificate has the DN of originating services device, client Believe that gateway 46 is originating services device 44 in end.Because client 42 and gateway 46 each have another public keys, It can be communicated in believable and secret mode and agree to the master secret according to cryptographic protocol to be used (such as WTLS). Client 42 and gateway 46 can use WTLS coded communication now.
Protocol handshake between present originating services device 44 and gateway 46 is done as follows.Gateway 46 is raw for each client At public keys G-C-PK and G-C-SK couples of private cipher key.Client specific key is preferably used to be different clients End provides different keys (for the purpose that do not deny).
Gateway 46 generates the new certificate of the DN including the client public key (G-C-PK) and client that generate.New Certificate is signed by the G-SK of gateway 46 and is sent to originating services device 44.In this way, gateway 46 generate originating services device will be as Its certificate equally received from client.Originating services device 44 can also be verified using G-PK this signature certificate and Therefore its DN for obtaining the client public key (G-C-PK) and client that generate.(note: because gateway 46 is not involved in card The layered structure of book, so this certificate will only be received by originating services device 44 and will be illegal for any other side, because Gateway 46 cannot play the part of client in other cases for this.)
Therefore, because the client certificate generated has DN and SSL layers of the built-in variable instruction of client to have to client The secure connection at end, so originating services device 44 thinks that it is communicated with client 42.In this way in the application of originating services device 44 The program of layer will not pay attention to any difference and will receive the certification.Because of the CA label that original client certificate is trusted Name, so gateway thinks the DN and the Fang Xiangguan that should be trusted of client.The certificate of originating services device 44 is signed simultaneously by CA-SK And gateway 46 is sent by this certificate signed.Gateway 46 can verify the certificate and therefore of this signature using CA-PK It obtains S-PK, is initially authenticated by CA 48.
Because originating services device 44 has the client public key (being G-C-PK in this case) of the gateway of generation simultaneously And gateway 46 has the public keys (S-PK) of originating services device, originating services device 44 and gateway 46 can communicate in a secured manner And a master secret is agreed in mode similar in foregoing description relevant to Fig. 2.Present originating services device 44 and gateway 46 can use SSL (or TLS) encryption to communicate.
Therefore, after the process being discussed above, present client 42 and originating services device 44 can securely with gateway 46 communications.It can be decrypted by gateway 46 by either one message sent, be converted between WML and HTML in gateway 46, and And it is therefore re-encrypted before the recipient for being sent to plan with the name of sender.Gateway 46 is by client 42 and hair End server 44 is considered as exponent trusty, because both sides directly talk with it in SSL or WTLS secure connection.
It should notice that gateway 46 is related to originating services device 44 above to run as certification authority.However it should be noted that In this role, gateway 46 is not involved in the layered structure of certificate and not as to the formal of its other party in addition to server 44 Certification authority operation.On the other hand, gateway 46 is relevant to client 42 runs as server and has from true Certification authority, that is, CA 48 signature certificate.Under co- controlling and therefore originating services device 44 and gateway 46 are started Server 44 can trust gateway 46 and client can receive it and belong to identical tissue.
In preferred embodiments, gateway 46 is run on machine identical with originating services device 44, that is, it has phase Same IP address, the title of difference and certificate.In this case, client 42 will not pay attention to about any different of conversion Often.
If the speed for establishing the secure communication between client 42 and originating services device 44 is critically important, scalable base It can be used for the gateway in the algorithm of hardware.It is substitution or additional, the client of generation can be calculated before actually shaking hands Hold key.
The specific key pair of client can be used between gateway and server in an identical manner, the specific net of server Pass can be used between client and gateway.It is exactly such feelings when if having multiple and different keys for different servers Condition.
Because gateway is the specific operation decryption such as paid and encrypts all message, it is preferred to use another application The solution of grade.In this case, the visitor that gateway 46 can generate the original certificate of client as attachment insertion In the certificate of family end, therefore the true end to end authentication on application level can be executed.Then original certificate can be used for Assess digital signature.
It can be easily seen that this solution is independently of the difference between WTLS and SSL and in client or clothes Business device or both works in the case where not being certified.In other words, in SSL and WTLS, client server certification It is optional.If we forbid one of these certifications, method provided by the invention is also capable of handling the situation.
It is one advantage of the present invention that it does not need not needing in the communication of the WAP between client 42 and gateway 46 yet It modifies in TCP/IP communication between originating services device 44 and gateway 46.It is compatible with suitable standard in this way.
The present invention can provide internet clothes between SSL and WTLS layers that make each protocol stack in a manner of seamless conversation The secrecy end to end being engaged between device and WAP client.
Specific implementation and embodiment of the invention has been described.It is obviously of the invention for those skilled in the art It is not limited to the details of the embodiment above, but it can use equivalent arrangements and exists without departing substantially from feature of the invention It is implemented in other embodiments.The scope of the present invention is not limited except as by the appended claims.

Claims (12)

1. one kind is by gateway (46) to the method for second party (44) certification first party (42), first party uses oneself and the net The first cryptographic protocol and the second cryptographic protocol between pass are used between the second party and be confused gateway, the method packet Include step: the transmission of Xiang Suoshu gateway includes the first digital certificate of information related with first party, so that be confused gateway generates Disconnected digital certificate comprising information related with first party, so that the second party can be described disconnected in order to confirm to second party Digital certificate verifies the disconnected digital certificate from the certification authority being trusted.
2. the method according to claim 1, wherein the first and second cryptographic protocols are different.
3. method according to claim 2, wherein the first cryptographic protocol is wireless transmission layer secrecy (WTLS) and the second encryption Agreement is security socket layer (SSL).
4. the method according to claim 1, wherein gateway public key is provided to second party (44) and by second party (44) public keys of the instruction as the certification authority (48) being trusted.
5. the method according to claim 1, wherein gateway (46) is that multiple first party generate different public private cipher key pairs, often A key pair includes first party (42) public keys generated and the first party private cipher key of generation.
6. method according to claim 5, wherein gateway (46) generates different certificates with the title of different first party.
7. method according to claim 6, wherein gateway (46) signs the different certificate with gateway private cipher key.
8. method according to claim 6, wherein the different certificate includes the name and the of the difference of first party (42) One side's public keys.
9. the method according to claim 1 includes the steps that providing the identifier of its origin of instruction for second party (44).
10. method according to claim 9, including providing the identification of instruction with the common origin of second party (44) for gateway (46) The step of symbol.
11. method according to claim 10, comprising steps of for second party (44) and gateway (46) request correspond to second party with The generic identifier (element type name) of gateway includes still the certificate for belonging to the different public keys of second party and gateway.
12. the method according to claim 1, including shake hands to authenticate other side to each party and to negotiate one or more sessions Key.
CN201711463034.4A 2017-12-29 2017-12-29 A method of passing through gateway authentication user Pending CN109995694A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711463034.4A CN109995694A (en) 2017-12-29 2017-12-29 A method of passing through gateway authentication user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711463034.4A CN109995694A (en) 2017-12-29 2017-12-29 A method of passing through gateway authentication user

Publications (1)

Publication Number Publication Date
CN109995694A true CN109995694A (en) 2019-07-09

Family

ID=67108314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711463034.4A Pending CN109995694A (en) 2017-12-29 2017-12-29 A method of passing through gateway authentication user

Country Status (1)

Country Link
CN (1) CN109995694A (en)

Similar Documents

Publication Publication Date Title
EP1312191B1 (en) Method and system for authentification of a mobile user via a gateway
CN1701295B (en) Method and system for a single-sign-on access to a computer grid
US7366905B2 (en) Method and system for user generated keys and certificates
Nakhjiri et al. AAA and network security for mobile access: radius, diameter, EAP, PKI and IP mobility
EP2639997B1 (en) Method and system for secure access of a first computer to a second computer
JP4304362B2 (en) PKI-compliant certificate confirmation processing method and apparatus, and PKI-compliant certificate confirmation processing program
EP1635502B1 (en) Session control server and communication system
CN110535628A (en) The method and device of Secure calculating is carried out by certificate issuance
US20060206433A1 (en) Secure and authenticated delivery of data from an automated meter reading system
EP2553894B1 (en) Certificate authority
Sankar Cisco wireless LAN security
CN103905384B (en) The implementation method of session handshake between built-in terminal based on secure digital certificate
WO2005069531A1 (en) Establishing a secure context for communicating messages between computer systems
JP2005505991A (en) Method and system for providing client privacy when content is requested from a public server
WO2009028794A2 (en) Method for providing anonymous public key infrastructure and method for providing service using the same
CN102404347A (en) Mobile internet access authentication method based on public key infrastructure
KR20090098542A (en) Encryption data communication system using proxy and method for encryption data communication thereof
CN116886288A (en) Quantum session key distribution method and device
CN109995723A (en) A kind of method, apparatus and system of the interaction of domain name analysis system DNS information
KR100970552B1 (en) Method for generating secure key using certificateless public key
JP4499575B2 (en) Network security method and network security system
JP3634279B2 (en) Application linkage method between multiple IC cards and within the same IC card
CN109995694A (en) A method of passing through gateway authentication user
Ou et al. A high-level 3G wireless PKI solution for secure healthcare communications
Gan et al. A PKI-based authentication approach for E-Business systems

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190709