CN110519304A - HTTPS mutual authentication method based on TEE - Google Patents
- Publication number: CN110519304A
- Application number: CN201910941907.0A
- Authority: CN (China)
- Prior art keywords: client, server, certificate, server end, tee
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
          - H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an HTTPS mutual authentication method based on a TEE. It uses the security features of the client's trusted execution environment (TEE): the client's private key is stored inside the TEE, and the client certificate is preset at the server end before HTTPS authentication takes place. The client first authenticates the server; once that passes, the server in turn authenticates the client, and the symmetric encryption scheme it selects is encrypted with the client certificate so that it can only be decrypted with the private key held in the client's TEE. This guarantees that the mutual authentication is fully trustworthy: malware cannot impersonate the server or the client from a position in the middle. The invention effectively solves the problem of secure authentication during HTTPS communication.
Description
Technical field
The present invention relates to the field of computer software and hardware information security, and in particular to an HTTPS mutual authentication method based on a TEE.
Background technique
Conventional HTTPS authentication is currently one-way: it ensures that the data in transit is encrypted, but this mode is easy to counterfeit. Third-party malware can intercept the data in the middle, impersonating the client towards the server and the server towards the client, and thereby obtain the plaintext in its entirety. For business with relatively high security requirements, such as finance-related business, such a situation must be entirely prevented.
Summary of the invention
To solve the problems in the prior art, the object of the present invention is to provide an HTTPS mutual authentication method based on a TEE, which effectively solves the problem of secure authentication during HTTPS communication.
To achieve the above object, the technical solution adopted by the present invention is an HTTPS mutual authentication method based on a TEE, comprising the following steps:
Step 1: the client private key is stored in the client's trusted execution environment (TEE), and the client certificate is preset at the server end.
Step 2: the client sends an SSL version information request to the server end; the server end receives the request and returns the SSL version and the server certificate to the client.
Step 3: the client receives the server certificate and verifies its validity and legitimacy against its trust library; if verification passes, the client sends its client certificate and all symmetric encryption schemes it supports to the server end.
Step 4: the server end verifies the validity and legitimacy of the client certificate and matches the client certificate against its preset library; if the match succeeds, the server end selects the symmetric encryption scheme with the highest encryption level, encrypts it using the client certificate and transmits it to the client.
Step 5: the client receives the data, decrypts it using the client private key stored in the trusted execution environment (TEE), and obtains the symmetric encryption scheme selected by the server end.
Step 6: the client generates a random number as the key of the symmetric encryption scheme, encrypts this symmetric key using the server certificate and sends it to the server end.
Step 7: after the server end receives the data, it decrypts it using the server end private key to obtain the symmetric encryption key; data interaction then proceeds with this key.
The beneficial effects of the present invention are:
The present invention protects the authentication of both the server end and the client and effectively prevents private data from being intercepted by third-party applications during the authentication process. The entire authentication flow is placed in the trusted execution environment on the TEE side, which ensures the security of private data and keeps the authentication process stable. The HTTPS authentication mode of the invention is not limited to authentication between a client and a server: it can be applied to all end-to-end authentication services, preventing any end-to-end HTTPS authentication process from being attacked or tampered with by other third-party applications, where terminals include all mobile devices.
Detailed description of the invention
Fig. 1 is a flow diagram of the two-way authentication of an embodiment of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below with reference to the accompanying drawing.
Embodiment
As shown in Figure 1, an HTTPS mutual authentication method based on a TEE comprises the following steps:
Step 1: the client private key is stored in the client's trusted execution environment (TEE), and the client certificate is preset at the server end; the manner of presetting is not limited.
Step 2: the client sends an SSL version information request to the server end; the server end receives the request and returns the SSL version and the server certificate to the client.
Step 3: the client receives the server certificate and verifies its validity and legitimacy against its trust library; if verification passes, the client sends its client certificate and all symmetric encryption schemes it supports to the server end.
Step 4: the server end verifies the validity and legitimacy of the client certificate and matches the client certificate against its preset library; if the match succeeds, the server end selects the symmetric encryption scheme with the highest encryption level, encrypts it using the client certificate and transmits it to the client.
Step 5: the client receives the data, decrypts it using the client private key stored in the trusted execution environment (TEE), and obtains the symmetric encryption scheme selected by the server end.
Step 6: the client generates a random number as the key of the symmetric encryption scheme, encrypts this symmetric key using the server certificate and sends it to the server end.
Step 7: after the server end receives the data, it decrypts it using the server end private key to obtain the symmetric encryption key; data interaction then proceeds with this key.
At this point the HTTPS two-way authentication between the client and the server end is complete: the client has authenticated the server end, the server end has authenticated the client, and the key for symmetric encryption has been negotiated after authentication. When authenticating the client, the server end must verify the validity of the client certificate and must also match the client certificate within its trust library; otherwise authentication fails. The client's private key is stored inside the trusted execution environment of the TEE, which prevents the key from being lost and prevents the client from being impersonated by other clients, so the security of the private key is fully guaranteed.
With two-way authentication, the server end authenticates the client by matching its certificate against the trust library, and authentication passes only if the match succeeds; this guarantees that only clients that have passed server authentication can access the server. The TEE, as a trusted execution environment, is used mainly to protect the client's private key information. During HTTPS two-way authentication the server must verify whether the client is legitimate and trustworthy, and only after authentication passes can the subsequent negotiation of the symmetric key take place.
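The seven-step exchange described above, carried through end to end as an added example; this is not code from the patent, which gives no implementation. Go's crypto/x509 and crypto/rsa stand in for the certificates and trust libraries, RSA-OAEP for "encrypting with a certificate", and a `TEE` type for the trusted execution environment that only ever exposes a decrypt operation; the self-signed certificates, the scheme names and the "weakest first" ordering of the client's offer are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewIdentity builds a self-signed certificate and key: a constructed stand-in for a CA-issued one.
func NewIdentity(cn string) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // errors ignored in this helper: fixed, valid inputs
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TEE models the client's trusted execution environment (step 1): the private key never leaves it.
type TEE struct{ key *rsa.PrivateKey }

func (t *TEE) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.key, ct, nil)
}

// Handshake runs steps 2-7; it returns the symmetric key as held by the client and by the server.
func Handshake(clientCert *x509.Certificate, tee *TEE, clientTrust *x509.CertPool,
	serverCert *x509.Certificate, serverKey *rsa.PrivateKey, preset []*x509.Certificate) ([]byte, []byte, error) {
	// Steps 2-3: server returns its certificate; client checks validity and legitimacy against its trust library.
	opts := x509.VerifyOptions{Roots: clientTrust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := serverCert.Verify(opts); err != nil {
		return nil, nil, errors.New("server certificate rejected: " + err.Error())
	}
	offered := []string{"AES-128-GCM", "AES-256-GCM"} // client's supported schemes, weakest first (constructed)
	// Step 4: server verifies the client certificate and also requires an exact match in its preset library.
	pool, matched := x509.NewCertPool(), false
	for _, c := range preset {
		pool.AddCert(c)
		matched = matched || c.Equal(clientCert)
	}
	opts.Roots = pool
	if _, err := clientCert.Verify(opts); err != nil || !matched {
		return nil, nil, errors.New("client certificate invalid or not in preset library")
	}
	// Step 5: the strongest offered scheme travels encrypted to the client certificate; only the TEE can read it.
	encChoice, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientCert.PublicKey.(*rsa.PublicKey), []byte(offered[len(offered)-1]), nil)
	scheme, err := tee.Decrypt(encChoice)
	if err != nil {
		return nil, nil, err
	}
	// Step 6: client draws a random key sized for that scheme and encrypts it under the server certificate.
	clientKey := make([]byte, map[string]int{"AES-128-GCM": 16, "AES-256-GCM": 32}[string(scheme)])
	rand.Read(clientKey) // crypto/rand.Read does not fail on supported platforms
	encKey, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverCert.PublicKey.(*rsa.PublicKey), clientKey, nil)
	// Step 7: server recovers the key with its own private key; both sides now share it.
	serverView, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, encKey, nil)
	return clientKey, serverView, err
}
```

Two failure modes from the text are worth exercising: a well-formed client certificate that is not in the server's preset library is refused at step 4, and a server the client does not trust is refused at step 3, before any client credential is sent.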
The above embodiment expresses only one specific implementation of the present invention, and its description is relatively specific and detailed, but it must not therefore be interpreted as limiting the scope of the patent of the present invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the invention, and these all fall within the scope of protection of the present invention.
Claims (1)
1. An HTTPS mutual authentication method based on a TEE, characterized in that it comprises the following steps:
Step 1: the client private key is stored in the client's trusted execution environment (TEE), and the client certificate is preset at the server end.
Step 2: the client sends an SSL version information request to the server end; the server end receives the request and returns the SSL version and the server certificate to the client.
Step 3: the client receives the server certificate and verifies its validity and legitimacy against its trust library; if verification passes, the client sends its client certificate and all symmetric encryption schemes it supports to the server end.
Step 4: the server end verifies the validity and legitimacy of the client certificate and matches the client certificate against its preset library; if the match succeeds, the server end selects the symmetric encryption scheme with the highest encryption level, encrypts it using the client certificate and transmits it to the client.
Step 5: the client receives the data, decrypts it using the client private key stored in the trusted execution environment (TEE), and obtains the symmetric encryption scheme selected by the server end.
Step 6: the client generates a random number as the key of the symmetric encryption scheme, encrypts this symmetric key using the server certificate and sends it to the server end.
Step 7: after the server end receives the data, it decrypts it using the server end private key to obtain the symmetric encryption key; data interaction then proceeds with this key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910941907.0A CN110519304A (en) | 2019-09-30 | 2019-09-30 | HTTPS mutual authentication method based on TEE |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910941907.0A CN110519304A (en) | 2019-09-30 | 2019-09-30 | HTTPS mutual authentication method based on TEE |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110519304A (en) | 2019-11-29 |
Family
ID=68633194
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910941907.0A Pending CN110519304A (en) | 2019-09-30 | 2019-09-30 | HTTPS mutual authentication method based on TEE |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110519304A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111130799A (en) * | 2019-12-25 | 2020-05-08 | 上海沄界信息科技有限公司 | Method and system for HTTPS protocol transmission based on TEE |
CN113242239A (en) * | 2021-05-10 | 2021-08-10 | 广州欢网科技有限责任公司 | Method, device and system for realizing https bidirectional authentication |
CN113301016A (en) * | 2021-04-16 | 2021-08-24 | 航天信息股份有限公司 | Method, device and system for realizing https bidirectional verification |
CN113328980A (en) * | 2020-02-29 | 2021-08-31 | 杭州迪普科技股份有限公司 | TLS authentication method, device and system, electronic equipment and readable medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107426174A (en) * | 2017-06-09 | 2017-12-01 | 武汉果核科技有限公司 | A kind of access control system and method for credible performing environment |
US20180048643A1 (en) * | 2014-12-22 | 2018-02-15 | Mcafee, Inc. | Trust establishment between a trusted execution environment and peripheral devices |
CN108418812A (en) * | 2018-02-12 | 2018-08-17 | 北京豆荚科技有限公司 | A kind of intelligent terminal security message method of servicing based on credible performing environment |
CN109547451A (en) * | 2018-11-30 | 2019-03-29 | 四川长虹电器股份有限公司 | The method of authentic authentication service authentication based on TEE |
CN109600392A (en) * | 2019-01-15 | 2019-04-09 | 四川虹微技术有限公司 | A kind of method and device for preventing information from distorting |
2019
- 2019-09-30: CN application CN201910941907.0A, publication CN110519304A (en), status active, Pending
Non-Patent Citations (2)
Title |
---|
Yang Bo et al.: "A TrustZone-based secure access scheme for trusted mobile terminal cloud services", Journal of Software (软件学报) * |
Wang Tao: "Introduction to mobile crawler tools and methods", cnblogs (博客园, Baidu cache) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111130799A (en) * | 2019-12-25 | 2020-05-08 | 上海沄界信息科技有限公司 | Method and system for HTTPS protocol transmission based on TEE |
CN111130799B (en) * | 2019-12-25 | 2022-06-14 | 上海沄界信息科技有限公司 | Method and system for HTTPS protocol transmission based on TEE |
CN113328980A (en) * | 2020-02-29 | 2021-08-31 | 杭州迪普科技股份有限公司 | TLS authentication method, device and system, electronic equipment and readable medium |
CN113328980B (en) * | 2020-02-29 | 2022-05-17 | 杭州迪普科技股份有限公司 | TLS authentication method, device and system, electronic equipment and readable medium |
CN113301016A (en) * | 2021-04-16 | 2021-08-24 | 航天信息股份有限公司 | Method, device and system for realizing https bidirectional verification |
CN113242239A (en) * | 2021-05-10 | 2021-08-10 | 广州欢网科技有限责任公司 | Method, device and system for realizing https bidirectional authentication |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11757662B2 (en) | Confidential authentication and provisioning | |
AU2011309758B2 (en) | Mobile handset identification and communication authentication | |
US9565180B2 (en) | Exchange of digital certificates in a client-proxy-server network configuration | |
US9231925B1 (en) | Network authentication method for secure electronic transactions | |
US8763097B2 (en) | System, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication | |
US8112787B2 (en) | System and method for securing a credential via user and server verification | |
US20170054707A1 (en) | Method and Apparatus for Trusted Authentication and Logon | |
KR101563828B1 (en) | Method and apparatus for trusted authentication and logon | |
US20080134311A1 (en) | Authentication delegation based on re-verification of cryptographic evidence | |
US20090240936A1 (en) | System and method for storing client-side certificate credentials | |
US7930542B2 (en) | MashSSL: a novel multi party authentication and key exchange mechanism based on SSL | |
CN110519304A (en) | HTTPS mutual authentication method based on TEE | |
WO2019085531A1 (en) | Method and device for network connection authentication | |
CN109672675B (en) | OAuth 2.0-based WEB authentication method of password service middleware | |
CN109525565B (en) | Defense method and system for short message interception attack | |
CN114553480B (en) | Cross-domain single sign-on method and device, electronic equipment and readable storage medium | |
CN107566393A (en) | A kind of dynamic rights checking system and method based on trust certificate | |
CN110572392A (en) | Identity authentication method based on HyperLegger network | |
JP2017139026A (en) | Method and apparatus for reliable authentication and logon | |
Yasin et al. | Enhancing anti-phishing by a robust multi-level authentication technique (EARMAT). | |
Chen et al. | SSL/TLS session-aware user authentication using a gaa bootstrapped key | |
JP2015111440A (en) | Method and apparatus for trusted authentication and log-on | |
Li et al. | Mobile Security Payment Solution Based on Encrypted SMS Verification Code | |
CN104901932A (en) | Secure login method based on CPK (Combined Public Key Cryptosystem) identity authentication technology | |
Nagasuresh et al. | Defense against Illegal Use of Single Sign on Mechanism for Distributed Network Services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20191129 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |