CN110519304A - HTTPS mutual authentication method based on TEE - Google Patents

HTTPS mutual authentication method based on TEE Download PDF

Info

Publication number
CN110519304A
CN110519304A CN201910941907.0A CN201910941907A CN110519304A CN 110519304 A CN110519304 A CN 110519304A CN 201910941907 A CN201910941907 A CN 201910941907A CN 110519304 A CN110519304 A CN 110519304A
Authority
CN
China
Prior art keywords
client
server
certificate
server end
tee
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910941907.0A
Other languages
Chinese (zh)
Inventor
杨国东
刘建敏
杨超
周强强
翟栋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Hongwei Technology Co Ltd
Original Assignee
Sichuan Hongwei Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Hongwei Technology Co Ltd filed Critical Sichuan Hongwei Technology Co Ltd
Priority to CN201910941907.0A priority Critical patent/CN110519304A/en
Publication of CN110519304A publication Critical patent/CN110519304A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of HTTPS mutual authentication method based on TEE, it include: the security feature using trusted end-user performing environment TEE, the private key information of client is stored in TEE environment, when carrying out HTTPS certification, server end needs preset client certificate;Client certificate server end first, after certification passes through, server end also needs Authentication Client, and the mode of symmetric cryptography is used to client certificate and is encrypted, it is decrypted in client TEE using private key, it can guarantee that mutual authentication is completely credible in this way, Malware can not be from intermediate counterfeit server either counterfeit client.The present invention can be with the security credential during effective solution https traffic.

Description

HTTPS mutual authentication method based on TEE
Technical field
The present invention relates to computer software and hardware information security technology area, especially a kind of HTTPS based on TEE is bis- To authentication method.
Background technique
Conventional certification is all unilateral authentication at present, it is ensured that the process of data transmission is the data of encryption, but this Kind of mode is also easy to counterfeit, has third party's Malware therefrom data intercept, to the counterfeit client of server, to client Counterfeit server can take intermediate clear data completely.So the business relatively high for security requirement, such as with The relevant business of finance, must just entirely prevent such situation.
Summary of the invention
To solve problems of the prior art, recognize the object of the present invention is to provide a kind of HTTPS based on TEE is two-way Card method, the present invention can be with the security credentials during effective solution https traffic.
To achieve the above object, the technical solution adopted by the present invention is that: a kind of HTTPS mutual authentication method based on TEE, The following steps are included:
Client private key is stored in the credible performing environment TEE of client by step 1, and client certificate is preset to clothes Business device end;
Step 2, client send the request of SSL version information to server end, and received server-side request returns to SSL editions This and server certificate are to client;
Step 3, client receive server certificate, are trusting inside library the validity of authentication server certificate and legal Property, it is verified, client certificate and supported all symmetric encryption schemes is issued into server end;
The validity and legitimacy of step 4, server end verifying client certificate, and client card is matched in preset library Book, if fitted through, the server end selection high symmetric encryption scheme of level of encryption is simultaneously added using client certificate It is close to be transmitted to client;
Step 5, client receive data, and the client private key stored below using credible performing environment TEE is to encryption Data are decrypted, and obtain the symmetric encryption scheme of server end selection;
Step 6, client generate key of the random number code as symmetric encryption scheme, and using server certificate to symmetrical Key is encrypted, and server end is sent to;
After step 7, received server-side to data, data are decrypted using server end private key, obtain symmetrically adding Close key carries out data interaction by this key.
The beneficial effects of the present invention are:
The present invention protects the certification of server end and client, can effectively prevent secret number in verification process It is intercepted according to by third-party application;Entire identifying procedure is all placed on the credible performing environment in the side TEE, it is ensured that the safety of private data Property and keep verification process stability;HTTPS authentication mode of the invention is not limited only to the certification of client and server Service, also can be applied to all authentication services end to end, prevent any verification process of HTTPS end to end by other the Tripartite's application attack is either distorted, and terminal includes all mobile devices.
Detailed description of the invention
Fig. 1 is the two-way authentication flow diagram of the embodiment of the present invention.
Specific embodiment
The embodiment of the present invention is described in detail with reference to the accompanying drawing.
Embodiment
As shown in Figure 1, a kind of HTTPS mutual authentication method based on TEE, comprising the following steps:
Client private key is stored in the credible performing environment TEE of client by step 1, and client certificate is preset to clothes Business device end, preset mode are unlimited;
Step 2, client send the request of SSL version information to server end, and received server-side request returns to SSL editions This and server certificate are to client;
Step 3, client receive server certificate, are trusting inside library the validity of authentication server certificate and legal Property, it is verified, client certificate and supported all symmetric encryption schemes is issued into server end;
The validity and legitimacy of step 4, server end verifying client certificate, and client card is matched in preset library Book, if fitted through, the server end selection high symmetric encryption scheme of level of encryption is simultaneously added using client certificate It is close to be transmitted to client;
Step 5, client receive data, and the client private key stored below using credible performing environment TEE is to encryption Data are decrypted, and obtain the symmetric encryption scheme of server end selection;
Step 6, client generate key of the random number code as symmetric encryption scheme, and using server certificate to symmetrical Key is encrypted, and server end is sent to;
After step 7, received server-side to data, data are decrypted using server end private key, obtain symmetrically adding Close key carries out data interaction by this key.
HTTPS two-way authentication to this client and server end has all been completed, including client certificate server end, Server-side certificate client negotiates the key of key symmetric cryptography after the completion of certification, server end is in Authentication Client The validity of client certificate must be verified, but also client certificate must be matched inside library trusting, otherwise authentication failed; The private key of client is stored in inside the credible performing environment of TEE, is prevented key from losing, is prevented client counterfeit by other clients It can completely guarantee the safety of private key.,
Using two-way authentication, server-side certificate client need to match the certificate trusted in library, just recognize after fitting through Card passes through, and guarantees the client only crossed by server authentication just accessible server;TEE is credible, and performing environment is mainly used The private key information of client is protected, during HTTPS two-way authentication, server needs whether Authentication Client is legal is No credible, certification passes through the negotiation that can just carry out subsequent symmetric key.
A specific embodiment of the invention above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously Limitations on the scope of the patent of the present invention therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art For, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to guarantor of the invention Protect range.

Claims (1)

1. a kind of HTTPS mutual authentication method based on TEE, which comprises the following steps:
Client private key is stored in the credible performing environment TEE of client by step 1, and client certificate is preset to server End;
Step 2, client send the request of SSL version information to server end, received server-side request, return SSL version and Server certificate is to client;
Step 3, client receive server certificate, the validity and legitimacy of authentication server certificate inside trust library, It is verified, client certificate and supported all symmetric encryption schemes is issued into server end;
The validity and legitimacy of step 4, server end verifying client certificate, and client certificate is matched in preset library, If fitted through, the high symmetric encryption scheme of server end selection level of encryption is simultaneously encrypted biography using client certificate To client;
Step 5, client receive data, and the client private key stored below using credible performing environment TEE is to encryption data It is decrypted, obtains the symmetric encryption scheme of server end selection;
Step 6, client generate key of the random number code as symmetric encryption scheme, and using server certificate to symmetric key It is encrypted, is sent to server end;
After step 7, received server-side to data, data are decrypted using server end private key, obtain symmetric cryptography Key carries out data interaction by this key.
CN201910941907.0A 2019-09-30 2019-09-30 HTTPS mutual authentication method based on TEE Pending CN110519304A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910941907.0A CN110519304A (en) 2019-09-30 2019-09-30 HTTPS mutual authentication method based on TEE

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910941907.0A CN110519304A (en) 2019-09-30 2019-09-30 HTTPS mutual authentication method based on TEE

Publications (1)

Publication Number Publication Date
CN110519304A true CN110519304A (en) 2019-11-29

Family

ID=68633194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910941907.0A Pending CN110519304A (en) 2019-09-30 2019-09-30 HTTPS mutual authentication method based on TEE

Country Status (1)

Country Link
CN (1) CN110519304A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111130799A (en) * 2019-12-25 2020-05-08 上海沄界信息科技有限公司 Method and system for HTTPS protocol transmission based on TEE
CN113242239A (en) * 2021-05-10 2021-08-10 广州欢网科技有限责任公司 Method, device and system for realizing https bidirectional authentication
CN113301016A (en) * 2021-04-16 2021-08-24 航天信息股份有限公司 Method, device and system for realizing https bidirectional verification
CN113328980A (en) * 2020-02-29 2021-08-31 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426174A (en) * 2017-06-09 2017-12-01 武汉果核科技有限公司 A kind of access control system and method for credible performing environment
US20180048643A1 (en) * 2014-12-22 2018-02-15 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
CN108418812A (en) * 2018-02-12 2018-08-17 北京豆荚科技有限公司 A kind of intelligent terminal security message method of servicing based on credible performing environment
CN109547451A (en) * 2018-11-30 2019-03-29 四川长虹电器股份有限公司 The method of authentic authentication service authentication based on TEE
CN109600392A (en) * 2019-01-15 2019-04-09 四川虹微技术有限公司 A kind of method and device for preventing information from distorting

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180048643A1 (en) * 2014-12-22 2018-02-15 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
CN107426174A (en) * 2017-06-09 2017-12-01 武汉果核科技有限公司 A kind of access control system and method for credible performing environment
CN108418812A (en) * 2018-02-12 2018-08-17 北京豆荚科技有限公司 A kind of intelligent terminal security message method of servicing based on credible performing environment
CN109547451A (en) * 2018-11-30 2019-03-29 四川长虹电器股份有限公司 The method of authentic authentication service authentication based on TEE
CN109600392A (en) * 2019-01-15 2019-04-09 四川虹微技术有限公司 A kind of method and device for preventing information from distorting

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杨波等: "《基于TrustZone的可信移动终端云服务安全接入方案》", 《软件学报》 *
王涛: "《移动端爬虫工具与方法介绍》", 《博客园-百度快照》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111130799A (en) * 2019-12-25 2020-05-08 上海沄界信息科技有限公司 Method and system for HTTPS protocol transmission based on TEE
CN111130799B (en) * 2019-12-25 2022-06-14 上海沄界信息科技有限公司 Method and system for HTTPS protocol transmission based on TEE
CN113328980A (en) * 2020-02-29 2021-08-31 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium
CN113328980B (en) * 2020-02-29 2022-05-17 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium
CN113301016A (en) * 2021-04-16 2021-08-24 航天信息股份有限公司 Method, device and system for realizing https bidirectional verification
CN113242239A (en) * 2021-05-10 2021-08-10 广州欢网科技有限责任公司 Method, device and system for realizing https bidirectional authentication

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
AU2011309758B2 (en) Mobile handset identification and communication authentication
US9565180B2 (en) Exchange of digital certificates in a client-proxy-server network configuration
US9231925B1 (en) Network authentication method for secure electronic transactions
US8763097B2 (en) System, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication
US8112787B2 (en) System and method for securing a credential via user and server verification
US20170054707A1 (en) Method and Apparatus for Trusted Authentication and Logon
KR101563828B1 (en) Method and apparatus for trusted authentication and logon
US20080134311A1 (en) Authentication delegation based on re-verification of cryptographic evidence
US20090240936A1 (en) System and method for storing client-side certificate credentials
US7930542B2 (en) MashSSL: a novel multi party authentication and key exchange mechanism based on SSL
CN110519304A (en) HTTPS mutual authentication method based on TEE
WO2019085531A1 (en) Method and device for network connection authentication
CN109672675B (en) OAuth 2.0-based WEB authentication method of password service middleware
CN109525565B (en) Defense method and system for short message interception attack
CN114553480B (en) Cross-domain single sign-on method and device, electronic equipment and readable storage medium
CN107566393A (en) A kind of dynamic rights checking system and method based on trust certificate
CN110572392A (en) Identity authentication method based on HyperLegger network
JP2017139026A (en) Method and apparatus for reliable authentication and logon
Yasin et al. Enhancing anti-phishing by a robust multi-level authentication technique (EARMAT).
Chen et al. SSL/TLS session-aware user authentication using a gaa bootstrapped key
JP2015111440A (en) Method and apparatus for trusted authentication and log-on
Li et al. Mobile Security Payment Solution Based on Encrypted SMS Verification Code
CN104901932A (en) Secure login method based on CPK (Combined Public Key Cryptosystem) identity authentication technology
Nagasuresh et al. Defense against Illegal Use of Single Sign on Mechanism for Distributed Network Services

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20191129