CN110690969B - Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation - Google Patents

Publication number
CN110690969B
Authority
CN
China
Legal status
Active
Application number
CN201810736473.6A
Other languages
Chinese (zh)
Other versions
CN110690969A (en
Inventor
胡进
张庆勇
Current Assignee
WUHAN ARGUSEC TECHNOLOGY CO LTD
Beijing Infosec Technologies Co Ltd
Original Assignee
WUHAN ARGUSEC TECHNOLOGY CO LTD
Beijing Infosec Technologies Co Ltd
Application filed by WUHAN ARGUSEC TECHNOLOGY CO LTD, Beijing Infosec Technologies Co Ltd
Priority to CN201810736473.6A
Publication of CN110690969A
Application granted
Publication of CN110690969B

Classifications

    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Abstract

The invention discloses a method for completing bidirectional SSL/TLS authentication through multiparty cooperation, comprising the following steps: a first client establishes a communication connection with a server, sends a handshake request to the server, and waits for response information from the server; the first client performs a hash operation on all information, taken as the signature original text, from the sending of the handshake request to the receipt of the response information to obtain a hash value; when the type of cipher algorithm to be used by the first client is the RSA cipher algorithm, the first client sends the hash value to a second client; and the second client digitally signs the hash value or the signature original text from the first client using its own first private key to generate first signature information. The invention solves the technical problems of the existing method: lower security because an SSL/TLS client generates the client handshake identity signature information on its own, and high user cost and complexity of use because professional hardware security equipment is required.

Description

Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation
Technical Field
The invention belongs to the field of information security, and in particular relates to a method and a system for achieving bidirectional SSL/TLS authentication through multiparty cooperation.
Background
The Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are security protocols that provide security and data integrity for network communications. The SSL/TLS protocol uses both public key encryption and symmetric encryption techniques; symmetric encryption is faster than public key encryption, while public key encryption provides better authentication.
The identity authentication of the SSL/TLS protocol has two modes: one-way authentication and two-way authentication. In the one-way authentication protocol, only the client authenticates the server; in the two-way authentication protocol, in addition to the client authenticating the server, the server also authenticates the client. That is, after the server sends certificate request information to the client, the client returns its digital certificate to the server together with digitally signed identity signature information, which the server uses to authenticate the identity of the client.
However, the existing bidirectional authentication method based on the SSL/TLS protocol has the following technical problems:
First, the client identity signature information is generated entirely and independently by a single party, so security is low;
Second, the private key corresponding to the client digital certificate is generated and stored independently by the client and is easily stolen by a hacker. To ensure the security of the private key, it is conventional in the industry to use special hardware security devices (such as smart cards, U-shields, smart key devices, SSL/TLS gateways, etc.) to store and protect the private key, but this requires users to purchase such hardware security devices in order to use the digital certificate, which increases both the cost and the complexity of use for users.
Disclosure of Invention
In view of the defects of, or the demands for improvement on, the prior art, the invention provides a method and a system for completing bidirectional SSL/TLS authentication through multiparty cooperation. It aims to solve the technical problems of the existing method: lower security because an SSL/TLS client generates the client handshake identity signature information on its own, and high user cost and complexity of use because professional hardware security equipment is required.
To achieve the above object, according to one aspect of the present invention, there is provided a method for multi-party cooperative completion of bidirectional SSL/TLS authentication, comprising the steps of:
(1) The first client establishes a communication connection with the server, sends a handshake request to the server, and waits for response information from the server;
(2) The first client hashes all information, taken as the signature original text, from the sending of the handshake request to the receipt of the response information to obtain a hash value;
(3) The first client determines whether the type of cryptographic algorithm to be used is the RSA cryptographic algorithm or an elliptic curve cryptographic algorithm; if it is the RSA cryptographic algorithm, the first client sends the hash value obtained in step (2) directly to the second client and then proceeds to step (5); if it is an elliptic curve cryptographic algorithm, the method proceeds to step (4);
(4) The first client sends the signature original text to the second client;
(5) The second client digitally signs the hash value or the signature original text from the first client using its own first private key to generate first signature information, and sends the first signature information to the first client;
(6) The first client processes the first signature information using its own second private key to generate complete signature information, and sends the complete signature information to the server;
(7) The first client generates a cipher specification change message and sends it, together with a handshake end message, to the server, wherein the cipher specification change message includes the hash algorithm, signature algorithm and encryption algorithm to be used subsequently;
(8) The server sends a cipher specification change response message and a handshake end message to the first client.
Preferably, after step (4) and before step (5), the method further comprises: the second client performs an authentication operation on the first private key; if the authentication passes, the method proceeds to step (5), otherwise the process ends. The authentication information used in the authentication operation comprises static password data of the second client, and/or its physiological characteristic data, and/or its behavioral characteristic data.
Preferably, after step (5) and before step (6), the method further comprises: the first client verifies the authorization verification information of the second private key; if the verification passes, the method proceeds to the next step, otherwise the process ends. The authorization verification information comprises static password data of the first client, and/or its physiological characteristic data, and/or its behavioral characteristic data.
According to another aspect of the present invention, there is provided a method for multi-party cooperative completion of bidirectional SSL/TLS authentication, comprising the steps of:
(1) The client establishes a communication connection with the server, sends a handshake request to the server, and waits for response information from the server;
(2) The client hashes all information, taken as the signature original text, from the sending of the handshake request to the receipt of the response information to obtain a hash value;
(3) The client determines whether the type of cryptographic algorithm to be used is the RSA cryptographic algorithm or an elliptic curve cryptographic algorithm; if it is the RSA cryptographic algorithm, the client sends the hash value obtained in step (2) directly to the server and then proceeds to step (5); if it is an elliptic curve cryptographic algorithm, the method proceeds to step (4);
(4) The client sends the signature original text to the server;
(5) The server digitally signs the hash value or the signature original text from the client using its own first private key to generate first signature information, and sends the first signature information to the client;
(6) The client processes the first signature information using its own second private key to generate complete signature information, and sends the complete signature information to the server;
(7) The client generates a cipher specification change message (Change cipher message) and sends it, together with a handshake end message, to the server, wherein the cipher specification change message includes the hash algorithm, signature algorithm and encryption algorithm to be used subsequently;
(8) The server sends a cipher specification change response message and a handshake end message to the client.
Preferably, the method further comprises the step of performing authentication operation on the first private key by the server after the step (4) and before the step (5), entering the step (5) if the authentication is passed, and ending the process otherwise.
Preferably, the method further comprises after step (5) and before step (6), the client verifying the authorization verification information of the second private key, if the verification is passed, proceeding to the next step, otherwise the process ends.
Preferably, the process of sending the handshake request to the server side is to first send a hello message to the server side, and wait for response information returned by the server side to the client side in response to the hello message, where the response information includes a certificate of the server side, a certificate request, and a hello completion message.
Preferably, the first private key is randomly generated and stored, or generated by executing a key derivation function, or directly imported and stored from outside; the second private key is randomly generated and stored, or generated by executing a key derivation function, or directly imported and stored from outside.
Preferably, the authentication information used in the authentication operation comprises static password data, and/or physiological characteristic data, and/or behavioral characteristic data; the authorization verification information comprises static password data, and/or physiological characteristic data, and/or behavioral characteristic data.
According to yet another aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program, characterized in that the program, when executed by a processor, implements the steps of the above-described method of multiparty collaboration completion of bi-directional SSL/TLS authentication.
In general, the above technical solutions conceived by the present invention, compared with the prior art, enable the following beneficial effects to be obtained:
1. The invention disperses the complete private key representing the identity of the client into two independent private keys that are generated and stored by two separate parties, and neither party can synthesize the complete private key of the client on its own. This protects the private key of the client: even if the key of one party is stolen by a hacker, the hacker cannot recover the complete key, which increases the security of bidirectional SSL/TLS authentication;
2. Because two parties take part in generating the client identity signature information at the same time, the two dispersed keys of the client take part in the computation only when the required conditions are met, each producing partial identity signature information, and neither party can generate the complete identity signature information on its own, which further ensures the security of bidirectional SSL/TLS authentication;
3. Because the private key of the client is stored in dispersed form, no additional special hardware security equipment is needed to store the private key, which reduces the cost and complexity of use for users.
Drawings
Fig. 1 is an application environment diagram of a method of multi-party cooperative completion of bidirectional SSL/TLS authentication according to a first embodiment of the present invention.
Fig. 2 is a flowchart of a method for multi-party collaboration to accomplish two-way SSL/TLS authentication according to a first embodiment of the present invention.
Fig. 3 is an application environment diagram of a method of multi-party cooperative completion of bidirectional SSL/TLS authentication according to a second embodiment of the present invention.
Fig. 4 is a flowchart of a method for multi-party collaboration to accomplish two-way SSL/TLS authentication according to a second embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in fig. 1, the method for achieving bidirectional SSL/TLS authentication by multiparty collaboration according to the present invention is applied to a secure communication system including a first client, a second client, and a server, where the first client and the second client may be client programs or client devices, and the server may be a server program or a server device.
As shown in fig. 2, the method for multi-party cooperative completion of bidirectional SSL/TLS authentication according to the first embodiment of the present invention includes the steps of:
(1) The first client establishes a communication connection with the server, sends a handshake request to the server, and waits for response information from the server;
Specifically, to send the handshake request, the first client first sends a hello message to the server and waits for the response information that the server returns to the client in response to the hello message, wherein the response information includes, but is not limited to, a certificate of the server, a certificate request, and a hello completion message;
(2) The first client hashes all information, taken as the signature original text, from the sending of the handshake request to the receipt of the response information to obtain a hash value H.
Specifically, the hash algorithm employed in this step is a hash algorithm specified by the first client.
(3) The first client determines whether the type of cipher algorithm to be used is the RSA cipher algorithm (such as RSA_SHA1, RSA_SM3 and the like) or an elliptic curve cipher algorithm; if it is the RSA cipher algorithm, the first client sends the hash value H obtained in step (2) directly to the second client and then proceeds to step (5); if it is an elliptic curve cipher algorithm, the method proceeds to step (4);
(4) The first client sends the signature original text to the second client;
(5) The second client digitally signs the hash value H or the signature original text from the first client using its own first private key d1 to generate first signature information S1, and sends the first signature information S1 to the first client.
Specifically, the first private key d1 of the second client may be randomly generated and stored by the second client, generated by the second client by executing a key derivation function, or imported directly from outside and stored by the second client.
It should be noted that, in this step, the process of digitally signing the signature original text using the private key to generate the first signature information is disclosed in the applicant's application No. 201611194899.0, entitled "a method for cooperatively generating a digital signature by a client and a server", and is not described again here.
In addition, the process of digitally signing the hash value H using the private key to generate the first signature information is described in detail in section 2.1 on page 3 of the paper "A method for fast revocation of public key certificates and security capabilities" published by Dan Boneh et al., and is not described again here.
(6) The first client processes the first signature information S1 using its own second private key d2 to generate complete signature information S, and sends the complete signature information S to the server.
Specifically, the second private key d2 of the first client may be randomly generated and stored by the first client, generated by the first client by executing a key derivation function, or imported directly from outside and stored by the first client.
It should be noted that, if the first signature information was generated from the signature original text, the process in this step of processing the first signature information using the private key to generate the complete signature information is disclosed in the applicant's application No. 201611194899.0, entitled "a method for cooperatively generating a digital signature by a client and a server", and is not described again here.
In addition, if the first signature information was generated from the hash value, the process in this step of processing the first signature information using the private key to generate the complete signature information is disclosed in detail in section 2.1 on page 3 of the paper "A method for fast revocation of public key certificates and security capabilities" published by Dan Boneh et al., and is not described again here.
(7) The first client generates a cipher specification change message (Change cipher message) and sends it, together with a handshake end message, to the server, wherein the cipher specification change message includes the hash algorithm, signature algorithm and encryption algorithm to be used subsequently;
(8) The server sends a cipher specification change response message and a handshake end message to the first client.
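The RSA branch of steps (2), (5) and (6), which applies equally when the server holds d1 as in the second aspect, can be worked through as below; this is an added example, not code from the patent or its applicants. The page defers the arithmetic to the cited Boneh et al. paper, so the additive split d = d1 + d2 mod φ(n), the PKCS #1 v1.5 encoding, the toy modulus, all class and function names, and the handshake bytes are assumptions made here.

```python
import hashlib
import secrets

# Toy modulus from two Mersenne primes so the example runs offline without a
# key generator. Constructed for demonstration; never use such primes for keys.
P, Q = 2**521 - 1, 2**607 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
# Full private exponent. The demo derives the shares from it in one place for
# brevity; the page has each party generate and store its own key.
D = pow(E, -1, PHI)
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (PKCS #1 v1.5); the encoding is an assumption.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def split_private_exponent(d, phi):
    """Additive split (assumed, as in mediated RSA): d = d1 + d2 mod phi."""
    d1 = secrets.randbelow(phi - 1) + 1
    d2 = (d - d1) % phi
    return d1, d2


def transcript_hash(handshake_messages):
    """Step (2): hash every handshake message exchanged so far to get H."""
    h = hashlib.sha256()
    for msg in handshake_messages:
        h.update(msg)
    return h.digest()


def encode_for_signing(digest):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest, as an integer below N."""
    t = SHA256_PREFIX + digest
    padding = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + t, "big")


class SecondClient:
    """Holds only d1 and produces the first signature information S1, step (5)."""

    def __init__(self, d1):
        self._d1 = d1

    def partial_sign(self, digest):
        return pow(encode_for_signing(digest), self._d1, N)


class FirstClient:
    """Holds only d2 and turns S1 into the complete signature S, step (6)."""

    def __init__(self, d2):
        self._d2 = d2

    def complete_signature(self, digest, s1):
        own_part = pow(encode_for_signing(digest), self._d2, N)
        return (s1 * own_part) % N


def server_verify(digest, signature):
    """Ordinary RSA verification with the public key from the client certificate."""
    return pow(signature, E, N) == encode_for_signing(digest)


def run_demo():
    d1, d2 = split_private_exponent(D, PHI)
    second, first = SecondClient(d1), FirstClient(d2)
    # Constructed stand-ins for the real handshake records.
    messages = [b"ClientHello(constructed)", b"ServerHello(constructed)",
                b"Certificate(constructed)", b"CertificateRequest(constructed)",
                b"ServerHelloDone(constructed)"]
    h = transcript_hash(messages)
    s1 = second.partial_sign(h)             # step (5)
    s = first.complete_signature(h, s1)     # step (6)
    return {
        "complete_ok": server_verify(h, s),
        "partial_alone_ok": server_verify(h, s1),
        "matches_single_key": s == pow(encode_for_signing(h), D, N),
        "other_transcript_ok": server_verify(transcript_hash(messages[:-1]), s),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The server verifies S exactly as it would a single-key signature, so the split is invisible to it, while S1 on its own fails verification and S is bound to the exact handshake transcript.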
As a further improvement of the present invention, the method may further comprise the following step after the above step (4) and before step (5):
The second client performs an authentication operation on the first private key d1; if the authentication passes, the method proceeds to step (5), otherwise the process ends.
The authentication information used in the authentication operation of this step comprises static password data of the second client, and/or its physiological characteristic data, and/or its behavioral characteristic data. The static password data is obtained by storing the static password data recorded for the private key, and the physiological characteristic data and behavioral characteristic data are obtained by collecting them from the user of the private key.
As a further improvement of the present invention, the method may further comprise the following step after the above step (5) and before step (6):
The first client verifies the authorization verification information of the second private key d2; if the verification passes, the method proceeds to the next step, otherwise the process ends.
The authorization verification information comprises static password data of the first client, and/or its physiological characteristic data, and/or its behavioral characteristic data. The static password data is obtained by storing the static password data recorded for the key, and the physiological characteristic data and behavioral characteristic data are obtained by collecting them from the user of the key.
As shown in fig. 3, the method for achieving bidirectional SSL/TLS authentication by multiparty collaboration according to the present invention is applied to a secure communication system including a client and a server, where the client may be a client program or a client device, and the server may be a server program or a server device.
As shown in fig. 4, the method for multi-party cooperative completion of bidirectional SSL/TLS authentication according to the second embodiment of the present invention includes the steps of:
(1) The client establishes communication connection with the server, sends a handshake request to the server, and waits for response information from the server;
specifically, the process of sending the handshake request to the server side includes that the client side firstly sends hello information to the server side, and waits for response information returned to the client side by the server side in response to the hello information, wherein the response information includes, but is not limited to, a certificate of the server side, a certificate request and hello completion information;
(2) The client hashes all information as signature originals from the beginning of sending the handshake request to the receipt of the response information to obtain a hash value H.
Specifically, the hash algorithm employed in this step is a client-specified hash algorithm.
(3) The client judges whether the type of the cryptographic algorithm to be used is an RSA cryptographic algorithm (such as RSA_SHA1, RSA_SM3 and the like) or an elliptic curve cryptographic algorithm, if the cryptographic algorithm is the RSA cryptographic algorithm, the hash value H obtained in the step (2) is directly sent to the server, then the step (5) is entered, and if the cryptographic algorithm is the elliptic curve cryptographic algorithm, the step (4) is entered;
(4) The client sends the signature original text to the server;
(5) The server uses its own first private key d1 to digitally sign the hash value H or the signature original text from the client, generating first signature information S1, and sends the first signature information S1 to the client.
Specifically, the first private key d1 of the server may be randomly generated and stored by the server, generated by the server by executing a key derivation function, or imported directly from outside and stored by the server.
It should be noted that, in this step, the process of digitally signing the signature original text with the private key to generate the first signature information is disclosed in the applicant's application No. 201611194899.0, entitled "a method for cooperatively generating a digital signature by the client and the server", and is not described again here.
In addition, the process of digitally signing the hash value H with the private key to generate the first signature information is described in detail in section 2.1 on page 3 of the paper "A method for fast revocation of public key certificates and security capabilities" published by Dan Boneh et al., and is not described in detail here.
(6) The client uses its own second private key d2 to process the first signature information S1, generating complete signature information S, and sends the complete signature information S to the server.
Specifically, the second private key d2 of the client may be randomly generated and stored by the client, generated by the client by executing a key derivation function, or imported directly from outside and stored by the client.
It should be noted that, if the first signature information was generated from the signature original text, the process in this step of processing the first signature information with the private key to generate the complete signature information is disclosed in the applicant's application No. 201611194899.0, entitled "a method for cooperatively generating a digital signature by the client and the server", and is not described again here.
In addition, if the first signature information was generated from the hash value, the process in this step of processing the first signature information with the private key to generate the complete signature information is disclosed in detail in section 2.1 on page 3 of the paper "A method for fast revocation of public key certificates and security capabilities" published by Dan Boneh et al., and is not described in detail here.
(7) The client generates a cipher specification change message (Change cipher message) and sends the cipher specification change message and a handshake ending message to the server, wherein the cipher specification change message comprises the hash algorithm, signature algorithm and encryption algorithm to be used subsequently;
(8) The server sends a cipher specification change response message and a handshake ending message to the client.
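The RSA branch of steps (2), (5) and (6) can be followed end to end in the sketch below, which is an added example and not code from the patent or the cited paper. It assumes the additive key split of mediated RSA (d1 + d2 = d mod φ(n)); the toy primes, the unpadded hash, the function names and the transcript bytes are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # full private exponent, needed only when the key is split

def split_key(d, phi):
    """Assumed additive split: d1 + d2 = d (mod phi); d1 -> server, d2 -> client."""
    d1 = secrets.randbelow(phi - 1) + 1
    return d1, (d - d1) % phi

def transcript_hash(messages):
    """Step (2): hash everything from the handshake request to the response."""
    digest = hashlib.sha256(b"".join(messages)).digest()
    return int.from_bytes(digest, "big") % N  # toy reduction, no padding scheme

def server_partial(h, d1):
    """Step (5): the server signs H with its share d1 and returns S1."""
    return pow(h, d1, N)

def client_complete(s1, h, d2):
    """Step (6): the client folds its own share d2 into S1 to obtain S."""
    return (s1 * pow(h, d2, N)) % N

def verify(sig, h):
    """Ordinary RSA verification with the public key (N, E)."""
    return pow(sig, E, N) == h

# Constructed handshake transcript (placeholder bytes, not real TLS records).
TRANSCRIPT = [b"ClientHello", b"ServerHello", b"Certificate",
              b"CertificateRequest", b"ServerHelloDone"]

def run_handshake_signature():
    """Run steps (2), (5) and (6) once and return (H, S1, S)."""
    d1, d2 = split_key(D, PHI)
    h = transcript_hash(TRANSCRIPT)
    s1 = server_partial(h, d1)
    return h, s1, client_complete(s1, h, d2)

if __name__ == "__main__":
    h, s1, s = run_handshake_signature()
    print("S1 alone verifies:", verify(s1, h))
    print("S verifies:", verify(s, h))
    print("S equals the single-key signature:", s == pow(h, D, N))
```

The combined value S is identical to the signature the undivided key would produce, so the verifier needs no changes, while S1 on its own fails verification and neither share holder can sign alone.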
As a further improvement of the present invention, the method of the present invention may further comprise the following steps after the above step (4) and before step (5):
The server performs an authentication operation on the first private key d1; if the authentication passes, the process proceeds to step (5), otherwise the process ends.
The authentication information used in this authentication operation comprises static password data of the second client and/or physiological characteristic data and/or behavioral characteristic data of the second client; the static password data is obtained by storing the static password data recorded for the private key, and the physiological characteristic data and the behavioral characteristic data are obtained by collecting the physiological characteristic data and the behavioral characteristic data of the private key user.
As a further improvement of the present invention, the method of the present invention may further comprise the following steps after the above step (5) and before the step (6):
The client verifies the authorization verification information of the second private key d2; if the verification passes, the process proceeds to the next step, otherwise the process ends.
The authorization verification information comprises static password data of the client and/or physiological characteristic data and/or behavioral characteristic data of the client; the static password data is obtained by storing the static password data recorded for the key, and the physiological characteristic data and the behavioral characteristic data are obtained by collecting the physiological characteristic data and the behavioral characteristic data of the key user.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (6)

1. A method for achieving bidirectional SSL/TLS authentication through multiparty cooperation, characterized by comprising the following steps:
(1) A first client establishes a communication connection with a server, sends a handshake request to the server, and waits for response information from the server;
(2) The first client takes all information from the start of sending the handshake request to the receipt of the response information as the signature original text and performs a hash operation on it to obtain a hash value;
(3) The first client determines whether the cryptographic algorithm to be used is an RSA cryptographic algorithm or an elliptic curve cryptographic algorithm; if it is an RSA cryptographic algorithm, the hash value obtained in step (2) is sent directly to the second client and the process proceeds to step (5), and if it is an elliptic curve cryptographic algorithm, the process proceeds to step (4);
(4) The first client sends the signature original text to the second client;
(5) The second client digitally signs the hash value or signature original from the first client by using the first private key of the second client to generate first signature information, and sends the first signature information to the first client;
(6) The first client processes the first signature information by using a second private key of the first client to generate complete signature information, and sends the complete signature information to the server;
(7) The first client generates a cipher specification change message and sends the cipher specification change message and a handshake ending message to the server, wherein the cipher specification change message comprises the hash algorithm, signature algorithm and encryption algorithm to be used subsequently;
(8) The server sends a cipher specification change response message and a handshake ending message to the first client.
2. The method according to claim 1, further comprising, after step (4) and before step (5), the second client performing an authentication operation on the first private key, if the authentication is passed, proceeding to step (5), otherwise the process ends, wherein the authentication information used in the authentication operation comprises static cryptographic data of the second client, and/or physiological characteristic data thereof, and/or behavioral characteristic data thereof.
3. The method according to claim 1, further comprising after step (5), before step (6), the first client verifying authorization verification information of the second private key, and if verification passes, proceeding to the next step, otherwise the process ends, wherein the authorization verification information comprises static cryptographic data of the first client, and/or physiological characteristic data thereof, and/or behavioral characteristic data thereof.
4. The method of claim 1, wherein sending a handshake request to the server comprises first sending a hello message to the server and waiting for response information returned by the server to the client in response to the hello message, the response information including a certificate of the server, a certificate request, and a hello complete message.
5. A method according to any one of claims 1 to 4, wherein
the first private key is randomly generated and stored, or is generated by executing a key derivation function, or is directly imported and stored from the outside;
the second private key is randomly generated and stored, or is generated by executing a key derivation function, or is directly imported and stored from the outside.
6. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method of multiparty cooperative achievement of bi-directional SSL/TLS authentication according to any of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810736473.6A CN110690969B (en) 2018-07-06 2018-07-06 Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation

Publications (2)

Publication Number Publication Date
CN110690969A CN110690969A (en) 2020-01-14
CN110690969B true CN110690969B (en) 2023-06-16

Family

ID=69107188

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810736473.6A Active CN110690969B (en) 2018-07-06 2018-07-06 Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation

Country Status (1)

Country Link
CN (1) CN110690969B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995223A (en) * 2021-05-11 2021-06-18 深圳市安软科技股份有限公司 Streaming media transmission control method and device, electronic equipment and storage medium
CN113347010B (en) * 2021-08-05 2021-11-05 深圳市财富趋势科技股份有限公司 Mutual authentication method and system based on SSL-TLS protocol
CN113992702B (en) * 2021-09-16 2023-11-03 深圳市证通电子股份有限公司 Ceph distributed file system storage state password reinforcement method and system
CN115913672B (en) * 2022-11-02 2023-09-01 广州市南方人力资源评价中心有限公司 Electronic file encryption transmission method, system, terminal equipment and computer medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7181017B1 (en) * 2001-03-23 2007-02-20 David Felsher System and method for secure three-party communications
CN103118027A (en) * 2013-02-05 2013-05-22 中金金融认证中心有限公司 Transport layer security (TLS) channel constructing method based on cryptographic algorithm
CN103338215A (en) * 2013-07-26 2013-10-02 中金金融认证中心有限公司 Method for establishing TLS (Transport Layer Security) channel based on state secret algorithm
CN103581167A (en) * 2013-07-29 2014-02-12 华为技术有限公司 Security authentication method, equipment and system based on transport layer security protocol
CN104378374A (en) * 2014-11-14 2015-02-25 国家超级计算深圳中心(深圳云计算中心) SSL-based method and system for establishing communication
CN104618116A (en) * 2015-01-30 2015-05-13 北京数字认证股份有限公司 Collaborative digital signature system and method
CN106572109A (en) * 2016-11-08 2017-04-19 广东信鉴信息科技有限公司 Method for realizing encrypted communication based on TLS protocol and device
CN106685651A (en) * 2016-12-22 2017-05-17 北京信安世纪科技有限公司 Method for creating digital signatures by cooperation of client and server
CN107483212A (en) * 2017-08-15 2017-12-15 武汉信安珞珈科技有限公司 A kind of method of both sides' cooperation generation digital signature

Also Published As

Publication number Publication date
CN110690969A (en) 2020-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant