CN110730189A - Communication authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN110730189A
Authority
CN
China
Prior art keywords
authentication
client
certificate
identity
server
Legal status
Granted
Application number
CN201911013801.0A
Other languages
Chinese (zh)
Other versions
CN110730189B (en)
Inventor
张志良
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201911013801.0A
Publication of CN110730189A
Application granted
Publication of CN110730189B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application discloses a communication authentication method, a device, equipment and a storage medium, wherein the method comprises the following steps: receiving an HTTPS request initiated by a client; acquiring an authentication device certificate, wherein the authentication device certificate is generated according to a root certificate and an identity parameter of the server site carried in the HTTPS request; establishing an SSL connection with the client through the HTTPS request and the authentication device certificate; and returning an authentication page to the client based on the SSL connection. As no SSL connection with the server needs to be established and the identity parameters of the server site need not be acquired from the server site in the communication authentication process, the overall occupation of computing resources in the authentication process is relatively reduced, the jump speed of the authentication page when the client requests access to the server through HTTPS can be relatively ensured, and the overall efficiency of the communication authentication process is relatively ensured. In addition, the application also provides a communication authentication device, equipment and a storage medium, whose beneficial effects are as described above.

Description

Communication authentication method, device, equipment and storage medium
Technical Field
The present application relates to the field of network communications, and in particular, to a communication authentication method, apparatus, device, and storage medium.
Background
In some current scenarios, a server page on the internet only allows users with access rights to access it, and in order to authenticate the user identity of a client before the client accesses the page of the server, an authentication device is usually arranged between the client and the server; that is, the authentication device proxies the HTTPS request initiated by the client in order to jump to an authentication page. Since the authentication device needs to establish SSL connections with the client and with the server respectively, the performance requirement on the authentication device is very high, and the jump speed of the authentication page is affected when the client requests access to the server through HTTPS, which makes it difficult to ensure the overall efficiency of communication authentication.
Therefore, it is a problem to be solved by those skilled in the art to provide a communication authentication method to relatively ensure the overall efficiency of the communication authentication process.
Disclosure of Invention
The purpose of the application is to provide a communication authentication method, a communication authentication device and a storage medium, so as to relatively ensure the overall efficiency of a communication authentication process.
In order to solve the above technical problem, the present application provides a communication authentication method, including:
receiving an HTTPS request initiated by a client;
acquiring an authentication equipment certificate, wherein the authentication equipment certificate is generated according to a root certificate and an identity parameter of a server site carried in an HTTPS request;
establishing SSL connection with a client through an HTTPS request and an authentication device certificate;
an authentication page is returned to the client based on the SSL connection.
Preferably, the obtaining of the authentication device certificate comprises:
reading the identity parameters of the server sites carried in the HTTPS request, and acquiring a root certificate;
and adding the identity parameters to the target field of the root certificate to generate the certificate of the authentication equipment.
Preferably, obtaining the root certificate comprises:
obtaining a root certificate generated in a self-signed manner and pre-imported into the client; or
obtaining a root certificate applied for by the server site; or
obtaining a root certificate applied for by a server site other than the server site.
Preferably, before obtaining the authentication device certificate, the method further comprises:
judging whether the client side is not authenticated;
if the client has not been authenticated, the step of obtaining the authentication device certificate is performed.
Preferably, after determining whether the client has not been authenticated, the method further comprises:
if the client has been authenticated, the HTTPS request is redirected to the server site.
Preferably, after returning the authentication page to the client based on the SSL connection, the method further comprises:
acquiring identity authentication information transmitted by an authentication page;
judging whether the identity authentication information is matched with standard identity information, wherein the standard identity information is identity information of a user with communication authority;
if the authentication information matches the standard identity information, the HTTPS request is redirected to the server site.
Preferably, the identity parameter comprises a site domain name parameter.
In addition, the present application also provides a communication authentication apparatus including:
the request receiving module is used for receiving an HTTPS request initiated by a client;
the certificate acquisition module is used for acquiring an authentication equipment certificate, and the authentication equipment certificate is generated according to the root certificate and the identity parameters of the server site carried in the HTTPS request;
the connection establishing module is used for establishing SSL connection with the client through an HTTPS request and an authentication equipment certificate;
and the page returning module is used for returning the authentication page to the client based on the SSL connection.
In addition, the present application also provides a communication authentication apparatus, including:
a memory for storing a computer program;
a processor for implementing the steps of the communication authentication method as described above when executing the computer program.
Furthermore, the present application also provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, realizes the steps of the communication authentication method as described above.
According to the communication authentication method, after an HTTPS request initiated by a client is received, an authentication device certificate generated based on a root certificate and the identity parameters of the server site carried in the HTTPS request is obtained, an SSL connection is established with the client through the HTTPS request and the authentication device certificate, and an authentication page is returned to the client based on the SSL connection so that the user of the client can perform identity authentication. Because the authentication device certificate used for establishing the SSL connection with the client is generated according to the identity parameters of the server site carried in the HTTPS request, neither an SSL connection with the server nor retrieval of the identity parameters from the server site is required in the communication authentication process; the overall occupation of computing resources in the authentication process is relatively reduced, the jump speed of the authentication page when the client accesses the server through the HTTPS request can be relatively ensured, and the overall efficiency of the communication authentication process is relatively ensured. In addition, the application also provides a communication authentication device, equipment and a storage medium, whose beneficial effects are as described above.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flow chart of a communication authentication method disclosed herein;
fig. 2 is a flow chart of a specific communication authentication method disclosed in the present application;
fig. 3 is a flow chart of a specific communication authentication method disclosed in the present application;
fig. 4 is a flow chart of a specific communication authentication method disclosed herein;
fig. 5 is a schematic diagram of a device topology based on which a communication authentication method is based in a specific application scenario disclosed in the present application;
fig. 6 is a schematic structural diagram of a communication authentication apparatus disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
In some current scenarios, a server page on the internet only allows users with access rights to access it, and in order to authenticate the user identity of a client before the client accesses the page of the server, an authentication device is usually arranged between the client and the server; that is, the authentication device proxies the HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) request initiated by the client in order to jump to an authentication page. SSL (Secure Sockets Layer) is a security protocol providing security and data integrity for network communication. Since the authentication device needs to establish SSL connections with the client and with the server respectively, the requirement on the performance of the authentication device is very high, and when the client accesses the server through an HTTPS request the jump speed of the authentication page is affected, which makes it difficult to ensure the overall efficiency of communication authentication.
Therefore, the core of the application is to provide a communication authentication method to relatively ensure the overall efficiency of the communication authentication process.
Referring to fig. 1, an embodiment of the present application discloses a communication authentication method, including:
Step S10: receiving an HTTPS request initiated by a client.
It should be noted that the execution subject of this embodiment should be an authentication device, and the authentication device is disposed between the client and the server site, so as to authenticate the authority of the user who uses the client to initiate access when the client initiates access to the server site.
The client in this step refers to the device a user employs to initiate access to the server site; the user usually initiates access to the server site by means of browser software on the client. It should be noted that browser software in this application refers to a browser that does not enable a protocol for preventing SSL stripping attacks, such as the HSTS (HTTP Strict Transport Security) protocol.
When a client initiates access to a server site, it usually generates an HTTPS request and sends it to the server site to request the corresponding data. HTTPS, Hypertext Transfer Protocol over Secure Socket Layer, is an HTTP channel designed with security as its goal: an SSL layer (Secure Socket Layer) is added beneath HTTP to secure the data transmitted between the client and the server. Based on the topology of this embodiment, the authentication device, as an intermediate device, first receives the HTTPS request generated by the client and then performs communication authentication of the client according to that HTTPS request.
Step S11: acquiring an authentication device certificate, wherein the authentication device certificate is generated according to the root certificate and the identity parameter of the server site carried in the HTTPS request.
After receiving an HTTPS request initiated by a client, the authentication device further obtains an authentication device certificate jointly generated based on a root certificate and an identity parameter of a server site carried in the HTTPS request, wherein the root certificate refers to an unsigned public key certificate or a self-signed certificate in the fields of cryptography and computer security. The identity parameter refers to a parameter capable of characterizing a unique attribute of the server site, that is, the identity parameter can uniquely correspond to the server site, and in order to further ensure that the identity parameter can uniquely characterize the server site, the identity parameter may specifically be a site domain name parameter of the server site.
The key point of this step is the following consideration. The authentication device can read, by peeking at the HTTPS request ahead of the handshake, the identity parameters of the server site the client is accessing, and the authentication device certificate is then generated jointly from the root certificate and those identity parameters. The authentication device certificate therefore serves as the certificate that the authentication device, rather than the server site, presents to the client. Communication with the client must be preceded by establishing an SSL connection with the client, and establishing that SSL connection requires a certificate presented to the client; so, on the premise that the content of the authentication device certificate is known to the authentication device, the SSL connection can be established with the client from the authentication device certificate and the client's HTTPS request, communication with the client is thereby realized, and the final purpose is to return an authentication page to the client on the basis of that communication.
Step S12: an SSL connection is established with the client through an HTTPS request and an authentication device certificate.
After the authentication device certificate is acquired, the authentication device further establishes an SSL connection with the client through the HTTPS request and the authentication device certificate, and the authentication device can transmit related data based on an HTTPS protocol to the client based on the SSL connection.
Step S13: an authentication page is returned to the client based on the SSL connection.
It should be noted that, in this step, the authentication page returned to the client by the authentication device based on the SSL connection may be in a form of a page that requires the user to input an account password for authentication, or a page that requires the user to input an authentication code for authentication, and the like, and is not limited in this respect. In addition, according to different actual communication authentication scenarios, different authentication pages may be returned for accesses initiated by the authentication device to different server sites from the client, or the same authentication page may be returned for accesses initiated by the authentication device to different server sites from the client, which is not specifically limited herein.
According to the communication authentication method, after an HTTPS request initiated by a client is received, an authentication device certificate generated based on a root certificate and the identity parameters of the server site carried in the HTTPS request is obtained, an SSL connection is established with the client through the HTTPS request and the authentication device certificate, and an authentication page is returned to the client based on the SSL connection so that the user of the client can perform identity authentication. Because the authentication device certificate used for establishing the SSL connection with the client is generated according to the identity parameters of the server site carried in the HTTPS request, neither an SSL connection with the server nor retrieval of the identity parameters from the server site is required in the communication authentication process; the overall occupation of computing resources in the authentication process is relatively reduced, the jump speed of the authentication page when the client accesses the server through the HTTPS request can be relatively ensured, and the overall efficiency of the communication authentication process is relatively ensured.
Referring to fig. 2, an embodiment of the present application discloses a communication authentication method, including:
Step S20: receiving an HTTPS request initiated by a client.
Step S21: reading the identity parameters of the server site carried in the HTTPS request, and acquiring a root certificate.
It should be noted that in this embodiment the identity information of the server site carried in the HTTPS request is read, and the reading referred to here may be performed with the recv system call of network communication. Whether a client or a server application receives data arriving from the other end device over TCP through the recv function, setting the flags parameter to MSG_PEEK lets the content of the packet received on the current socket of the HTTPS request be inspected without the packet being removed from the TCP receive queue, so that when recv is called again the data just inspected can still be read.
Step S22: adding the identity parameters to the target field of the root certificate to generate the authentication device certificate.
After reading the identity parameters of the server site carried in the HTTPS request, the identity parameters are added to the target field of the root certificate to generate the authentication device certificate; adding the identity parameters to the target field of the root certificate means filling the identity parameters into that field, and the authentication device certificate is generated in this way. In a practical application scenario, the target field may be the "issued to" field of the root certificate.
Step S23: an SSL connection is established with the client through an HTTPS request and an authentication device certificate.
Step S24: an authentication page is returned to the client based on the SSL connection.
In this embodiment, the identity parameter of the server site accessed by the client is filled into the target field, so the corresponding field of the authentication device certificate generated in this way carries the identity parameter of the server site and the client can regard the certificate as one provided by the server site. The client can therefore be relatively ensured to establish an SSL connection with the authentication device normally according to the authentication device certificate, and the overall reliability of communication authentication is relatively ensured.
On the basis of the foregoing embodiment, as a preferred implementation manner, the acquiring a root certificate may specifically include: and acquiring a root certificate which is generated in a self-signature mode and is pre-imported into the client, or acquiring a root certificate applied to a server site, or acquiring a root certificate applied to other server sites except the server site.
In this embodiment, the root certificate may be generated in a self-signed manner by the authentication device and pre-imported into the client; because the root certificate self-signed by the authentication device is already present in the client, the browser can be prevented from raising a certificate warning when the client initiates an HTTPS request, and the reliability and overall efficiency of the communication authentication process are ensured. The root certificate may also be obtained by application from the server site, in which case it is a legitimate root certificate provided by the server site, and the browser can likewise be prevented from raising a certificate warning, so that the reliability and overall efficiency of the communication authentication process are ensured. The root certificate may also be one applied for by a server site other than the accessed server site; in this case, although the browser raises a certificate warning, the user can still ensure normal communication authentication by choosing to ignore the warning in the browser.
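The following is an added example, not the patent's or Sangfor's code, of the certificate construction in Step S22 together with the self-signed root option above, using the Python cryptography library. The function names, key type and validity periods are assumptions of this example. Beyond the text, client_accepts shows the two checks a browser applies before it accepts such a certificate, which is exactly why the root must be pre-imported into the client: a leaf signed by a root the client does not hold, or naming a different site than the one requested, is refused.

```python
# Added example (not the patent's code): issue an "authentication device
# certificate" for the site name read from the request, signed by the device's
# self-signed root, then run the checks a client performs before accepting it.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_self_signed_root(common_name: str = "Authentication Device Root"):
    """Root certificate generated in a self-signed manner (first option in the text).
    Assumed to be pre-imported into the client's trust store."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_device_certificate(root_key, root_cert, site_name: str):
    """Step S22: fill the 'issued to' field (subject CN and SAN) with the site's
    domain name and sign with the root key. Returns (leaf_key, leaf_cert)."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, site_name)]))
        .issuer_name(root_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))  # short-lived: assumed policy
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(site_name)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(root_key, hashes.SHA256())
    )
    return leaf_key, cert


def client_accepts(leaf_cert, trusted_root, requested_name: str) -> bool:
    """The checks a browser applies: the leaf chains to a root the client trusts,
    and the name the user typed appears in the certificate's SAN.
    (Validity-period and revocation checks are left out of this example.)"""
    if leaf_cert.issuer != trusted_root.subject:
        return False
    try:
        trusted_root.public_key().verify(
            leaf_cert.signature,
            leaf_cert.tbs_certificate_bytes,
            ec.ECDSA(leaf_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    try:
        san = leaf_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    return requested_name in san.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    root_key, root_cert = make_self_signed_root()
    _, leaf = issue_device_certificate(root_key, root_cert, "www.abc.com")
    print("trusted root, right name:", client_accepts(leaf, root_cert, "www.abc.com"))
    print("trusted root, wrong name:", client_accepts(leaf, root_cert, "www.other.com"))
```

The second and third cases in the text (a root applied for by the server site, or by another site) differ only in whose key signs the leaf; the client's checks are the same, which is why the third case ends in a warning the user must click through.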
Referring to fig. 3, an embodiment of the present application discloses a communication authentication method, including:
Step S30: receiving an HTTPS request initiated by a client.
Step S31: judging whether the client has not been authenticated; if so, executing steps S320 to S322, otherwise executing step S33.
Step S320: acquiring an authentication device certificate, wherein the authentication device certificate is generated according to the root certificate and the identity parameter of the server site carried in the HTTPS request.
Step S321: an SSL connection is established with the client through an HTTPS request and an authentication device certificate.
Step S322: an authentication page is returned to the client based on the SSL connection.
Step S33: the HTTPS request is redirected to the server site.
It should be noted that the important point of this embodiment is to first determine, after receiving the HTTPS request initiated by the client and before performing communication authentication on the client, whether the client has not yet been authenticated, where having passed authentication means that the client has completed authentication of the user identity and obtained the right of communication access. In a specific scenario, after the client performs communication authentication and passes, the authentication device marks the client as being in the authenticated state; when the client later initiates an HTTPS request to the server again, the authentication device can learn from that mark that the client has already passed authentication. If the client has not been authenticated, the step of obtaining the authentication device certificate is executed; if the client has been authenticated, the HTTPS request is redirected to the server site, which avoids the reduction in the client's efficiency of accessing the server site that repeated authentication of the client would cause.
Referring to fig. 4, an embodiment of the present application discloses a communication authentication method, including:
Step S40: receiving an HTTPS request initiated by a client.
Step S41: acquiring an authentication device certificate, wherein the authentication device certificate is generated according to the root certificate and the identity parameter of the server site carried in the HTTPS request.
Step S42: an SSL connection is established with the client through an HTTPS request and an authentication device certificate.
Step S43: an authentication page is returned to the client based on the SSL connection.
Step S44: acquiring the identity authentication information transmitted by the authentication page.
Step S45: judging whether the identity authentication information matches standard identity information, wherein the standard identity information is the identity information of the user with the communication authority.
Step S46: if the authentication information matches the standard identity information, the HTTPS request is redirected to the server site.
It should be noted that, in this embodiment, after the authentication page is returned to the client based on the SSL connection, the identity authentication information returned by the authentication page, that is, the identity authentication information input by the user of the client in the authentication page, is further received. The authentication equipment judges whether the identity authentication information is matched with standard identity information, the standard identity information is identity information of a user with communication authority, and if the identity authentication information is matched with the standard identity information, the HTTPS request is redirected to the server site. In this embodiment, after the authentication page is returned to the client, it is further determined whether the identity authentication information transmitted by the client has the authority to perform communication access to the server site, and only when the identity authentication information transmitted by the client is the identity information of the user having the communication authority, the HTTPS request is further redirected to the server site, so that the overall reliability of the authentication process is relatively ensured.
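An added example, not the patent's code, that combines the authenticated-state check of the fig. 3 embodiment (Step S31 and S33) with the credential match of the fig. 4 embodiment (Steps S44 to S46). The class name, the use of the client address as the key for the "authenticated" mark, the time-to-live on that mark, the lockout threshold and the password hashing scheme are all assumptions of this example; the page only says that the device marks the client and compares the submitted identity information with the standard identity information.

```python
# Added example (not the patent's code): authentication-state check (S31/S33)
# and identity-information match (S44-S46) of an authentication device.
import hashlib
import hmac
import os
import time


class AuthenticationDevice:
    def __init__(self, ttl_seconds: int = 3600, max_failures: int = 5, clock=time.monotonic):
        self._clock = clock
        self._ttl = ttl_seconds                        # assumed: marks expire
        self._max_failures = max_failures              # assumed: lockout threshold
        self._users: dict[str, tuple[bytes, bytes]] = {}   # "standard identity information"
        self._authenticated: dict[str, float] = {}     # client address -> mark expiry
        self._failures: dict[str, int] = {}            # client address -> failed attempts

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so the stored standard identity information is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def is_authenticated(self, client: str) -> bool:
        """Step S31: a client counts as authenticated only while its mark is unexpired."""
        expiry = self._authenticated.get(client)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._authenticated[client]
            return False
        return True

    def handle_request(self, client: str, site_name: str) -> str:
        """Decide what to do with an intercepted HTTPS request for site_name:
        redirect to the site (Step S33) or serve the authentication page (S320-S322)."""
        if self.is_authenticated(client):
            return f"redirect:https://{site_name}/"
        return "auth_page"

    def submit_credentials(self, client: str, username: str, password: str) -> bool:
        """Steps S44-S46: match the submitted identity information against the stored
        standard identity information; on success, mark the client as authenticated."""
        if self._failures.get(client, 0) >= self._max_failures:
            return False                               # locked out; credentials not evaluated
        record = self._users.get(username)
        # Derive a hash even for unknown users so both failure paths take similar time.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = record is not None and hmac.compare_digest(self._derive(password, salt), expected)
        if ok:
            self._failures.pop(client, None)
            self._authenticated[client] = self._clock() + self._ttl
        else:
            self._failures[client] = self._failures.get(client, 0) + 1
        return ok


if __name__ == "__main__":
    dev = AuthenticationDevice()
    dev.register_user("alice", "correct horse battery")          # constructed sample user
    print(dev.handle_request("10.0.0.5", "www.abc.com"))          # auth_page
    print(dev.submit_credentials("10.0.0.5", "alice", "correct horse battery"))
    print(dev.handle_request("10.0.0.5", "www.abc.com"))          # redirect:https://www.abc.com/
```

The injectable clock exists so that expiry of the mark can be exercised deterministically; in a deployed device the mark would be tied to more than the client address, since addresses are reassigned.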
In order to deepen understanding of the technical solution of the present application, a scene embodiment in a specific scene is provided below for further explanation.
Fig. 5 is a schematic diagram of a device topology based on a communication authentication method in a specific application scenario. For convenience of description, please refer to the device topology diagram shown in fig. 5.
The client is C, the tool with which client C initiates the HTTPS request is browser B, and the authentication server is S. Password authentication (an authentication mode in which the user name and password are entered through a web page) is enabled for client C on authentication server S: client C obtains further network access rights only after passing authentication on the authentication server, and otherwise its network access rights are limited. A self-signed root certificate Cert exists on the authentication server, and an HTTPS service P listens on port 8443.
The first step: client C opens browser B and enters https://www.abc.com in browser B, triggering a new HTTPS connection R.
The second step: the TCP handshake packet of connection R reaches authentication server S; authentication server S checks the authentication policy and finds that the user may only carry out subsequent operations after password authentication. A DNAT mark is then placed on connection R, indicating that the destination address of connection R is translated to the address of authentication server S, and connection R is DNATed to port 8443 of authentication server S (port 443 of the authentication server is generally used as a management port to the authentication server, so port 443 is not used as the post-DNAT port here). Connection R and the authentication server then complete the TCP handshake. DNAT, destination network address translation, is used to map a group of local internal addresses to a group of global addresses.
The third step: client C sends a client hello handshake packet over connection R, whose server name field is www.abc.com.
The fourth step: after the application-layer service P listening on port 8443 of authentication server S learns of the arrival event of the client hello packet on connection R, it first reads the client hello packet from connection R and parses its server name field, which is www.abc.com (consistent with the website domain name https://www.abc.com accessed by browser B). The "issued to" field of the root certificate Cert of server S is then filled with www.abc.com, so that the root certificate Cert becomes a website certificate issued to the domain name www.abc.com. The application-layer service P of server S then uses the constructed certificate to perform the SSL handshake on the client hello packet (in practice, by invoking the SSL_accept call).
The fifth step: browser B pops up a certificate warning (as shown in fig. 2; because the root certificate Cert of authentication server S is self-signed and not trusted by browser B), the user clicks to continue accessing, and browser B issues an encrypted GET request.
The sixth step: after the application-layer service P listening on port 8443 of server S learns of the arrival event of the GET request, it reads the request through SSL_read and, having read it, returns the content of the password authentication page to browser B through SSL_write.
The seventh step: browser B receives the encrypted password authentication page, decrypts it and displays a web authentication page requiring the user to fill in the user name and password.
Up to this point, the entire web authentication process for HTTPS requests is implemented.
It can be seen that the client C interacts with the authentication server S only in the whole process, and does not involve the interaction between the authentication server and the domain name www.abc.com, so that the web authentication performance of the HTTPS request is greatly improved.
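The parsing that step 4 performs on the raw ClientHello, written out as an added example in Go (the embodiment calls OpenSSL from C; this is not code from the patent or from Sangfor). parseSNI walks the record, handshake and extension framing with explicit bounds checks and returns the host_name from the server_name extension; buildClientHello produces constructed test input, not a browser capture. The function and type names are the example's own.

```go
package main

import "errors"

// reader is a bounds-checked cursor; take records an error instead of panicking.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || n > len(r.b) {
		r.err = errors.New("truncated ClientHello")
		return nil
	}
	v := r.b[:n]
	r.b = r.b[n:]
	return v
}

// uint reads an n-byte big-endian length or type field (n is 1, 2 or 3 in a ClientHello).
func (r *reader) uint(n int) int {
	v := 0
	for _, c := range r.take(n) {
		v = v<<8 | int(c)
	}
	return v
}

// parseSNI returns the host_name from the server_name extension (RFC 6066) of a raw TLS
// record carrying a ClientHello: the value step 4 extracts before it certifies that name.
func parseSNI(rec []byte) (string, error) {
	r := &reader{b: rec}
	if r.uint(1) != 0x16 { // record content type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	r.take(2) // record-layer version
	h := &reader{b: r.take(r.uint(2))}
	if r.err != nil || h.uint(1) != 0x01 { // handshake type 1 = ClientHello
		return "", errors.New("truncated record or not a ClientHello")
	}
	hello := &reader{b: h.take(h.uint(3))}
	hello.take(2 + 32)        // client_version, random
	hello.take(hello.uint(1)) // session_id
	hello.take(hello.uint(2)) // cipher_suites
	hello.take(hello.uint(1)) // compression_methods
	if h.err != nil || hello.err != nil {
		return "", errors.New("truncated ClientHello")
	}
	if len(hello.b) == 0 {
		return "", errors.New("ClientHello has no extensions")
	}
	exts := &reader{b: hello.take(hello.uint(2))}
	for exts.err == nil && len(exts.b) > 0 {
		typ := exts.uint(2)
		data := exts.take(exts.uint(2))
		if typ != 0 || exts.err != nil { // extension type 0 = server_name
			continue
		}
		sn := &reader{b: data}
		list := &reader{b: sn.take(sn.uint(2))}
		for list.err == nil && len(list.b) > 0 {
			nameType := list.uint(1)
			name := list.take(list.uint(2))
			if list.err == nil && nameType == 0 { // name_type 0 = host_name
				return string(name), nil
			}
		}
		return "", errors.New("malformed or empty server_name extension")
	}
	if hello.err != nil || exts.err != nil {
		return "", errors.New("truncated ClientHello extensions")
	}
	return "", errors.New("no server_name extension")
}

// buildClientHello assembles a minimal TLS 1.2-style ClientHello record carrying a
// server_name extension for host (no extension when host is empty). It is constructed
// input for parseSNI, not a capture from a real browser.
func buildClientHello(host string) []byte {
	var exts []byte
	if host != "" {
		entry := append([]byte{0x00}, be16(len(host))...) // name_type host_name, name length
		entry = append(entry, host...)
		list := append(be16(len(entry)), entry...)
		exts = append([]byte{0x00, 0x00}, be16(len(list))...) // extension type 0, extension length
		exts = append(exts, list...)
	}
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // client_version, random (zeros: constructed)
	body = append(body, 0x00)                                // empty session_id
	body = append(body, 0x00, 0x02, 0xc0, 0x2f)              // one cipher suite
	body = append(body, 0x01, 0x00)                          // null compression
	body = append(body, be16(len(exts))...)
	body = append(body, exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }
```

A gateway that reads the ClientHello itself, as step 4 does, has to treat every length field as untrusted: the record is the first thing an unauthenticated client sends, so the parser must fail closed on short or inconsistent lengths rather than index past the buffer.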
Referring to fig. 6, an embodiment of the present application discloses a communication authentication apparatus, including:
a request receiving module 10, configured to receive an HTTPS request initiated by a client;
a certificate acquisition module 11, configured to acquire an authentication device certificate, where the authentication device certificate is generated according to a root certificate and an identity parameter of a server site carried in the HTTPS request;
a connection establishing module 12, configured to establish an SSL connection with the client through the HTTPS request and the authentication device certificate;
and a page returning module 13, configured to return an authentication page to the client based on the SSL connection.
After receiving an HTTPS request initiated by a client, the communication authentication apparatus provided by this application obtains an authentication device certificate generated from a root certificate and the identity parameter of the server site carried in the HTTPS request, establishes an SSL connection with the client using the HTTPS request and that certificate, and returns an authentication page to the client over the SSL connection so that the user of the client can perform identity authentication. Because the certificate used for the SSL connection with the client is generated from the identity parameter already carried in the HTTPS request, the authentication device does not need to establish an SSL connection of its own to the server site in order to obtain that site's identity parameters. This reduces the computing resources consumed by the authentication process, keeps the jump to the authentication page fast when a client accesses a server over HTTPS, and so preserves the overall efficiency of communication authentication.
On the basis of the foregoing embodiments, the embodiments of the present application further describe and optimize a communication authentication apparatus, specifically:
in a specific embodiment, the certificate obtaining module 11 includes:
a reading module, configured to read the identity parameter of the server site carried in the HTTPS request and to obtain the root certificate;
and a field-adding module, configured to add the identity parameter to a target field of the root certificate, thereby generating the authentication device certificate.
In one embodiment, obtaining the root certificate comprises one of:
obtaining a root certificate generated by self-signing and pre-imported into the client;
obtaining a certificate applied for and issued for the server site; or
obtaining a certificate applied for and issued for a server site other than the server site.
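The following added Go example is not code from the patent or from Sangfor. It plays steps 3 to 7 of the embodiment above and the certificate acquisition just described (reading the identity parameter, obtaining the root certificate, producing a certificate for the site name) with Go's standard library over an in-memory connection, so it runs offline. Two points differ deliberately from the text: rather than writing www.abc.com into a field of the root certificate itself, which would invalidate the root's signature, mintCert issues a new leaf certificate for that name signed by the root key; and the name is placed in subjectAltName as well as the subject, because browsers match host names against SAN. Of the three root sources listed, only a certificate carrying the CA bit can sign such a leaf, which the self-signed variant provides and an ordinary site certificate does not. The function names (issue, newRoot, mintCert, runFlow) and the form markup are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue gives tmpl a fresh P-256 key, a random serial and a validity window, and has parentKey sign it; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // crypto/rand does not fail
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1))                     // positive and non-zero (RFC 5280)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRoot is the self-signed root the text pre-imports into clients; it needs the CA bit, which an ordinary site certificate lacks.
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Authentication Gateway Root (example)"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// mintCert is the certificate acquisition step: the server_name from the ClientHello becomes the
// subject of a new leaf signed by the root key, and goes into subjectAltName, which browsers match on.
func mintCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	leaf, key, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, root.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

const authForm = `<form method="post"><input name="user"><input name="pass" type="password"></form>`

// runFlow plays steps 3 to 7 over an in-memory connection. GetCertificate is Go's hook at the point
// where step 4 reads server_name; the server's first Read runs the handshake (SSL_accept) with the
// minted certificate and returns the GET (SSL_read); Fprintf sends the page (SSL_write). With
// trustRoot=false the client holds no copy of the root and rejects the chain: the step 5 warning.
func runFlow(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serverName string, trustRoot bool) (string, error) {
	srvCfg := &tls.Config{
		SessionTicketsDisabled: true, // a post-handshake server write would deadlock the unbuffered net.Pipe
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, err := mintCert(root, rootKey, hello.ServerName) // a deployment rejects an empty ServerName here
			return &c, err
		},
	}
	cliCfg := &tls.Config{ServerName: serverName, RootCAs: x509.NewCertPool()}
	if trustRoot {
		cliCfg.RootCAs.AddCert(root)
	}
	cPipe, sPipe := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(sPipe, srvCfg)
		defer srv.Close() // close_notify after the page lets the client's ReadAll finish
		_, err := srv.Read(make([]byte, 4096))
		if err == nil {
			_, err = fmt.Fprintf(srv, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n%s", len(authForm), authForm)
		}
		srvErr <- err
	}()
	cli := tls.Client(cPipe, cliCfg)
	defer cli.Close()
	if _, err := fmt.Fprintf(cli, "GET / HTTP/1.1\r\nHost: %s\r\n\r\n", serverName); err != nil { // handshake runs first
		return "", err
	}
	resp, err := io.ReadAll(cli)
	if err == nil {
		err = <-srvErr
	}
	return string(resp), err
}
```

runFlow(root, key, "www.abc.com", true) returns the HTTP response carrying the page; with false it returns the chain-verification error that a browser without the root would surface as its warning. The GetCertificate callback receives the already-parsed server_name, so the gateway never contacts www.abc.com, which is the performance point the embodiment makes.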
In one embodiment, the apparatus further comprises:
a first judging module, configured to judge whether the client has not yet been authenticated and, if it has not, to invoke the certificate acquisition module 11.
In one embodiment, the apparatus further comprises:
an authentication-passed module, configured to redirect the HTTPS request to the server site if the client has already been authenticated.
In one embodiment, the apparatus further comprises:
an authentication-information acquisition module, configured to acquire the identity authentication information submitted through the authentication page;
a second judging module, configured to judge whether the identity authentication information matches standard identity information, the standard identity information being the identity information of a user with communication authority;
and a redirection module, configured to redirect the HTTPS request to the server site if the identity authentication information matches the standard identity information.
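The judging and redirection modules above, as an added Go example (not code from the patent or from Sangfor): a client that has already passed authentication is sent straight back to the site it asked for, an unauthenticated one receives the page, and a POST whose credentials match the stored "standard identity information" marks the client and redirects it. Keying the authenticated set by source IP, SHA-256 for the sample credential store, and all names (Gateway, NewGateway, credentialsMatch) are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net"
	"net/http"
	"sync"
)

// Gateway is the HTTP side of the authentication server once the SSL connection is up.
// Authenticated clients are remembered by source IP: an assumption of this example, chosen
// because the request arrived by DNAT and carries no session of the gateway's own yet.
type Gateway struct {
	mu     sync.Mutex
	authed map[string]bool
	users  map[string][sha256.Size]byte // the "standard identity information": user -> SHA-256(password)
}

// NewGateway loads constructed sample credentials. A deployment would keep them under a
// slow password hash (bcrypt, scrypt or argon2); SHA-256 keeps this example stdlib-only.
func NewGateway(creds map[string]string) *Gateway {
	g := &Gateway{authed: map[string]bool{}, users: map[string][sha256.Size]byte{}}
	for user, pass := range creds {
		g.users[user] = sha256.Sum256([]byte(pass))
	}
	return g
}

func clientKey(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// credentialsMatch is the second judging module: the submitted identity is compared with the
// stored one in constant time, and an unknown user still costs one hash and one compare, so
// response timing does not reveal which user names exist.
func (g *Gateway) credentialsMatch(user, pass string) bool {
	stored, known := g.users[user]
	submitted := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(submitted[:], stored[:]) == 1 && known
}

func (g *Gateway) isAuthenticated(client string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	return g.authed[client]
}

func (g *Gateway) markAuthenticated(client string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.authed[client] = true
}

const authPage = `<form method="post"><input name="user"><input name="pass" type="password"><button>Sign in</button></form>`

// ServeHTTP: a client that already passed authentication is redirected straight to the site it
// asked for; an unauthenticated one gets the page, and a POST with matching credentials marks it
// and redirects. The redirect target is rebuilt from the Host header and request URI the browser
// sent, i.e. the original https://www.abc.com/... request that DNAT diverted to this server.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	client := clientKey(r)
	target := "https://" + r.Host + r.URL.RequestURI()
	if g.isAuthenticated(client) {
		http.Redirect(w, r, target, http.StatusFound)
		return
	}
	status := http.StatusOK
	if r.Method == http.MethodPost {
		if g.credentialsMatch(r.FormValue("user"), r.FormValue("pass")) {
			g.markAuthenticated(client)
			http.Redirect(w, r, target, http.StatusFound)
			return
		}
		status = http.StatusUnauthorized
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	_, _ = w.Write([]byte(authPage))
}
```

Because the page is served under the browser's original URL, the form posts back to the same Host and path, so the redirect after a successful login lands the user exactly where the first request was heading.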
In one embodiment, the identity parameter comprises a site domain name parameter.
In addition, this embodiment also discloses a communication authentication device, including:
a memory for storing a computer program;
a processor for implementing the steps of the communication authentication method as described above when executing the computer program.
After receiving an HTTPS request initiated by a client, the communication authentication device provided by this application obtains an authentication device certificate generated from a root certificate and the identity parameter of the server site carried in the HTTPS request, establishes an SSL connection with the client using the HTTPS request and that certificate, and returns an authentication page to the client over the SSL connection so that the user of the client can perform identity authentication. Because the certificate used for the SSL connection with the client is generated from the identity parameter already carried in the HTTPS request, the device does not need to establish an SSL connection of its own to the server site in order to obtain that site's identity parameters; this reduces the computing resources consumed by the authentication process, keeps the jump to the authentication page fast when a client accesses a server over HTTPS, and so preserves the overall efficiency of communication authentication.
Further, the present application also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the communication authentication method described above. For the specific steps of the method, reference may be made to the communication authentication method disclosed in the foregoing embodiments, which is not repeated here.
With the computer-readable storage medium provided by this application, after an HTTPS request initiated by a client is received, an authentication device certificate generated from a root certificate and the identity parameter of the server site carried in the HTTPS request is obtained, an SSL connection with the client is established using the HTTPS request and that certificate, and an authentication page is returned to the client over the SSL connection so that the user of the client can perform identity authentication. Because the certificate used for the SSL connection with the client is generated from the identity parameter already carried in the HTTPS request, no SSL connection to the server site has to be established in order to obtain that site's identity parameters; this reduces the computing resources consumed by the authentication process, keeps the jump to the authentication page fast when a client accesses a server over HTTPS, and so preserves the overall efficiency of communication authentication.
The above is a detailed description of the communication authentication method, apparatus, device and storage medium provided by this application. The embodiments in this specification are described progressively: each focuses on what distinguishes it from the others, and identical or similar parts may be understood by reference to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is kept brief, and the relevant points can be found in the description of the method. Those skilled in the art may make improvements and modifications to this application without departing from its principle, and such improvements and modifications also fall within the scope of its claims.
It is further noted that, in this specification, relational terms such as first and second are used solely to distinguish one entity or action from another and do not require or imply any actual relationship or order between them. Likewise, the terms "comprise", "comprising" or any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to it. Without further limitation, an element introduced by the phrase "comprising a …" does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.

Claims (10)

1. A method of communication authentication, comprising:
receiving an HTTPS request initiated by a client;
acquiring an authentication device certificate, wherein the authentication device certificate is generated according to a root certificate and an identity parameter of a server site carried in the HTTPS request;
establishing an SSL connection with the client through the HTTPS request and the authentication device certificate;
returning an authentication page to the client based on the SSL connection.
2. The communication authentication method according to claim 1, wherein the acquiring of the authentication device certificate includes:
reading the identity parameters of the server site carried in the HTTPS request, and acquiring the root certificate;
and adding the identity parameter to a target field of the root certificate to generate the authentication device certificate.
3. The communication authentication method according to claim 2, wherein the obtaining the root certificate includes:
obtaining the root certificate generated by self-signing and pre-imported into the client, or
obtaining a root certificate applied for and issued for the server site, or
obtaining a root certificate applied for and issued for a server site other than the server site.
4. The communication authentication method according to claim 1, wherein before the acquiring of the authentication device certificate, the method further comprises:
judging whether the client has not yet been authenticated;
and if the client has not been authenticated, executing the step of acquiring the authentication device certificate.
5. The communication authentication method according to claim 4, wherein after said determining whether the client has not been authenticated, the method further comprises:
redirecting the HTTPS request to the server site if the client has been authenticated.
6. The communication authentication method of claim 1, wherein after the returning of the authentication page to the client based on the SSL connection, the method further comprises:
acquiring identity authentication information transmitted by the authentication page;
judging whether the identity authentication information is matched with standard identity information or not, wherein the standard identity information is identity information of a user with communication authority;
if the identity authentication information is matched with the standard identity information, redirecting the HTTPS request to the server site.
7. The communication authentication method according to any one of claims 1 to 6, wherein the identity parameter comprises a site domain name parameter.
8. A communication authentication apparatus, comprising:
the request receiving module is used for receiving an HTTPS request initiated by a client;
the certificate acquisition module is used for acquiring an authentication device certificate, the authentication device certificate being generated according to a root certificate and the identity parameter of the server site carried in the HTTPS request;
a connection establishment module for establishing an SSL connection with the client through the HTTPS request and the authentication device certificate;
and the page returning module is used for returning the authentication page to the client based on the SSL connection.
9. A communication authentication apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the communication authentication method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the communication authentication method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911013801.0A CN110730189B (en) 2019-10-23 2019-10-23 Communication authentication method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110730189A true CN110730189A (en) 2020-01-24
CN110730189B CN110730189B (en) 2022-06-21

Family

ID=69222977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911013801.0A Active CN110730189B (en) 2019-10-23 2019-10-23 Communication authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110730189B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911398A (en) * 2018-01-04 2018-04-13 世纪龙信息网络有限责任公司 Authentication method, device and the system of identity information
CN108011888A (en) * 2017-12-15 2018-05-08 东软集团股份有限公司 A kind of method, apparatus and storage medium, program product for realizing certificate reconstruct
US20180131521A1 (en) * 2016-11-04 2018-05-10 A10 Networks, Inc. Verification of Server Certificates Using Hash Codes
CN109951487A (en) * 2019-03-22 2019-06-28 杭州迪普科技股份有限公司 A kind of portal authentication method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541682A (en) * 2020-04-17 2020-08-14 北京天融信网络安全技术有限公司 Data security detection method and device, storage medium and electronic equipment
CN113179323A (en) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113179323B (en) * 2021-04-29 2023-07-04 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113660091A (en) * 2021-07-28 2021-11-16 北京宝兰德软件股份有限公司 Request authentication method, device, equipment and readable storage medium
CN113660091B (en) * 2021-07-28 2023-09-15 北京宝兰德软件股份有限公司 Request authentication method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant