CN111245616A - Authentication method, device, equipment and storage medium for network communication - Google Patents


Info

Publication number: CN111245616A
Authority: CN (China)
Prior art keywords: electronic equipment; private key; hash value; electronic device; authentication
Legal status: Granted
Application number: CN202010162755.7A
Other languages: Chinese (zh)
Other versions: CN111245616B (en)
Inventor: 刘德文
Current Assignee: Apollo Zhilian Beijing Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd

Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202010162755.7A
Publication of CN111245616A
Application granted
Publication of CN111245616B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
                            • H04L9/0897 involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
                        • H04L9/3234 involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
                        • H04L9/3236 using cryptographic hash functions
                            • H04L9/3242 involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                        • H04L9/3247 involving digital signatures
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/083 using passwords
                        • H04L63/0853 using an additional device, e.g. smartcard, SIM or a different communication terminal
                    • H04L63/12 Applying verification of the received information
                        • H04L63/123 received data contents, e.g. message integrity

Abstract

The application discloses an authentication method, device, equipment and storage medium for network communication, and relates to the technical field of computer networks. The specific implementation scheme is as follows: if it is determined that the first electronic device has received a security authentication request sent by the second electronic device, the current state of the operating system of the first electronic device is authenticated; if the current state of the operating system of the first electronic device passes the authentication, the private key protection password of the first electronic device is acquired, the private key protection password being sealed in a first fixed storage area of the security chip; the private key of the first electronic device is acquired according to the private key protection password, the private key being sealed in a second fixed storage area of the security chip; and target data is encrypted with the private key of the first electronic device and the resulting first encrypted data is sent to the second electronic device, so that the second electronic device can perform security authentication on the first electronic device according to the first encrypted data.

Description

Authentication method, device, equipment and storage medium for network communication
Technical Field
The application relates to the technical field of computers, in particular to computer-network communication authentication technology.
Background
With the development of the internet, the security of network communication between a client and a server is receiving more and more attention. To ensure the security of the communication between client and server, security authentication is usually performed during network communication, for example one-way or mutual authentication using SSL/TLS.
In the prior art, when SSL/TLS authentication is performed between a client and a server, the respective private keys are usually stored as files. If a hacker intrudes into the client or server by tampering with its operating system, that client or server becomes untrusted, yet the other side does not perceive the intrusion; the hacker can then hijack the client or server to intrude further or steal data.
Therefore, the prior-art SSL/TLS authentication between client and server cannot perceive that a hacker has hijacked the client or server to intrude or steal data, so a secure communication connection between client and server cannot be ensured once the hacker has invaded the operating system, and the security of network communication between client and server is poor.
Disclosure of Invention
The embodiments of the application provide an authentication method, device, equipment and storage medium for network communication, and solve the technical problem that in the prior art the hijacking of a client or server by a hacker to intrude or steal data cannot be perceived, so that a secure communication connection between client and server cannot be ensured once the hacker has invaded the operating system, and the security of network communication between client and server is poor.
A first aspect of the embodiments of the present application provides an authentication method for network communication, where the method is applied to a first electronic device, where a security chip is mounted on the first electronic device, and the method includes:
if it is determined that the first electronic device has received a security authentication request sent by the second electronic device, authenticating the current state of the operating system of the first electronic device; if the current state of the operating system of the first electronic device passes authentication, acquiring a private key protection password of the first electronic device, wherein the private key protection password is sealed in a first fixed storage area of the security chip; acquiring the private key of the first electronic device according to the private key protection password, wherein the private key is sealed in a second fixed storage area of the security chip; and encrypting target data with the private key of the first electronic device, and sending the resulting first encrypted data to the second electronic device, so that the second electronic device performs security authentication on the first electronic device according to the first encrypted data.
In the embodiments of the application, whether a hacker has invaded the client or server is determined by judging whether the current state of the operating system of the client or server is normal. Moreover, to ensure the security of the private key of the client or server, a security chip may be mounted in the client and/or the server, and the client private key and/or server private key stored in the security chip. The protection password can be obtained only when the current state of the operating system of the client and/or server is normal, that is, when the current state of the operating system passes authentication; obtaining the client private key and/or server private key therefore always goes through the authentication of the operating system state. When a hacker hijacks a client or server to intrude or steal data, the corresponding private key cannot be obtained and security authentication cannot be passed, so the security of network communication between client and server is effectively improved.
Further, the method as described above, before authenticating the current state of the operating system of the first electronic device, further includes:
acquiring the private key of the first electronic device; importing the private key into a second fixed storage area of the security chip, and setting a protection password that is required when the private key is acquired; and sealing the protection password in a first fixed storage area of the security chip, and setting an authentication policy that is applied when the protection password is acquired, wherein the authentication policy is a policy for authenticating the current state of the operating system of the first electronic device.
In the embodiments of the application, the private key of the first electronic device and its protection password are stored in separate fixed storage areas of the security chip. The protection password is required to obtain the client private key and/or server private key, and the protection password itself can be obtained only when the current state of the operating system of the client and/or server is normal, so obtaining the private key always goes through the authentication of the operating system state. This ensures that a hacker who hijacks a client or server to intrude or steal data cannot acquire the corresponding private key and therefore cannot pass security authentication. Moreover, after the private key of the first electronic device is obtained, the target data can be encrypted inside the security chip, so the private key never leaves the security chip, which further ensures its security.
Further, the method as described above, the authenticating the current state of the operating system of the first electronic device includes:
acquiring at least one piece of state reference data from the current start of the operating system of the first electronic device; calculating the current hash value of each piece of state reference data; acquiring a standard hash value for each piece of state reference data, wherein each standard hash value is stored in a third fixed storage area of the security chip; and authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value.
In the embodiments of the application, the state reference data captured after the operating system of the first electronic device starts reveals whether the current state of the operating system is abnormal. Therefore, at least one piece of state reference data from the current start is acquired, the current hash value of each piece is calculated, and the current state of the operating system is authenticated by comparing each current hash value with its standard hash value, so that an abnormal operating-system state of the first electronic device can be accurately identified.
Further, the method as described above, before authenticating the current state of the operating system of the first electronic device, further includes:
acquiring each piece of state reference data of the first electronic device while its operating system is in a normal state; signing each piece of state reference data; calculating a standard hash value of each signed piece of state reference data; and storing each standard hash value in a third fixed storage area of the security chip.
In the embodiments of the application, each piece of state reference data of the first electronic device is acquired while the operating system is in a normal state, the standard hash value is calculated over the signed data, and the standard hash value is stored in the security chip, so that the standard hash value is protected twice over (by the signature and by the sealed storage), and its security is effectively guaranteed.
Further, the method as described above, the acquiring at least one state reference data when the operating system of the first electronic device is currently started includes:
acquiring at least one piece of signed state reference data from the current start of the operating system of the first electronic device;
and the calculating the current hash value of each piece of state reference data includes:
verifying the signature on the signed state reference data;
and if the signed state reference data passes signature verification, calculating the current hash value of the signed state reference data.
In the embodiments of the application, when the current hash value of the state reference data is determined, the signature on the state reference data is verified first, and the hash value is calculated only after the signature passes, so that the state reference data is not easily tampered with and its accuracy is effectively ensured.
Further, the method as described above, the authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value includes:
comparing each current hash value with the corresponding standard hash value; if every current hash value is equal to its corresponding standard hash value, determining that the current state of the operating system of the first electronic device passes authentication; and if at least one current hash value is not equal to its corresponding standard hash value, determining that the current state of the operating system of the first electronic device fails authentication.
In the embodiments of the application, each current hash value is compared with the corresponding standard hash value, and whether the current state of the operating system of the first electronic device passes authentication is determined more accurately by requiring all current hash values to equal their standard hash values.
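The operating-system state gate described in the steps above, written out in Go as an added example (not code from the patent or its assignee): a constructed in-memory stand-in for the security chip's three fixed storage areas, where the protection password is released only if every signed state reference datum verifies and hashes to its standard value, and the private key is released only against that password. `SecurityChip`, `NewSecurityChip`, `CaptureBootState` and the field names are assumptions; an HMAC-SHA256 stands in for the patent's signature on the state reference data so the block needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// StateRef is one state reference datum captured at OS start, with its signature.
type StateRef struct {
	Name string
	Data []byte
	Sig  []byte
}

// SecurityChip is a constructed in-memory stand-in for the chip's fixed storage areas:
// area 1 the protection password, area 2 the private key sealed under that password,
// area 3 the standard hash values. A real TPM would hold these as sealed objects.
type SecurityChip struct {
	area1Password  []byte
	area2Password  []byte // password the private key in area 2 is sealed under
	area2Key       []byte
	area3Hashes    map[string][]byte
	measurementKey []byte // hypothetical key used to sign state reference data
}

// NewSecurityChip imports the private key into area 2 and seals the password in area 1.
func NewSecurityChip(privateKey, password, measurementKey []byte) *SecurityChip {
	return &SecurityChip{area1Password: password, area2Password: password,
		area2Key: privateKey, measurementKey: measurementKey}
}

// signStateRef stands in for the patent's digital signature on each datum (HMAC here).
func (c *SecurityChip) signStateRef(data []byte) []byte {
	m := hmac.New(sha256.New, c.measurementKey)
	m.Write(data)
	return m.Sum(nil)
}

// CaptureBootState models the trusted boot component signing state data at each OS start.
func (c *SecurityChip) CaptureBootState(refs map[string][]byte) []StateRef {
	out := make([]StateRef, 0, len(refs))
	for name, data := range refs {
		out = append(out, StateRef{Name: name, Data: data, Sig: c.signStateRef(data)})
	}
	return out
}

// hashSigned is the hash over a signed state reference datum.
func hashSigned(r StateRef) []byte {
	h := sha256.New()
	h.Write(r.Data)
	h.Write(r.Sig)
	return h.Sum(nil)
}

// ProvisionStandardHashes fills area 3 while the OS is in a known-good state.
func (c *SecurityChip) ProvisionStandardHashes(good map[string][]byte) {
	c.area3Hashes = make(map[string][]byte, len(good))
	for _, r := range c.CaptureBootState(good) {
		c.area3Hashes[r.Name] = hashSigned(r)
	}
}

// AuthenticateOSState is the policy on area 1: every signature must verify and
// every current hash must equal its standard hash; a single mismatch fails the state.
func (c *SecurityChip) AuthenticateOSState(current []StateRef) error {
	if len(current) != len(c.area3Hashes) {
		return fmt.Errorf("state reference set does not match the provisioned set")
	}
	for _, r := range current {
		if !hmac.Equal(r.Sig, c.signStateRef(r.Data)) {
			return fmt.Errorf("%s: signature verification failed", r.Name)
		}
		std, ok := c.area3Hashes[r.Name]
		if !ok || subtle.ConstantTimeCompare(hashSigned(r), std) != 1 {
			return fmt.Errorf("%s: current hash differs from standard hash", r.Name)
		}
	}
	return nil
}

// UnsealPrivateKey is the two-step gate: the password leaves area 1 only if the
// OS state authenticates, and the key leaves area 2 only against that password.
func (c *SecurityChip) UnsealPrivateKey(current []StateRef) ([]byte, error) {
	if err := c.AuthenticateOSState(current); err != nil {
		return nil, fmt.Errorf("protection password not released: %w", err)
	}
	if subtle.ConstantTimeCompare(c.area1Password, c.area2Password) != 1 {
		return nil, fmt.Errorf("private key not released: wrong protection password")
	}
	return c.area2Key, nil
}

func main() {
	chip := NewSecurityChip([]byte("device-key"), []byte("pw"), []byte("mk")) // constructed values
	chip.ProvisionStandardHashes(map[string][]byte{"kernel": []byte("vmlinuz-good")})
	fmt.Println(chip.UnsealPrivateKey(chip.CaptureBootState(map[string][]byte{"kernel": []byte("vmlinuz-changed")})))
}
```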
Further, in the method described above, the first electronic device and the second electronic device use SSL/TLS security authentication, and the target data is the hash value of the handshake messages and the master key from the handshake between the two parties;
and the encrypting the target data with the private key of the first electronic device includes:
asymmetrically encrypting, with the private key of the first electronic device, the hash value of the handshake messages and the master key from the handshake between the two parties.
In the embodiments of the application, since the hash value of the handshake messages and the master key from the handshake is data that both parties can readily obtain, the target data is set to that hash value. An asymmetric algorithm with the private key of the first electronic device is used to encrypt it, so the encrypted data is harder to forge or crack and the security of the data in transit is effectively ensured.
Further, the method as described above, the sending the encrypted first encrypted data to the second electronic device includes:
carrying the first encrypted data in a certificate verification message of the first electronic device; and sending the certificate verification message of the first electronic device to the second electronic device.
In the embodiments of the application, the first encrypted data is carried in the certificate verification message and sent to the second electronic device, so the first encrypted data need not be sent to the second electronic device in a separate message; this reduces the number of interactions and improves data transmission efficiency.
Further, according to the method described above, the second electronic device is mounted with a security chip, and the method further includes:
if the first electronic device receives second encrypted data sent by the second electronic device, decrypting the second encrypted data with the public key of the second electronic device;
and performing security authentication on the second electronic device according to the decrypted target data and the prestored target data.
In the embodiments of the application, if the second electronic device also carries a security chip, the first electronic device can likewise complete security authentication of the second electronic device, so that the hijacking of either the first or the second electronic device by a hacker can be detected, which improves the security of SSL/TLS mutual authentication.
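The handshake-bound proof from the passages above, as an added example in Go that is not part of the patent: both parties hash the handshake messages and the master key into the target data, the prover processes it with its device private key, and the peer recomputes the target data from its own view of the handshake and verifies with the prover's public key, in both directions for mutual authentication. The patent's "asymmetric encryption with the private key" is realised here as an Ed25519 signature, which is what that operation amounts to in a modern asymmetric scheme; `Device`, `Prove`, `VerifyPeer`, `MutualAuthenticate` and the sample transcript are constructed for the example, and the private key is held in-process rather than inside a security chip.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CertificateVerifyMsg carries the "first encrypted data" inside the
// certificate verification message, as the patent describes.
type CertificateVerifyMsg struct {
	Signature []byte
}

// Device models one party (client or server). In the patent the private key
// never leaves the security chip; here it is held in-process, and Prove is the
// only operation that touches it.
type Device struct {
	Public  ed25519.PublicKey // would be conveyed to the peer in the device certificate
	private ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Public: pub, private: priv}, nil
}

// TargetData is the hash over the handshake messages exchanged so far and the
// master key; each party computes it independently from its own view.
func TargetData(handshake [][]byte, masterKey []byte) []byte {
	h := sha256.New()
	for _, m := range handshake {
		h.Write(m)
	}
	h.Write(masterKey)
	return h.Sum(nil)
}

// Prove produces the first encrypted data: the target data processed with the
// device private key, realised as an Ed25519 signature.
func (d *Device) Prove(handshake [][]byte, masterKey []byte) CertificateVerifyMsg {
	return CertificateVerifyMsg{Signature: ed25519.Sign(d.private, TargetData(handshake, masterKey))}
}

// VerifyPeer is the receiving side: it recomputes the target data from its own
// transcript and master key (the "prestored target data") and checks the
// received message under the peer's public key.
func VerifyPeer(peerPublic ed25519.PublicKey, handshake [][]byte, masterKey []byte, msg CertificateVerifyMsg) error {
	if !ed25519.Verify(peerPublic, TargetData(handshake, masterKey), msg.Signature) {
		return errors.New("peer failed security authentication")
	}
	return nil
}

// MutualAuthenticate runs the exchange in both directions, as when both the
// first and the second electronic device carry a security chip.
func MutualAuthenticate(client, server *Device, handshake [][]byte, masterKey []byte) error {
	if err := VerifyPeer(client.Public, handshake, masterKey, client.Prove(handshake, masterKey)); err != nil {
		return fmt.Errorf("server rejects client: %w", err)
	}
	if err := VerifyPeer(server.Public, handshake, masterKey, server.Prove(handshake, masterKey)); err != nil {
		return fmt.Errorf("client rejects server: %w", err)
	}
	return nil
}

func main() {
	client, _ := NewDevice()
	server, _ := NewDevice()
	// Constructed sample transcript and master key standing in for real TLS values.
	handshake := [][]byte{[]byte("ClientHello"), []byte("ServerHello"), []byte("Certificate")}
	masterKey := []byte("constructed-master-key-bytes")
	fmt.Println("mutual authentication:", MutualAuthenticate(client, server, handshake, masterKey))
	// A proof made over one transcript does not verify against a different one.
	msg := client.Prove(handshake, masterKey)
	altered := append(handshake[:2:2], []byte("Certificate-altered"))
	fmt.Println("altered transcript:", VerifyPeer(client.Public, altered, masterKey, msg))
}
```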
A second aspect of the embodiments of the present application provides an authentication apparatus for network communication, where the apparatus is located in a first electronic device, and the first electronic device is loaded with a security chip, and the apparatus includes:
a state authentication module, configured to authenticate the current state of the operating system of the first electronic device if it is determined that the first electronic device has received a security authentication request sent by the second electronic device; a password obtaining module, configured to obtain the private key protection password of the first electronic device if the current state of the operating system of the first electronic device passes authentication, the private key protection password being sealed in a first fixed storage area of the security chip; a private key obtaining module, configured to obtain the private key of the first electronic device according to the private key protection password, the private key being sealed in a second fixed storage area of the security chip; and a data encryption module, configured to encrypt the target data with the private key of the first electronic device and send the resulting first encrypted data to the second electronic device, so that the second electronic device can perform security authentication on the first electronic device according to the first encrypted data.
Further, the apparatus as described above includes a private key storage module, configured to obtain the private key of the first electronic device, import it into a second fixed storage area of the security chip, and set a protection password that is required when the private key is acquired; and a password storage module 1202, configured to seal the protection password in a first fixed storage area of the security chip and set an authentication policy that is applied when the protection password is obtained, where the authentication policy is a policy for authenticating the current state of the operating system of the first electronic device.
Further, in the apparatus as described above, the status authentication module is specifically configured to:
acquire at least one piece of state reference data from the current start of the operating system of the first electronic device; calculate the current hash value of each piece of state reference data; acquire a standard hash value for each piece of state reference data, wherein each standard hash value is stored in a third fixed storage area of the security chip; and authenticate the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value.
Further, the apparatus as described above, the hash value storage module is configured to:
acquire each piece of state reference data of the first electronic device while its operating system is in a normal state; sign each piece of state reference data; calculate a standard hash value of each signed piece of state reference data; and store each standard hash value in a third fixed storage area of the security chip.
Further, in the apparatus as described above, the state authentication module, when obtaining at least one state reference data when the operating system of the first electronic device is currently started, is specifically configured to:
acquire at least one piece of signed state reference data from the current start of the operating system of the first electronic device.
Correspondingly, when the current hash value of each state reference data is calculated, the state authentication module is specifically configured to:
verify the signature on the signed state reference data; and if the signed state reference data passes signature verification, calculate the current hash value of the signed state reference data.
Further, in the apparatus as described above, the state authentication module, when authenticating the current state of the operating system of the first electronic device according to each of the current hash values and the corresponding standard hash value, is specifically configured to:
compare each current hash value with the corresponding standard hash value; if every current hash value is equal to its corresponding standard hash value, determine that the current state of the operating system of the first electronic device passes authentication; and if at least one current hash value is not equal to its corresponding standard hash value, determine that the current state of the operating system of the first electronic device fails authentication.
Further, in the apparatus as described above, the first electronic device and the second electronic device use SSL/TLS security authentication, and the target data is the hash values of the handshake messages and of the master key during the handshake between the two parties.
Correspondingly, when the target data is encrypted by using the private key of the first electronic device, the data encryption module is specifically configured to:
and asymmetrically encrypting the hash values of the handshake messages and of the master key during the handshake between the two parties with the private key of the first electronic equipment.
Further, in the apparatus as described above, the data encryption module, when sending the encrypted first encrypted data to the second electronic device, is specifically configured to:
carrying the first encrypted data in the certificate verification message of the first electronic device (the SSL/TLS CertificateVerify message); and sending the first electronic device certificate verification message to the second electronic device.
Further, in the apparatus as described above, the second electronic device is also mounted with a security chip, and the apparatus further includes a security authentication module configured to:
if the first electronic equipment receives second encrypted data which are sent by the second electronic equipment and are encrypted, decrypting the second encrypted data by adopting the public key of the second electronic equipment; and performing security authentication on the second electronic equipment according to the decrypted target data and the prestored target data.
A third aspect of the embodiments of the present application provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of the first aspects.
A fourth aspect of embodiments of the present application provides a non-transitory computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of the first aspects.
A fifth aspect of embodiments of the present application provides a computer program comprising program code for performing the method according to the first aspect when the computer program is run by a computer.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
fig. 1 is a first application scenario diagram of an authentication method for network communication according to an embodiment of the present application;
fig. 2 is a second application scenario diagram of an authentication method for network communication according to an embodiment of the present application;
fig. 3 is a flowchart illustrating an authentication method for network communication according to a first embodiment of the present application;
fig. 4 is a flowchart illustrating an authentication method for network communication according to a second embodiment of the present application;
fig. 5 is a flowchart illustrating step 205 of the authentication method for network communication according to the second embodiment of the present application;
fig. 6 is a flowchart illustrating step 2052 in the authentication method for network communication according to the second embodiment of the present application;
fig. 7 is a flowchart illustrating step 2054 in the authentication method for network communication according to the second embodiment of the present application;
fig. 8 is a flowchart illustrating step 208 of the authentication method for network communication according to the second embodiment of the present application;
fig. 9 is a signaling flow diagram of an authentication method for network communication according to a third embodiment of the present application;
fig. 10 is a signaling flow diagram of an authentication method for network communication according to a fourth embodiment of the present application;
fig. 11 is a schematic structural diagram of an authentication apparatus for network communication according to a fifth embodiment of the present application;
fig. 12 is a schematic structural diagram of an authentication apparatus for network communication according to a sixth embodiment of the present application;
fig. 13 is a block diagram of an electronic device for implementing an authentication method for network communication according to an embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
For a clear understanding of the technical solutions of the present application, the prior art solution is described first, taking SSL/TLS unidirectional authentication of a client by a server as an example. To secure each client in a network connection with the server, the server performs SSL/TLS authentication on every client. First, the server obtains the client certificate, which includes the public key of the client. The client then reads the client private key from the file in which it is stored, encrypts the target data with the client private key, and sends the encrypted target data to the server, so that the server decrypts it and performs security authentication on the client according to the decrypted target data.
If a hacker intrudes into the client by tampering with its operating system before or during the security authentication with the server, the client becomes untrusted. If the hacker does not tamper with the public key and the private key of the client, the server can still decrypt the encrypted target data with the public key and is not aware of the intrusion. The hacker may thus hijack the client, and can attack the server once the network connection between the client and the server is established.
Similarly, in the security authentication of the server by the client, if a hacker invades the server, the client cannot detect the intrusion, and the hacker can hijack the server and, through it, the client.
Therefore, the prior-art SSL/TLS authentication between the client and the server cannot detect that a hacker has hijacked the client or the server to intrude or steal data, and cannot prevent a hacker who has invaded the operating system from establishing a communication connection between the client and the server, so the security of network communication between the client and the server is poor.
To solve the problems in the prior art, the inventor found through research that whether the opposite end has been invaded by a hacker can be determined while a client performs security authentication on a server or a server performs security authentication on a client; detection of intrusion can be combined with the security authentication process, and subsequent security authentication of the opposite end is performed only on the premise that the opposite end has not been invaded.
The inventor further found that, to invade a client or a server, a hacker must tamper with its operating system. Whether an intrusion has occurred can therefore be determined by checking whether the current state of the operating system of the client or the server is the normal state. Moreover, to protect the private key of the client or the server, a security chip may be mounted in the client and/or the server and the client private key and/or the server private key stored in it. The protection password for the private key can be obtained only when the current state of the operating system of the client and/or the server is the normal state, that is, only when the current state of the operating system passes authentication, and obtaining the client private key and/or the server private key therefore entails the authentication of the operating system state. When a hacker has hijacked a client or a server to intrude or steal data, the corresponding private key cannot be obtained, so the security authentication cannot be passed, and the security of network communication between the client and the server is effectively improved.
An application scenario of the authentication method for network communication provided in the embodiment of the present application is described below. As shown in fig. 1, the application scenario includes a first electronic device and a second electronic device, one of which is a client and the other a server. The scenario is described taking the first electronic device as the client 1 and the second electronic device as the server 2. In this scenario the server 2 performs only one-way authentication of the client 1, so the security chip 3 is mounted on the client 1, and an operating system, such as Windows or macOS, is installed on the client 1. When the user needs to access a service of the server 2, the user enters the service URL of the server 2 in the browser of the client 1, or installs the corresponding client application on the client 1 and opens it to access the server 2. When the client 1 accesses the server 2, the server 2 performs security authentication on the client 1. The server 2 obtains the certificate of the client 1, which includes the client public key, and sends a security authentication request to the client 1. On determining that the security authentication request sent by the server 2 has been received, the client 1 authenticates the current state of its operating system. If the current state of the client operating system passes the authentication, the client 1 acquires the client private key protection password, which is sealed in a first fixed storage area of the security chip.
The client 1 then acquires the client private key, which is sealed in a second fixed storage area of the security chip, using the client private key protection password, encrypts the target data with the client private key, and sends the resulting first encrypted data to the server 2. The server 2 performs security authentication on the client 1 based on the first encrypted data: it decrypts the first encrypted data and compares the decrypted target data with the prestored target data. If they match, the client 1 is a legitimate client, passes the security authentication and may access the server 2. If they do not match, the client 1 is determined to be an unauthorized client and is not allowed to access the server 2.
As shown in fig. 2, the application scenario is again described taking the first electronic device as the client 1 and the second electronic device as the server 2. In this scenario, not only does the server 2 authenticate the client 1, but the client 1 also authenticates the server 2. The security chip 3 is mounted in both the client 1 and the server 2, and an operating system is installed in both. When the user needs to access a service, the user enters the service URL of the server 2 in the browser of the client 1, or installs the corresponding client application on the client 1 and opens it. When the client 1 accesses the server 2, the server 2 performs security authentication on the client 1 and the client 1 performs security authentication on the server 2. The process by which the server 2 authenticates the client 1 is the same as described for fig. 1. After the client 1 has passed the security authentication of the server 2, the client 1 performs security authentication on the server 2. Specifically, the client 1 obtains the certificate of the server 2, which includes the server public key, and sends a security authentication request to the server 2. On determining that the security authentication request sent by the client 1 has been received, the server 2 authenticates the current state of its operating system. If the current state of the server operating system passes the authentication, the server 2 acquires the server private key protection password, which is sealed in a first fixed storage area of the server security chip, and then acquires the server private key, which is sealed in a second fixed storage area of the server security chip, using the server private key protection password.
The server 2 encrypts the target data with the server private key and sends the resulting second encrypted data to the client 1. The client 1 performs security authentication on the server 2 according to the second encrypted data: it decrypts the second encrypted data and compares the decrypted target data with the prestored target data; if they match, the server 2 is a legitimate server and passes the security authentication. Only after both the client and the server have passed security authentication may the client access the server.
Embodiments of the present application will be described below in detail with reference to the accompanying drawings.
Example one
Fig. 3 is a flowchart illustrating a method for authenticating network communication according to a first embodiment of the present application, and as shown in fig. 3, an implementation subject of the embodiment of the present application is an authentication apparatus for network communication, which may be integrated in a first electronic device. The first electronic device is mounted with a security chip, and may be a client or a server. The authentication method for network communication provided by the present embodiment includes the following steps.
Step 101, if it is determined that the first electronic device receives the security authentication request sent by the second electronic device, authenticating the current state of the operating system of the first electronic device.
In this embodiment, when the first electronic device performs security authentication with the second electronic device, the security authentication may be a one-way authentication or a two-way authentication of SSL/TLS. If the first electronic device is a client and the second electronic device is a server, in this embodiment, the server performs SSL/TLS unidirectional authentication on the client. If the first electronic device is a server and the second electronic device is a client, in this embodiment, the client performs the one-way SSL/TLS authentication on the server.
Specifically, in this embodiment, if the second electronic device performs security authentication on the first electronic device, the first electronic device receives a security authentication request sent by the second electronic device, and after it is determined that the security authentication request sent by the second electronic device is received, acquires the current state of the operating system of the first electronic device, and authenticates the current state of the operating system of the first electronic device.
In this embodiment, when the current state of the operating system of the first electronic device is authenticated, it is determined whether the current state of the operating system of the first electronic device is a normal state. And if the state is the normal state, determining that the operating system of the first electronic equipment is not invaded by a hacker, and if the state is the abnormal state, determining that the operating system of the first electronic equipment is invaded by the hacker.
It should be noted that, after receiving the security authentication request sent by the second electronic device, the certificate and the public key of the first electronic device may also be sent to the second electronic device, so that the second electronic device subsequently authenticates the first electronic device according to the certificate and the public key of the first electronic device.
Step 102, if the current state of the operating system of the first electronic device passes the authentication, a private key protection password of the first electronic device is obtained, and the private key protection password of the first electronic device is sealed in a first fixed storage area of the security chip.
In this embodiment, the security chip is a trusted platform module (TPM), a device capable of generating keys and performing encryption and decryption on its own. The first electronic device private key protection password is first sealed in a first fixed storage area of the security chip, and can be obtained from that area only after the current state of the operating system of the first electronic device passes authentication. If the current state of the operating system of the first electronic device does not pass authentication, the first electronic device private key protection password in the first fixed storage area cannot be obtained.
And 103, acquiring a first electronic equipment private key according to the first electronic equipment private key protection password, wherein the first electronic equipment private key is sealed in a second fixed storage area of the security chip.
Specifically, in this embodiment, the first electronic device private key is imported into the second fixed storage area in the security chip, and a protection password for obtaining the first electronic device private key is set when the first electronic device private key is imported. And storing the protection password of the private key of the first electronic equipment into the first fixed storage area. Therefore, the private key of the first electronic device can be acquired only when the protection password is the protection password in the first fixed storage area. Since the first electronic device private key protection password is obtained from the first fixed storage area in step 102, the first electronic device private key is obtained by using the first electronic device private key protection password.
And 104, encrypting the target data by using a private key of the first electronic equipment, and sending the encrypted first encrypted data to the second electronic equipment so that the second electronic equipment can perform security authentication on the first electronic equipment according to the first encrypted data.
Specifically, in this embodiment, the target data may be encrypted with the first electronic device private key inside the security chip, so that the private key never leaves the chip. The specific encryption method is not limited in this embodiment, for example asymmetric encryption; in the SSL/TLS case "encrypting with the private key" denotes producing a digital signature over the target data with the private key, which the peer verifies with the public key. The encrypted target data is the first encrypted data, and it is sent to the second electronic device. The second electronic device has obtained the first electronic device certificate and public key in advance, so it uses the public key to decrypt (verify) the first encrypted data; if this succeeds, the first encrypted data was produced with the private key that matches the certificate. The decrypted target data is then compared with the prestored target data; if they are consistent, the target data was not tampered with in transit and the first electronic device passes the authentication.
The target data may be data that is known in advance by both the first electronic device and the second electronic device, for example, the target data may be a handshake message hash value and/or a master key hash value of the first electronic device and the second electronic device before authentication, which is not limited in this embodiment.
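As an added example, not code from the patent, the following Python models step 104 for the SSL/TLS case: the first electronic device computes the target data (hash of the handshake transcript concatenated with the hash of the master key), produces the "first encrypted data" as a signature over it with its private key, and the second electronic device verifies that signature with the public key from the certificate and checks it against the target data it computed itself, so a modified transcript or a certificate belonging to a different key is rejected. The key generation and signing are textbook RSA written here only so the block is self-contained (no padding, short modulus, `secrets`-based prime search); a real implementation uses the security chip's signing command or a vetted library, and the handshake messages and master key are constructed sample values.

```python
"""Added example (not from the patent): step 104 as a CertificateVerify-style signature."""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; trial division first so most candidates are rejected cheaply."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 1024):
    """Textbook RSA for illustration only: no padding, short modulus, not side-channel safe.
    Returns (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def target_data(handshake_messages, master_key: bytes) -> bytes:
    """The target data named in the patent: H(handshake transcript) || H(master key).
    Both sides can compute it, so the peer knows what the signature must cover."""
    transcript = b"".join(handshake_messages)
    return hashlib.sha256(transcript).digest() + hashlib.sha256(master_key).digest()

def sign_target(private_key, target: bytes) -> bytes:
    """'Encrypt the target data with the private key': sign H(target) with d."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(target).digest(), "big")
    return pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def peer_authenticates(public_key, handshake_messages, master_key: bytes,
                       first_encrypted_data: bytes) -> bool:
    """Second electronic device side: 'decrypt' with the public key and compare the
    recovered value with the hash of the target data it computed itself."""
    n, e = public_key
    recovered = pow(int.from_bytes(first_encrypted_data, "big"), e, n)
    expected = int.from_bytes(
        hashlib.sha256(target_data(handshake_messages, master_key)).digest(), "big")
    return recovered == expected

# Constructed sample handshake; the real values are the bytes of the TLS handshake
# messages exchanged so far and the negotiated master key.
SAMPLE_HANDSHAKE = [b"ClientHello:rnd=c1", b"ServerHello:rnd=s1", b"Certificate:client"]
SAMPLE_MASTER_KEY = b"constructed-master-key-00"

def demo(bits: int = 1024) -> dict:
    """Run the exchange once and report which checks pass."""
    pub, priv = generate_keypair(bits)
    sig = sign_target(priv, target_data(SAMPLE_HANDSHAKE, SAMPLE_MASTER_KEY))
    other_pub, _ = generate_keypair(bits)
    return {
        "genuine": peer_authenticates(pub, SAMPLE_HANDSHAKE, SAMPLE_MASTER_KEY, sig),
        # a hijacked peer replaying the signature over a modified transcript
        "tampered_transcript": peer_authenticates(
            pub, SAMPLE_HANDSHAKE[:-1] + [b"Certificate:attacker"], SAMPLE_MASTER_KEY, sig),
        # signature checked against a certificate that belongs to a different key
        "wrong_public_key": peer_authenticates(other_pub, SAMPLE_HANDSHAKE, SAMPLE_MASTER_KEY, sig),
    }

if __name__ == "__main__":
    print(demo(512))
```

Only the `genuine` check passes; the peer does not need the private key at any point, which is why the private key can stay sealed in the security chip and only the signature leaves the device.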
In the authentication method for network communication provided in this embodiment, if it is determined that the first electronic device receives the security authentication request sent by the second electronic device, the current state of the operating system of the first electronic device is authenticated; if the current state of the operating system of the first electronic equipment passes the authentication, acquiring a private key protection password of the first electronic equipment, and sealing the private key protection password of the first electronic equipment in a first fixed storage area of the security chip; acquiring a first electronic equipment private key according to a first electronic equipment private key protection password, wherein the first electronic equipment private key is sealed in a second fixed storage area of the security chip; and encrypting the target data by adopting a private key of the first electronic equipment, and sending the encrypted first encrypted data to the second electronic equipment so that the second electronic equipment can carry out security authentication on the first electronic equipment according to the first encrypted data. And determining whether the hacker invades by judging whether the current state of the operating system of the client or the server is a normal state. Moreover, in order to ensure the security of the private key of the client or the server, a security chip may be mounted in the client and/or the server, and the client private key and/or the server private key may be stored in the security chip. When the protection password is obtained, the protection password can be obtained only when the current state of the operating system of the client and/or the server is a normal state. And then when the client private key and/or the server private key are obtained, the authentication process corresponding to the operating system state is carried out. 
When a hacker hijacks a client or a server to invade or steal data, the corresponding private key cannot be obtained, and further the security authentication cannot be passed, so that the security of network communication between the client and the server is effectively improved.
Example two
Fig. 4 is a flowchart illustrating an authentication method for network communication according to a second embodiment of the present application. As shown in fig. 4, the method of this embodiment refines steps 101 and 104 of the method according to the first embodiment, and further includes the steps of storing the first electronic device private key and the first electronic device private key protection password in the security chip. The authentication method for network communication provided by the present embodiment includes the following steps.
Step 201, a first electronic device private key is obtained.
Specifically, the first electronic device generates a public-private key pair and obtains from a Certificate Authority (CA) a certificate of the first electronic device that binds the public key; the private key of that key pair is the first electronic device private key.
Step 202, importing the private key of the first electronic device into a second fixed storage area of the security chip, and setting a protection password when the private key of the first electronic device is obtained.
Further, in this embodiment, the first electronic device private key is imported into the second fixed storage area of the security chip, and when the first electronic device private key is imported, a protection password for obtaining the first electronic device private key is set, and when the first electronic device private key is obtained, only when the protection password is the set protection password corresponding to the first electronic device private key, the first electronic device private key can be obtained from the second fixed storage area. On the contrary, when the protection password is not the set protection password corresponding to the private key of the first electronic device, the private key of the first electronic device cannot be acquired.
The specific setting mode of the protection password is not limited, for example, the protection password may be a mode of adding a number to a letter, or a mode of adding a special symbol to a number, which is not limited in this embodiment.
Wherein the second fixed storage area is different from the first fixed storage area.
Step 203, the protection password is sealed in the first fixed storage area of the security chip, and an authentication strategy when the protection password is acquired is set, wherein the authentication strategy is a strategy for authenticating the current state of the operating system of the first electronic device.
Further, in this embodiment, the first electronic device private key protection password is sealed in the first fixed storage area of the security chip, and an authentication mechanism for obtaining it is set at sealing time, for example the PolicyPCR mechanism of the security chip (TPM2_PolicyPCR), which binds the sealed data to the values of the platform configuration registers (PCRs) that record the boot measurements. The first electronic device private key protection password can be obtained only after the PolicyPCR authentication is passed.
When the PolicyPCR authentication is performed, the current state of the operating system of the first electronic device is obtained and authenticated; if the current state is the normal state the authentication passes, and if it is abnormal the authentication fails.
Step 204, acquiring reference data of each state of the first electronic equipment operating system in a normal state; signing the reference data of each state; calculating a standard hash value of each signed state reference data; and storing each standard hash value in a third fixed storage area of the security chip.
Further, in this embodiment, in order to authenticate the current state of the operating system of the first electronic device, data in the normal state of the operating system of the first electronic device needs to be stored in the secure chip, and may be specifically stored in the third fixed storage area of the secure chip.
Wherein the third fixed storage area is distinct from the first fixed storage area and the second fixed storage area.
Specifically, first, the state reference data in the normal state of the operating system of the first electronic device is obtained, where the state reference data may include any one or more of: Basic Input Output System (BIOS) data, boot loader (GRUB) data, kernel command line parameters, kernel data, and initial RAM disk (initrd) image data.
And then signing the state reference data of the first electronic equipment operating system in the normal state to form signed state reference data, performing hash calculation on the signed state reference data by adopting a hash algorithm, wherein each calculated hash value is a standard hash value, and the standard hash value represents the hash value of the signed state reference data in the normal state of the first electronic equipment operating system. Each hash value is then stored into a third fixed storage area of the secure chip.
Step 205, if it is determined that the first electronic device receives the security authentication request sent by the second electronic device, authenticating the current state of the operating system of the first electronic device.
As an optional implementation manner, as shown in fig. 5, in this embodiment, the authenticating the current state of the operating system of the first electronic device in step 205 includes:
step 2051, at least one state reference datum when the operating system of the first electronic device is currently started is obtained.
Further, in this embodiment, step 2051 specifically includes:
at least one signed state reference data when the first electronic device operating system is currently started is acquired.
Specifically, in this embodiment, a log file of the operating system is formed when the first electronic device is started each time, and if a log file of the operating system after the first electronic device is started this time is obtained, each state reference data after the current start can be obtained in the log file, and after the state reference data is signed by a preset signature algorithm, each signed state reference data can be obtained.
Step 2052, calculate the current hash value of each state reference data.
Further, as shown in fig. 6, step 2052 specifically includes:
and step 2052a, verifying the signed state reference data.
And step 2052b, if each signed state reference data passes the signature verification, calculating a current hash value of each signed state reference data.
Specifically, in this embodiment, a signature verification algorithm corresponding to a preset signature algorithm is adopted to verify the signed state reference data. And if each signed state reference data passes the signature verification, calculating the current hash value of each signed state reference data by adopting a hash algorithm.
Step 2053, acquire the standard hash value of each state reference datum; the standard hash values are stored in a third fixed storage area of the security chip.
Further, in this embodiment the standard hash value of each state reference datum is read from the third fixed storage area of the security chip. A standard hash value is the hash value of the corresponding signed state reference datum taken while the operating system of the first electronic device was in its normal state.
Step 2054, authenticate the current state of the operating system of the first electronic device from each current hash value and the corresponding standard hash value.
As an alternative embodiment, as shown in fig. 7, step 2054 includes the following steps:
Step 2054a, compare each current hash value with the corresponding standard hash value.
Step 2054b, if every current hash value equals the corresponding standard hash value, determine that the current state of the operating system of the first electronic device passes authentication.
Step 2054c, if at least one current hash value does not equal the corresponding standard hash value, determine that the current state of the operating system of the first electronic device fails authentication.
Further, in this embodiment each current hash value is compared with its standard hash value. If every current hash value equals its standard hash value, the operating system of the first electronic device is in its normal state and the current state passes authentication. If one or more current hash values differ from their standard hash values, the operating system of the first electronic device has been altered since the standard hash values were taken (in this embodiment, taken as evidence that an attacker has intruded into the operating system); the current state is abnormal and fails authentication.
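The state authentication of steps 2051 to 2054, together with the provisioning of the standard hash values that the hash value storage module of Example six describes, as an added example in Go that is not part of the patent. The patent fixes neither the signature algorithm, the hash algorithm, the log format nor the layout of the third fixed storage area, so the Ed25519 signer, SHA-256, the StateRef record, the Area3 map and the log entries below are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// StateRef is one state reference datum from the boot-time log plus the
// signature the preset signature algorithm put on it (constructed format).
type StateRef struct {
	Name string
	Data []byte
	Sig  []byte
}

// Area3 stands in for the third fixed storage area: the standard hash of
// each signed datum, captured while the operating system was in its normal state.
type Area3 map[string][32]byte

// NewSigner makes the boot-time signer's key pair (Ed25519 is an assumption).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignedLog is the log written at one boot: every datum signed as found.
func SignedLog(priv ed25519.PrivateKey, state map[string][]byte) []StateRef {
	var refs []StateRef
	for name, data := range state {
		refs = append(refs, StateRef{Name: name, Data: data, Sig: ed25519.Sign(priv, data)})
	}
	return refs
}

// hashSigned follows step 2052b: the hash covers the signed datum, i.e. data and signature.
func hashSigned(r StateRef) [32]byte {
	return sha256.Sum256(append(append([]byte(nil), r.Data...), r.Sig...))
}

// Provision is the hash value storage module: sign each known-good datum
// and store the hash of the signed datum in area 3.
func Provision(priv ed25519.PrivateKey, goodState map[string][]byte) Area3 {
	std := make(Area3)
	for _, r := range SignedLog(priv, goodState) {
		std[r.Name] = hashSigned(r)
	}
	return std
}

// AuthenticateState implements steps 2052 to 2054 and fails closed: a bad
// signature, an empty log, a missing datum or any hash mismatch is a failure.
func AuthenticateState(signerPub ed25519.PublicKey, refs []StateRef, std Area3) (bool, string) {
	if len(refs) == 0 || len(std) == 0 {
		return false, "nothing to authenticate"
	}
	for _, r := range refs { // step 2052a
		if !ed25519.Verify(signerPub, r.Data, r.Sig) {
			return false, "signature check failed on " + r.Name
		}
	}
	seen := make(map[string]bool)
	for _, r := range refs {
		cur := hashSigned(r)    // step 2052b
		want, ok := std[r.Name] // step 2053
		if !ok {
			return false, "no standard hash for " + r.Name
		}
		if subtle.ConstantTimeCompare(cur[:], want[:]) != 1 { // step 2054
			return false, "hash mismatch on " + r.Name
		}
		seen[r.Name] = true
	}
	for name := range std { // a datum left out of the log is not a pass
		if !seen[name] {
			return false, "no current data for " + name
		}
	}
	return true, ""
}

func main() {
	pub, priv := NewSigner()
	good := map[string][]byte{"kernel": []byte("vmlinuz 5.4.0 build 2020-03"), "sshd_config": []byte("PermitRootLogin no")}
	std := Provision(priv, good)
	ok, why := AuthenticateState(pub, SignedLog(priv, good), std)
	fmt.Println("normal boot:", ok, why)
	bad := map[string][]byte{"kernel": good["kernel"], "sshd_config": []byte("PermitRootLogin yes")}
	ok, why = AuthenticateState(pub, SignedLog(priv, bad), std)
	fmt.Println("tampered boot:", ok, why)
	_, rogue := NewSigner()
	ok, why = AuthenticateState(pub, SignedLog(rogue, good), std)
	fmt.Println("log signed by another key:", ok, why)
}
```

Two points a practitioner should keep in mind. Because the standard hash is taken over the signed datum, the signature scheme must be deterministic (Ed25519 is); with a randomized scheme such as RSA-PSS or ECDSA the signature, and therefore the hash, would differ on every boot and the comparison would never pass, so in that case hash the data alone and keep the signature separate. The coverage loop at the end is also deliberate: without it, simply omitting a modified component from the log would pass the comparison. Signature verification proves that the entries came from the signer, and the hash comparison proves that they match the normal state; neither prevents replay of an old but genuine log, so binding a boot counter or nonce into the signed data is a sensible addition.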
Step 206, if the current state of the operating system of the first electronic device passes authentication, acquire the first electronic device private key protection password, which is sealed in a first fixed storage area of the security chip.
Step 207, acquire the first electronic device private key according to the first electronic device private key protection password; the first electronic device private key is sealed in a second fixed storage area of the security chip.
In this embodiment, steps 206 and 207 are implemented in the same way as steps 102 and 103 of the first embodiment of the present application and are not described again here.
Step 208, encrypt the target data with the first electronic device private key and send the resulting first encrypted data to the second electronic device, so that the second electronic device performs security authentication on the first electronic device according to the first encrypted data.
Optionally, SSL/TLS security authentication is used between the first electronic device and the second electronic device, and the target data is the hash value of the handshake messages exchanged by the two parties and of the master key. In TLS itself this step is the signature carried in the CertificateVerify message; the embodiment describes it as asymmetric encryption with the private key, undone with the corresponding public key, and that same private-key operation is meant wherever "encrypting with the private key" appears below.
As an alternative, as shown in fig. 8, in this embodiment step 208 includes the following steps:
Step 2081, asymmetrically encrypt the hash value of the two parties' handshake messages and of the master key with the first electronic device private key.
Further, the asymmetric encryption algorithm and the first electronic device private key are applied to the hash value of the handshake messages and the master key to obtain an encryption result. The encryption result is the first encrypted data.
Step 2082, carry the first encrypted data in the first electronic device certificate verification message.
Step 2083, send the first electronic device certificate verification message to the second electronic device.
Further, in this embodiment, since the first electronic device already sends a certificate verification message to the second electronic device when SSL/TLS security authentication is used between them, the first encrypted data can be carried in that message, which delivers it to the second electronic device without an extra round trip.
After the second electronic device receives the first encrypted data, it decrypts it with the corresponding asymmetric decryption algorithm, using the public key of the first electronic device (from the certificate received earlier), and compares the decrypted hash value with the hash value of the handshake messages and the master key that it computed and stored itself. If the two hash values match, the first electronic device passes authentication; if they differ, the first electronic device fails authentication.
Example three
Fig. 9 is a signaling flowchart of an authentication method for network communication according to a third embodiment of the present application, where as shown in fig. 9, the authentication method for network communication provided by this embodiment adopts SSL/TLS security authentication, where a first electronic device is a client, a second electronic device is a server, and the server performs SSL/TLS authentication on the client. The client is loaded with a secure chip. The method comprises the following steps:
step 301, the server sends a certificate request message to the client.
It is understood that the certificate request message is one form of security authentication request.
Step 302, the client obtains the client certificate and calculates the handshake message and the hash value of the master key when the two parties handshake.
Further, during the handshake between the client and the server, the client keeps the two parties' handshake messages and the master key, and applies a hash algorithm to them to obtain the hash value of the handshake messages and the master key.
Step 303, the client sends the client certificate to the server.
The client certificate carries the public key of the client, together with the hash value of the two parties' handshake messages and of the master key.
At step 304, the client authenticates the current state of the operating system.
Step 305, if the current state of the operating system passes the authentication, the client acquires a client private key protection password from the security chip.
In this embodiment, the client private key protection password is sealed in the first fixed storage area of the security chip, so that the client private key protection password is obtained from the first fixed storage area of the security chip.
Step 306, the client obtains the client private key from the security chip according to the client private key protection password.
In this embodiment, the client private key is imported into the second fixed storage area of the security chip, so that the client private key is obtained from the second fixed storage area of the security chip.
And 307, the client encrypts the handshake message and the hash value of the master key during the handshake of the two parties by using the private key of the client.
In this embodiment, the client performs asymmetric encryption on the handshake message and the hash value of the master key during handshake between the two parties by using an asymmetric algorithm and a client private key to form first encrypted data.
Step 308, the client certificate verification message is sent to the server.
Wherein the first encrypted data is carried in the certificate check message.
In this embodiment, steps 304 to 308 are implemented in the same way as the corresponding steps of the second embodiment of the present application and are not described in detail here.
Step 309, the server decrypts the first encrypted data and compares the decrypted hash value of the handshake messages and the master key with the hash value of the handshake messages and the master key that it stored in advance, so as to authenticate the client.
In this embodiment, the server compares the decrypted hash value with its pre-stored hash value of the handshake messages and the master key. If the two hash values match, the client passes authentication; if they differ, the client fails authentication.
Example four
Fig. 10 is a signaling flowchart of an authentication method for network communication according to a fourth embodiment of the present application, where as shown in fig. 10, the authentication method for network communication provided by this embodiment adopts SSL/TLS security authentication, where a first electronic device is a server, a second electronic device is a client, and the client performs SSL/TLS authentication on the server. The server is loaded with a security chip. The method comprises the following steps:
in step 401, the client sends a certificate request message to the server.
It is understood that the certificate request message is one form of security authentication request.
Step 402, the server obtains the server certificate, and calculates the hash value of the handshake message and the master key during the handshake between the two parties.
Further, during the handshake between the server and the client, the server keeps the two parties' handshake messages and the master key, and applies a hash algorithm to them to obtain the hash value of the handshake messages and the master key.
The server sends a server certificate to the client, step 403.
The server certificate carries the public key of the server, together with the hash value of the two parties' handshake messages and of the master key.
At step 404, the server authenticates the current state of the operating system.
Step 405, if the current state of the operating system passes the authentication, the server acquires a server private key protection password from the security chip.
In this embodiment, the server private key protection password is sealed in the first fixed storage area of the security chip, so that the server private key protection password is obtained from the first fixed storage area of the security chip.
And 406, the server acquires the server private key from the security chip according to the server private key protection password.
In this embodiment, the server private key is imported into the second fixed storage area of the security chip, so that the server private key is obtained from the second fixed storage area of the security chip.
Step 407, the server encrypts the handshake message and the hash value of the master key during the handshake between the two parties by using the server private key.
In this embodiment, the server performs asymmetric encryption on the handshake message and the hash value of the master key during handshake between the two parties by using an asymmetric algorithm and a server private key to form second encrypted data.
It can be understood that in this embodiment the data obtained when the server encrypts the hash value of the handshake messages and the master key with the server private key is called the second encrypted data, to distinguish it from the first encrypted data that the client produces with the client private key.
Step 408, the server certificate check message is sent to the client.
Wherein the second encrypted data is carried in the certificate check message.
In this embodiment, the implementation manners of steps 404 to 408 are similar to the implementation manners of the related steps in the second embodiment of the present application, and are not described in detail here.
Step 409, the client decrypts the second encrypted data and compares the decrypted hash value of the handshake messages and the master key with the hash value of the handshake messages and the master key that it stored in advance, so as to authenticate the server.
Specifically, when the client receives the second encrypted data sent by the server, it decrypts the second encrypted data with the server public key and performs security authentication on the server by comparing the decrypted target data with the pre-stored target data.
If the two hash values match, the server passes authentication; if they differ, the server fails authentication.
It is worth noting that steps 301 to 308 combined with steps 401 to 408 constitute SSL/TLS mutual authentication between the client and the server.
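Steps 206 to 208 together with the client-side and server-side exchanges of Examples three and four, as one added Go example that is not part of the patent. The SecurityChip type is a constructed stand-in for the three fixed storage areas, not a TPM or any vendor API; the Ed25519 key pair, the SHA-256 transcript hash, the protection password, the handshake messages and the master key are constructed assumptions. What the embodiments call encrypting the hash with the private key and decrypting it with the public key is implemented here as what it is in TLS, a signature that the peer verifies with the public key from the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecurityChip is a constructed model of the three fixed storage areas, not a
// TPM or vendor API. Area 1: the protection password, sealed to the normal OS
// state. Area 2: the private key, released only against that password. Area 3:
// the standard OS state digest that the sealing policy compares against.
type SecurityChip struct {
	area1Password []byte
	area2PrivKey  ed25519.PrivateKey
	area2Password []byte
	area3StdState [32]byte
}

// ProvisionChip is the one-time setup of claim 2: import the private key, set
// its protection password, seal the password and bind the policy to the normal state.
func ProvisionChip(priv ed25519.PrivateKey, password []byte, goodState [32]byte) *SecurityChip {
	return &SecurityChip{area1Password: password, area2PrivKey: priv, area2Password: password, area3StdState: goodState}
}

// UnsealPassword is step 206: area 1 releases the password only when the
// current OS state digest equals the sealed policy value.
func (c *SecurityChip) UnsealPassword(currentState [32]byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(currentState[:], c.area3StdState[:]) != 1 {
		return nil, errors.New("OS state authentication failed, password stays sealed")
	}
	return c.area1Password, nil
}

// UnsealPrivateKey is step 207: area 2 releases the key only against the correct password.
func (c *SecurityChip) UnsealPrivateKey(password []byte) (ed25519.PrivateKey, error) {
	if subtle.ConstantTimeCompare(password, c.area2Password) != 1 {
		return nil, errors.New("wrong private key protection password")
	}
	return c.area2PrivKey, nil
}

// TranscriptHash is the hash of the handshake messages and the master key that
// each side computes from its own record (steps 302 and 309); lengths are mixed in.
func TranscriptHash(handshake [][]byte, masterKey []byte) []byte {
	h := sha256.New()
	for _, m := range handshake {
		fmt.Fprintf(h, "%d:", len(m))
		h.Write(m)
	}
	fmt.Fprintf(h, "mk%d:", len(masterKey))
	h.Write(masterKey)
	return h.Sum(nil)
}

// ClientCertificateVerify chains steps 304 to 308 and returns the "first encrypted
// data": a signature over the transcript hash made with the key the chip released.
func ClientCertificateVerify(chip *SecurityChip, currentState [32]byte, handshake [][]byte, masterKey []byte) ([]byte, error) {
	pw, err := chip.UnsealPassword(currentState)
	if err != nil {
		return nil, err
	}
	priv, err := chip.UnsealPrivateKey(pw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, TranscriptHash(handshake, masterKey)), nil
}

// ServerVerify is step 309: recompute the hash locally and check the signature with the client's public key.
func ServerVerify(clientPub ed25519.PublicKey, handshake [][]byte, masterKey []byte, sig []byte) bool {
	return ed25519.Verify(clientPub, TranscriptHash(handshake, masterKey), sig)
}

// NewDemoChip provisions a chip with a fresh key pair and a constructed normal-state
// digest; it returns the public key (server side) and the chip and digest (client side).
func NewDemoChip() (ed25519.PublicKey, *SecurityChip, [32]byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := sha256.Sum256([]byte("constructed: standard hashes of kernel, initrd, sshd_config"))
	return pub, ProvisionChip(priv, []byte("constructed-protection-password"), good), good
}

func main() {
	pub, chip, good := NewDemoChip()
	handshake := [][]byte{[]byte("ClientHello"), []byte("ServerHello"), []byte("Certificate"), []byte("CertificateRequest")}
	masterKey := []byte("constructed-master-key")
	sig, err := ClientCertificateVerify(chip, good, handshake, masterKey)
	fmt.Println("normal state, server accepts:", err == nil && ServerVerify(pub, handshake, masterKey, sig))
	_, err = ClientCertificateVerify(chip, sha256.Sum256([]byte("sshd_config changed")), handshake, masterKey)
	fmt.Println("tampered state:", err)
	other := [][]byte{[]byte("ClientHello"), []byte("ServerHello'"), []byte("Certificate"), []byte("CertificateRequest")}
	fmt.Println("signature replayed into another handshake:", ServerVerify(pub, other, masterKey, sig))
}
```

The single [32]byte passed as the current state is the summary that the state authentication of steps 2051 to 2054 would produce; the point of sealing is that the password never leaves area 1 unless that digest matches, so a tampered operating system gets no password, no private key and no valid certificate verification message. The server-side embodiment of Example four is the same code with the roles swapped. Because the signature covers this handshake's transcript, a captured certificate verification message cannot be reused in another session, which the last line of main demonstrates.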
Example five
Fig. 11 is a schematic structural diagram of an authentication device for network communication according to a fifth embodiment of the present application, and as shown in fig. 11, the authentication device for network communication according to the present embodiment is located in a first electronic device, and the first electronic device is equipped with a security chip. The authentication apparatus 1100 for network communication includes: a status authentication module 1101, a password acquisition module 1102, a private key acquisition module 1103 and a data encryption module 1104.
The state authentication module 1101 is configured to authenticate a current state of an operating system of the first electronic device if it is determined that the first electronic device receives a security authentication request sent by the second electronic device. The password obtaining module 1102 is configured to obtain a first electronic device private key protection password if the current state of the first electronic device operating system passes authentication, where the first electronic device private key protection password is sealed in a first fixed storage area of the security chip. The private key obtaining module 1103 is configured to obtain a private key of the first electronic device according to the first electronic device private key protection password, where the first electronic device private key is sealed in the second fixed storage area of the security chip. The data encryption module 1104 is configured to encrypt target data by using a private key of the first electronic device, and send the encrypted first encrypted data to the second electronic device, so that the second electronic device performs security authentication on the first electronic device according to the first encrypted data.
The authentication apparatus for network communication provided in this embodiment may implement the technical solution of the method embodiment shown in fig. 3, and the implementation principle and technical effect thereof are similar to those of the method embodiment shown in fig. 3, and are not described in detail herein.
Example six
Fig. 12 is a schematic structural diagram of an authentication apparatus for network communication according to a sixth embodiment of the present application, and as shown in fig. 12, an authentication apparatus 1200 for network communication according to the present embodiment is based on an authentication apparatus 1100 for network communication according to a fifth embodiment of the present application, where the authentication apparatus 1200 for network communication includes: a private key storage module 1201, a password storage module 1202, a hash value storage module 1203 and a security authentication module 1204.
Further, the private key storage module 1201 is configured to obtain a private key of the first electronic device; and importing the private key of the first electronic equipment into a second fixed storage area of the security chip, and setting a protection password when the private key of the first electronic equipment is acquired. The password storage module 1202 is configured to seal the protection password in the first fixed storage area of the security chip, and set an authentication policy when the protection password is acquired, where the authentication policy is a policy for authenticating a current state of the operating system of the first electronic device.
Further, the state authentication module 1101 is specifically configured to:
acquiring at least one state reference data when a first electronic equipment operating system is started currently; calculating the current hash value of each state reference data; acquiring standard hash values of the state reference data, wherein the standard hash values are stored in a third fixed storage area of the security chip; and authenticating the current state of the operating system of the first electronic equipment according to each current hash value and the corresponding standard hash value.
Further, the hash value storage module 1203 is configured to:
acquiring reference data of each state of a first electronic equipment operating system in a normal state; signing the reference data of each state; calculating a standard hash value of each signed state reference data; and storing each standard hash value in a third fixed storage area of the security chip.
Further, when acquiring at least one state reference data when the operating system of the first electronic device is currently started, the state authentication module 1101 is specifically configured to:
at least one signed state reference data when the first electronic device operating system is currently started is acquired.
Accordingly, when calculating the current hash value of each state reference data, the state authentication module 1101 is specifically configured to:
checking the signed state reference data; and if the signed state reference data pass the signature verification, calculating the current hash value of the signed state reference data.
Further, when authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value, the state authentication module 1101 is specifically configured to:
comparing each current hash value with a corresponding standard hash value; if the current hash values are equal to the corresponding standard hash values, determining that the current state of the operating system of the first electronic equipment passes authentication; and if the at least one current hash value is not equal to the corresponding standard hash value, determining that the current state of the operating system of the first electronic equipment is not authenticated.
Further, security authentication of SSL/TLS is adopted between the first electronic device and the second electronic device, and the target data is a handshake message and a hash value of the master key during handshake between the two parties.
Correspondingly, when the first electronic device private key is used to encrypt the target data, the data encryption module 1104 is specifically configured to:
and adopting a private key of the first electronic equipment to asymmetrically encrypt the handshake messages and the hash value of the master key during the handshake of the two parties.
Further, when the encrypted first encrypted data is sent to the second electronic device, the data encryption module 1104 is specifically configured to:
carrying the first encrypted data into a first electronic device certificate verification message; and sending the first electronic equipment certificate verification message to the second electronic equipment.
Further, the second electronic device is also equipped with a security chip, and the security authentication module 1204 is configured to:
if the first electronic device receives second encrypted data sent by the second electronic device, decrypt the second encrypted data with the public key of the second electronic device, and perform security authentication on the second electronic device by comparing the decrypted target data with the pre-stored target data.
The authentication apparatus for network communication provided in this embodiment may execute the technical solutions of the method embodiments shown in fig. 4 to 10, and the implementation principle and technical effects thereof are similar to those of the method embodiments shown in fig. 4 to 10, and are not described in detail here.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 13 is a block diagram of an electronic device for the authentication method for network communication according to an embodiment of the present application; the electronic device is the first electronic device. Electronic devices here cover various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, clients, blade servers, mainframes and other suitable computers, as well as various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices and similar computing devices. The components shown, their connections and relationships, and their functions are examples only and do not limit the implementations of the present application described and/or claimed herein.
As shown in fig. 13, the electronic device includes one or more processors 1301, a memory 1302, and interfaces for connecting the components, including high-speed and low-speed interfaces. The components are interconnected by different buses and may be mounted on a common motherboard or in other ways as required. The processor can process instructions executed within the electronic device, including instructions stored in or on the memory for displaying graphical information of a GUI on an external input/output device (such as a display coupled to an interface). In other embodiments, multiple processors and/or multiple buses may be used together with multiple memories, as required. Likewise, multiple electronic devices may be connected, each providing part of the necessary operations (for example as a server array, a group of blade servers or a multi-processor system). Fig. 13 takes one processor 1301 as an example.
Memory 1302 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by the at least one processor to cause the at least one processor to perform the method for authenticating network communications provided herein. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to execute the authentication method of network communication provided by the present application.
The memory 1302, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the authentication method for network communication in the embodiment of the present application (for example, the state authentication module 1101, the password acquisition module 1102, the private key acquisition module 1103, and the data encryption module 1104 shown in fig. 11). The processor 1301 executes various functional applications of the server and data processing, that is, implements the authentication method of network communication in the above-described method embodiments, by running non-transitory software programs, instructions, and modules stored in the memory 1302.
The memory 1302 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the electronic device of fig. 13, and the like. Further, the memory 1302 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 1302 may optionally include memory located remotely from processor 1301, which may be connected to the electronic device of FIG. 13 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of fig. 13 may further include: an input device 1303 and an output device 1304. The processor 1301, the memory 1302, the input device 1303 and the output device 1304 may be connected by a bus or other means, and fig. 13 illustrates the bus connection.
The input device 1303 may receive input voice, numeric, or character information and generate key signal inputs related to user settings and function control of the electronic apparatus of fig. 13, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointing stick, one or more mouse buttons, a track ball, a joystick, or other input devices. The output devices 1304 may include a voice playing device, a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application specific ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical solution of the embodiments of the present application, whether an attacker has intruded into the client or the server is determined by checking whether the current state of its operating system is the normal state. To protect the private key of the client or the server, a security chip is mounted in the client and/or the server, and the client private key and/or the server private key is stored in it. The protection password can be obtained only when the current state of the operating system of the client and/or the server is the normal state, so obtaining the client private key and/or the server private key always goes through the authentication of the operating system state. When an attacker has hijacked a client or server in order to intrude or steal data, the corresponding private key cannot be obtained and the security authentication cannot be passed, which effectively improves the security of network communication between the client and the server.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (20)

1. An authentication method for network communication, the method being applied to a first electronic device on which a security chip is mounted, the method comprising:
if it is determined that the first electronic device has received a security authentication request sent by a second electronic device, authenticating the current state of the operating system of the first electronic device;
if the current state of the operating system of the first electronic device passes authentication, acquiring a private key protection password of the first electronic device, wherein the private key protection password of the first electronic device is sealed in a first fixed storage area of the security chip;
acquiring a private key of the first electronic device using the private key protection password of the first electronic device, wherein the private key of the first electronic device is sealed in a second fixed storage area of the security chip;
and encrypting target data with the private key of the first electronic device, and sending the resulting first encrypted data to the second electronic device, so that the second electronic device performs security authentication on the first electronic device according to the first encrypted data.
2. The method of claim 1, further comprising, before authenticating the current state of the operating system of the first electronic device:
acquiring the private key of the first electronic device;
importing the private key of the first electronic device into the second fixed storage area of the security chip, and setting a protection password that must be supplied in order to acquire the private key of the first electronic device;
and sealing the protection password in the first fixed storage area of the security chip, and setting an authentication policy that must be satisfied in order to acquire the protection password, wherein the authentication policy is a policy for authenticating the current state of the operating system of the first electronic device.
3. The method of claim 1 or 2, wherein authenticating the current state of the operating system of the first electronic device comprises:
acquiring at least one item of state reference data at the current start-up of the operating system of the first electronic device;
calculating a current hash value of each item of state reference data;
acquiring a standard hash value of each item of state reference data, wherein each standard hash value is stored in a third fixed storage area of the security chip;
and authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value.
4. The method of claim 3, further comprising, before authenticating the current state of the operating system of the first electronic device:
acquiring each item of state reference data of the first electronic device while its operating system is in a normal state;
signing each item of state reference data;
calculating a standard hash value of each signed item of state reference data;
and storing each standard hash value in the third fixed storage area of the security chip.
5. The method of claim 4, wherein acquiring at least one item of state reference data at the current start-up of the operating system of the first electronic device comprises:
acquiring at least one signed item of state reference data at the current start-up of the operating system of the first electronic device;
and calculating the current hash value of each item of state reference data comprises:
verifying the signature of the signed state reference data;
and if the signed state reference data passes signature verification, calculating the current hash value of the signed state reference data.
6. The method of claim 5, wherein authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value comprises:
comparing each current hash value with the corresponding standard hash value;
if every current hash value is equal to the corresponding standard hash value, determining that the current state of the operating system of the first electronic device passes authentication;
and if at least one current hash value is not equal to the corresponding standard hash value, determining that the current state of the operating system of the first electronic device fails authentication.
7. The method of claim 1 or 2, wherein SSL/TLS security authentication is used between the first electronic device and the second electronic device, and the target data is a hash value of the handshake messages and the master key in the two-party handshake;
and encrypting the target data with the private key of the first electronic device comprises:
asymmetrically encrypting the hash value of the handshake messages and the master key of the two-party handshake with the private key of the first electronic device.
8. The method of claim 7, wherein sending the resulting first encrypted data to the second electronic device comprises:
carrying the first encrypted data in a certificate verification message of the first electronic device;
and sending the certificate verification message of the first electronic device to the second electronic device.
9. The method of claim 1 or 2, wherein the second electronic device also has a security chip mounted thereon, the method further comprising:
if the first electronic device receives second encrypted data sent by the second electronic device, decrypting the second encrypted data with the public key of the second electronic device;
and performing security authentication on the second electronic device according to the decrypted target data and pre-stored target data.
10. An authentication apparatus for network communication, the apparatus being located in a first electronic device on which a security chip is mounted, the apparatus comprising:
a state authentication module configured to authenticate the current state of the operating system of the first electronic device if it is determined that the first electronic device has received a security authentication request sent by a second electronic device;
a password obtaining module configured to acquire a private key protection password of the first electronic device if the current state of the operating system of the first electronic device passes authentication, wherein the private key protection password of the first electronic device is sealed in a first fixed storage area of the security chip;
a private key obtaining module configured to acquire a private key of the first electronic device using the private key protection password of the first electronic device, wherein the private key of the first electronic device is sealed in a second fixed storage area of the security chip;
and a data encryption module configured to encrypt target data with the private key of the first electronic device and send the resulting first encrypted data to the second electronic device, so that the second electronic device performs security authentication on the first electronic device according to the first encrypted data.
11. The apparatus of claim 10, further comprising:
a private key storage module configured to acquire the private key of the first electronic device, import the private key of the first electronic device into the second fixed storage area of the security chip, and set a protection password that must be supplied in order to acquire the private key of the first electronic device;
and a password storage module configured to seal the protection password in the first fixed storage area of the security chip and set an authentication policy that must be satisfied in order to acquire the protection password, wherein the authentication policy is a policy for authenticating the current state of the operating system of the first electronic device.
12. The apparatus of claim 10 or 11, wherein the state authentication module is specifically configured to:
acquire at least one item of state reference data at the current start-up of the operating system of the first electronic device; calculate a current hash value of each item of state reference data; acquire a standard hash value of each item of state reference data, wherein each standard hash value is stored in a third fixed storage area of the security chip; and authenticate the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value.
13. The apparatus of claim 12, further comprising a hash value storage module configured to:
acquire each item of state reference data of the first electronic device while its operating system is in a normal state; sign each item of state reference data; calculate a standard hash value of each signed item of state reference data; and store each standard hash value in the third fixed storage area of the security chip.
14. The apparatus of claim 13, wherein the state authentication module, when acquiring at least one item of state reference data at the current start-up of the operating system of the first electronic device, is specifically configured to:
acquire at least one signed item of state reference data at the current start-up of the operating system of the first electronic device;
and the state authentication module, when calculating the current hash value of each item of state reference data, is specifically configured to:
verify the signature of the signed state reference data; and if the signed state reference data passes signature verification, calculate the current hash value of the signed state reference data.
15. The apparatus of claim 14, wherein the state authentication module, when authenticating the current state of the operating system of the first electronic device according to each current hash value and the corresponding standard hash value, is specifically configured to:
compare each current hash value with the corresponding standard hash value; if every current hash value is equal to the corresponding standard hash value, determine that the current state of the operating system of the first electronic device passes authentication; and if at least one current hash value is not equal to the corresponding standard hash value, determine that the current state of the operating system of the first electronic device fails authentication.
16. The apparatus of claim 10 or 11, wherein SSL/TLS security authentication is used between the first electronic device and the second electronic device, and the target data is a hash value of the handshake messages and the master key in the two-party handshake;
and the data encryption module, when encrypting the target data with the private key of the first electronic device, is specifically configured to:
asymmetrically encrypt the hash value of the handshake messages and the master key of the two-party handshake with the private key of the first electronic device.
17. The apparatus of claim 16, wherein the data encryption module, when sending the resulting first encrypted data to the second electronic device, is specifically configured to:
carry the first encrypted data in a certificate verification message of the first electronic device; and send the certificate verification message of the first electronic device to the second electronic device.
18. The apparatus of claim 10 or 11, wherein the second electronic device also has a security chip mounted thereon, the apparatus further comprising a security authentication module configured to:
if the first electronic device receives second encrypted data sent by the second electronic device, decrypt the second encrypted data with the public key of the second electronic device; and perform security authentication on the second electronic device according to the decrypted target data and pre-stored target data.
19. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, the instructions enabling the at least one processor to perform the method of any one of claims 1-9.
20. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-9.
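The attested key release of claims 1 to 7, as an added example that is not part of the patent or of its applicant's code: a constructed security chip with the three fixed storage areas, in which the private key protection password leaves the first area only when every signed measurement verifies and hashes to its standard hash, and the private key leaves the second area only for that password. The measurement signing key, Ed25519 for the device's private-key operation and SHA-256 as the hash are assumptions of the example.

```go
package main

import "crypto/ed25519"
import "crypto/sha256"
import "crypto/subtle"
import "errors"

// SecurityChip is a constructed stand-in for the three fixed storage areas in the claims (not the patent's code).
type SecurityChip struct {
	sealedPassword []byte             // first fixed area: private key protection password
	sealedKey      ed25519.PrivateKey // second fixed area: device private key
	standardHashes [][32]byte         // third fixed area: hashes of a known-good boot (claim 4)
	measurePub     ed25519.PublicKey  // verifies signed state reference data (assumed signing key)
}

// ProvisionChip is the set-up of claims 2 and 4: seal key and password, record one standard hash per datum.
func ProvisionChip(devKey ed25519.PrivateKey, password []byte, measurePub ed25519.PublicKey, goodRefs [][]byte) *SecurityChip {
	c := &SecurityChip{sealedPassword: password, sealedKey: devKey, measurePub: measurePub}
	for _, r := range goodRefs {
		c.standardHashes = append(c.standardHashes, sha256.Sum256(r))
	}
	return c
}

// UnsealPassword releases the password from the first area only under the policy of claims 3, 5 and 6.
func (c *SecurityChip) UnsealPassword(refs, sigs [][]byte) ([]byte, error) {
	if len(refs) != len(c.standardHashes) || len(sigs) != len(refs) {
		return nil, errors.New("measurement count does not match the stored standard hashes")
	}
	for i, r := range refs {
		if !ed25519.Verify(c.measurePub, r, sigs[i]) {
			return nil, errors.New("state reference data failed signature verification")
		}
		if sha256.Sum256(r) != c.standardHashes[i] { // current hash vs standard hash (public values)
			return nil, errors.New("current hash differs from standard hash: OS state not authenticated")
		}
	}
	return c.sealedPassword, nil
}

// UnsealPrivateKey releases the key from the second area only for the correct protection password.
func (c *SecurityChip) UnsealPrivateKey(password []byte) (ed25519.PrivateKey, error) {
	if subtle.ConstantTimeCompare(password, c.sealedPassword) != 1 {
		return nil, errors.New("private key protection password rejected")
	}
	return c.sealedKey, nil
}

// RespondToAuthRequest is the claim 1 flow; the private-key step of claim 7 is modelled as an Ed25519 signature.
func RespondToAuthRequest(c *SecurityChip, refs, sigs [][]byte, handshakeHash []byte) ([]byte, error) {
	pw, err := c.UnsealPassword(refs, sigs)
	if err != nil {
		return nil, err
	}
	key, err := c.UnsealPrivateKey(pw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(key, handshakeHash), nil
}
```

The second device's check from claim 1 is ed25519.Verify on the returned bytes with the first device's public key; any altered measurement, missing measurement or forged measurement signature leaves both areas sealed and no response is produced.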

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010162755.7A CN111245616B (en) 2020-03-10 2020-03-10 Authentication method, device, equipment and storage medium for network communication

Publications (2)

Publication Number Publication Date
CN111245616A true CN111245616A (en) 2020-06-05
CN111245616B CN111245616B (en) 2023-03-24

Family

ID=70870515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010162755.7A Active CN111245616B (en) 2020-03-10 2020-03-10 Authentication method, device, equipment and storage medium for network communication

Country Status (1)

Country Link
CN (1) CN111245616B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553348A (en) * 2003-05-28 2004-12-08 联想(北京)有限公司 Computer system landing method
CN101459513A (en) * 2007-12-10 2009-06-17 联想(北京)有限公司 Computer and transmitting method of security information for authentication
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
WO2014069985A1 (en) * 2012-11-05 2014-05-08 Mimos Berhad System and method for identity-based entity authentication for client-server communications
CN105721500A (en) * 2016-04-10 2016-06-29 北京工业大学 TPM-based Modbus/TCP security enhancement method
WO2016127516A1 (en) * 2015-02-13 2016-08-18 中兴通讯股份有限公司 File signature method for operating system, file check method, and apparatus
CN110278080A (en) * 2019-07-11 2019-09-24 珠海格力电器股份有限公司 Method, system and the computer readable storage medium of data transmission
CN110601855A (en) * 2019-09-20 2019-12-20 腾讯科技(深圳)有限公司 Root certificate management method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111245616B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20211020
Address after: 100176 101, floor 1, building 1, yard 7, Ruihe West 2nd Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing
Applicant after: Apollo Zhilian (Beijing) Technology Co.,Ltd.
Address before: 2 / F, baidu building, 10 Shangdi 10th Street, Haidian District, Beijing 100085
Applicant before: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.
GR01 Patent grant