CN111447194A - Method for enhancing single sign-on security by using digital certificate - Google Patents
Method for enhancing single sign-on security by using digital certificate Download PDFInfo
- Publication number
- CN111447194A CN111447194A CN202010208157.9A CN202010208157A CN111447194A CN 111447194 A CN111447194 A CN 111447194A CN 202010208157 A CN202010208157 A CN 202010208157A CN 111447194 A CN111447194 A CN 111447194A
- Authority
- CN
- China
- Prior art keywords
- client
- single sign
- certificate
- application
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 32
- 230000002708 enhancing effect Effects 0.000 title claims abstract description 17
- 238000012795 verification Methods 0.000 claims description 13
- 238000013475 authorization Methods 0.000 claims description 9
- 239000000284 extract Substances 0.000 claims description 3
- 235000014510 cooky Nutrition 0.000 description 2
- 244000035744 Hura crepitans Species 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention discloses a method for enhancing single sign-on security by using a digital certificate, which uses a public and private key and the digital certificate to replace 1 master bill (login bill) and N slave bills (application bills) in the single sign-on process, and uses the digital certificate and an asymmetric key to verify whether a client is authorized to hold certain information, so as to solve the security problem that the application can still ensure whether the client is authorized to hold the bills when the single sign-on bill is hijacked or illegally obtained, so that the bills of the scheme have non-replicability, and the security of the single sign-on login is greatly improved.
Description
Technical Field
The invention relates to the technical field of networks, in particular to a method for enhancing single sign-on security by using a digital certificate.
Background
Common single sign-on (SSO) protocols (e.g., OAuth2, CAS, etc.) employ tickets (Token or Ticket) as login credentials.
In the single sign-on process, 1+ N bills exist between the client and the SSO server and among the application services. The ticket used with the SSO server may be called a master ticket (or called a login ticket), for example, in the CAS protocol, the client will hold a Cookie named TGC to identify its logged-in status; whereas the Cookie of WebSession is typically used in the OAuth2 protocol to identify the logged on state.
When accessing an application, a client uses a slave Ticket (also called an application Ticket) issued by the SSO server, which is called st (service Ticket) in the CAS protocol and defined as Ticket in the OAuth2 protocol. Each application is accessed with a separate application ticket, which is N if there are N applications.
But both the master ticket (login ticket) and the slave ticket (application ticket) can be copied and thus impersonated by an attacker.
The main innovation point of the method is that a public and private key and a digital certificate are used for replacing 1 master bill (login bill) and N slave bills (application bills) in the single sign-on process, whether a client side has the right to hold certain information is verified by utilizing the digital certificate and an asymmetric key, and the safety problem that whether the client side has the right to hold the bills is still guaranteed to apply when the single sign-on bill is hijacked or illegally obtained is solved, so that the bills of the scheme have non-replicability, and the safety of the single sign-on login is greatly improved.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for enhancing single sign-on security by using digital certificate, aiming at the problem of using ticket as login certificate in the existing single sign-on protocol (such as OAuth2, CAS, etc.). The public and private keys and the digital certificate are used for replacing 1 master bill (login bill) and N slave bills (application bills) in the single sign-on process, and the method has the advantages of non-replicability and greatly improved single sign-on security.
The technical problem to be solved by the invention can be realized by the following technical scheme:
a method for enhancing single sign-on security using digital certificates, comprising the steps of:
the method comprises the following steps: before single sign-on, the client generates a pair of temporary asymmetric key pairs in the client;
step two: the client side submits the client side identification, the authentication information of the user and the public key of the pair of temporary asymmetric key pairs generated in the step one to the single sign-on server, and signs all submitted client side identifications and the authentication information of the user by the private key of the pair of temporary asymmetric key pairs generated in the step one to form sign-on information;
step three: the single sign-on server verifies the login information in the second step and obtains a user identifier, and after the verification is successful, a public key in a pair of temporary asymmetric key pairs generated in the first step in the login information is extracted to verify a signature of the login information submitted by the client;
step four: the single sign-on server transfers the public key in the pair of temporary asymmetric keys generated in the step one, the client identifier and the user identifier to a CA server, and the CA server signs a main certificate with the same validity period as the single sign-on session in the step to the single sign-on server after receiving the public key, the client identifier and the user identifier; the principal certificate contains login session information;
step five: after the single sign-on server completes the login verification of the client, the single sign-on server sends a main certificate containing login session information back to the client to complete the single sign-on service login;
step six: each time an application is newly logged in, a pair of temporary asymmetric key pairs is newly generated;
step seven: the client submits the master certificate obtained in the fifth step and a private key signature in a pair of temporary asymmetric key pairs generated in the sixth step to access the single sign-on server, and submits an application identifier of a new login application and a public key in the pair of temporary asymmetric key pairs generated in the first step;
step eight: the single sign-on server verifies the main certificate submitted by the client and the private key signature in the pair of temporary asymmetric key pairs generated in the sixth step, completes the sign-on verification, and checks whether the user has the authorization of accessing the application identifier submitted by the client;
step nine: the single sign-on server extracts the user identification and the client identification from the main certificate submitted by the client, and transmits the user identification and the application identification submitted by the client to the CA server, and the CA server signs a slave certificate with the same validity period as the single sign-on session validity period in the step to the single sign-on server after receiving the application identification;
step ten: after the single sign-on server completes the client sign-on verification and the application authorization, the single sign-on server sends a secondary certificate containing the application sign-on authorization back to the client;
step eleven: after the client obtains the slave certificate, the client initiates access to the application by using the slave certificate and the corresponding private key;
step twelve: after the client submits the slave certificate access application, the application or the application pre-gateway verifies the slave certificate submitted by the client and the corresponding private key signature, and sets the validity period of the application session based on the validity period of the slave certificate to complete application login.
In a preferred embodiment of the invention, the steps six to twelve are repeated every time a new application is accessed within the validity period of the main certificate; and when the main certificate fails or the single sign-on session fails, restarting from the first step.
In a preferred embodiment of the present invention, the host certificate contains a client identifier, a user identifier, and a session identifier; the slave certificate contains a client identification, user information and an application identification.
In a preferred embodiment of the present invention, the master certificate is a login certificate, and the slave certificate is an application certificate.
In a preferred embodiment of the present invention, the authentication information of the user includes one or a combination of any two or more of a password, a short message verification code, face information, and a usb key signature.
In a preferred embodiment of the invention, the temporary asymmetric key pair is generated by a memory or cryptographic module within the client.
Due to the adoption of the technical scheme, the invention uses the public and private keys and the digital certificate to replace 1 master bill (login bill) and N slave bills (application bills) in the SSO process, and even if the master bill and the slave bills are stolen, the master bill and the slave bills cannot be falsely used due to the lack of the private key. The private key can be isolated by using technologies such as a sandbox and the like, or the security is ensured by adopting a password device with better security, and the protection of the private key is out of the discussion range of the invention. The invention solves the problem of falsely using the single sign-on bill after being stolen, and greatly improves the safety of various single sign-on protocols.
Drawings
FIG. 1 is a flowchart illustrating a second step of the method for enhancing security of single sign-on by using a digital certificate according to the present invention.
FIG. 2 is a flowchart illustrating a fourth step of the method for enhancing single sign-on security using digital certificates according to the present invention.
FIG. 3 is a flowchart illustrating a fifth step of the method for enhancing security of single sign-on by using a digital certificate according to the present invention.
FIG. 4 is a flowchart illustrating a seventh step of the method for enhancing security of single sign-on by using a digital certificate according to the present invention.
FIG. 5 is a flowchart illustrating a ninth method step of using a digital certificate to enhance single sign-on security according to the present invention.
FIG. 6 is a flowchart illustrating a method step ten of the present invention for enhancing single sign-on security using digital certificates.
FIG. 7 is a flowchart illustrating eleventh method steps of the method for enhancing single sign-on security using digital certificates according to the present invention.
Detailed Description
The invention is further described below in conjunction with the appended drawings and detailed description.
A method for enhancing single sign-on security using digital certificates, comprising the steps of:
the method comprises the following steps: before single sign-on, the client generates a pair of temporary asymmetric key pairs in the client;
step two: referring to fig. 1, the client submits the client identifier, the authentication information of the user and the public key of the pair of temporary asymmetric key pairs generated in the step one to the single sign-on server, and signs all the submitted client identifiers and the authentication information of the user by the private key of the pair of temporary asymmetric key pairs generated in the step one to form the login information;
step three: the single sign-on server verifies the login information in the second step and obtains a user identifier, and after the verification is successful, a public key in a pair of temporary asymmetric key pairs generated in the first step in the login information is extracted to verify a signature of the login information submitted by the client;
step four: referring to fig. 2, the single sign-on server hands over the public key of a pair of temporary asymmetric key pairs generated in the extraction step one to the CA server together with the client identifier and the user identifier, and after receiving the public key, the CA server issues a main certificate (login certificate) with the same validity period as the single sign-on session validity period to the single sign-on server; the principal certificate contains login session information;
step five: referring to fig. 3, after the single sign-on server completes the client sign-on verification, it sends back the master certificate (sign-on certificate) containing the login session information to the client, and completes the single sign-on service login;
step six: each time an application is newly logged in, a pair of temporary asymmetric key pairs is newly generated;
step seven: referring to fig. 4, the client submits the master certificate (login certificate) obtained in step five and the private key signature in the pair of temporary asymmetric key pairs generated in step six to access the single sign-on server, and submits the application identifier of the newly logged-on application and the newly generated public key in step six;
step eight: the single sign-on server verifies the main certificate (sign-on certificate) submitted by the client and the private key signature in the pair of temporary asymmetric key pairs generated in the sixth step, completes the sign-on verification, and checks whether the user has the authorization of accessing the application identifier submitted by the client;
step nine: referring to fig. 5, the single sign-on server extracts the user identifier and the client identifier from the main certificate (login certificate) submitted by the client, and delivers the user identifier and the client identifier to the CA server together with the application identifier submitted by the client, and the CA server, after receiving the user identifier and the client identifier, issues a slave certificate (application certificate) with the same validity period as the single sign-on session validity period to the single sign-on server;
step ten: referring to fig. 6, after the single sign-on server completes the client sign-on authentication and application authorization, it sends a secondary certificate (application certificate) containing the application sign-on authorization back to the client;
step eleven: referring to fig. 7, after obtaining the slave certificate (application certificate), the client initiates access to the application using the slave certificate (application certificate) and the corresponding private key;
step twelve: after the client submits the slave certificate (application certificate) to access the application, the application or the application pre-gateway verifies the slave certificate (application certificate) submitted by the client and the private key signature, and sets the validity period of the application session based on the validity period of the slave certificate (application certificate), thereby completing application login.
And repeating the steps six to twelve once more when a new application is accessed within the validity period of the main certificate (login certificate). When the master certificate (login certificate) fails or the single sign-on session fails, the process is restarted from the first step.
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (6)
1. A method for enhancing single sign-on security using digital certificates, comprising the steps of:
the method comprises the following steps: before single sign-on, the client generates a pair of temporary asymmetric key pairs in the client;
step two: the client side submits the client side identification, the authentication information of the user and the public key of the pair of temporary asymmetric key pairs generated in the step one to the single sign-on server, and signs all submitted client side identifications and the authentication information of the user by the private key of the pair of temporary asymmetric key pairs generated in the step one to form sign-on information;
step three: the single sign-on server verifies the login information in the second step and obtains a user identifier, and after the verification is successful, a public key in a pair of temporary asymmetric key pairs generated in the first step in the login information is extracted to verify a signature of the login information submitted by the client;
step four: the single sign-on server transfers the public key in the pair of temporary asymmetric keys generated in the step one, the client identifier and the user identifier to a CA server, and the CA server signs a main certificate with the same validity period as the single sign-on session in the step to the single sign-on server after receiving the public key, the client identifier and the user identifier; the principal certificate contains login session information;
step five: after the single sign-on server completes the login verification of the client, the single sign-on server sends a main certificate containing login session information back to the client to complete the single sign-on service login;
step six: each time an application is newly logged in, a pair of temporary asymmetric key pairs is newly generated;
step seven: the client submits the master certificate obtained in the fifth step and a private key signature in a pair of temporary asymmetric key pairs generated in the sixth step to access the single sign-on server, and submits an application identifier of a new login application and a public key in the pair of temporary asymmetric key pairs generated in the first step;
step eight: the single sign-on server verifies the main certificate submitted by the client and the private key signature in the pair of temporary asymmetric key pairs generated in the sixth step, completes the sign-on verification, and checks whether the user has the authorization of accessing the application identifier submitted by the client;
step nine: the single sign-on server extracts the user identification and the client identification from the main certificate submitted by the client, and transmits the user identification and the application identification submitted by the client to the CA server, and the CA server signs a slave certificate with the same validity period as the single sign-on session validity period in the step to the single sign-on server after receiving the application identification;
step ten: after the single sign-on server completes the client sign-on verification and the application authorization, the single sign-on server sends a secondary certificate containing the application sign-on authorization back to the client;
step eleven: after the client obtains the slave certificate, the client initiates access to the application by using the slave certificate and the corresponding private key;
step twelve: after the client submits the slave certificate access application, the application or the application pre-gateway verifies the slave certificate submitted by the client and the corresponding private key signature, and sets the validity period of the application session based on the validity period of the slave certificate to complete application login.
2. The method of claim 1, wherein steps six through twelve are repeated each time a new application is accessed within the validity period of the master certificate; and when the main certificate fails or the single sign-on session fails, restarting from the first step.
3. The method of claim 1, wherein the master certificate comprises a client identifier, a user identifier, and a session identifier; the slave certificate contains a client identification, user information and an application identification.
4. A method for enhancing single sign-on security using digital certificates as claimed in any one of claims 1 to 3, wherein said master certificate is a login certificate and said slave certificate is an application certificate.
5. The method for enhancing the security of single sign-on by using the digital certificate as claimed in claim 1, wherein the authentication information of the user comprises one or a combination of any two or more of a password, a short message verification code, face information and a USBKey signature.
6. The method for enhancing single sign-on security using digital certificates as claimed in claim 1, wherein in a preferred embodiment of the present invention, said temporary asymmetric key pair is generated by a memory or cryptographic module in the client.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010208157.9A CN111447194B (en) | 2020-03-23 | 2020-03-23 | Method for enhancing single sign-on security by using digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010208157.9A CN111447194B (en) | 2020-03-23 | 2020-03-23 | Method for enhancing single sign-on security by using digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111447194A true CN111447194A (en) | 2020-07-24 |
| CN111447194B CN111447194B (en) | 2022-03-29 |
Family
ID=71653386
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010208157.9A Active CN111447194B (en) | 2020-03-23 | 2020-03-23 | Method for enhancing single sign-on security by using digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111447194B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020144119A1 (en) * | 2001-03-29 | 2002-10-03 | Ibm Corporation | Method and system for network single sign-on using a public key certificate and an associated attribute certificate |
| CN1547343A (en) * | 2003-12-17 | 2004-11-17 | 上海市高级人民法院 | A Single Sign On method based on digital certificate |
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| CN103560888A (en) * | 2013-11-05 | 2014-02-05 | 江苏先安科技有限公司 | Digital certificate-based unified authentication login method for integrating multiple application systems |
| CN107819564A (en) * | 2016-09-10 | 2018-03-20 | 湖南移商动力网络技术有限公司 | A kind of design method of the single-node login system based on Public Key Infrastructure |
-
2020
- 2020-03-23 CN CN202010208157.9A patent/CN111447194B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020144119A1 (en) * | 2001-03-29 | 2002-10-03 | Ibm Corporation | Method and system for network single sign-on using a public key certificate and an associated attribute certificate |
| CN1547343A (en) * | 2003-12-17 | 2004-11-17 | 上海市高级人民法院 | A Single Sign On method based on digital certificate |
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| CN103560888A (en) * | 2013-11-05 | 2014-02-05 | 江苏先安科技有限公司 | Digital certificate-based unified authentication login method for integrating multiple application systems |
| CN107819564A (en) * | 2016-09-10 | 2018-03-20 | 湖南移商动力网络技术有限公司 | A kind of design method of the single-node login system based on Public Key Infrastructure |
Non-Patent Citations (1)
| Title |
|---|
| 张旋: "一种基于证书的单点登录方案设计", 《信息技术》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111447194B (en) | 2022-03-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1777096B (en) | Password protection method and device | |
| US7793340B2 (en) | Cryptographic binding of authentication schemes | |
| CN102017578B (en) | Network helper for authentication between a token and verifiers | |
| US6732270B1 (en) | Method to authenticate a network access server to an authentication server | |
| CN108616504B (en) | Sensor node identity authentication system and method based on Internet of things | |
| KR20190114434A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| US10263782B2 (en) | Soft-token authentication system | |
| US20090106548A1 (en) | Method for controlling secured transactions using a single physical device, corresponding physical device, system and computer program | |
| MX2012011105A (en) | Certificate authority. | |
| KR20190114433A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| CN107294725A (en) | A kind of three factor authentication methods under environment of multi-server | |
| KR20210095093A (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| WO2014069985A1 (en) | System and method for identity-based entity authentication for client-server communications | |
| EP2827529B1 (en) | Method, device, and system for identity authentication | |
| KR20190114432A (en) | Method for oauth service through blockchain, and terminal and server using the same | |
| CN110636051A (en) | Block chain transaction method based on multi-user CA digital certificate | |
| CN111224784A (en) | Role separation distributed authentication and authorization method based on hardware trusted root | |
| CN112383401B (en) | User name generation method and system for providing identity authentication service | |
| KR20210095061A (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| US20090055917A1 (en) | Authentication method and authentication system using the same | |
| EP2359525B1 (en) | Method for enabling limitation of service access | |
| CN111447194B (en) | Method for enhancing single sign-on security by using digital certificate | |
| EP3178073B1 (en) | Security management system for revoking a token from at least one service provider terminal of a service provider system | |
| CN108512832A (en) | A kind of safe Enhancement Method for OpenStack authentications | |
| CN111723347B (en) | Identity authentication method, identity authentication device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CB03 | Change of inventor or designer information |
Inventor after: Chen Lei Inventor after: Zhang Xiaoyu Inventor after: Gao Dongqi Inventor after: Zhang Qitao Inventor after: Zhu Litong Inventor after: Zhu Feng Inventor after: Qiu Yuan Inventor after: Zhao Weiming Inventor before: Chen Lei Inventor before: Zhang Xiaoyu Inventor before: Gao Dongqi Inventor before: Zhang Qitao |
|
| CB03 | Change of inventor or designer information |