CN111510302B - Method and system for improving certificate verification efficiency in secure communication protocol - Google Patents

Publication number
CN111510302B
Authority
CN
China
Prior art keywords
certificate
cache list
signature value
value
handshake
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010291613.0A
Other languages
Chinese (zh)
Other versions
CN111510302A (en
Inventor
朱东明
乔海权
张庆勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WUHAN ARGUSEC TECHNOLOGY CO LTD
Beijing Infosec Technologies Co Ltd
Original Assignee
WUHAN ARGUSEC TECHNOLOGY CO LTD
Beijing Infosec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WUHAN ARGUSEC TECHNOLOGY CO LTD, Beijing Infosec Technologies Co Ltd filed Critical WUHAN ARGUSEC TECHNOLOGY CO LTD
Priority to CN202010291613.0A priority Critical patent/CN111510302B/en
Publication of CN111510302A publication Critical patent/CN111510302A/en
Application granted granted Critical
Publication of CN111510302B publication Critical patent/CN111510302B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses a method for improving certificate verification efficiency in a secure communication protocol, comprising the following steps: the first device receives a certificate from the second device and determines whether a cache list exists in the first device; if so, the first device determines whether the digest value of the certificate exists in the cache list; if not, the first device checks whether the certificate signature value is legal and, if so, adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation using that result, and the process ends. The invention addresses the technical problem that, in existing secure communication protocols, certificate validity verification must be carried out for the same certificate in every handshake/negotiation process, which occupies considerable processor time, increases the operation cost of the system, and reduces the efficiency of certificate verification in the secure communication protocol.

Description

Method and system for improving certificate verification efficiency in secure communication protocol
Technical Field
The invention belongs to the technical fields of information security and Internet communication, and particularly relates to a method and a system for improving certificate verification efficiency in a secure communication protocol.
Background
Existing secure communication protocols mainly comprise the Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, and the IPSec protocol. SSL/TLS is a security protocol that provides security and data integrity for network communication; it comprises a handshake protocol, a change cipher spec protocol, an alert protocol and a record layer protocol, and so provides confidentiality and integrity of data, identity authentication of the data source, and resistance to replay attacks for the network communication process. Internet Protocol Security (IPSec) is a family of network transport protocols (a collection of interrelated protocols) that protects the IP protocol by encrypting and authenticating IP packets.
In certificate verification under existing secure communication protocols, the RFC specifications issued by the Internet Engineering Task Force (IETF) specify that a client (initiator) or a server (responder) must verify the validity of the same signature certificate sent by the peer in every handshake/negotiation with that peer, while the GM/T 0024-2014 SSL VPN technical specification and the GM/T 0022-2014 IPSec VPN technical specification, issued by China's State Cryptography Administration in 2014, specify that the client (initiator) or the server (responder) must verify the validity of the same signature certificate and the same encrypted certificate sent by the peer in every handshake/negotiation with that peer.
However, the above procedure of verifying the validity of the certificate is performed in each handshake/negotiation procedure for the same certificate, which takes a relatively long time, increases the operation overhead of the system, and reduces the efficiency of verifying the certificate of the secure communication protocol.
Disclosure of Invention
In view of the above defects or improvement demands of the prior art, the invention provides a method and a system for improving certificate verification efficiency in a secure communication protocol. They aim to solve the technical problem that, in conventional secure communication protocols, certificate validity verification must be carried out for the same certificate in every handshake/negotiation process, which occupies considerable processor time, increases the operation cost of the system, and reduces the efficiency of the handshake/negotiation process in the secure communication protocol.
To achieve the above object, according to one aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, the method proceeds to step (2), and if the cache list exists, it proceeds to step (3);
(2) The first equipment builds a cache list, checks whether the certificate signature value is legal, if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, and continues to handshake/negotiate by using the certificate signature value validity verification result, and the process ends, otherwise, sends alarm information to the second equipment, and disconnects handshake/negotiations with the second equipment, and the process ends.
(3) The first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list, if so, enters the step (4), otherwise, enters the step (5);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and continues handshake/negotiation by using the result, and the process is ended.
(5) The first device checks whether the certificate signature value is legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added into a cache list, and handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
Preferably, after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the validity verification result of the certificate signature value are added into the cache list, and handshake/negotiation is continued by using the result, and the process ends, otherwise, alarm information is sent to the second device, handshake/negotiation with the second device is disconnected, and the process ends.
Preferably, the secure communication protocol may be an SSL/TLS protocol or an IPSec protocol;
when the secure communication protocol is SSL/TLS protocol, the first device and the second device may be clients or servers, when the first device is a client, the second device is a server, and when the first device is a server, the second device is a client;
when the secure communication protocol is the IPSec protocol, the first device and the second device may be an initiator or a responder, when the first device is an initiator, the second device is a responder, and when the first device is a responder, the second device is an initiator.
Preferably, the process of constructing the cache list specifically stores the digest value of the certificate and the certificate signature value validity verification result in the table as key-value pairs.
Preferably, other attributes of the certificate include the state of the certificate, the issuer of the certificate, the expiration date of the certificate, the serial number of the certificate, the user of the certificate, the key usage of the certificate, etc.
According to another aspect of the present invention, there is provided a system for improving certificate verification efficiency in a secure communication protocol, comprising:
a first module, arranged in the first device, for receiving the certificate from the second device and determining whether a cache list exists in the first device, entering the second module if the cache list does not exist, and entering the third module if the cache list exists;
a second module, arranged in the first device, for constructing a cache list and checking whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends;
a third module, arranged in the first device, for calculating the digest value of the certificate received by the first module and determining whether the digest value of the certificate exists in the cache list, entering the fourth module if it exists, and entering the fifth module if it does not;
and a fourth module, which is arranged in the first device and is used for obtaining the validity verification result of the certificate signature value from the cache list according to the digest value of the certificate, continuing handshake/negotiation by using the result, and ending the process.
And a fifth module, which is arranged in the first device and is used for checking whether the certificate signature value is legal, if so, adding the digest value of the certificate and the certificate signature value validity verification result into a cache list, continuing handshake/negotiation by using the result, ending the process, otherwise, sending alarm information to the second device, disconnecting handshake/negotiation with the second device, and ending the process.
According to still another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, comprising the steps of:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, the method proceeds to step (2), and if the cache list exists, it proceeds to step (3);
(2) The first equipment builds a cache list, checks whether the certificate signature value is legal, if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, and continues to handshake/negotiate by using the certificate signature value validity verification result, and the process ends, otherwise, sends alarm information to the second equipment, and disconnects handshake/negotiations with the second equipment, and the process ends.
(3) The first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list, if so, enters the step (4), otherwise, enters the step (6);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) The first device calculates the difference between the current timestamp and the duration of the preset timer, judges whether the difference is larger than or equal to the corresponding storage time of the certificate in the cache list, if so, enters the step (6), otherwise, continues to handshake/negotiate by using the certificate signature value validity verification result obtained in the step (4), and the process is ended;
(6) The first device checks whether the certificate signature value is legal, if so, adds/updates the digest value of the certificate and the certificate signature value validity verification result into a cache list, and continues handshake/negotiation by using the result, and the process ends, otherwise, sends alarm information to the second device, and disconnects handshake/negotiation with the second device, and the process ends.
Preferably, when the difference value in the step (5) is smaller than the corresponding storage time of the certificate in the cache list, the first device checks whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the certificate signature value corresponding to the certificate in the cache list is updated by using the certificate signature value of the certificate, the corresponding storage time of the certificate in the cache list is replaced by using the current timestamp, the process is ended, otherwise, alarm information is sent to the second device, handshake/negotiation with the second device is disconnected, and the process is ended.
Preferably, after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the validity verification result of the certificate signature value are added into the cache list, and handshake/negotiation is continued by using the result, and the process ends, otherwise, alarm information is sent to the second device, handshake/negotiation with the second device is disconnected, and the process ends.
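The second method above (steps (1) to (6), including the timer check of step (5)) can be followed as a runnable Python sketch. This is an added example, not code from the patent: SHA-256 as the digest, the injected `verify_signature` and `check_other_attributes` callables, the `refresh_on_hit` switch and the byte strings standing in for certificates are all assumptions made for illustration.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class HandshakeAborted(Exception):
    """Stands in for 'send alarm information and disconnect handshake/negotiation'."""


@dataclass
class CacheEntry:
    signature_ok: bool  # certificate signature value validity verification result
    stored_at: float    # storage time of this entry in the cache list


class CertVerificationCache:
    def __init__(self,
                 verify_signature: Callable[[bytes], bool],        # assumed hook
                 check_other_attributes: Callable[[bytes], bool],  # assumed hook
                 timer_seconds: float,
                 clock: Callable[[], float] = time.time,
                 refresh_on_hit: bool = False):
        self._cache: Optional[Dict[bytes, CacheEntry]] = None  # no cache list yet
        self._verify_signature = verify_signature
        self._check_other = check_other_attributes
        self._timer = timer_seconds
        self._clock = clock
        self._refresh_on_hit = refresh_on_hit
        self.signature_checks = 0  # counts the expensive operation

    def _verify_and_store(self, cert: bytes, digest: bytes) -> bool:
        """Steps (2)/(6): check the signature value, then the other attributes."""
        self.signature_checks += 1
        if not (self._verify_signature(cert) and self._check_other(cert)):
            # Choice made in this sketch: drop an entry that no longer verifies.
            self._cache.pop(digest, None)
            raise HandshakeAborted("certificate rejected")
        self._cache[digest] = CacheEntry(True, self._clock())  # add/update
        return True

    def on_certificate(self, cert: bytes) -> bool:
        # Digest over the whole certificate, so any changed byte is a cache miss.
        digest = hashlib.sha256(cert).digest()
        if self._cache is None:                    # step (1) -> step (2)
            self._cache = {}
            return self._verify_and_store(cert, digest)
        entry = self._cache.get(digest)            # step (3)
        if entry is None:
            return self._verify_and_store(cert, digest)      # step (6)
        # Step (5): (current timestamp - timer duration) >= storage time => expired.
        if self._clock() - self._timer >= entry.stored_at:
            return self._verify_and_store(cert, digest)      # step (6)
        # Unexpired hit: the signature check is skipped, other attributes are not.
        if not self._check_other(cert):
            raise HandshakeAborted("certificate attribute check failed")
        if self._refresh_on_hit:
            entry.stored_at = self._clock()  # storage time replaced on a hit
        return entry.signature_ok                  # step (4) result reused


# Constructed sample inputs: plain byte strings, not real X.509 certificates.
SAMPLE_CERT = b"constructed-cert: CN=peer.example; serial=01; sig=valid"
FORGED_CERT = b"constructed-cert: CN=peer.example; serial=01; sig=bogus"


def toy_verify_signature(cert: bytes) -> bool:
    """Stand-in for the public-key signature check."""
    return cert.endswith(b"sig=valid")


def run_demo():
    now = [1000.0]  # fake clock so the timer can be advanced deterministically
    cache = CertVerificationCache(toy_verify_signature, lambda c: True,
                                  timer_seconds=60, clock=lambda: now[0])
    cache.on_certificate(SAMPLE_CERT)        # cache list built, signature checked
    now[0] += 10
    cache.on_certificate(SAMPLE_CERT)        # unexpired hit, signature check skipped
    after_hit = cache.signature_checks
    now[0] += 60
    cache.on_certificate(SAMPLE_CERT)        # entry expired, signature checked again
    after_expiry = cache.signature_checks
    try:
        cache.on_certificate(FORGED_CERT)    # different digest, so a miss
        rejected = False
    except HandshakeAborted:
        rejected = True
    return after_hit, after_expiry, rejected


if __name__ == "__main__":
    print(run_demo())
```

With `refresh_on_hit=True` the expiry window slides, so a certificate presented more often than the timer period never has its signature value rechecked; with the default, the entry expires a fixed time after it was stored.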
According to yet another aspect of the present invention, there is provided a system for improving certificate verification efficiency in a secure communication protocol, comprising:
a first module, arranged in the first device, for receiving the certificate from the second device and determining whether a cache list exists in the first device, entering the second module if the cache list does not exist, and entering the third module if the cache list exists;
a second module, arranged in the first device, for constructing a cache list and checking whether the certificate signature value is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation continues using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends;
a third module, arranged in the first device, for calculating the digest value of the certificate received by the first module and determining whether the digest value of the certificate exists in the cache list, entering the fourth module if it exists, and entering the sixth module if it does not;
a fourth module, which is arranged in the first device and is used for obtaining a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and entering the fifth module;
a fifth module, arranged in the first device, for calculating the difference between the current timestamp and the duration of the preset timer and determining whether the difference is greater than or equal to the storage time corresponding to the certificate in the cache list; if so, entering the sixth module, otherwise continuing the handshake/negotiation using the certificate signature value validity verification result obtained by the fourth module, and the process ends;
and a sixth module, which is arranged in the first device and is used for checking whether the certificate signature value is legal, if so, adding the digest value of the certificate and the certificate signature value validity verification result into the cache list, continuing handshake/negotiation by using the result, ending the process, otherwise, sending alarm information to the second device, disconnecting handshake/negotiation with the second device, and ending the process.
In general, the above technical solutions conceived by the present invention, compared with the prior art, enable the following beneficial effects to be obtained:
(1) The invention uses the cache list to store the signature value of the certificate, and in subsequent validity checks of the certificate performs the validity check only on the attributes of the certificate other than its signature value, thereby reducing the operation time of the processor, reducing the system overhead and improving the efficiency of certificate verification.
(2) Because the invention uses a timer mechanism to update the cache list dynamically, once a configured timing period has elapsed from a given starting point, the timer mechanism checks each entry in the cache list; each entry contains the time at which the certificate was added to the cache list. The mechanism checks whether that storage time plus the timing period is less than the current timestamp; if so, the certificate is checked again and the digest value of the certificate and the certificate signature value validity verification result are updated in the cache list; otherwise, no processing is performed on the entry. The verification state of the certificate can therefore be updated regularly during the handshake/negotiation process of the secure communication protocol, improving flexibility and correctness.
Drawings
FIG. 1 is a flow chart of a method for improving certificate verification efficiency in a secure communication protocol in accordance with a first embodiment of the present invention;
FIG. 2 is a flow chart of a method for improving certificate verification efficiency in a secure communication protocol in accordance with a second embodiment of the present invention;
FIG. 3 is a schematic diagram of the cache list constructed in step (2) of the method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The basic idea of the invention is to establish a certificate verification caching mechanism in the certificate verification stage of the handshake/negotiation process of a secure communication protocol: a verified peer certificate is added to a certificate verification cache list according to a user-configured combination of certificate attributes and a timestamp, and a validity period is set for the cached verification. The next time the same certificate is presented in a handshake/negotiation, the certificate verification cache list is queried first; if the certificate is in the list and its cached verification is still within the validity period, the certificate signature value verification step is skipped and the other attributes of the certificate are checked; if no such cached entry exists, the certificate is verified, the verification result is added to the certificate verification cache list according to the user-configured combination of certificate attributes and the timestamp, and the subsequent handshake/negotiation process is then performed.
To facilitate understanding of the present invention, its technical terms are first explained below:
Client: the party that sends the first round of exchange information during operation of the SSL protocol.
Server: the party that does not send the first round of exchange information during operation of the SSL protocol.
Initiator: the party that sends the first round of exchange information during operation of the IPSec protocol.
Responder: the party that does not send the first round of exchange information during operation of the IPSec protocol.
The invention is applied in the verification certificate process of the handshake phase of the client and the server of the SSL/TLS protocol or the negotiation phase of the initiator and the responder of the IPSec protocol.
As shown in fig. 1, according to an aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, including the steps of:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, the method proceeds to step (2), and if the cache list exists, it proceeds to step (3);
in particular, the secure communication protocol of the present invention may be the SSL/TLS protocol or the IPSec protocol.
When the secure communication protocol of the present invention is SSL/TLS protocol, the first device and the second device may be clients or servers, when the first device is a client, the second device is a server, and when the first device is a server, the second device is a client.
When the secure communication protocol of the present invention is an IPSec protocol, the first device and the second device may be an Initiator (Initiator) or a Responder (Responder), when the first device is an Initiator, the second device is a Responder, and when the first device is a Responder, the second device is an Initiator.
In the present invention, the certificate is a signed certificate, or a signed certificate and an encrypted certificate.
(2) The first equipment builds a cache list, checks whether the certificate signature value is legal, if so, adds the digest value of the certificate and the certificate signature value validity verification result into the cache list, and continues to handshake/negotiate by using the certificate signature value validity verification result, and the process ends, otherwise, sends alarm information to the second equipment, and disconnects handshake/negotiations with the second equipment, and the process ends.
The process of constructing the cache list specifically stores the digest value of the certificate and the certificate signature value validity verification result as key-value pairs.
Specifically, other attributes of the certificate include the state of the certificate, the issuer of the certificate, the expiration date of the certificate, the serial number of the certificate, the user of the certificate, the key usage of the certificate, and the like.
(3) The first equipment calculates the digest value of the certificate received in the step (1), judges whether the digest value of the certificate exists in a cache list, if so, enters the step (4), otherwise, enters the step (5);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and continues handshake/negotiation by using the result, and the process is ended;
(5) The first device checks whether the certificate signature value is legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added into a cache list, and handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
As a further preferred aspect, the method of the present invention may further include, after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes than the certificate signature value in the attributes of the certificate are legal, if so, adding the digest value of the certificate and the validity verification result of the certificate signature value to the cache list, continuing handshake/negotiation with the result, ending the process, or else sending alarm information to the second device, disconnecting handshake/negotiation with the second device, and ending the process.
For example, the serial number or the user of the certificate is verified either by sending the serial number or the user information to the certificate authority (CA for short), which returns the verification result, or by looking up the locally stored CA certificate.
As shown in fig. 2, according to another aspect of the present invention, there is provided a method for improving certificate verification efficiency in a secure communication protocol, including the steps of:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, go to step (2); if the cache list exists, go to step (3);
(2) The first device builds a cache list and checks whether the certificate signature value is legal; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation by using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends;
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether the digest value of the certificate exists in the cache list; if so, go to step (4); otherwise, go to step (6);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) The first device calculates the difference between the current timestamp and the duration of the preset timer, judges whether the difference is larger than or equal to the corresponding storage time of the certificate in the cache list, if so, enters the step (6), otherwise, continues to handshake/negotiate by using the certificate signature value validity verification result obtained in the step (4), and the process is ended;
Specifically, the duration of the preset timer is between 1 minute and 60 minutes.
The purpose of this step is to update the cache list dynamically by means of a timer mechanism. Each entry in the cache list contains the time at which the certificate was added to the cache list. Once the configured time period has elapsed, the timer mechanism checks whether that storage time plus the time period is less than the current timestamp; if so, the certificate is rechecked and the digest value of the certificate and the certificate signature value validity verification result are updated in the cache list; otherwise, no processing is done.
(6) The first device checks whether the certificate signature value is legal, if so, adds/updates the digest value of the certificate and the certificate signature value validity verification result into a cache list, and continues handshake/negotiation by using the result, and the process ends, otherwise, sends alarm information to the second device, and disconnects handshake/negotiation with the second device, and the process ends.
As a further preferred aspect, the method of the present invention further includes, when the difference value in step (5) is smaller than the corresponding storage time of the certificate in the cache list, the first device checking whether other attributes than the certificate signature value in the attributes of the certificate are legal, if so, updating the certificate signature value corresponding to the certificate in the cache list by using the certificate signature value of the certificate, and replacing the corresponding storage time of the certificate in the cache list by using the current timestamp, and ending the process, otherwise, sending alarm information to the second device, and disconnecting handshake/negotiation with the second device, and ending the process.
As a further preferred aspect, the method of the present invention further includes, after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes than the certificate signature value in the attributes of the certificate are legal, if so, adds the digest value of the certificate and the validity verification result of the certificate signature value to the cache list, and uses the result to continue the handshake/negotiation, and the process ends, otherwise, sends alarm information to the second device, and disconnects the handshake/negotiation with the second device, and the process ends.
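The flow of Fig. 2, steps (1) to (6), together with the preferred check of the other certificate attributes, as an added Python example that is not code from the patent. SHA-256 as the digest, the toy certificate format and the HMAC that stands in for the CA signature check are assumptions made so the example runs offline; all names are hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

CA_KEY = b"constructed-demo-key"  # assumption: stand-in for the CA key, not a real PKI


class HandshakeAbort(Exception):
    """Send alarm information to the peer and disconnect the handshake/negotiation."""


def make_cert(subject, not_after, key=CA_KEY):
    """Constructed toy certificate: JSON body + '.' + hex HMAC tag (stand-in signature)."""
    body = json.dumps({"subject": subject, "not_after": not_after}, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


@dataclass
class Entry:
    signature_ok: bool  # certificate signature value validity verification result
    stored_at: float    # storage time of the certificate in the cache list


class CertVerifyCache:
    def __init__(self, ttl_seconds):
        if not 60 <= ttl_seconds <= 3600:  # page: timer between 1 and 60 minutes
            raise ValueError("timer duration must be between 1 and 60 minutes")
        self.ttl = ttl_seconds
        self.cache = None            # the cache list does not exist yet
        self.signature_checks = 0    # counts the expensive operation

    def _verify_signature(self, cert):
        self.signature_checks += 1
        body, _, tag = cert.rpartition(b".")
        expected = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest().encode()
        return hmac.compare_digest(expected, tag)

    def _check_other_attributes(self, cert, now):
        # Only the validity period is modelled; status, issuer, key usage and so on
        # would be checked here as well.
        return json.loads(cert.rpartition(b".")[0])["not_after"] > now

    def on_certificate(self, cert, now):
        if self.cache is None:                        # step (1) -> step (2)
            self.cache = {}
        # Step (3): the digest covers the whole encoding, signature included, so a
        # certificate with an altered signature can never hit a cached entry.
        digest = hashlib.sha256(cert).hexdigest()
        entry = self.cache.get(digest)                # step (4)
        # Step (5): re-verify once (now - timer) >= storage time.
        fresh = entry is not None and now - self.ttl < entry.stored_at
        if not fresh and not self._verify_signature(cert):   # step (6)
            raise HandshakeAbort("certificate signature value is not legal")
        # A cache hit skips only the signature check; the other attributes are
        # validated on every handshake.
        if not self._check_other_attributes(cert, now):
            raise HandshakeAbort("certificate attribute check failed")
        if not fresh:
            self.cache[digest] = Entry(True, now)     # add/update the entry
        return "cache-hit" if fresh else "verified"


def demo():
    """Run a constructed sequence of handshakes; return outcomes and signature checks."""
    v = CertVerifyCache(ttl_seconds=600)
    good = make_cert("peer.example", not_after=10_000)
    forged = make_cert("peer.example", not_after=10_000, key=b"wrong-key")
    short = make_cert("peer2.example", not_after=2_000)
    out = []
    for cert, now in ((good, 1000), (good, 1300), (good, 1600),
                      (forged, 1700), (short, 1900), (short, 2100)):
        try:
            out.append(v.on_certificate(cert, now))
        except HandshakeAbort as exc:
            out.append(f"abort: {exc}")
    return out, v.signature_checks


if __name__ == "__main__":
    print(demo())
```

A failed verification is never written to the cache list, so a rejected certificate is fully checked again each time it is presented.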
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (9)

1. A method for improving certificate verification efficiency in a secure communication protocol, characterized in that during a handshake phase between a first device and a second device of an SSL/TLS protocol and a certificate verification phase between the first device and the second device of an IPSec protocol, the method comprises the following steps:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, go to step (2); if the cache list exists, go to step (3);
(2) The first device builds a cache list and checks whether the certificate signature value of the certificate is legal; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation by using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends; constructing the cache list means storing the digest value of the certificate and the certificate signature value validity verification result in tabular form as key-value pairs;
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether the digest value of the certificate exists in the cache list; if so, go to step (4); otherwise, go to step (5);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and continues handshake/negotiation by using the result, and the process is ended; the continuing handshake/negotiation with this result comprises: skipping verification of the certificate signature value, and carrying out validity verification on other attributes except the certificate signature value in the certificate;
(5) The first device checks whether the certificate signature value is legal, if so, the digest value of the certificate and the certificate signature value validity verification result are added into a cache list, and handshake/negotiation is continued by using the result, and the process is ended, otherwise, alarm information is sent to the second device, and the handshake/negotiation with the second device is disconnected, and the process is ended.
2. The method according to claim 1, wherein the method further comprises after the first device verifies that the certificate signature value is legal in step (2) and/or step (5), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the validity verification result of the certificate signature value are added to the cache list, and handshake/negotiation is continued by using the result, and the process ends, otherwise, alarm information is sent to the second device, handshake/negotiation with the second device is disconnected, and the process ends.
3. The method for improving certificate verification efficiency in a secure communication protocol as set forth in claim 1,
the secure communication protocol is SSL/TLS protocol or IPSec protocol;
when the secure communication protocol is the SSL/TLS protocol, the first device and the second device are clients or servers, when the first device is a client, the second device is a server, and when the first device is a server, the second device is a client;
when the secure communication protocol is the IPSec protocol, the first device and the second device are the initiator or the responder, when the first device is the initiator, the second device is the responder, and when the first device is the responder, the second device is the initiator.
4. The method of claim 2, wherein the other attributes of the certificate include certificate status, certificate issuer, certificate validity period, serial number of the certificate, user of the certificate, and key usage of the certificate.
5. A system for improving certificate verification efficiency in a secure communication protocol, wherein the system is applied to a handshake phase between a first device and a second device of an SSL/TLS protocol and a certificate verification process between the first device and the second device of an IPSec protocol, and comprises:
a first module, arranged in the first device and configured to receive the certificate from the second device and determine whether a cache list exists in the first device, entering the second module if the cache list does not exist, and entering the third module if the cache list exists;
a second module, arranged in the first device and configured to construct a cache list and check whether the certificate signature value of the certificate is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation is continued by using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends; constructing the cache list means storing the digest value of the certificate and the certificate signature value validity verification result in tabular form as key-value pairs;
a third module, arranged in the first device and configured to calculate the digest value of the certificate received by the first module and determine whether the digest value of the certificate exists in the cache list, entering the fourth module if it exists, and entering the fifth module if it does not exist;
a fourth module, configured to be disposed in the first device, and configured to obtain a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and use the result to continue handshake/negotiation, where the process ends; wherein, in the process of continuing handshake/negotiation by using the result, the fourth module is specifically configured to: skipping verification of the certificate signature value, and carrying out validity verification on other attributes except the certificate signature value in the certificate;
and a fifth module, which is arranged in the first device and is used for checking whether the certificate signature value is legal, if so, adding the digest value of the certificate and the certificate signature value validity verification result into a cache list, continuing handshake/negotiation by using the result, ending the process, otherwise, sending alarm information to the second device, disconnecting handshake/negotiation with the second device, and ending the process.
6. A method for improving certificate verification efficiency in a secure communication protocol, characterized in that during a handshake phase between a first device and a second device of an SSL/TLS protocol and a certificate verification phase between the first device and the second device of an IPSec protocol, the method comprises the following steps:
(1) The first device receives a certificate from the second device and determines whether a cache list exists in the first device; if the cache list does not exist, go to step (2); if the cache list exists, go to step (3);
(2) The first device builds a cache list and checks whether the certificate signature value of the certificate is legal; if so, it adds the digest value of the certificate and the certificate signature value validity verification result to the cache list, continues the handshake/negotiation by using the certificate signature value validity verification result, and the process ends; otherwise, it sends alarm information to the second device, disconnects the handshake/negotiation with the second device, and the process ends; constructing the cache list means storing the digest value of the certificate and the certificate signature value validity verification result in tabular form as key-value pairs;
(3) The first device calculates the digest value of the certificate received in step (1) and determines whether the digest value of the certificate exists in the cache list; if so, go to step (4); otherwise, go to step (6);
(4) The first device obtains a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then enters the step (5);
(5) The first device calculates the difference between the current timestamp and the duration of the preset timer, judges whether the difference is larger than or equal to the corresponding storage time of the certificate in the cache list, if so, enters the step (6), otherwise, continues to handshake/negotiate by using the certificate signature value validity verification result obtained in the step (4), and the process is ended; the continuing handshake/negotiation using the certificate signature value validity verification result obtained in the step (4) includes: skipping verification of the certificate signature value, and carrying out validity verification on other attributes except the certificate signature value in the certificate;
(6) The first device checks whether the certificate signature value is legal, if so, adds/updates the digest value of the certificate and the certificate signature value validity verification result into a cache list, and continues handshake/negotiation by using the result, and the process ends, otherwise, sends alarm information to the second device, and disconnects handshake/negotiation with the second device, and the process ends.
7. The method according to claim 6, wherein the method further comprises checking, when the difference value in step (5) is smaller than the corresponding storage time of the certificate in the cache list, by the first device whether the other attribute than the certificate signature value in the attribute of the certificate is legal, if so, updating the certificate signature value corresponding to the certificate in the cache list by using the certificate signature value of the certificate, and replacing the corresponding storage time of the certificate in the cache list by using the current timestamp, ending the process, otherwise sending alarm information to the second device, and disconnecting handshake/negotiation with the second device, and ending the process.
8. The method according to claim 6, further comprising after the first device verifies that the certificate signature value is legal in step (2) and/or step (6), the first device verifies whether other attributes except the certificate signature value in the attributes of the certificate are legal, if so, the digest value of the certificate and the validity verification result of the certificate signature value are added to the cache list, and handshake/negotiation is continued by using the result, and the process ends, otherwise, alarm information is sent to the second device, handshake/negotiation with the second device is disconnected, and the process ends.
9. A system for improving certificate verification efficiency in a secure communication protocol, wherein the system is applied to a handshake phase between a first device and a second device of an SSL/TLS protocol and a certificate verification process between the first device and the second device of an IPSec protocol, and comprises:
a first module, arranged in the first device and configured to receive the certificate from the second device and determine whether a cache list exists in the first device, entering the second module if the cache list does not exist, and entering the third module if the cache list exists;
a second module, arranged in the first device and configured to construct a cache list and check whether the certificate signature value of the certificate is legal; if so, the digest value of the certificate and the certificate signature value validity verification result are added to the cache list, the handshake/negotiation is continued by using the certificate signature value validity verification result, and the process ends; otherwise, alarm information is sent to the second device, the handshake/negotiation with the second device is disconnected, and the process ends; constructing the cache list means storing the digest value of the certificate and the certificate signature value validity verification result in tabular form as key-value pairs;
a third module, arranged in the first device and configured to calculate the digest value of the certificate received by the first module and determine whether the digest value of the certificate exists in the cache list, entering the fourth module if it exists, and entering the sixth module if it does not exist;
a fourth module, which is arranged in the first device and is used for obtaining a certificate signature value validity verification result from the cache list according to the digest value of the certificate, and then entering the fifth module;
a fifth module, arranged in the first device and configured to calculate the difference between the current timestamp and the duration of the preset timer and determine whether the difference is greater than or equal to the corresponding storage time of the certificate in the cache list; if so, the sixth module is entered; otherwise, the handshake/negotiation is continued by using the certificate signature value validity verification result obtained by the fourth module, and the process ends; in continuing the handshake/negotiation, the fifth module is specifically configured to: skip verification of the certificate signature value, and carry out validity verification on the other attributes of the certificate except the certificate signature value;
and a sixth module, which is arranged in the first device and is used for checking whether the certificate signature value is legal, if so, adding the digest value of the certificate and the certificate signature value validity verification result into the cache list, continuing handshake/negotiation by using the result, ending the process, otherwise, sending alarm information to the second device, disconnecting handshake/negotiation with the second device, and ending the process.
CN202010291613.0A 2020-04-14 2020-04-14 Method and system for improving certificate verification efficiency in secure communication protocol Active CN111510302B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010291613.0A CN111510302B (en) 2020-04-14 2020-04-14 Method and system for improving certificate verification efficiency in secure communication protocol

Publications (2)

Publication Number Publication Date
CN111510302A CN111510302A (en) 2020-08-07
CN111510302B true CN111510302B (en) 2023-11-14

Family

ID=71864016

Country Status (1)

Country Link
CN (1) CN111510302B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556738A (en) * 2021-07-23 2021-10-26 广州鲁邦通物联网科技有限公司 Key negotiation method between DTU (data transfer unit) equipment and node equipment, DTU equipment, node equipment and key negotiation system
CN117176347B (en) * 2023-11-02 2024-02-06 深圳市亲邻科技有限公司 Mobile application certificate verification method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102279880A (en) * 2011-07-28 2011-12-14 深圳市五巨科技有限公司 Method and system for updating cache in real time
CN106603229A (en) * 2016-12-26 2017-04-26 北京小米移动软件有限公司 Method and device for generating signature information
CN106911477A (en) * 2015-12-23 2017-06-30 上海格尔软件股份有限公司 The accelerated method of its result is cached for digital certificate authentication equipment at a slow speed
CN107026738A (en) * 2016-02-01 2017-08-08 阿里巴巴集团控股有限公司 Digital certificate updating method, digital signature verification method and digital authentication device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965215B (en) * 2017-05-26 2019-12-24 中国科学院沈阳自动化研究所 Dynamic security method and system for multi-fusion linkage response

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant