CN111769949A - Management/execution method/system, medium, management/agent terminal for mutual authentication - Google Patents


Info

Publication number
CN111769949A
Authority
CN
China
Prior art keywords
certificate
server
client
management
accessed
Prior art date
Legal status
Pending
Application number
CN202010582386.7A
Other languages
Chinese (zh)
Inventor
苑飞
Current Assignee
Shanghai Qinggan Intelligent Technology Co Ltd
Original Assignee
Shanghai Qinggan Intelligent Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Qinggan Intelligent Technology Co Ltd
Priority to CN202010582386.7A
Publication of CN111769949A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 ... using challenge-response
    • H04L 9/3273 ... using challenge-response for mutual authentication
    • H04L 9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/3268 ... involving certificates; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 ... for authentication of entities using certificates
    • H04L 63/0869 ... for authentication of entities for achieving mutual authentication
    • H04L 63/0884 ... for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a management method and system, an execution method and system, a medium, and a management end and proxy end for bidirectional (mutual) authentication. The management method is suitable for a management server communicatively connected to at least one client; the management server is communicatively connected to a proxy server; and the proxy server is connected to a server to be accessed corresponding to at least one project. The management method comprises the following steps: deploying a public key infrastructure (PKI) management platform that provides certificate application and certificate download links; and, according to the domain name of the server to be accessed and the client name defined for each project, issuing a certificate authority (CA) certificate and a server certificate for the server to be accessed and a client certificate for the client through the PKI management platform. With NGINX deployed as a front-end proxy for EMQTT, a single server can provide bidirectional authentication for multiple domain names. Communication security is ensured while EMQTT throughput and resource utilization are improved; in addition, maintenance and deployment cost and difficulty are reduced.

Description

Management/execution method/system, medium, management/agent terminal for mutual authentication
Technical Field
The invention belongs to the technical field of information security, relates to a management/execution method and system, and in particular to a bidirectional authentication management/execution method/system, a medium and a management/proxy end.
Background
Currently, for security reasons, each project accessing EMQTT requires a different domain name, but the mutual authentication mechanism provided by EMQTT only supports a certificate for a single domain name. To deploy a certificate for a new domain name, EMQTT has to be redeployed on a new machine. As the number of projects grows, maintenance and deployment costs become difficult to control, and a single-domain EMQTT instance wastes performance and has a low resource utilization rate.
Therefore, how to provide a mutual authentication management/execution method/system, medium and management/proxy end that solves this prior-art problem (each project accessing EMQTT is limited to a certificate for a single domain name, so that as the number of projects grows the single-domain EMQTT instances waste performance and have a low resource utilization rate) has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a bidirectional authentication management/execution method/system, a medium and a management/proxy end, which solve the prior-art problem that when each project accesses EMQTT only a certificate for a single domain name is supported, so that as the number of projects grows the single-domain EMQTT instances waste performance and have a low resource utilization rate.
In order to achieve the above and other related objects, one aspect of the present invention provides a bidirectional authentication management method applied to a management server communicatively connected to at least one client; the management server is communicatively connected to a proxy server; the proxy server is connected to a server to be accessed corresponding to at least one project. The management method comprises the following steps: deploying a public key infrastructure management platform that provides certificate application and certificate download links; and, according to the domain name of the server to be accessed and the client name defined for each project, issuing a certificate authority certificate and a server certificate for the server to be accessed and a client certificate for the client through the public key infrastructure management platform.
In an embodiment of the present invention, the certificate authority certificate is a security certificate used to verify whether a certificate authority is legitimate; the server certificate is a security certificate issued by the certificate authority for the domain name of the server to be accessed; the client certificate is a security certificate issued by the certificate authority for the client.
In an embodiment of the present invention, the client applies for the client certificate through the application programming interface of the public key infrastructure management platform, which provides a client certificate download link.
Another aspect of the present invention provides a bidirectional authentication execution method suitable for a proxy server, wherein the proxy server is connected to at least one client, a management server and at least one server to be accessed. The execution method comprises the following steps: receiving a certificate authority certificate and a server certificate issued by the management server; adding the information contained in the certificate authority certificate and the server certificate to the configuration parameters for bidirectional authentication; after receiving an access request sent by a client, requiring the client to present its client certificate in order to verify whether the identity of the client is legitimate and, once the client's identity has been verified, forwarding the access request to the server to be accessed; and at the same time forwarding the server certificate to the client so that the client can verify whether the server to be accessed is legitimate.
In an embodiment of the present invention, a load balancing device is further added in front of the proxy server; the load balancing device proxies a plurality of proxy servers. The execution method further comprises resolving the domain name of the server to be accessed (EMQTT) by means of the added load balancing device, and configuring the domain name of the server to be accessed together with the IP address of the load balancing device on the proxy server.
The invention also provides a bidirectional authentication management system suitable for a management server communicatively connected to at least one client; the management server is communicatively connected to a proxy server; the proxy server is connected to a server to be accessed corresponding to at least one project. The management system comprises: a deployment module for deploying a public key infrastructure management platform that provides certificate application and certificate download links; and an issuing module for issuing, according to the domain name of the server to be accessed and the client name defined for each project, a certificate authority certificate and a server certificate for the server to be accessed and a client certificate for the client through the public key infrastructure management platform.
The invention also provides a bidirectional authentication execution system suitable for a proxy server, wherein the proxy server is connected to at least one client, a management server and at least one server to be accessed. The execution system comprises: a receiving module for receiving the certificate authority certificate and server certificate issued by the management server for the server to be accessed; an adding module for adding the information contained in the certificate authority certificate and the server certificate to the configuration parameters for bidirectional authentication; and a processing module for requiring the client, after the receiving module receives an access request sent by the client, to present its client certificate in order to verify whether the identity of the client is legitimate, and for forwarding the access request to the server to be accessed once verification has passed; at the same time, the server certificate is forwarded to the client so that the client can verify whether the server to be accessed is legitimate.
A further aspect of the present invention provides a medium on which a computer program is stored which, when executed by a processor, implements the bidirectional authentication management method or the bidirectional authentication execution method.
The present invention also provides a management end, comprising a processor and a memory; the memory stores a computer program, and the processor executes the computer program stored in the memory so that the management server performs the bidirectional authentication management method.
A final aspect of the present invention provides a proxy end, comprising a processor and a memory; the memory stores a computer program, and the processor executes the computer program stored in the memory so that the proxy end performs the bidirectional authentication execution method.
As described above, the bidirectional authentication management/execution method/system, medium and management/proxy end according to the present invention have the following advantages:
with NGINX deployed as a front-end proxy for EMQTT, a single server can provide bidirectional authentication for multiple domain names. Communication security is ensured while EMQTT throughput and resource utilization are improved; in addition, maintenance and deployment cost and difficulty are reduced.
Drawings
Fig. 1 is a schematic view of a real scene to which the present invention is applied.
Fig. 2 is a flowchart illustrating a bidirectional authentication management method according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating a method for performing mutual authentication according to an embodiment of the present invention.
Fig. 4A is a schematic structural diagram of a bidirectional authentication management system according to an embodiment of the invention.
Fig. 4B is a schematic structural diagram of a bidirectional authentication execution system according to an embodiment of the invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
The technical principles of the bidirectional authentication management/execution method/system, medium and management/proxy end of the invention are as follows:
1. establish a private PKI certificate management system;
2. define the EMQTT server domain name and client name required by each project, and use the PKI system to issue the corresponding certificates for that domain name and client name;
3. deploy the CA certificate and the server certificate corresponding to the domain name on an NGINX server, enable the TLS mutual authentication option, and point the NGINX backend at EMQTT;
4. use the PKI system API to apply online, automatically, for the certificates of the clients of the different projects, and import the CA certificate and client certificate into the local certificate store;
5. add load balancing equipment such as F5 or LVS in front of NGINX;
6. resolve the EMQTT domain name to the front-end load balancing address;
7. when a client accesses different domain names, NGINX returns the server certificate corresponding to that domain name and requires the client to present its certificate, thereby achieving two-way authentication for multiple domain names.
Example one
This embodiment provides a bidirectional authentication management method suitable for a management server communicatively connected to at least one client; the management server is communicatively connected to a proxy server; the proxy server is connected to a server to be accessed corresponding to at least one project. The management method comprises the following steps:
deploying a public key infrastructure management platform that provides certificate application and certificate download links;
and, according to the domain name of the server to be accessed and the client name defined for each project, issuing a certificate authority certificate and a server certificate for the server to be accessed and a client certificate for the client through the public key infrastructure management platform.
This embodiment also provides a bidirectional authentication execution method applicable to a proxy server, wherein the proxy server is connected to at least one client, a management server and at least one server to be accessed. The execution method comprises the following steps:
receiving a certificate authority certificate and a server certificate issued by the management server;
adding the information contained in the certificate authority certificate and the server certificate to the configuration parameters for bidirectional authentication;
after receiving an access request sent by a client, requiring the client to present its client certificate in order to verify whether the identity of the client is legitimate and, once the client's identity has been verified, forwarding the access request to the server to be accessed; at the same time, forwarding the server certificate to the client so that the client can verify whether the server to be accessed is legitimate.
The bidirectional authentication management method and execution method provided in this embodiment are described in detail below with reference to the drawings. Both are applied to the communication network 1 shown in Fig. 1. The communication network 1 includes at least one client 11, a management server 12 communicatively connected to the at least one client 11, a proxy server 13 communicatively connected to the management server 12, and a server to be accessed 14 that is communicatively connected to the proxy server 13 and corresponds to at least one project. In this embodiment, the proxy server 13 is an NGINX server and the server to be accessed 14 is an EMQTT server.
Please refer to Fig. 2, which is a flowchart of a bidirectional authentication management method according to an embodiment. As shown in Fig. 2, the management method comprises the following steps:
S21, deploying a public key infrastructure management platform that provides certificate application and certificate download links. In this embodiment, the public key infrastructure management platform (PKI certificate management platform) includes a certificate authority (CA), a registration authority (RA), and a certificate issue
A complete PKI system must have basic components such as an authoritative certification authority (CA), a digital certificate repository, a key backup and recovery system, a certificate revocation system and an application programming interface (API); the construction of a PKI is also organized around these five major systems.
The underlying technologies of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes, double digital signatures and the like. A typical, complete and efficient PKI application system should provide at least the following:
management of public key cryptographic certificates;
issuance and management of the blacklist;
backup and recovery of keys;
automatic key update;
automatic management of historical keys;
support for cross-certification.
Certification authority (CA): the authority that issues digital certificates and receives applications for them; the CA must be authoritative.
Digital certificate repository: stores the issued digital certificates and public keys, from which users can obtain the certificates and public keys of other users that they need.
Key backup and recovery system: if a user loses the key needed to decrypt data, that data can no longer be decrypted, resulting in the loss of legitimate data. To avoid this, PKI provides a mechanism for backing up and restoring keys. It should be noted, however, that key backup and recovery must be performed by a trusted authority. Moreover, backup and recovery apply only to the decryption key; the signing private key must not be backed up, so as to ensure the uniqueness of that key.
Certificate revocation system: certificate revocation processing is an essential component of PKI. Like the various identity documents used in daily life, a certificate may need to be invalidated within its validity period, for example because the key medium is lost or the user's identity changes. To achieve this, PKI must provide a set of mechanisms for revoking certificates.
Application programming interface (API): the value of PKI lies in enabling users to conveniently use security services such as encryption and digital signatures; a complete PKI must therefore provide a good set of application interfaces so that a wide variety of applications can interact with the PKI in a secure, consistent and trusted manner, ensuring the integrity and ease of use of the secure network environment.
Generally, the CA is the issuing authority of certificates and the core of a PKI. Key management is the core of building any cryptographic service system. A public key system involves a key pair (a private key and a public key): the private key is held solely by its user and never needs to be transmitted over the network, whereas the public key is public and must be transmitted over the network, so key management in a public key system is mainly concerned with managing public keys, and the best current solution is the digital certificate mechanism.
S22, according to the domain name of the server to be accessed and the client name defined for each project, issuing a certificate authority certificate and a server certificate for the server to be accessed and a client certificate for the client through the public key infrastructure management platform.
In this embodiment, the domain name of the server to be accessed and the client name defined for each project are predefined.
For example, for the c62 project, the domain name of the server to be accessed is predefined as c62emq.ppp.com.cn and the client name is predefined as ppp.
In this embodiment, the certificate authority certificate (CA certificate) is a security certificate used to verify whether a certificate authority is legitimate. The server certificate is a security certificate issued by the certificate authority for the domain name of the server to be accessed (EMQTT) and is used to verify whether the identity of the server to be accessed is legitimate. The client certificate is a security certificate issued by the certificate authority for the client and is used to verify whether the identity of the client is legitimate.
In this embodiment, the client applies for the client certificate through the application programming interface (API) of the public key infrastructure management platform, which provides a client certificate download link.
Please refer to Fig. 3, which is a flowchart of a bidirectional authentication execution method according to an embodiment of the present invention. As shown in Fig. 3, the execution method specifically comprises the following steps:
S31, receiving the certificate authority (CA) certificate and the server certificate issued by the management server, and deploying them on the NGINX server.
S32, adding the information contained in the certificate authority certificate and the server certificate to the configuration parameters for bidirectional authentication, where the configuration parameters are used to enable the TLS mutual authentication option. In this embodiment, the information contained in the certificate authority certificate includes identification information of the owner of the public and private keys; the identity of the certificate holder is authenticated by verifying the authenticity of this identification information. The information contained in the server certificate includes the domain name to which the server certificate corresponds, its validity information, the organization that issued it, and the like.
S33, resolving the domain name of the server to be accessed (EMQTT) by means of the added load balancing device, and configuring the domain name of the server to be accessed together with the IP address of the load balancing device on the proxy server. In this embodiment, the load balancing device (e.g. F5 or LVS) proxies a plurality of proxy servers.
For example, the EMQTT domain name is emq.ppp.com.cn and the IP address of the load balancing device is 1.2.3.4.
The domain name of the server to be accessed and the IP address of the load balancing device are configured on the server to be accessed (EMQTT), the parameter being 1.2.3.4; a client accessing that domain name is then directed to 1.2.3.4.
S34, after receiving an access request sent by a client, requiring the client to present its client certificate in order to verify whether the identity of the client is legitimate and, once the client's identity has been verified, forwarding the access request to the server to be accessed, namely the EMQTT server; at the same time, forwarding the server certificate to the client so that the client can verify whether the server to be accessed is legitimate.
Once the bidirectional authentication management method and execution method have been carried out, when a client accesses different domain names, NGINX returns the server certificate of the corresponding domain name and requires the client to present its certificate, thereby achieving bidirectional authentication for multiple domain names.
The access request is processed as follows:
First, the client initiates an access request to the NGINX server (the client sends its client certificate to the NGINX server).
Then, the NGINX server verifies the client certificate to determine whether the client's identity is legitimate and at the same time sends the server certificate to the client (which verifies whether the server's identity is legitimate); after authentication has passed, the NGINX server forwards the request to the EMQTT server.
Finally, the EMQTT server processes the request received from the NGINX server and, after processing, returns the result to the client.
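The multi-domain mutual authentication of technical principles 3 and 7 and of the access request flow just described, as an added Go example that is not part of the patent, of NGINX or of EMQTT: one TLS listener stands in for the NGINX proxy, chooses the server certificate from the domain name (SNI) the client asks for, and requires a client certificate chained to the project's private CA, while the CA, the per-domain server certificates and the client certificate are generated in memory to stand in for the PKI platform. The domain c62emq.ppp.com.cn and client name ppp are taken from the description; c63emq.ppp.com.cn, the CA name and the one-line reply that replaces the EMQTT backend are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue stands in for the PKI platform: it generates a P-256 key and a certificate
// for cn, self-signed when parent is nil (the private CA), otherwise signed by parent.
func issue(cn string, parent *tls.Certificate, dns []string, eku ...x509.ExtKeyUsage) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, DNSNames: dns, BasicConstraintsValid: true,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerCert, signerKey := tmpl, any(key)
	if parent == nil { // root of the project's private PKI
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Testbed is one listener standing in for the NGINX proxy: it picks the server
// certificate by SNI and requires a client certificate chained to the private CA.
type Testbed struct {
	Addr   string
	CAPool *x509.CertPool
	Client tls.Certificate // issued to the project's predefined client name
}

func NewTestbed(domains []string, clientName string) *Testbed {
	ca := issue("Project Private CA", nil, nil)
	certs := map[string]*tls.Certificate{} // one server certificate per project domain
	for _, d := range domains {
		c := issue(d, &ca, []string{d}, x509.ExtKeyUsageServerAuth)
		certs[d] = &c
	}
	client := issue(clientName, &ca, nil, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, // "require the client to show its certificate"
		ClientCAs:  pool,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[h.ServerName]; ok { // the certificate of the requested domain
				return c, nil
			}
			return nil, fmt.Errorf("no server certificate for domain %q", h.ServerName)
		},
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				cs := tc.ConnectionState() // here NGINX would forward to this domain's EMQTT
				fmt.Fprintf(tc, "%s accepted client %s", cs.ServerName, cs.PeerCertificates[0].Subject.CommonName)
			}
			conn.Close()
		}
	}()
	return &Testbed{Addr: ln.Addr().String(), CAPool: pool, Client: client}
}

// Connect dials the proxy as a client of domain, verifying the server certificate
// against the CA and showing the client certificates passed; with none, the proxy refuses.
func (tb *Testbed) Connect(domain string, certs ...tls.Certificate) (string, error) {
	cfg := &tls.Config{ServerName: domain, RootCAs: tb.CAPool, Certificates: certs, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", tb.Addr, cfg)
	if err != nil {
		return "", err // e.g. the proxy has no server certificate for this domain
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // "certificate required" when no client certificate was shown
	return string(buf[:n]), err
}
```

Both directions are checked in one handshake: the client only accepts a server certificate that chains to the CA and names the requested domain, and the proxy only forwards after the client certificate has been verified against the same CA.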
In this embodiment, with NGINX deployed as a front-end proxy for EMQTT, a single server can provide bidirectional authentication for multiple domain names. Communication security is ensured while EMQTT throughput and resource utilization are improved; in addition, maintenance and deployment cost and difficulty are reduced.
Example two
The present embodiment provides a bidirectional authentication management system, which is adapted to a management server communicatively connected to at least one client; the management server is in communication connection with a proxy server; the proxy server is connected with a server to be accessed corresponding to at least one project; the management system for mutual authentication comprises:
the deployment module is used for deploying a public key infrastructure management platform for providing certificate application and a certificate downloading link;
and the issuing module is used for issuing a certification authorization certificate and a server certificate for the server to be accessed and issuing a client certificate for the client through the public key infrastructure management platform according to the domain name of the server to be accessed and the name of the client defined by different projects.
A bidirectional authentication execution system is suitable for an agent server, wherein the agent server is respectively connected with at least one client, a management server and at least one server to be accessed; the execution system of the mutual authentication comprises:
the receiving module is used for receiving the certification authority certificate and the server certificate issued by the management server for the server to be accessed;
the adding module is used for adding information included by the authentication authorization certificate and the server certificate to configuration parameters for bidirectional authentication;
the processing module is used for requiring the client to show a client certificate after the receiving module receives the access request sent by the client so as to verify whether the identity of the client is legal or not, and forwarding the access request to the server to be accessed after the verification is passed; and meanwhile, the server certificate is forwarded to the client so that the client can verify whether the server to be accessed is legal or not.
The management system of mutual authentication and the execution system of mutual authentication provided in the present embodiment will be described in detail below with reference to the drawings. Please refer to fig. 4A and 4B, which are schematic structural diagrams of a bidirectional authentication management system and a bidirectional authentication execution system in an embodiment, respectively.
As shown in fig. 4A, the bidirectional authentication management system 41 includes a deployment module 411 and an issuance module 412.
The deployment module 411 is used to deploy a public key infrastructure management platform that provides certificate application and certificate download links. In this embodiment, the PKI mainly comprises four parts: certificates in X.509 format (X.509 v3) and certificate revocation lists (CRL, X.509 v2); a CA operation protocol; a CA management protocol; and CA policy making. A typical, complete and efficient PKI application system should have at least the following five components: a complete PKI system must have basic components such as an authoritative certification authority (CA), a digital certificate repository, a key backup and recovery system, a certificate revocation system, and an application programming interface (API), and building a PKI also revolves around these five major systems.
The issuing module 412 is configured to issue an authentication authorization certificate and a server certificate for the to-be-accessed server and issue a client certificate for the client through the public key infrastructure management platform according to the domain name of the to-be-accessed server and the name of the client defined in different projects.
In this embodiment, the domain name of the server to be accessed and the name of the client defined by different projects are predefined.
In the present embodiment, the certificate authority certificate (CA certificate) is a security certificate that verifies whether or not a certificate authority is legitimate. The server side certificate is a security certificate issued by a certificate authority for a domain name of a to-be-accessed server side (emqtt) and is used for verifying whether the identity of the to-be-accessed server side is legal or not. The client certificate is a security certificate issued by a certificate authority for the client and used for verifying whether the identity of the client is legal or not.
As shown in fig. 4B, the mutual authentication execution system 42 includes a receiving module 421, an adding module 422, a resolving module 423, and a processing module 424.
The receiving module 421 is configured to receive an authentication authorization certificate and a server certificate issued by the management server, and deploy the authentication authorization (CA) certificate and the server certificate on the NGINX server.
The adding module 422 coupled to the receiving module 421 is configured to add the information included in the certificate of the authentication authority and the certificate of the server to the configuration parameters for bidirectional authentication. Wherein the configuration parameters are used to initiate TLS mutual authentication options. In this embodiment, the information included in the authentication authorization certificate includes identification information of a public key and a private key owner, where authentication of the identity of the certificate holder is implemented by verifying authenticity of the identification information. The information included in the server certificate includes a domain name corresponding to the server certificate, valid information, an issuing organization of the server certificate, and the like.
The resolving module 423, coupled to the adding module 422, is configured to resolve the domain name of the server to be accessed (emqtt) by means of the added load balancing device, and to add the domain name of the server to be accessed and the IP address of the load balancing device to the proxy server. In this embodiment, the load balancing device (for example, an F5 or LVS load balancer) is used to proxy a plurality of proxy servers.
The processing module 424, coupled to the adding module 422 and the resolving module 423, is configured to, after the receiving module 421 receives an access request sent by a client, require the client to present its client certificate to verify whether the identity of the client is legitimate, and, after the client passes the verification, forward the access request to the server to be accessed, namely the EMQTT server; at the same time, the server certificate is forwarded to the client so that the client can verify whether the server to be accessed is legitimate.
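The access request flow and the processing module described above, as an added example that is not part of the patent and is not NGINX or EMQTT configuration: a Go program using the standard crypto/tls library models the proxy's policy (server certificate selected by the domain name the client requests, CA-issued client certificate mandatory) and checks the outcome for two project domain names, for a client without a certificate, and for an unknown domain name. The CA, the domain names emq.project-a.example and emq.project-b.example and the client name are constructed, and the throwaway newCert helper stands in for the public key infrastructure management platform that issues the CA, server and client certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert mints a certificate signed by parent (a self-signed CA when parent is nil); it stands in for the patent's PKI platform.
func newCert(cn string, dns []string, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA keeps a serial register
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns, // the domain name a server certificate is issued for (nil for the CA and the client)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // the CA certificate: self-signed, and the signer of the server and client certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// ProxyConfig is the proxy's TLS policy: server certificate chosen by the requested domain name (SNI), CA-issued client certificate mandatory.
func ProxyConfig(caPool *x509.CertPool, serverCerts map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caPool,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := serverCerts[hello.ServerName]; ok {
				return &c, nil
			}
			return nil, nil // unknown domain name and no fallback certificate: Go rejects the handshake (unrecognized_name)
		},
	}
}

// Handshake runs one mutual-TLS handshake over a loopback socket and reports whether both sides accepted it; nil clientCerts models a client without a certificate.
func Handshake(srvCfg *tls.Config, caPool *x509.CertPool, domain string, clientCerts []tls.Certificate) bool {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // proxy side: the handshake fails when the client certificate is missing or untrusted
		conn, _ := ln.Accept() // the Dial below guarantees a pending connection
		defer conn.Close()
		done <- tls.Server(conn, srvCfg).Handshake()
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: caPool, ServerName: domain, Certificates: clientCerts}) // client side: server certificate checked against the CA for the requested domain name
	if cerr == nil {
		conn.Close()
	}
	return cerr == nil && <-done == nil
}

// Scenario builds the patent's setup (one CA, a server certificate per project domain name, one client certificate; names constructed) and runs four handshakes.
func Scenario() map[string]bool {
	ca := newCert("test-ca", nil, nil)
	caPool := x509.NewCertPool()
	caPool.AddCert(ca.Leaf)
	serverCerts := map[string]tls.Certificate{}
	for _, d := range []string{"emq.project-a.example", "emq.project-b.example"} {
		serverCerts[d] = newCert(d, []string{d}, &ca)
	}
	client := []tls.Certificate{newCert("client-project-a", nil, &ca)}
	srv := ProxyConfig(caPool, serverCerts)
	return map[string]bool{
		"project-a, client cert shown": Handshake(srv, caPool, "emq.project-a.example", client),
		"project-b, client cert shown": Handshake(srv, caPool, "emq.project-b.example", client),
		"project-a, no client cert":    Handshake(srv, caPool, "emq.project-a.example", nil),
		"unknown domain":               Handshake(srv, caPool, "emq.other.example", client),
	}
}
```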
It should be noted that the division of the modules of the above system is only a logical division; in an actual implementation the modules may be wholly or partially integrated into one physical entity, or may be physically separate. The modules may all be implemented as software invoked by a processing element, all as hardware, or partly as software invoked by a processing element and partly as hardware. For example, the x module may be a separately established processing element, or may be integrated in a certain chip of the system. In addition, the x module may be stored in the memory of the system in the form of program code and called by one of the processing elements of the system to execute the functions of the x module. Other modules are implemented similarly. All or part of the modules may be integrated together or may be implemented independently. The processing element described herein may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each of the above modules, may be completed by an integrated logic circuit of hardware in the processor element or by an instruction in the form of software. These modules may be one or more integrated circuits configured to implement the above methods, such as one or more application specific integrated circuits (ASICs), one or more digital signal processors (DSPs), one or more field programmable gate arrays (FPGAs), and the like. When a module is implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor capable of calling program code. These modules may be integrated together and implemented in the form of a system-on-a-chip (SoC).
Example three
The present embodiment provides a medium (also referred to as a computer-readable storage medium) on which a computer program is stored, which when executed by a processor implements the management method of the mutual authentication or implements the execution method of the mutual authentication.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the above method embodiments may be performed by hardware associated with a computer program. The aforementioned computer program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; the aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
Example four
The embodiment provides a management end (management server) and a proxy end (proxy server), each of which comprises a processor, a memory, a transceiver, a communication interface, and/or a system bus; the memory is used for storing computer programs, the communication interface is used for communicating with other devices, and the processor and the transceiver are used for running the computer programs, so that the management end executes each step of the management method of bidirectional authentication and the proxy end executes each step of the execution method of bidirectional authentication.
The above-mentioned system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The communication interface is used for realizing communication between the database access device and other equipment (such as a client, a read-write library and a read-only library). The memory may include a random access memory (RAM), and may further include a non-volatile memory, such as at least one disk memory.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
The protection scope of the bidirectional authentication management/execution method of the present invention is not limited to the execution sequence of the steps listed in this embodiment; all schemes obtained by adding, removing or replacing steps of the prior art according to the principles of the present invention are included in the protection scope of the present invention.
The present invention also provides a bidirectional authentication management/execution system, which can implement the bidirectional authentication management/execution method of the present invention, but the implementation apparatus of the bidirectional authentication management/execution method of the present invention includes, but is not limited to, the structure of the bidirectional authentication management/execution system described in this embodiment, and all the structural modifications and substitutions of the prior art made according to the principles of the present invention are included in the protection scope of the present invention.
In summary, after the management/execution method/system, medium, and management/proxy end of bidirectional authentication of the present invention use NGINX as a front-end proxy for EMQTT, a single server can implement bidirectional authentication for multiple domain names. Communication security is guaranteed while the throughput of EMQTT and the resource utilization rate are improved. In addition, the cost and difficulty of maintenance and deployment are reduced. The invention effectively overcomes various defects in the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical ideas of the present invention be covered by the claims of the present invention.

Claims (10)

1. A management method of mutual authentication is characterized in that the management method is suitable for a management server side which is in communication connection with at least one client side; the management server is in communication connection with a proxy server; the proxy server is connected with a server to be accessed corresponding to at least one project; the management method of the bidirectional authentication comprises the following steps:
deploying a public key infrastructure management platform for providing a certificate application and a certificate download link;
and issuing a certification authorization certificate and a server certificate for the service end to be accessed and issuing a client certificate for the client through the public key infrastructure management platform according to the domain name of the service end to be accessed and the name of the client defined by different projects.
2. The method for managing mutual authentication according to claim 1,
the certificate authority certificate is a security certificate for verifying whether a certificate authority is legal or not;
the server side certificate is a security certificate issued by a certificate authority for a domain name of a server side to be accessed;
the client certificate is a security certificate issued by a certificate authority for the client.
3. The method for managing mutual authentication according to claim 2,
and the client applies for the client certificate by using an application programming interface of the public key infrastructure management platform and provides a client certificate downloading link.
4. A bidirectional authentication execution method is characterized in that the method is suitable for an agent server, and the agent server is respectively connected with at least one client, a management server and at least one server to be accessed; the execution method of the bidirectional authentication comprises the following steps:
receiving an authentication and authorization certificate and a server certificate issued by the management server;
adding information included by the authentication authorization certificate and the server certificate to configuration parameters for bidirectional authentication;
after receiving an access request sent by a client, requiring the client to show a client certificate of the client to verify whether the identity of the client is legal or not, and after the identity of the client passes the verification, forwarding the access request to the server to be accessed; and meanwhile, the server certificate is forwarded to the client so that the client can verify whether the server to be accessed is legal or not.
5. The method for performing mutual authentication according to claim 3, wherein a load balancing device is further added in front of the proxy server; the load balancing device is used for proxying a plurality of proxy servers; the bidirectional authentication execution method further comprises resolving the domain name of the server to be accessed (emqtt) by means of the added load balancing device, and adding the domain name of the server to be accessed and the IP address of the load balancing device on the proxy server.
6. A bidirectional authentication management system, characterized in that it is suitable for a management server in communication connection with at least one client; the management server is in communication connection with a proxy server; the proxy server is connected with a server to be accessed corresponding to at least one project; the management system for mutual authentication comprises:
the deployment module is used for deploying a public key infrastructure management platform for providing certificate application and a certificate downloading link;
and the issuing module is used for issuing a certification authorization certificate and a server certificate for the server to be accessed and issuing a client certificate for the client through the public key infrastructure management platform according to the domain name of the server to be accessed and the name of the client defined by different projects.
7. A bidirectional authentication execution system is characterized by being applicable to an agent server, wherein the agent server is respectively connected with at least one client, a management server and at least one server to be accessed; the execution system of the mutual authentication comprises:
the receiving module is used for receiving the certification authority certificate and the server certificate issued by the management server for the server to be accessed;
the adding module is used for adding information included by the authentication authorization certificate and the server certificate to configuration parameters for bidirectional authentication;
the processing module is used for requiring the client to show a client certificate after the receiving module receives the access request sent by the client so as to verify whether the identity of the client is legal or not, and forwarding the access request to the server to be accessed after the verification is passed; and meanwhile, the server certificate is forwarded to the client so that the client can verify whether the server to be accessed is legal or not.
8. A medium on which a computer program is stored, characterized in that the program, when being executed by a processor, implements a method of managing mutual authentication according to any one of claims 1 to 3 or implements a method of executing mutual authentication according to any one of claims 4 and 5.
9. A management terminal, comprising: a processor and a memory;
the memory is used for storing computer programs, and the processor is used for executing the computer programs stored by the memory so as to enable the management service end to execute the management method of the mutual authentication according to any one of claims 1 to 3.
10. A proxy side, comprising: a processor and a memory;
the memory is used for storing computer programs, and the processor is used for executing the computer programs stored by the memory so as to enable the agent end to execute the bidirectional authentication execution method according to any one of claims 4 and 5.
CN202010582386.7A 2020-06-23 2020-06-23 Management/execution method/system, medium, management/agent terminal for mutual authentication Pending CN111769949A (en)

Publications (1)

Publication Number Publication Date
CN111769949A true CN111769949A (en) 2020-10-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20201013