CN111786783B - Public key certificate acquisition method and related equipment


Publication number
CN111786783B
Authority
CN
China
Prior art keywords
certificate
public key
fingerprint
key certificate
ith
Prior art date
Legal status
Active
Application number
CN202010625092.8A
Other languages
Chinese (zh)
Other versions
CN111786783A (en
Inventor
雷雨
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Application filed by Bank of China Ltd
Priority to CN202010625092.8A
Publication of CN111786783A
Application granted
Publication of CN111786783B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a public key certificate acquisition method and related equipment. The method comprises the following steps: when a user triggers a public key certificate application request through a service client, the service client first sends the public key certificate application request to a service server and, after receiving a public key certificate to be verified, sends the public key certificate to be verified and a service server identifier to a management server. The management server then generates a fingerprint of the certificate to be verified according to the public key certificate to be verified, determines a standard certificate fingerprint according to the service server identifier and a preset mapping relation, and, when it determines that the fingerprint of the certificate to be verified is different from the standard certificate fingerprint, sends the standard public key certificate corresponding to the standard certificate fingerprint to the service client, so that the service client communicates with the service server by using the standard public key certificate. In this way, the adverse effects caused by HTTPS man-in-the-middle attacks can be effectively overcome, and communication security can be improved.

Description

Public key certificate acquisition method and related equipment
Technical Field
The present application relates to the field of security technologies, and in particular, to a public key certificate acquisition method and related devices.
Background
With the development of the internet, network attack events (e.g., HTTPS man-in-the-middle attacks) occurring on the internet are increasingly frequent, so that the user's internet experience is seriously affected.
A man-in-the-middle attack on Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) is a common network attack. As shown in Fig. 1, during an HTTPS man-in-the-middle attack, an attacker can attack by forging the HTTPS public key certificate of the server, so that the client mistakes the forged HTTPS public key certificate of the server for a legal certificate. After the client encrypts the information to be transmitted by using the forged HTTPS public key certificate of the server, the attacker can easily steal the information to be transmitted.
Disclosure of Invention
In order to solve the technical problems in the prior art, the application provides a public key certificate acquisition method and related equipment, which can overcome adverse effects caused by HTTPS man-in-the-middle attacks, and thus can improve communication security.
In order to achieve the above object, the embodiments of the present application provide the following technical solutions:
The embodiment of the application provides a public key certificate acquisition method, which is applied to a management server and comprises the following steps:
receiving a public key certificate to be verified and a service server identification sent by a service client; the public key certificate to be verified is received by the service client after the service client sends a public key certificate application request to a service server; the service server identification is used for uniquely identifying the service server;
generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending the standard public key certificate corresponding to the fingerprint of the standard certificate to the service client, so that the service client communicates with the service server by using the standard public key certificate.
Optionally, when the preset mapping relationship includes a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, where the ith to-be-backed-up server identifier is used to uniquely identify an ith to-be-backed-up server, i is a positive integer, i is not greater than N, N is a positive integer, and N is the number of servers to be backed-up, the generation process of the preset mapping relationship includes:
receiving the ith server identifier to be backed up and the ith public key certificate sent by the ith server to be backed up;
generating an ith certificate fingerprint according to the ith public key certificate;
establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
Optionally, the method further includes:
when the certificate fingerprint to be verified and the standard certificate fingerprint are determined to be different, generating first prompt information, and sending the first prompt information to the service client for displaying;
and/or,
and when the certificate fingerprint to be verified is determined to be different from the standard certificate fingerprint, generating a preset control instruction, and sending the preset control instruction to the service client so as to disconnect the communication connection between the service client and the service server.
Optionally, the method further includes:
and when the fingerprint of the certificate to be verified is determined to be the same as the fingerprint of the standard certificate, generating second prompt information, and sending the second prompt information to the service client so that the service client communicates with the service server by using the public key certificate to be verified.
Optionally, the method further includes:
receiving updating information sent by the service server; the updating information comprises server identification updating information and/or public key certificate updating information;
and updating the preset mapping relation according to the updating information.
The embodiment of the application also provides a public key certificate acquisition method, which is applied to a service client and comprises the following steps:
sending a public key certificate application request to the service server;
receiving a public key certificate to be verified;
sending the public key certificate to be verified and the service server identification to a management server so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and after receiving the standard public key certificate sent by the management server, communicating with the service server by using the standard public key certificate.
Optionally, the method further includes:
after first prompt information sent by the management server is received, displaying the first prompt information; the first prompt message is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving a preset control instruction sent by the management server, disconnecting the communication connection with the service server; the preset control instruction is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving second prompt information sent by the management server, communicating with the service server by using the public key certificate to be verified; and the second prompt message is generated by the management server when the fingerprint of the certificate to be verified and the fingerprint of the standard certificate are determined to be the same.
An embodiment of the present application further provides a public key certificate obtaining apparatus, including:
the first receiving unit is used for receiving a public key certificate to be verified and a service server identifier sent by a service client; the public key certificate to be verified is received by the service client after the service client sends a public key certificate application request to a service server; the service server identification is used for uniquely identifying the service server;
the first generating unit is used for generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
the first determining unit is used for determining a standard certificate fingerprint according to the service server identifier and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and the first sending unit is used for sending the standard public key certificate corresponding to the standard certificate fingerprint to the service client when the to-be-verified certificate fingerprint and the standard certificate fingerprint are determined to be different, so that the service client communicates with the service server by using the standard public key certificate.
An embodiment of the present application further provides a public key certificate obtaining apparatus, where the apparatus includes:
a second sending unit, configured to send a public key certificate application request to the service server;
the second receiving unit is used for receiving the public key certificate to be verified;
a third sending unit, configured to send the public key certificate to be verified and the service server identifier to a management server, so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and the first encryption unit is used for communicating with the service server by using the standard public key certificate after receiving the standard public key certificate sent by the management server.
An embodiment of the present application further provides an apparatus, where the apparatus includes a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to execute any implementation manner of the public key certificate acquisition method provided by the embodiment of the present application according to the computer program.
An embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium is used to store a computer program, and the computer program is used to execute any implementation manner of the public key certificate acquisition method provided in the embodiment of the present application.
Compared with the prior art, the embodiment of the application has at least the following advantages:
In the method for acquiring a public key certificate provided in the embodiment of the present application, when a user triggers a public key certificate application request through a service client, the service client first sends the public key certificate application request to a service server, and after receiving a public key certificate to be verified, sends the public key certificate to be verified and a service server identifier to a management server. Then, the management server generates a fingerprint of the certificate to be verified according to the public key certificate to be verified, determines a standard certificate fingerprint according to the service server identifier and the preset mapping relation, and sends the standard public key certificate corresponding to the standard certificate fingerprint to the service client when determining that the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, so that the service client communicates with the service server by using the standard public key certificate.
Therefore, after the service client receives the public key certificate to be verified, the management server first checks whether the public key certificate to be verified is a forged certificate. After determining that the public key certificate to be verified is a forged certificate, the management server sends the standard public key certificate, which was backed up in advance, to the service client, so that the service client can communicate with the service server by using the standard public key certificate. The service client is thus prevented from communicating by using the forged certificate, the adverse effects caused by HTTPS man-in-the-middle attacks can be effectively overcome, and communication security can be improved.
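The management-server check and the service client's reaction described above, as an added Python example that is not part of the patent text. It assumes SHA-256 as the fingerprint algorithm, an in-memory dictionary in place of the blockchain store, constructed byte strings in place of real certificates, and a fail-closed result for an unregistered server identifier; the class and function names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: stand-ins for DER-encoded certificates, not real X.509.
SERVER_ID = "203.0.113.10"  # identifier may be the server's IP (documentation range)
CERT_1 = b"constructed: public key certificate 1 issued to the service server"
CERT_2 = b"constructed: public key certificate 2 substituted by the attacker"
CERT_3 = b"constructed: renewed certificate for the same service server"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (assumed algorithm; the page leaves it open).
    Registration and verification must use the same function."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class Verdict:
    status: str                     # "match", "mismatch" or "unknown_server"
    prompt: str                     # first or second prompt information
    disconnect: bool                # preset control instruction
    standard_cert: Optional[bytes]  # backed-up certificate, sent only on mismatch


class ManagementServer:
    """Hypothetical in-memory registry standing in for the blockchain-backed mapping."""

    def __init__(self) -> None:
        # server identifier -> (standard fingerprint, standard certificate)
        self._registry: Dict[str, Tuple[str, bytes]] = {}

    def register(self, server_id: str, cert_der: bytes) -> str:
        """Mapping generation (steps 1-4); calling it again applies an update."""
        fp = fingerprint(cert_der)
        self._registry[server_id] = (fp, cert_der)
        return fp

    def verify(self, server_id: str, candidate_der: bytes) -> Verdict:
        entry = self._registry.get(server_id)
        if entry is None:
            # Case not described on the page: fail closed (assumption of this example).
            return Verdict("unknown_server", "no standard certificate on record", True, None)
        standard_fp, standard_cert = entry
        candidate_fp = fingerprint(candidate_der)
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(candidate_fp, standard_fp):
            return Verdict("match", "second prompt: certificate is legal", False, None)
        return Verdict("mismatch", "first prompt: certificate differs from backup",
                       True, standard_cert)


def client_select_certificate(received: bytes, verdict: Verdict) -> Optional[bytes]:
    """Service-client side: pick the certificate to use, or None to stop."""
    if verdict.status == "match":
        return received
    if verdict.status == "mismatch":
        return verdict.standard_cert
    return None


def run_demo() -> Dict[str, str]:
    ms = ManagementServer()
    ms.register(SERVER_ID, CERT_1)
    results = {
        "genuine": ms.verify(SERVER_ID, CERT_1).status,
        "forged": ms.verify(SERVER_ID, CERT_2).status,
        "unregistered": ms.verify("198.51.100.7", CERT_1).status,
    }
    ms.register(SERVER_ID, CERT_3)  # update information from the service server
    results["old_cert_after_update"] = ms.verify(SERVER_ID, CERT_1).status
    return results


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case}: {status}")
```

The verdict is only as trustworthy as the channel that carries it, so the service client's connection to the management server needs its own authentication, which this example does not model.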
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of an HTTPS man-in-the-middle attack provided in an embodiment of the present application;
Fig. 2 is a schematic view of an application scenario of a public key certificate acquisition method according to an embodiment of the present application;
Fig. 3 is a flowchart of a public key certificate acquisition method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a public key certificate acquisition apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another public key certificate acquisition apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus provided in an embodiment of the present application.
Detailed Description
In order to facilitate understanding of the public key certificate obtaining method provided in the embodiment of the present application, the following description is made with reference to an application scenario shown in Fig. 2. Fig. 2 is a schematic view of an application scenario of the public key certificate obtaining method according to the embodiment of the present application. As shown in Fig. 2, when a user 101 wants to establish a communication connection between a service client 102 and a service server 103, the user 101 triggers a public key certificate application request on the service client 102, so that the service client 102 sends the public key certificate application request to the service server 103.
However, because an HTTPS man-in-the-middle attack occurs while the service server 103 is sending the public key certificate 1 to the service client 102, the attacker replaces the public key certificate 1 sent by the service server 103 with the public key certificate 2 (i.e., a forged certificate), and sends the public key certificate 2 to the service client 102.
After the service client 102 receives the public key certificate 2, the service client 102 transmits the public key certificate 2 and the service server identification of the service server 103 to the management server 104.
The management server 104 generates a to-be-verified certificate fingerprint according to the public key certificate 2, determines a standard certificate fingerprint (that is, the certificate fingerprint generated from the public key certificate 1) according to the service server identifier and the preset mapping relationship, and sends a standard public key certificate corresponding to the standard certificate fingerprint (that is, the public key certificate 1 backed up in the blockchain) to the service client 102 when determining that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, so that the service client 102 can subsequently communicate with the service server 103 based on the standard public key certificate.
It should be noted that, in order to improve the security of the preset mapping relationship and the standard public key certificate, the preset mapping relationship and the standard public key certificate may be stored in the blockchain in advance, so that the management server 104 can obtain the preset mapping relationship and the standard public key certificate from the blockchain when executing the public key certificate obtaining method.
It should be further noted that the embodiment of the present application is not limited to the service server 103 and the service client 102, for example, the service server 103 may be a bank server, and the service client 102 may be a bank client.
It should be noted that, the embodiment of the present application is not limited to the management server 104, and the management server 104 may be any server capable of executing the public key certificate acquisition method. In one possible implementation, the management server 104 may be any node server in the blockchain that is capable of performing the public key certificate acquisition method.
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Method embodiment
Referring to fig. 3, this figure is a flowchart of a public key certificate acquisition method provided in an embodiment of the present application.
The method for acquiring the public key certificate provided by the embodiment of the application comprises the following steps S1-S6:
S1: The service client sends a public key certificate application request to the service server.
The public key certificate application request is used for requesting a public key certificate, and the public key certificate application request is triggered by a user through a service client.
S2: The service client receives the public key certificate to be verified and sends the public key certificate to be verified and the service server identifier to the management server.
The public key certificate to be verified refers to a public key certificate received by the service client, and the public key certificate to be verified may be a public key certificate sent by the service server or a forged certificate sent by an attacker who initiates an HTTPS man-in-the-middle attack. For example, as shown in Fig. 1, if the attacker does not launch the HTTPS man-in-the-middle attack, the public key certificate to be verified received by the service client 102 is the public key certificate 1; if the attacker launches the HTTPS man-in-the-middle attack, the public key certificate to be verified received by the service client 102 is the public key certificate 2 (i.e., a forged certificate).
The service server identifier is used to uniquely identify the service server, and the embodiment of the present application does not limit the service server identifier, for example, the service server identifier may be an IP address of the service server.
Based on the above content, after the service client receives the public key certificate to be verified, the service client may send the public key certificate to be verified and the service server identifier to the management server, so that the management server can perform authenticity identification on the public key certificate to be verified.
S3: The management server generates a fingerprint of the certificate to be verified according to the public key certificate to be verified, and determines a standard certificate fingerprint according to the service server identifier and a preset mapping relation.
The fingerprint of the certificate to be verified is used for representing the public key certificate to be verified. It should be noted that the present embodiment does not limit the fingerprint generation method; any existing or future fingerprint generation method may be used.
The preset mapping relationship comprises a corresponding relationship between a service server identifier and a standard certificate fingerprint, and the preset mapping relationship can be used for recording the corresponding relationship between the certificate fingerprint of the public key certificate uploaded by each service server and the service server.
The preset mapping relationship may be stored in the blockchain in advance, and the preset mapping relationship may be generated in advance based on the public key certificate stored in each server. Based on this, the embodiment of the present application further provides a generation method of the preset mapping relationship, which is described below with reference to an example.
As an example, when the preset mapping relationship includes a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, where the ith to-be-backed-up server identifier is used to uniquely identify an ith to-be-backed-up server, i is a positive integer, i is not greater than N, N is a positive integer, and N is the number of to-be-backed-up servers, the generation process of the preset mapping relationship specifically includes the following four steps:
Step 1: The management server receives an ith server identifier to be backed up and an ith public key certificate which are sent by an ith server to be backed up. The server identification to be backed up is used for uniquely identifying the server to be backed up; the ith public key certificate is a public key certificate stored in the ith server to be backed up.
Step 2: The management server generates an ith certificate fingerprint according to the ith public key certificate. The ith certificate fingerprint is used to characterize the ith public key certificate.
Step 3: The management server establishes a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
Step 4: The management server generates a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
It should be noted that, for the ith server to be backed up, when the ith server to be backed up acquires the ith public key certificate issued by the relevant organization, the ith server to be backed up should actively send the ith server identifier to be backed up and the ith public key certificate to the management server, so that the management server completes the update of the preset mapping relationship by executing the steps 1 to 4.
It should be further noted that any corresponding relationship in the preset mapping relationships is constructed according to the foregoing steps 1-3, and for the sake of brevity, details are not repeated here.
Based on the relevant content of the preset mapping relationship, the management server can construct the preset mapping relationship according to the server identifier and the public key certificate actively provided by each service server, so that the preset mapping relationship can record the relevant information of the public key certificate stored in each service server in the network, and the purpose of backing up the public key certificate stored in each service server can be realized.
Based on the related content of S2, after the management server receives the public key certificate to be verified and the service server identifier, the management server first generates a certificate fingerprint to be verified according to the public key certificate to be verified by using a preset fingerprint algorithm, and then queries a certificate fingerprint corresponding to the service server identifier from a preset mapping relationship stored in the blockchain, as a standard certificate fingerprint. The standard certificate fingerprint and the to-be-verified certificate fingerprint are generated by the same fingerprint generation method, so that when the standard certificate fingerprint and the to-be-verified certificate fingerprint are determined to be the same, the to-be-verified public key certificate and the standard public key certificate corresponding to the standard certificate fingerprint can be determined to be the same; however, when the standard certificate fingerprint and the to-be-verified certificate fingerprint are determined to be different, it may be determined that the standard public key certificate corresponding to the to-be-verified public key certificate and the standard certificate fingerprint are different.
S4: the management server judges whether the fingerprint of the certificate to be verified is the same as the fingerprint of the standard certificate, if so, S5 is executed; if not, executing S6.
After the management server acquires the standard certificate fingerprint, it compares the to-be-verified certificate fingerprint with the standard certificate fingerprint. If the two are the same, the public key certificate to be verified is determined to be the same as the service server's public key certificate backed up in the blockchain. The public key certificate to be verified received by the service client is therefore a legal public key certificate that has not been tampered with by an attacker launching an HTTPS man-in-the-middle attack, and the service client can communicate with the service server by using it. If the two are different, the public key certificate to be verified is determined to be different from the service server's public key certificate backed up in the blockchain. The public key certificate to be verified received by the service client is therefore a forged certificate that has indeed been tampered with by an attacker launching an HTTPS man-in-the-middle attack, so the standard public key certificate backed up in the blockchain can be sent to the service client, so that the service client can communicate with the service server by using the standard public key certificate.
S5: The management server generates second prompt information and sends the second prompt information to the service client, so that the service client communicates with the service server by using the public key certificate to be verified. The second prompt information is used for describing that the public key certificate to be verified received by the service client is a legal certificate.
S6: The management server sends the standard public key certificate corresponding to the standard certificate fingerprint to the service client, so that the service client communicates with the service server by using the standard public key certificate.
It should be noted that, in the embodiment of the present application, a specific process of a service client communicating with a service server by using a public key certificate is not limited.
Based on the relevant contents of S1 to S6, in the method for obtaining a public key certificate provided in the embodiment of the present application, when a user triggers a public key certificate application request through a service client, the service client first sends the public key certificate application request to a service server, and after receiving a public key certificate to be verified, sends the public key certificate to be verified and a service server identifier to a management server. Then, the management server generates a fingerprint of the certificate to be verified according to the public key certificate to be verified, then determines a standard certificate fingerprint according to the service server identifier and the preset mapping relation, and sends the standard public key certificate corresponding to the standard certificate fingerprint to the service client when determining that the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, so that the service client communicates with the service server by using the standard public key certificate.
Therefore, after the service client receives the public key certificate to be verified, the management server first checks whether the public key certificate to be verified is a forged certificate. After determining that it is a forged certificate, the management server sends the standard public key certificate backed up in advance to the service client, so that the service client can communicate with the service server by using the standard public key certificate. This prevents the service client from communicating by using the forged certificate, effectively overcomes the adverse effects caused by an HTTPS man-in-the-middle attack, and improves communication security.
In some cases, the user may be alerted as to whether an HTTPS man-in-the-middle attack has occurred. Based on this, the present application provides a possible implementation manner of the public key certificate obtaining method, in which the public key certificate obtaining method includes, in addition to the foregoing S1 to S6, S7:
S7: When determining that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, the management server generates first prompt information and sends the first prompt information to the service client for display. The first prompt information is used for describing that the service client and the service server encountered an HTTPS man-in-the-middle attack in the process of establishing the communication connection.
Based on the related content of S7, when the management server determines that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, the management server may send the standard public key certificate backed up in the blockchain to the service client, and may also send the first prompt information to the service client for display, so that the user knows that the service client and the service server suffered an HTTPS man-in-the-middle attack in the process of establishing the communication connection.
In addition, in order to completely eliminate the adverse effects caused by the HTTPS man-in-the-middle attack, the communication connection with the service server can be disconnected. Based on this, an embodiment of the present application further provides a possible implementation manner of the public key certificate obtaining method, where in this implementation manner, the public key certificate obtaining method further includes, in addition to the foregoing S1 to S5, S8:
S8: When the management server determines that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, it generates a preset control instruction and sends the preset control instruction to the service client, so as to disconnect the communication connection between the service client and the service server. The preset control instruction is used for controlling the service client to disconnect the communication connection with the service server.
Based on the related content of S8, when the management server determines that the to-be-verified certificate fingerprint and the standard certificate fingerprint are different, the management server may send the generated preset control instruction to the service client, so that the service client disconnects the communication connection with the service server based on the preset control instruction. In this way, the adverse effects caused by the HTTPS man-in-the-middle attack can be completely eliminated.
In some cases, when the public key certificate stored by the service server is updated or the identity of the service server is updated, the service server may send the update information to the management server, so that the management server can update the relevant information (such as the preset mapping relationship and the certificate fingerprint) stored in the blockchain based on the update information. Based on this, the embodiments of the present application further provide a possible implementation manner of the public key certificate obtaining method, in which the public key certificate obtaining method further includes, in addition to the above-mentioned part or all of the steps, S9-S10:
S9: The management server receives the update information sent by the service server.
The update information includes server identification update information and/or public key certificate update information. The server identification updating information comprises a server identification before updating and a server identification after updating. The public key certificate update information includes the updated public key certificate.
S10: The management server updates the preset mapping relationship according to the update information.
When the update information includes server identifier update information, the management server replaces the pre-update server identifier in the preset mapping relationship with the updated server identifier. When the update information includes public key certificate update information, the management server generates a new certificate fingerprint from the updated public key certificate, takes the certificate fingerprint corresponding to the service server identifier in the preset mapping relationship as the certificate fingerprint to be replaced, replaces the public key certificate that is stored in the blockchain and corresponds to the certificate fingerprint to be replaced with the updated public key certificate, and replaces the certificate fingerprint to be replaced in the preset mapping relationship with the new certificate fingerprint. In this way, the preset mapping relationship is updated, so that the preset mapping relationship and the public key certificates stored in the blockchain always remain consistent with the public key certificate information stored in each server in the network.
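The management-server logic of S3 to S10, sketched as an added example that is not part of the patent text. It assumes SHA-256 as the preset fingerprint algorithm, in-memory dictionaries in place of the blockchain records, and fail-closed handling of an unregistered server identifier (a case the description does not define); all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample inputs: placeholder byte strings standing in for DER certificates.
GENUINE_CERT = b"constructed-sample: certificate issued to svc-01"
FORGED_CERT = b"constructed-sample: certificate substituted in transit"
ROTATED_CERT = b"constructed-sample: renewed certificate for svc-01"


def fingerprint(cert: bytes) -> str:
    # Assumption: the "preset fingerprint algorithm" is SHA-256 over the certificate bytes.
    return hashlib.sha256(cert).hexdigest()


@dataclass
class Verdict:
    legitimate: bool
    prompt: str                            # first or second prompt information
    standard_cert: Optional[bytes] = None  # S6: returned only on a mismatch
    disconnect: bool = False               # S8: preset control instruction


class ManagementServer:
    def __init__(self) -> None:
        # Assumption: plain dicts stand in for the records kept in the blockchain.
        self.mapping: Dict[str, str] = {}       # server identifier -> certificate fingerprint
        self.cert_store: Dict[str, bytes] = {}  # certificate fingerprint -> backed-up certificate

    def register(self, server_id: str, cert: bytes) -> None:
        """Backup: fingerprint the certificate a server submits and record the correspondence."""
        fp = fingerprint(cert)
        self.cert_store[fp] = cert
        self.mapping[server_id] = fp

    def verify(self, server_id: str, cert_to_verify: bytes,
               disconnect_on_mismatch: bool = False) -> Verdict:
        """S3-S8: compare the to-be-verified fingerprint with the standard fingerprint."""
        if server_id not in self.mapping:
            # Not covered by the description; this example refuses to issue a verdict.
            raise LookupError(f"no backed-up certificate for {server_id!r}")
        standard_fp = self.mapping[server_id]
        candidate_fp = fingerprint(cert_to_verify)
        if hmac.compare_digest(candidate_fp, standard_fp):
            return Verdict(True, "second prompt: certificate is legitimate")        # S5
        return Verdict(False,
                       "first prompt: HTTPS man-in-the-middle attack detected",    # S7
                       standard_cert=self.cert_store[standard_fp],                 # S6
                       disconnect=disconnect_on_mismatch)                          # S8

    def update(self, server_id: str, new_server_id: Optional[str] = None,
               new_cert: Optional[bytes] = None) -> None:
        """S9-S10: apply identifier and/or certificate update information."""
        if new_server_id is not None:
            # Replace the pre-update identifier with the updated one.
            self.mapping[new_server_id] = self.mapping.pop(server_id)
            server_id = new_server_id
        if new_cert is not None:
            old_fp = self.mapping[server_id]      # certificate fingerprint to be replaced
            new_fp = fingerprint(new_cert)
            self.mapping[server_id] = new_fp
            self.cert_store[new_fp] = new_cert
            # Drop the old backup unless another identifier still maps to it.
            if old_fp != new_fp and old_fp not in self.mapping.values():
                del self.cert_store[old_fp]


def demo() -> Dict[str, bool]:
    ms = ManagementServer()
    ms.register("svc-01", GENUINE_CERT)
    results = {
        "genuine_accepted": ms.verify("svc-01", GENUINE_CERT).legitimate,
        "forged_rejected": not ms.verify("svc-01", FORGED_CERT).legitimate,
    }
    ms.update("svc-01", new_cert=ROTATED_CERT)
    # After the update, the previous certificate no longer matches the mapping.
    results["old_rejected_after_update"] = not ms.verify("svc-01", GENUINE_CERT).legitimate
    results["new_accepted_after_update"] = ms.verify("svc-01", ROTATED_CERT).legitimate
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The verdict for a given identifier depends entirely on what the mapping currently holds, so a service server that renews its certificate without sending update information (S9) will have its new certificate reported as forged.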
Based on the above method for acquiring a public key certificate, the embodiment of the present application further provides two apparatuses for acquiring a public key certificate, which are explained and illustrated below with reference to the accompanying drawings. It should be noted that, for details of technical contents of the public key certificate acquisition apparatus, reference may be made to related contents of the public key certificate acquisition method, and for the sake of brevity, detailed descriptions are omitted here.
Apparatus embodiment one
Referring to fig. 4, this figure is a schematic structural diagram of a public key certificate acquisition apparatus according to an embodiment of the present application.
The public key certificate acquisition apparatus 400 provided in the embodiment of the present application includes:
a first receiving unit 401, configured to receive a public key certificate to be verified and a service server identifier sent by a service client; the public key certificate to be verified is the certificate received by the service client after the service client sends a public key certificate application request to a service server; the service server identifier is used for uniquely identifying the service server;
a first generating unit 402, configured to generate a to-be-verified certificate fingerprint according to the public key certificate to be verified;
a first determining unit 403, configured to determine a standard certificate fingerprint according to the service server identifier and a preset mapping relationship; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
a first sending unit 404, configured to send, when it is determined that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, the standard public key certificate corresponding to the standard certificate fingerprint to the service client, so that the service client communicates with the service server by using the standard public key certificate.
In a possible implementation manner, when the preset mapping relationship includes a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, where the ith to-be-backed-up server identifier is used to uniquely identify an ith to-be-backed-up server, i is a positive integer, i is less than or equal to N, N is a positive integer, and N is the number of to-be-backed-up servers, the generating process of the preset mapping relationship includes:
receiving the ith server identifier to be backed up and the ith public key certificate sent by the ith server to be backed up;
generating an ith certificate fingerprint according to the ith public key certificate;
establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
In a possible implementation, the public key certificate obtaining apparatus 400 further includes:
a second generating unit, configured to generate first prompt information when it is determined that the to-be-verified certificate fingerprint and the standard certificate fingerprint are different, and send the first prompt information to the service client for display;
and/or,
a third generating unit, configured to generate a preset control instruction when it is determined that the to-be-verified certificate fingerprint is different from the standard certificate fingerprint, and send the preset control instruction to the service client so as to disconnect the communication connection between the service client and the service server.
In a possible implementation manner, the public key certificate obtaining apparatus 400 further includes:
a fourth generating unit, configured to generate second prompt information when it is determined that the to-be-verified certificate fingerprint is the same as the standard certificate fingerprint, and send the second prompt information to the service client so that the service client communicates with the service server by using the public key certificate to be verified.
In a possible implementation manner, the public key certificate obtaining apparatus 400 further includes:
a third receiving unit, configured to receive update information sent by the service server; wherein the update information comprises server identifier update information and/or public key certificate update information;
an updating unit, configured to update the preset mapping relationship according to the update information.
Based on the related content of the public key certificate acquisition apparatus 400, after the service client receives the public key certificate to be verified, the management server first checks whether the public key certificate to be verified is a forged certificate. After determining that it is a forged certificate, the management server sends the standard public key certificate backed up in advance to the service client, so that the service client can communicate with the service server by using the standard public key certificate. This prevents the service client from communicating by using the forged certificate, effectively overcomes the adverse effects caused by an HTTPS man-in-the-middle attack, and improves communication security.
It should be noted that the public key certificate acquisition apparatus 400 provided in the first apparatus embodiment may be deployed in a management server, so that the management server can execute the above public key certificate acquisition method.
Apparatus embodiment two
Referring to fig. 5, this figure is a schematic structural diagram of another public key certificate acquisition apparatus according to an embodiment of the present application.
The public key certificate acquisition apparatus 500 provided in the embodiment of the present application includes:
a second sending unit 501, configured to send a public key certificate application request to the service server;
a second receiving unit 502, configured to receive a public key certificate to be verified;
a third sending unit 503, configured to send the public key certificate to be verified and the service server identifier to a management server, so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
a first encryption unit 504, configured to communicate with the service server by using the standard public key certificate after receiving the standard public key certificate sent by the management server.
In a possible implementation, the public key certificate obtaining apparatus 500 further includes:
a display unit, configured to display first prompt information after receiving the first prompt information sent by the management server; the first prompt information is generated when the management server determines that the to-be-verified certificate fingerprint and the standard certificate fingerprint are different;
a disconnection unit, configured to disconnect the communication connection with the service server after receiving a preset control instruction sent by the management server; the preset control instruction is generated when the management server determines that the to-be-verified certificate fingerprint and the standard certificate fingerprint are different;
a communication unit, configured to communicate with the service server by using the public key certificate to be verified after receiving second prompt information sent by the management server; the second prompt information is generated when the management server determines that the to-be-verified certificate fingerprint is the same as the standard certificate fingerprint.
Based on the related content of the public key certificate acquisition apparatus 500, after the service client receives the public key certificate to be verified, the management server first checks whether the public key certificate to be verified is a forged certificate. After determining that it is a forged certificate, the management server sends the standard public key certificate backed up in advance to the service client, so that the service client can communicate with the service server by using the standard public key certificate. This prevents the service client from communicating by using the forged certificate, effectively overcomes the adverse effects caused by an HTTPS man-in-the-middle attack, and improves communication security.
It should be noted that the public key certificate obtaining apparatus 400 provided in the first apparatus embodiment may be deployed in a service client, so that the management server can execute the public key certificate obtaining method.
Based on the method for acquiring the public key certificate provided by the above method embodiment, the embodiment of the present application further provides a device, which is explained and illustrated below with reference to the accompanying drawings.
Device embodiment
For technical details of the device provided by the device embodiment, please refer to the above method embodiment.
Referring to fig. 6, the drawing is a schematic structural diagram of an apparatus provided in the embodiment of the present application.
The device 600 provided by the embodiment of the application comprises: a processor 601 and a memory 602;
the memory 602 is used for storing computer programs;
the processor 601 is configured to execute any implementation of the public key certificate acquisition method provided by the above method embodiments according to the computer program. That is, the processor 601 is configured to perform the following steps:
receiving a public key certificate to be verified and a service server identifier sent by a service client; the public key certificate to be verified is the certificate received by the service client after the service client sends a public key certificate application request to a service server; the service server identifier is used for uniquely identifying the service server;
generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and when the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, sending the standard public key certificate corresponding to the fingerprint of the standard certificate to the service client so that the service client communicates with the service server by using the standard public key certificate.
Optionally, when the preset mapping relationship includes a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, where the ith to-be-backed-up server identifier is used to uniquely identify an ith to-be-backed-up server, i is a positive integer, i is not greater than N, N is a positive integer, and N is the number of servers to be backed-up, the generation process of the preset mapping relationship includes:
receiving the ith server identifier to be backed up and the ith public key certificate sent by the ith server to be backed up;
generating an ith certificate fingerprint according to the ith public key certificate;
establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
Optionally, the method further includes:
when the certificate fingerprint to be verified and the standard certificate fingerprint are determined to be different, generating first prompt information, and sending the first prompt information to the service client for displaying;
and/or,
and when the certificate fingerprint to be verified is different from the standard certificate fingerprint, generating a preset control instruction, and sending the preset control instruction to the service client so as to disconnect the communication connection between the service client and the service server.
Optionally, the method further includes:
and when the fingerprint of the certificate to be verified is determined to be the same as the fingerprint of the standard certificate, generating second prompt information, and sending the second prompt information to the service client so that the service client communicates with the service server by using the public key certificate to be verified.
Optionally, the method further includes:
receiving the updating information sent by the service server; wherein the update information comprises server identification update information and/or public key certificate update information;
and updating the preset mapping relation according to the updating information.
Alternatively, the processor 601 is configured to perform the following steps:
sending a public key certificate application request to the service server;
receiving a public key certificate to be verified;
sending the public key certificate to be verified and the service server identification to a management server so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and after receiving the standard public key certificate sent by the management server, communicating with the service server by using the standard public key certificate.
Optionally, the method further includes:
after first prompt information sent by the management server is received, displaying the first prompt information; the first prompt message is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving a preset control instruction sent by the management server, disconnecting the communication connection with the service server; the preset control instruction is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving second prompt information sent by the management server, communicating with the service server by using the public key certificate to be verified; and the second prompt information is generated when the management server determines that the to-be-verified certificate fingerprint is the same as the standard certificate fingerprint.
The above is related to the apparatus 600 provided in the embodiment of the present application.
Based on the method for acquiring the public key certificate provided by the method embodiment, the embodiment of the application also provides a computer readable storage medium.
Medium embodiment
For technical details of the computer-readable storage medium provided by the medium embodiment, please refer to the method embodiment.
An embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium is configured to store a computer program, where the computer program is configured to execute any implementation manner of the public key certificate acquisition method provided in the foregoing method embodiment. That is, the computer program is for performing the steps of:
receiving a public key certificate to be verified and a service server identifier sent by a service client; the public key certificate to be verified is the certificate received by the service client after the service client sends a public key certificate application request to a service server; the service server identifier is used for uniquely identifying the service server;
generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending the standard public key certificate corresponding to the fingerprint of the standard certificate to the service client, so that the service client communicates with the service server by using the standard public key certificate.
Optionally, when the preset mapping relationship includes a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, where the ith to-be-backed-up server identifier is used to uniquely identify an ith to-be-backed-up server, i is a positive integer, i is not greater than N, N is a positive integer, and N is the number of the to-be-backed-up servers, the generation process of the preset mapping relationship includes:
receiving the ith server identifier to be backed up and the ith public key certificate sent by the ith server to be backed up;
generating an ith certificate fingerprint according to the ith public key certificate;
establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
Optionally, the method further includes:
when the certificate fingerprint to be verified and the standard certificate fingerprint are determined to be different, generating first prompt information, and sending the first prompt information to the service client side for displaying;
and/or,
and when the certificate fingerprint to be verified is determined to be different from the standard certificate fingerprint, generating a preset control instruction, and sending the preset control instruction to the service client so as to disconnect the communication connection between the service client and the service server.
Optionally, the method further includes:
and when the fingerprint of the certificate to be verified is determined to be the same as the fingerprint of the standard certificate, generating second prompt information, and sending the second prompt information to the service client so that the service client communicates with the service server by using the public key certificate to be verified.
Optionally, the method further includes:
receiving updating information sent by the service server; wherein the update information comprises server identification update information and/or public key certificate update information;
and updating the preset mapping relation according to the updating information.
Alternatively, the computer program is for performing the steps of:
sending a public key certificate application request to the service server;
receiving a public key certificate to be verified;
sending the public key certificate to be verified and the service server identification to a management server so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
and after receiving the standard public key certificate sent by the management server, communicating with the service server by using the standard public key certificate.
Optionally, the method further includes:
after first prompt information sent by the management server is received, displaying the first prompt information; the first prompt message is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving a preset control instruction sent by the management server, disconnecting the communication connection with the service server; the preset control instruction is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving second prompt information sent by the management server, communicating with the service server by using the public key certificate to be verified; and the second prompt message is generated by the management server when the fingerprint of the certificate to be verified and the fingerprint of the standard certificate are determined to be the same.
The above is the content relating to the computer-readable storage medium provided in the embodiments of the present application.
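The management-server check and the service-client handling described above, as an added example that is not part of the patent text. It assumes the fingerprint is SHA-256 over the encoded certificate; the class, function and prompt names, the `srv-01` identifier and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: opaque byte strings standing in for encoded certificates.
GENUINE_CERT = b"constructed-certificate-of-srv-01"
FORGED_CERT = b"constructed-certificate-from-impostor"


def fingerprint(cert: bytes) -> str:
    """Certificate fingerprint. SHA-256 is an assumption; the page names no algorithm."""
    return hashlib.sha256(cert).hexdigest()


@dataclass
class Verdict:
    match: bool
    prompt: str                     # first (mismatch) or second (match) prompt information
    disconnect: bool                # preset control instruction
    standard_cert: Optional[bytes]  # standard public key certificate, sent on mismatch only


class ManagementServer:
    def __init__(self) -> None:
        self._fp_by_server: Dict[str, str] = {}  # preset mapping: server id -> fingerprint
        self._cert_by_fp: Dict[str, bytes] = {}  # fingerprint -> standard certificate

    def register(self, server_id: str, cert: bytes) -> None:
        """Create or update one mapping entry from what a service server sent.
        Assumption: the caller has already authenticated the sending server."""
        old_fp = self._fp_by_server.get(server_id)
        new_fp = fingerprint(cert)
        self._fp_by_server[server_id] = new_fp
        self._cert_by_fp[new_fp] = cert
        if old_fp and old_fp not in self._fp_by_server.values():
            del self._cert_by_fp[old_fp]  # drop a certificate no entry refers to

    def verify(self, server_id: str, cert_to_verify: bytes) -> Verdict:
        standard_fp = self._fp_by_server.get(server_id)
        if standard_fp is None:
            # Unknown identifier is not covered by the page; this example fails closed.
            return Verdict(False, "unknown service server", True, None)
        if hmac.compare_digest(fingerprint(cert_to_verify), standard_fp):
            return Verdict(True, "certificate matches the standard fingerprint", False, None)
        return Verdict(False, "certificate differs from the standard fingerprint",
                       True, self._cert_by_fp[standard_fp])


def client_select_certificate(mgmt: ManagementServer, server_id: str,
                              received_cert: bytes) -> Optional[bytes]:
    """Service client: pick the certificate to use with the service server.
    Returns None when no trusted certificate is available (do not communicate)."""
    verdict = mgmt.verify(server_id, received_cert)
    if verdict.match:
        return received_cert      # second prompt: keep the received certificate
    return verdict.standard_cert  # mismatch: use the standard certificate instead
```

In a deployment these calls cross a network, so the check is only as strong as the authentication of the management-server channel and of the registration and update messages.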
It should be understood that, in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may indicate: only A is present, only B is present, or both A and B are present, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following" and similar expressions refer to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c may each be single or plural.
The foregoing describes only the preferred embodiments of the present invention and is not to be construed as limiting the invention in any way. Although the present invention has been disclosed with reference to the preferred embodiments, they are not intended to limit it. Those skilled in the art can, using the methods and techniques disclosed above, make numerous possible variations and modifications to the technical solution of the present invention, or modify it into equivalent embodiments, without departing from the scope of that technical solution. Therefore, any simple modification, equivalent change or refinement made to the above embodiments according to the technical essence of the present invention still falls within the scope of protection of the technical solution of the present invention, provided that it does not depart from the content of that technical solution.

Claims (10)

1. A public key certificate acquisition method applied to a management server, the method comprising:
receiving a public key certificate to be verified and a service server identification sent by a service client; the service client sends a public key certificate application request to a service server, and the service client receives the public key certificate to be verified; the service server identification is used for uniquely identifying the service server;
generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint;
when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client so that the service client communicates with the service server by using the standard public key certificate; when the preset mapping relationship comprises a corresponding relationship between an ith server identifier to be backed up and an ith public key certificate, the ith server identifier to be backed up is used for uniquely identifying the ith server to be backed up, i is a positive integer, i is not more than N, N is a positive integer, and N is the number of servers to be backed up, the generation process of the preset mapping relationship comprises the following steps:
receiving the ith server to be backed up identifier and the ith public key certificate sent by the ith server to be backed up;
generating an ith certificate fingerprint according to the ith public key certificate;
establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint.
2. The method of claim 1, further comprising:
when the certificate fingerprint to be verified and the standard certificate fingerprint are determined to be different, generating first prompt information, and sending the first prompt information to the service client side for displaying;
and/or,
and when the certificate fingerprint to be verified is determined to be different from the standard certificate fingerprint, generating a preset control instruction, and sending the preset control instruction to the service client so as to disconnect the communication connection between the service client and the service server.
3. The method of claim 1, further comprising:
and when the fingerprint of the certificate to be verified is determined to be the same as the fingerprint of the standard certificate, generating second prompt information, and sending the second prompt information to the service client so that the service client communicates with the service server by using the public key certificate to be verified.
4. The method of claim 1, further comprising:
receiving the updating information sent by the service server; wherein the update information comprises server identification update information and/or public key certificate update information;
and updating the preset mapping relation according to the updating information.
5. A public key certificate acquisition method is applied to a service client, and comprises the following steps:
sending a public key certificate application request to a service server;
receiving a public key certificate to be verified;
sending the public key certificate to be verified and the service server identifier to a management server so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to the service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint; when the preset mapping relationship comprises a corresponding relationship between an ith server identifier to be backed up and an ith public key certificate, the ith server identifier to be backed up is used for uniquely identifying the ith server to be backed up, i is a positive integer, i is not more than N, N is a positive integer, and N is the number of servers to be backed up, the generation process of the preset mapping relationship comprises the following steps: receiving the ith server to be backed up identifier and the ith public key certificate sent by the ith server to be backed up; generating an ith certificate fingerprint according to the ith public key certificate; establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint; generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and after receiving the standard public key certificate sent by the management server, communicating with the service server by using the standard public key certificate.
6. The method of claim 5, further comprising:
after first prompt information sent by the management server is received, displaying the first prompt information; the first prompt message is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving a preset control instruction sent by the management server, disconnecting the communication connection with the service server; the preset control instruction is generated when the management server determines that the certificate fingerprint to be verified and the standard certificate fingerprint are different;
after receiving second prompt information sent by the management server, communicating with the service server by using the public key certificate to be verified; and the second prompt message is generated by the management server when the fingerprint of the certificate to be verified and the fingerprint of the standard certificate are determined to be the same.
7. A public key certificate acquisition apparatus, characterized by comprising:
the first receiving unit is used for receiving a public key certificate to be verified and a service server identifier sent by a service client; the service client sends a public key certificate application request to a service server, and the service client receives the public key certificate to be verified; the service server identification is used for uniquely identifying the service server;
the first generating unit is used for generating a fingerprint of the certificate to be verified according to the public key certificate to be verified;
the first determining unit is used for determining a standard certificate fingerprint according to the service server identifier and a preset mapping relation; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint; when the preset mapping relationship comprises a corresponding relationship between an ith server identifier to be backed up and an ith public key certificate, the ith server identifier to be backed up is used for uniquely identifying the ith server to be backed up, i is a positive integer, i is not more than N, N is a positive integer, and N is the number of the servers to be backed up, the generation process of the preset mapping relationship comprises the following steps: receiving the ith server identifier to be backed up and the ith public key certificate sent by the ith server to be backed up; generating an ith certificate fingerprint according to the ith public key certificate; establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint; generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and the first sending unit is used for sending the standard public key certificate corresponding to the standard certificate fingerprint to the service client when the to-be-verified certificate fingerprint and the standard certificate fingerprint are determined to be different, so that the service client communicates with the service server by using the standard public key certificate.
8. An apparatus for obtaining a public key certificate, the apparatus comprising:
a second sending unit, configured to send a public key certificate application request to a service server;
the second receiving unit is used for receiving the public key certificate to be verified;
a third sending unit, configured to send the public key certificate to be verified and the service server identifier to a management server, so that the management server generates a fingerprint of the public key certificate to be verified according to the public key certificate to be verified; determining a standard certificate fingerprint according to the service server identification and a preset mapping relation; when the fingerprint of the certificate to be verified is determined to be different from the fingerprint of the standard certificate, sending a standard public key certificate corresponding to the fingerprint of the standard certificate to a service client; the service server identification is used for uniquely identifying the service server; the preset mapping relation comprises a corresponding relation between the service server identification and the standard certificate fingerprint; when the preset mapping relationship comprises a corresponding relationship between an ith to-be-backed-up server identifier and an ith public key certificate, the ith to-be-backed-up server identifier is used for uniquely identifying the ith to-be-backed-up server, i is a positive integer, i is not more than N, N is a positive integer, and N is the number of the to-be-backed-up servers, the generation process of the preset mapping relationship comprises the following steps: receiving the ith server to be backed up identifier and the ith public key certificate sent by the ith server to be backed up; generating an ith certificate fingerprint according to the ith public key certificate; establishing a corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint; generating a preset mapping relation according to the corresponding relation between the ith server identifier to be backed up and the ith certificate fingerprint;
and the first encryption unit is used for communicating with the service server by using the standard public key certificate after receiving the standard public key certificate sent by the management server.
9. An electronic device, comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the method of any one of claims 1-4 or the method of any one of claims 5-6.
10. A computer-readable storage medium for storing a computer program which, when executed by a computer, causes the computer to implement the method of any one of claims 1-4 or the method of any one of claims 5-6.
CN202010625092.8A 2020-07-01 2020-07-01 Public key certificate acquisition method and related equipment Active CN111786783B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010625092.8A CN111786783B (en) 2020-07-01 2020-07-01 Public key certificate acquisition method and related equipment

Publications (2)

Publication Number Publication Date
CN111786783A CN111786783A (en) 2020-10-16
CN111786783B true CN111786783B (en) 2022-10-21

Family

ID=72757831

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010625092.8A Active CN111786783B (en) 2020-07-01 2020-07-01 Public key certificate acquisition method and related equipment

Country Status (1)

Country Link
CN (1) CN111786783B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113127840A (en) * 2021-05-19 2021-07-16 中国银行股份有限公司 Block chain-based certificate issuing method and device, computer equipment and medium
US20230160591A1 (en) * 2021-11-19 2023-05-25 Johnson Controls Tyco IP Holdings LLP Building management system with expired operational certificate recovery
CN115021938A (en) * 2022-06-27 2022-09-06 中国银行股份有限公司 Secure digital certificate application method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107800725A (en) * 2017-12-11 2018-03-13 公安部第研究所 A kind of digital certificate remote online managing device and method
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate
CN109714168A (en) * 2017-10-25 2019-05-03 阿里巴巴集团控股有限公司 Trusted remote method of proof, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786344B (en) * 2017-10-30 2020-05-19 阿里巴巴集团控股有限公司 Method and device for realizing application and use of digital certificate

Also Published As

Publication number Publication date
CN111786783A (en) 2020-10-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant