CN111800402B - Method for realizing full link encryption proxy by using event certificate - Google Patents


Info

Publication number
CN111800402B
CN111800402B
Authority
CN
China
Prior art keywords
proxy server
client
ssl
certificate
ssl proxy
Prior art date
Legal status
Active
Application number
CN202010599085.5A
Other languages
Chinese (zh)
Other versions
CN111800402A (en)
Inventor
朱振中
陈磊
贺红杰
Current Assignee
Beijing Geer Guoxin Technology Co ltd
Original Assignee
Koal Software Co ltd
Priority date
2020-06-28
Filing date
2020-06-28
Publication date
2022-08-09
Application filed by Koal Software Co ltd
Priority to CN202010599085.5A
Publication of CN111800402A
Application granted
Publication of CN111800402B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 for separating internal from external traffic, e.g. firewalls
              • H04L63/0281 Proxies
            • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                • H04L63/0471 applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
            • H04L63/08 for authentication of entities
              • H04L63/0823 using certificates
              • H04L63/0884 by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
            • H04L63/16 Implementing security features at a particular protocol layer
              • H04L63/168 above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for realizing a full-link encryption proxy using an event certificate. An SSL encryption tunnel based on a digital certificate is first established between the browser and an SSL proxy server; the SSL proxy server, in linkage with a CA server, then dynamically generates an event certificate, associates it with the SSL session, and uses it to complete an SSL encryption tunnel with the back-end application server, so that the application server can perform secondary identity authentication on the user and, on that basis, fine-grained access control and single sign-on. The event certificate provides one-time session encryption between the SSL proxy server and the application server: the identity with which the SSL proxy server authenticates is the same as the user identity of the original visitor, and the session makes full use of the event certificate's properties of immediate issuance, no need for storage and a short validity period. By adopting the event certificate mode, the SSL proxy server achieves micro-isolation from the user to the application while improving the access control capability and auditing transparency of the whole system.

Description

Method for realizing full link encryption proxy by using event certificate
Technical Field
The invention belongs to the technical field of network security, and in particular relates to a method for realizing a full-link encryption proxy using an event certificate, for identity authentication and link encryption of network communication.
Background
Traditional network security assumes that attackers come mainly from the external network, and places strict monitoring equipment such as firewalls, VPNs (virtual private networks) and anti-virus devices at the network entrance to reduce attacks from outside. Because this shields most external hacker attacks, the intranet is regarded as secure.
To protect the secure transmission of sensitive enterprise data over the internet, a digital authentication and access control system is generally deployed at the network boundary to provide services such as internet banking and mobile office to the outside. The client and the SSL proxy server complete identity authentication, key agreement and link encryption as shown in fig. 1. The SSL proxy server decrypts the traffic, then identifies, filters and controls access to the content, and only requests from legitimate users are forwarded in plaintext to the application server on the intranet. In recent years, however, many of the frequently occurring security incidents and advanced persistent threat activities have launched penetration attacks from inside the intranet to obtain data, so the intranet is no longer an absolutely secure network. Yet the existing application server generally performs only simple authentication of the SSL proxy server, such as IP-address-based authentication, and this insecure communication may be exploited by an attacker.
To improve the security of the whole network, an end-to-end full-link encryption method is needed that solves the problems of identity authentication, confidentiality and integrity. At present this is generally addressed in one of the following ways:
1. The application server itself performs user identity authentication and link encryption. This scheme realizes both functions at the application server, but boundary security supervisors cannot then manage the access behaviour of external network users or monitor and audit their traffic.
2. The application server performs secondary identity authentication and link encryption of the user. This scheme realizes both functions, but once an attacker obtains the user's identity information, the user's identity can still be forged for an attack.
3. An intermediate proxy certificate is used for cross-domain access: the user completes identity authentication and link encryption with the SSL proxy server using a personal certificate, and the SSL proxy server completes identity authentication and link encryption with the application system using the intermediate proxy certificate. This scheme realizes full-link encryption and prevents forgery of the user's identity information, but the identity authenticated by the application server is that of the proxy server rather than that of the original accessing user, so the boundary for access control and regulatory auditing at the application server becomes unclear.
Disclosure of Invention
In view of the defects and shortcomings of the background art, the invention provides a method for realizing a full-link encryption proxy using an event certificate, in which the SSL proxy server uses the event certificate to perform the SSL handshake with the application server. The method requires only the standard SSL protocol on the application side; it lets the application server audit both the end user and the SSL proxy server without any additional services, and it also solves the cross-trust-domain problem of interconnection between different CAs. Using the same PKI system, external network users can be supervised and audited independently, the application server can conveniently perform secondary access control and supervision of external terminal users, and through cross-domain identity authentication and full-link encryption the external network users obtain the same access experience as on the internal network.
An event certificate is a digital certificate issued for a particular event or behaviour. It is a dedicated digital certificate that contains key elements possessed by the current event or behaviour and cannot be used in other events or behaviours. An event certificate has a short validity period, requires no consideration of identity revocation, and is used with one key per session (the "one-time pad" property). In the invention, the validity period of the event certificate is the duration of one SSL session.
A method for implementing a full-link encryption proxy using event certificates, comprising the following steps:
step one: the external network user accesses the SSL proxy server using the user certificate; after the user has completed identity authentication, an asymmetric key pair is dynamically generated and associated with the user's session;
step two: the SSL proxy server constructs a PKCS #10 certificate request from the authenticated user's information and the temporary key pair;
step three: the SSL proxy server sends the certificate request to the CA service and asks it to issue an event certificate whose validity period equals that of the current user session;
step four: after obtaining the event certificate returned by the CA service, the SSL proxy server initiates an SSL handshake with the application server using the event certificate and the corresponding temporary private key;
step five: while handshaking with the SSL proxy server, the application server verifies the event certificate and thereby obtains the identity of the original accessing user rather than that of the proxy server, so the application server can perform secondary access control on the user and the auditing transparency of the whole system is improved.
In a preferred embodiment of the invention, in step three the event certificate issued on demand in linkage with the CA server carries the same identifier as the user certificate.
In a preferred embodiment of the invention, in step five the event certificate is used to complete identity authentication and SSL link encryption with the application server, so that full-link encryption from the user to the application server is realized; both the SSL proxy server and the application server obtain the user's identity information, which improves the transparency of the whole system.
The invention solves the communication security problem between the proxy and the application: the authentication identifier of the proxy is kept consistent with the identity identifier of the original accessing user, and the session makes full use of the event certificate's properties of immediate issuance, no need for storage and a short validity period. The event certificate mechanism also improves the security of access control and auditing of the whole system.
Drawings
The invention is further described below in conjunction with the appended drawings and the detailed description.
Fig. 1 is a flowchart of the method for implementing a full-link encryption proxy using an event certificate according to the invention.
Fig. 2 is a flowchart of the handshake protocol completed between the browser, using its own cryptographic algorithms, and the SSL proxy server.
Fig. 3 is a network topology diagram.
Fig. 4 is a flowchart of an event certificate issuance process.
Fig. 5 is a flow chart of the whole access process among the client, the SSL proxy server, the CA server and the application server.
Detailed Description
To make the technical means, creative features, objectives and effects of the invention easy to understand, the following description explains how to implement the invention with reference to the specific drawings.
(I) Digital certificate issuance and trust domains
A root CA signs and issues two subordinate CAs, a user certificate CA and an event certificate CA; the user certificate CA issues user certificates and the event CA server issues event certificates. The certificate chains of both the user certificate CA and the event CA are trusted by the application server on the enterprise intranet. The user certificate CA is trusted on the SSL proxy server.
(II) User access flow
Referring to fig. 3, a forward or reverse SSL proxy server is deployed at the network boundary, a CA server issues event certificates, an atomic clock provides the time source, and the SSL proxy server, the CA server and the application server synchronize their time to the atomic clock. The client or browser completes an SSL handshake with the SSL proxy server; the SSL proxy server, in linkage with the CA server, has an event certificate issued with the same DN as the user certificate; and the SSL proxy server uses that event certificate to complete an SSL handshake with the application server. The overall network topology is shown in fig. 4.
1) Referring to fig. 2, the user completes a real SSL handshake with the SSL proxy server using a browser or client, and the SSL proxy server authenticates the user. The specific steps are:
1.1) the client sends ClientHello to the SSL proxy server, listing the cryptographic algorithms the client supports;
1.2) the SSL proxy server returns ServerHello to the client, selecting the cryptographic algorithm to use;
1.3) the SSL proxy server returns ServerCertificate, i.e. the SSL proxy server's site certificate, and the client verifies the server's site certificate at this point;
1.4) the SSL proxy server returns ServerKeyExchange, sending the key exchange parameters required by the key exchange algorithm;
1.5) the SSL proxy server returns CertificateRequest, requiring the client to submit a certificate for identity authentication;
1.6) the SSL proxy server returns ServerHelloDone, indicating that it has completed this stage;
1.7) the client sends ClientCertificate, i.e. the client's digital certificate, to the SSL proxy server;
1.8) the client sends ClientKeyExchange, the client's key exchange data, to the SSL proxy server;
1.9) the client sends ClientCertificateVerify, the client's signature, to the SSL proxy server;
1.10) the client sends ChangeCipherSpec and Finished to the SSL proxy server, completing its part of the handshake;
1.11) the SSL proxy server returns ChangeCipherSpec and Finished to the client, completing the handshake.
2) The SSL proxy server checks the format and content of the accessing user's certificate and the user's authority; only legitimate users are allowed access.
3) As shown in fig. 4, the SSL proxy server invokes a server crypto engine or crypto card to dynamically generate an asymmetric key pair and associates it with this SSL session.
4) The SSL proxy server generates an event certificate request (PKCS #10) from the key pair and the user certificate.
5) The SSL proxy server, in linkage with the event CA server, has an event certificate issued with the same validity period as the session, and the event certificate is delivered to the SSL proxy server.
6) Referring to fig. 5, the SSL proxy server associates the event certificate with the SSL session and completes an SSL handshake with the application server using the event certificate. The specific steps are:
6.1) the SSL proxy server sends ClientHello to the application server, listing the cryptographic algorithms the SSL proxy server supports;
6.2) the application server returns ServerHello to the SSL proxy server, selecting the cryptographic algorithm to use;
6.3) the application server returns ServerCertificate, i.e. the application server's site certificate, and the SSL proxy server verifies it against the intranet CA certificate chain;
6.4) the application server returns ServerKeyExchange, sending the key exchange parameters required by the key exchange algorithm;
6.5) the application server returns CertificateRequest, requiring the SSL proxy server to submit a certificate for identity authentication;
6.6) the application server returns ServerHelloDone, indicating that it has completed this stage;
6.7) the SSL proxy server sends ClientCertificate to the application server; this certificate is the event certificate issued by the event CA server;
6.8) the SSL proxy server sends ClientKeyExchange, the key exchange data, to the application server;
6.9) the SSL proxy server sends ClientCertificateVerify to the application server, a signature made with the temporary private key belonging to the event certificate;
6.10) the SSL proxy server sends ChangeCipherSpec and Finished to the application server, completing its part of the handshake;
6.11) the application server returns ChangeCipherSpec and Finished to the SSL proxy server, completing the handshake.
7) The application server performs secondary access control, checking the user's authority, and single sign-on.
8) The SSL proxy server performs traffic monitoring and inspection, and encrypts the link between itself and the application server.
9) The SSL proxy server destroys the event certificate when the SSL session ends.
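The event-certificate lifecycle of steps 3) to 9) above (and of steps one to five in the summary), as an added example in Go using only the standard crypto/x509 package; this is illustrative code written for this page, not code from the patent or from Koal Software. The function names (newCA, eventCSR, issueEventCert, verifyEventCert), the sample user "alice", and a single self-signed event CA standing in for the page's root/user-CA/event-CA hierarchy are assumptions; the two TLS handshakes themselves are not performed, only the certificate request built by the proxy, the session-bound issuance by the event CA, and the application server's verification that recovers the original user's identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA is a test fixture: one self-signed event CA stands in for the page's root CA with user and event CAs beneath it.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// eventCSR is the proxy's side of steps 3) and 4): a key pair that lives only for this session, and a PKCS #10 request whose subject is the authenticated user's DN, not the proxy's.
func eventCSR(userSubject pkix.Name) ([]byte, *ecdsa.PrivateKey, error) {
	sessionKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: userSubject}, sessionKey)
	return csrDER, sessionKey, err // the proxy keeps sessionKey for its own handshake in step 6)
}

// issueEventCert is the event CA's side of step 5): check proof of possession, copy the subject unchanged, never set IsCA, and bound the validity period to the SSL session window.
func issueEventCert(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, sessionStart time.Time, sessionTTL time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the temporary private key
	}
	if err != nil {
		return nil, fmt.Errorf("rejecting certificate request: %w", err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject, // the user's DN, so the application server sees the original user
		NotBefore:    sessionStart,
		NotAfter:     sessionStart.Add(sessionTTL), // validity equals the SSL session window
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifyEventCert is the application server's side of steps 6.7) to 6.9) and 7): chain the client certificate to the trusted event CA at the current time and return the original user's CN.
func verifyEventCert(certDER []byte, eventCA *x509.Certificate, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(eventCA)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("event certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	eventCA, caKey := newCA("Example Event CA")
	csrDER, _, err := eventCSR(pkix.Name{CommonName: "alice"}) // constructed sample user DN
	if err != nil {
		panic(err)
	}
	certDER, err := issueEventCert(csrDER, eventCA, caKey, time.Now(), 30*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyEventCert(certDER, eventCA, time.Now().Add(time.Minute))) // alice <nil>
	fmt.Println(verifyEventCert(certDER, eventCA, time.Now().Add(time.Hour)))   // "" and an expiry error
}
```

The second verification, one hour in, shows the property the page relies on: once the session window has passed the event certificate is rejected by the validity check alone, with no revocation lookup, which is why it can simply be destroyed in step 9).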
The foregoing shows and describes the general principles, main features and advantages of the present invention. Those skilled in the art will understand that the invention is not limited to the embodiments described above, which, together with the description in the specification, only illustrate the principle of the invention; various changes and modifications may be made without departing from the spirit and scope of the invention, and these fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.

Claims (1)

1. A method for implementing a full-link encryption proxy using event certificates, comprising the following steps:
step one: the external network user accesses the SSL proxy server using the user certificate, and after the user has been authenticated, an asymmetric key pair is dynamically generated and associated with the user's session; this comprises the following:
the user completes a real SSL handshake with the SSL proxy server using a browser or client, and the SSL proxy server authenticates the user:
1.1) the client sends ClientHello to the SSL proxy server, listing the cryptographic algorithms the client supports;
1.2) the SSL proxy server returns ServerHello to the client, selecting the cryptographic algorithm to use;
1.3) the SSL proxy server returns ServerCertificate, i.e. the SSL proxy server's site certificate, and the client verifies the server's site certificate at this point;
1.4) the SSL proxy server returns ServerKeyExchange, sending the key exchange parameters required by the key exchange algorithm;
1.5) the SSL proxy server returns CertificateRequest, requiring the client to submit a certificate for identity authentication;
1.6) the SSL proxy server returns ServerHelloDone, indicating that it has completed this stage;
1.7) the client sends ClientCertificate, i.e. the client's digital certificate, to the SSL proxy server;
1.8) the client sends ClientKeyExchange, the client's key exchange data, to the SSL proxy server;
1.9) the client sends ClientCertificateVerify, the client's signature, to the SSL proxy server;
1.10) the client sends ChangeCipherSpec and Finished to the SSL proxy server, completing its part of the handshake;
1.11) the SSL proxy server returns ChangeCipherSpec and Finished to the client, completing the handshake;
step two: the SSL proxy server constructs a certificate request from the authenticated user's information and the temporary key pair;
step three: the SSL proxy server sends the certificate request to the CA service and asks it to issue an event certificate whose validity period equals that of the current user's SSL session; in step three, the event certificate issued on demand in linkage with the CA server carries the same identifier as the user certificate;
step four: after obtaining the event certificate returned by the CA service, the SSL proxy server initiates an SSL handshake with the application server using the event certificate and the corresponding temporary private key;
step five: the application server verifies the event certificate during the handshake with the SSL proxy server, obtains the identity of the original accessing user, and performs access control and auditing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010599085.5A CN111800402B (en) 2020-06-28 2020-06-28 Method for realizing full link encryption proxy by using event certificate

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010599085.5A CN111800402B (en) 2020-06-28 2020-06-28 Method for realizing full link encryption proxy by using event certificate

Publications (2)

Publication Number Publication Date
CN111800402A CN111800402A (en) 2020-10-20
CN111800402B true CN111800402B (en) 2022-08-09

Family

ID=72803924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010599085.5A Active CN111800402B (en) 2020-06-28 2020-06-28 Method for realizing full link encryption proxy by using event certificate

Country Status (1)

Country Link
CN (1) CN111800402B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347206B (en) * 2021-06-30 2023-05-09 建信金融科技有限责任公司 Network access method and device
CN115361188A (en) * 2022-08-11 2022-11-18 北京国领科技有限公司 SSL system for performing one-way and two-way authentication switching according to user attributes
CN115499181A (en) * 2022-09-06 2022-12-20 北京国领科技有限公司 SSL gateway self-adaptive one-way and two-way authentication method

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1512378A (en) * 2002-12-30 2004-07-14 成都三零盛安信息系统有限公司 Tunnel transmission method of SSL intermediate surrogate user certification
CN1738255A (en) * 2004-08-17 2006-02-22 迈普(四川)通信技术有限公司 Access control method and safety proxy server
CN101383820A (en) * 2008-07-07 2009-03-11 上海安融信息系统有限公司 Design and implementing method for SSL connection and data monitoring
CN101860546A (en) * 2010-06-18 2010-10-13 杭州电子科技大学 Method for improving SSL handshake protocol
CN102546572A (en) * 2010-12-31 2012-07-04 上海格尔软件股份有限公司 Realizing method for dynamic selection of certificates of SSL (Security Socket Layer) server
CN102811225A (en) * 2012-08-22 2012-12-05 神州数码网络(北京)有限公司 Method and switch for security socket layer (SSL) intermediate agent to access web resource
CN106656505A (en) * 2016-11-16 2017-05-10 航天信息股份有限公司 Mobile terminal electronic signature system based on event certificate and mobile terminal electronic signature method thereof
CN107135233A (en) * 2017-06-28 2017-09-05 百度在线网络技术(北京)有限公司 Safe transmission method and device, the server and storage medium of information
JP2018121328A (en) * 2017-01-10 2018-08-02 トラストニック リミテッド Event certificate for electronic device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650227B (en) * 2018-03-30 2021-03-30 苏州科达科技股份有限公司 Handshaking method and system based on datagram secure transmission protocol

Also Published As

Publication number Publication date
CN111800402A (en) 2020-10-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230627
Address after: Room 1008, Floor 10, Block A, No. 11, Dongzhimen South Street, Dongcheng District, Beijing 100027
Patentee after: Beijing Geer Guoxin Technology Co.,Ltd.
Address before: 200436 Room 601, Lane 299, JIANGCHANG West Road, Jingan District, Shanghai
Patentee before: KOAL SOFTWARE Co.,Ltd.