CN112653672A - Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm - Google Patents

Publication number
CN112653672A
Authority
CN
China
Prior art keywords
server
client
certificate
cryptographic algorithm
browser
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202011444441.2A
Other languages
Chinese (zh)
Inventor
李俊昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a two-way authentication method based on a national cryptographic algorithm, which comprises the following steps: adding adaptation to national cryptographic algorithm certificates under the communication module directory of a browser kernel, and generating a browser based on the modified browser kernel; generating a plurality of client certificates based on the national cryptographic algorithm at a plurality of clients, generating a server certificate based on the national cryptographic algorithm at a server, and uploading the plurality of client certificates and the server certificate to a proxy server; accessing the server from the browser at a client, and sending the client certificate to the server; verifying the client certificate at the server by means of the proxy server, and returning the server certificate and the public key to the client if the client certificate passes verification; and verifying the server certificate at the client based on the public key, and, if the server certificate passes verification, confirming that two-way authentication between the client and the server has passed and allowing the client and the server to communicate. The invention realizes national cryptographic two-way authentication and fills the gap that no browser supporting national cryptographic two-way certificates currently exists on the market.

Description

Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm
Technical Field
The invention relates to the technical field of information security, in particular to a two-way authentication method, a device, equipment and a readable medium based on a cryptographic algorithm.
Background
Digital certificates are of great significance to network communication security today: they provide identity authentication, data integrity verification, data confidentiality and other functions, and are an indispensable link. A server certificate alone can only guarantee the authenticity of the server website, and a username and password alone can only preliminarily identify a visitor. A truly secure and reliable network environment requires that the website, the user and the information transmission all be secure and trusted at the same time. Currently, most mutual authentication uses certificates generated with the RSA algorithm, and mutual authentication with certificates generated using the SM2 national cryptographic algorithm is not yet supported.
In existing two-way authentication technology, certificates are generally generated with algorithms such as RSA and DSA, and the SM2 and SM4 national cryptographic algorithms are not supported; the security of the certificates cannot be ensured, and domestic confidential information may be stolen if it is transmitted using these algorithms.
At present, only a small number of the common browsers on the market support national cryptographic algorithms, and those support one-way authentication only; two-way authentication with a browser client certificate is not supported.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a two-way authentication method, apparatus, device and readable medium based on a national cryptographic algorithm, which add support for the national cryptographic algorithm by modifying the configuration of the browser kernel engine, so that the browser supports the import of national cryptographic algorithm certificates and data transmission, thereby implementing national cryptographic two-way authentication and filling the gap that no browser supporting national cryptographic two-way certificates currently exists on the market.
Based on the above purpose, an aspect of the embodiments of the present invention provides a two-way authentication method based on a national cryptographic algorithm, including the following steps: adding adaptation to national cryptographic algorithm certificates under the communication module directory of a browser kernel, and generating a browser based on the modified browser kernel; generating a plurality of client certificates based on the national cryptographic algorithm at a plurality of clients, generating a server certificate based on the national cryptographic algorithm at a server, and uploading the plurality of client certificates and the server certificate to a proxy server; accessing the server from the browser at a client, and sending the client certificate to the server; verifying the client certificate at the server by means of the proxy server, and returning the server certificate and the public key to the client if the client certificate passes verification; and verifying the server certificate at the client based on the public key, and, if the server certificate passes verification, confirming that two-way authentication between the client and the server has passed and allowing the client and the server to communicate.
In some embodiments, adding adaptation to national cryptographic algorithm certificates under the communication module directory of the browser kernel, and generating the browser based on the modified browser kernel comprises: modifying the source code of the browser kernel, adding adaptation to national cryptographic algorithm certificates in the SSL communication module, and generating the browser based on the modified browser kernel, wherein the browser kernel is Chromium, and the browser comprises the 360 Extreme Browser and/or the QQ Browser and/or the Sogou high-speed browser.
In some embodiments, uploading the plurality of client certificates and the server certificate to the proxy server comprises: uploading the root certificates of the client certificates and the root certificate of the server certificate to a configuration file of the proxy server, wherein the proxy server is an nginx proxy server.
In some embodiments, sending the client certificate to the server comprises: sending the national cryptographic SSL protocol version number, the encryption algorithm type and the random number information of the client certificate to the server.
In some embodiments, verifying the server certificate based on the public key at the client comprises: verifying whether the certificate of the server side is expired; verifying whether an issuing authority issuing the server side certificate is reliable or not; and verifying whether the public key can correctly unlock the digital signature of the server certificate.
In some embodiments, the client communicating with the server includes: obtaining, at the server, the encryption schemes supported by the client; selecting, from the encryption schemes supported by the client, the scheme with the highest encryption strength that the server supports as a first encryption scheme; encrypting the first encryption scheme based on a public key of the server and sending the resulting ciphertext to the client; receiving the ciphertext at the client and decrypting it based on a private key of the client to obtain the first encryption scheme; and communicating between the client and the server based on the first encryption scheme.
In another aspect of the embodiments of the present invention, a two-way authentication apparatus based on a national cryptographic algorithm is further provided, including: an initial module configured to add adaptation to national cryptographic algorithm certificates under the communication module directory of the browser kernel, and generate a browser based on the modified browser kernel; a certificate generation module configured to generate a plurality of client certificates based on the national cryptographic algorithm at a plurality of clients, generate a server certificate based on the national cryptographic algorithm at a server, and upload the client certificates and the server certificate to the proxy server; a first authentication module configured to access the server from the browser at the client and send a client certificate to the server; a second authentication module configured to verify the client certificate at the server by means of the proxy server, and return the server certificate and the public key to the client if the client certificate passes verification; and a communication module configured to verify the server certificate at the client based on the public key, and, if the server certificate passes verification, confirm that two-way authentication between the client and the server has passed and allow the client and the server to communicate.
In some embodiments, the communication module is further configured to: obtain, at the server, the encryption schemes supported by the client; select, from the encryption schemes supported by the client, the scheme with the highest encryption strength that the server supports as a first encryption scheme; encrypt the first encryption scheme based on a public key of the server and send the resulting ciphertext to the client; receive the ciphertext at the client and decrypt it based on a private key of the client to obtain the first encryption scheme; and have the client and the server communicate based on the first encryption scheme.
In another aspect of the embodiments of the present invention, there is also provided a computer device, including: at least one processor; and a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of the method.
In a further aspect of the embodiments of the present invention, a computer-readable storage medium is also provided, which stores a computer program that implements the above method steps when executed by a processor.
The invention has the following beneficial technical effects: by modifying the configuration of the browser kernel engine, support for the national cryptographic algorithm is added, so that the browser supports the import of national cryptographic algorithm certificates and data transmission; national cryptographic two-way authentication is thereby realized, and the gap that no browser supporting national cryptographic two-way certificates currently exists on the market is filled.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
FIG. 1 is a schematic diagram of an embodiment of a mutual authentication method based on a cryptographic algorithm according to the present invention;
FIG. 2 is a schematic diagram of an embodiment of a mutual authentication device based on a cryptographic algorithm according to the present invention;
FIG. 3 is a schematic diagram of an embodiment of a computer device provided by the present invention;
FIG. 4 is a schematic diagram of an embodiment of a computer-readable storage medium provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities that have the same name but are not the same entity, or two parameters that are not the same. "First" and "second" are used merely for convenience of description and should not be construed as limiting the embodiments of the present invention; this is not repeated in the following embodiments.
In view of the above-mentioned objectives, the first aspect of the embodiments of the present invention proposes an embodiment of a bidirectional authentication method based on a cryptographic algorithm. Fig. 1 is a schematic diagram illustrating an embodiment of a bidirectional authentication method based on a cryptographic algorithm according to the present invention. As shown in fig. 1, the embodiment of the present invention includes the following steps performed at the maintenance device side:
S01, adding adaptation to national cryptographic algorithm certificates under the communication module directory of the browser kernel, and generating the browser based on the modified browser kernel;
S02, generating a plurality of client certificates at a plurality of clients based on the national cryptographic algorithm, generating a server certificate at a server based on the national cryptographic algorithm, and uploading the plurality of client certificates and the server certificate to the proxy server;
S03, accessing the server from the browser at the client, and sending the client certificate to the server;
S04, verifying the client certificate at the server by means of the proxy server, and returning the server certificate and the public key to the client if the client certificate passes verification; and
S05, verifying the server certificate at the client based on the public key, and, if the server certificate passes verification, confirming that two-way authentication between the client and the server has passed and allowing the client and the server to communicate.
In this embodiment, the core is to add support for the national cryptographic algorithm by modifying the configuration of the Chromium kernel engine, so that it supports the import of national cryptographic algorithm certificates and data transmission. The GmSSL project is used to generate the CA certificate, the client certificates and the server certificate with the national cryptographic algorithm. The CA certificate and the server certificate are configured in nginx and support for the national cryptographic algorithm is enabled, so that the client's national cryptographic certificate can be recognized. When a user needs to access the server, the user imports the user certificate into the modified Chromium browser on the user's computer and visits the server address, which realizes national cryptographic two-way authentication.
In some embodiments of the present invention, adding adaptation to national cryptographic algorithm certificates under the communication module directory of the browser kernel, and generating the browser based on the modified browser kernel includes: modifying the source code of the browser kernel, adding adaptation to national cryptographic algorithm certificates in the SSL communication module, and generating the browser based on the modified browser kernel, wherein the browser kernel is Chromium, and the browser comprises the 360 Extreme Browser and/or the QQ Browser and/or the Sogou high-speed browser.
In this embodiment, adaptation to national cryptographic algorithm certificates is added under the communication module directory of the browser kernel, and the browser is generated based on the modified browser kernel. Taking Chromium as an example: Chromium is a free and open-source software project started by Google for developing Google Chrome, and its source code is released under several licenses such as the BSD license. Browsers common in China, such as the 360 Extreme Browser, the QQ Browser and the Sogou high-speed browser, are all developed on the basis of Chromium. This kernel can therefore be used to develop support for national cryptographic mutual authentication: the Chromium source code is modified, the SSL communication module is adjusted, and adaptation to national cryptographic certificates is added.
In some embodiments, uploading the plurality of client certificates and the server certificate to the proxy server comprises: uploading the root certificates of the client certificates and the root certificate of the server certificate to a configuration file of the proxy server, wherein the proxy server is an nginx proxy server.
In the present embodiment, the CA root for the national cryptographic client certificates is generated using the cryptographic tool GmSSL; GmSSL is used to generate the different national cryptographic client certificates, which are signed with the CA; and GmSSL is used to generate the national cryptographic server certificate. GmSSL is an open-source cryptographic toolkit that supports the national cryptographic (national commercial cryptography) algorithms such as SM2/SM3/SM4/SM9/ZUC, SM2 national cryptographic digital certificates, and the SSL/TLS secure communication protocol based on SM2 certificates. It supports national cryptographic hardware devices, provides programming interfaces and command-line tools that conform to the national cryptographic specifications, and can be used to build security applications that conform to the national cryptographic standards, such as PKI/CA, secure communication and data encryption. The GmSSL project is a branch of the OpenSSL project and remains interface-compatible with OpenSSL. OpenSSL is an open-source software library that applications can use to communicate securely, avoiding eavesdropping while confirming the identity of the peer at the other end of the connection; it is widely used on web servers on the Internet. GmSSL can therefore replace the OpenSSL component in an application, which automatically gives the application security capabilities based on national cryptography. The GmSSL project uses a BSD-like open-source license that is friendly to commercial use and can be used in closed-source commercial applications.
In the present embodiment, nginx is taken as an example. nginx is a lightweight web server/reverse proxy server and e-mail (IMAP/POP3) proxy server. The nginx build configuration of the proxy server is modified and adjusted according to where GmSSL is installed; nginx is deployed and its configuration file is modified so that the server certificate and the CA root of the client certificates are configured in it; finally, nginx is run.
In some embodiments, sending the client certificate to the server comprises: sending the national cryptographic SSL protocol version number, the encryption algorithm type and the random number information of the client certificate to the server.
In this embodiment, the user copies the client certificate to the user's computer and imports it into the browser; the user then opens the modified Chromium browser and enters the address of the server. The client sends information such as the national cryptographic SSL protocol version number, the encryption algorithm type and the random number to the server.
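The proxy-side configuration described above comes down to a handful of nginx TLS directives. The fragment below is an added illustration, not taken from the patent: the directives are those of stock nginx, the file paths, server name and upstream address are placeholders, and any extra directives a GmSSL-linked build may require are not stated on the page and are not shown.

```nginx
# Added illustration; paths, server_name and the upstream are placeholders.
server {
    listen 443 ssl;
    server_name server.example;

    # Server certificate and private key (generated with GmSSL in the
    # flow described above).
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # CA root that signed the client certificates. nginx validates the
    # certificate presented by the browser against this file.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_depth 2;

    # Weak setting: with "optional", a request that carries no client
    # certificate is still served ($ssl_client_verify is NONE), so the
    # authentication is two-way only if the backend checks that variable.
    # ssl_verify_client optional;

    # Two-way authentication: requests without a client certificate that
    # chains to client-ca.crt are refused by nginx itself.
    ssl_verify_client on;

    location / {
        # Hand the verification result and subject to the backend so it
        # can log and authorize per client identity.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The backend should accept the `X-Client-*` headers only from the proxy, since a client that can reach it directly could set them itself.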
In some embodiments, verifying the server certificate based on the public key at the client comprises: verifying whether the certificate of the server side is expired; verifying whether an issuing authority issuing the server side certificate is reliable or not; and verifying whether the public key can correctly unlock the digital signature of the server certificate.
In this embodiment, the server returns information such as the version number of the secure SSL protocol, the encryption algorithm type and the random number to the client, and also returns the server's certificate, that is, the public key certificate. The client uses the information returned by the server to verify the validity of the server, including: whether the certificate has expired, whether the CA that issued the server certificate is reliable, whether the returned public key can correctly decrypt the digital signature in the returned certificate, and whether the domain name on the server certificate matches the actual domain name of the server. If verification passes, communication continues; otherwise, communication is terminated.
In some embodiments, the client communicating with the server includes: obtaining, at the server, the encryption schemes supported by the client; selecting, from the encryption schemes supported by the client, the scheme with the highest encryption strength that the server supports as a first encryption scheme; encrypting the first encryption scheme based on a public key of the server and sending the resulting ciphertext to the client; receiving the ciphertext at the client and decrypting it based on a private key of the client to obtain the first encryption scheme; and communicating between the client and the server based on the first encryption scheme.
In this embodiment, the client sends the symmetric encryption schemes it can support to the server for the server to choose from. The server selects the encryption mode with the highest encryption strength from the schemes offered by the client, encrypts the selected scheme using the previously acquired public key, and returns it to the client. After receiving the encryption scheme ciphertext returned by the server, the client decrypts it with its own private key to obtain the specific encryption mode, then generates a random code for that encryption mode to be used as the key in the encryption process, encrypts the random code with the public key previously obtained from the server certificate, and sends it to the server. After receiving the message sent by the client, the server decrypts it with its own private key to obtain the symmetric encryption key. In the subsequent session, the server and the client use this key for symmetric encryption, which ensures the security of information during communication.
It should be particularly noted that, the steps in the embodiments of the bidirectional authentication method based on the cryptographic algorithm may be mutually intersected, replaced, added, and deleted, so that the reasonable permutation and combination transformation of the bidirectional authentication method based on the cryptographic algorithm also belongs to the protection scope of the present invention, and should not limit the protection scope of the present invention on the embodiments.
In view of the above object, according to a second aspect of the embodiments of the present invention, a bidirectional authentication apparatus based on a cryptographic algorithm is provided. Fig. 2 is a schematic diagram illustrating an embodiment of a bidirectional authentication device based on a cryptographic algorithm according to the present invention. As shown in fig. 2, the embodiment of the present invention includes the following modules: an initial module S11, configured to add adaptation to the cryptographic algorithm certificate under the communication module directory of the browser kernel, and generate a browser based on the modified browser kernel; the certificate generation module S12 is configured to generate a plurality of client certificates at a plurality of clients based on a cryptographic algorithm, generate a server certificate at a server based on the cryptographic algorithm, and upload the plurality of client certificates and the server certificate to the proxy server; a first authentication module S13, configured to access the server at the client based on the browser, and send the client certificate to the server; the second authentication module S14 is configured to verify the client certificate at the server based on the proxy server, and if the client certificate passes the verification, return the server certificate and the public key to the client; and a communication module S15, configured to verify the server certificate based on the public key at the client, and if the server certificate passes the verification, confirm that the client and the server pass the mutual authentication, and communicate between the client and the server.
In some embodiments of the invention, the communication module S15 is further configured to: obtain, at the server, the encryption schemes supported by the client; select, from the encryption schemes supported by the client, the scheme with the highest encryption strength that the server supports as a first encryption scheme; encrypt the first encryption scheme based on a public key of the server and send the resulting ciphertext to the client; receive the ciphertext at the client and decrypt it based on a private key of the client to obtain the first encryption scheme; and have the client and the server communicate based on the first encryption scheme.
In view of the above object, a third aspect of the embodiments of the present invention provides a computer device. Fig. 3 is a schematic diagram of an embodiment of a computer device provided by the present invention. As shown in fig. 3, an embodiment of the present invention includes the following means: at least one processor S21; and a memory S22, the memory S22 storing computer instructions S23 executable on the processor, the instructions when executed by the processor implementing the steps of the above method.
The invention also provides a computer-readable storage medium. FIG. 4 is a schematic diagram illustrating an embodiment of a computer-readable storage medium provided by the present invention. As shown in FIG. 4, the computer-readable storage medium S31 stores a computer program S32 that, when executed by a processor, performs the method described above.
Finally, it should be noted that, as one of ordinary skill in the art can appreciate, all or part of the processes of the methods of the above embodiments may be implemented by a computer program to instruct related hardware, and the program of the mutual authentication method based on the cryptographic algorithm may be stored in a computer readable storage medium, and when executed, may include the processes of the embodiments of the methods as described above. The storage medium of the program may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM), or the like. The embodiments of the computer program may achieve the same or similar effects as any of the above-described method embodiments.
Furthermore, the methods disclosed according to embodiments of the present invention may also be implemented as a computer program executed by a processor, which may be stored in a computer-readable storage medium. Which when executed by a processor performs the above-described functions defined in the methods disclosed in embodiments of the invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to suggest that the scope of the disclosure of embodiments of the invention, including the claims, is limited to these examples; within the idea of an embodiment of the invention, technical features in the above embodiment or in different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A two-way authentication method based on a cryptographic algorithm, characterized by comprising the following steps:
adding adaptation to a cryptographic algorithm certificate under a communication module directory of a browser kernel, and generating a browser based on the modified browser kernel;
generating a plurality of client certificates based on the state cryptographic algorithm at a plurality of clients, generating a server certificate based on the state cryptographic algorithm at a server, and uploading the plurality of client certificates and the server certificate to a proxy server;
accessing the server at the client based on the browser and sending the client certificate to the server;
verifying the client certificate at the server based on the proxy server, and if the client certificate passes the verification, returning the server certificate and the public key to the client; and
verifying the server certificate based on the public key at the client, and if the server certificate passes the verification, confirming that the bidirectional authentication between the client and the server passes, and the client and the server communicating.
2. The mutual authentication method based on the cryptographic algorithm of claim 1, wherein adding adaptation to a cryptographic algorithm certificate under the communication module directory of the browser kernel and generating a browser based on the modified browser kernel comprises:
modifying a source code of a browser kernel, adding adaptation to a cryptographic algorithm certificate in an SSL communication module, and generating a browser based on the modified browser kernel, wherein the browser kernel is Chrome, and the browser comprises a 360 speed browser and/or a QQ browser and/or a Sogou high-speed browser.
3. The cryptographic algorithm-based mutual authentication method according to claim 1, wherein uploading the plurality of client certificates and the server certificate to a proxy server comprises:
uploading root certificates of the client certificates and root certificates of the server certificates to a configuration file of a proxy server, wherein the proxy server is an nginx proxy server.
4. The cryptographic algorithm-based mutual authentication method according to claim 1, wherein sending the client certificate to the server comprises:
sending information on the version number of the state cryptographic SSL protocol, the encryption algorithm type and the random number of the client certificate to the server.
5. The mutual authentication method based on the cryptographic algorithm of claim 1, wherein verifying the server certificate based on the public key at the client comprises:
verifying whether the server certificate is expired;
verifying whether the issuing authority that issued the server certificate is reliable;
and verifying whether the public key can correctly unlock the digital signature of the server certificate.
6. The mutual authentication method based on the cryptographic algorithm of claim 1, wherein the communication between the client and the server comprises:
acquiring the encryption schemes supported by the client at the server, selecting the encryption scheme with the highest encryption degree supported by the server as a first encryption scheme from the encryption schemes supported by the client, encrypting the first encryption scheme based on the public key of the server, and sending the encrypted ciphertext to the client;
receiving the ciphertext at the client, and decrypting the ciphertext based on a private key of the client to obtain the first encryption scheme;
the client and the server communicate based on the first encryption scheme.
7. A bidirectional authentication device based on a cryptographic algorithm is characterized by comprising:
the initial module is configured to add adaptation to a cryptographic algorithm certificate under a communication module directory of a browser kernel, and generate a browser based on the modified browser kernel;
the certificate generating module is configured to generate a plurality of client certificates based on the cryptographic algorithm at a plurality of clients, generate a server certificate based on the cryptographic algorithm at a server, and upload the plurality of client certificates and the server certificate to the proxy server;
the first authentication module is configured to access the server based on the browser at the client and send the client certificate to the server;
the second authentication module is configured to verify the client certificate at the server based on the proxy server, and return the server certificate and the public key to the client if the client certificate passes the verification; and
the communication module is configured to verify the server certificate based on the public key at the client, and if the server certificate passes the verification, confirm that the two-way authentication between the client and the server passes, and the client and the server communicate.
8. The cryptographic algorithm-based mutual authentication device according to claim 7, wherein the communication module is further configured to:
acquiring the encryption schemes supported by the client at the server, selecting the encryption scheme with the highest encryption degree supported by the server as a first encryption scheme from the encryption schemes supported by the client, encrypting the first encryption scheme based on the public key of the server, and sending the encrypted ciphertext to the client;
receiving the ciphertext at the client, and decrypting the ciphertext based on a private key of the client to obtain the first encryption scheme;
the client and the server communicate based on the first encryption scheme.
9. A computer device, comprising:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions, when executed by the processor, implementing the steps of the method according to any one of claims 1 to 6.
10. A computer-readable storage medium, in which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
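The verification order of claim 1 and the three certificate checks of claim 5 (validity period, trusted issuer, signature), as an added Go sketch that is not code from the patent. Assumptions: ECDSA P-256 stands in for the SM2 certificates the claims describe, the checks the claims assign to the nginx proxy are done in-process, and the names `issue`, `verifyPeer` and `mutualAuth` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with ca/caKey; a nil ca yields a self-signed root.
// ECDSA P-256 stands in for SM2, which the Go standard library does not implement.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, notAfter time.Time,
	eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-48 * time.Hour),
		NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if ca == nil { // self-signed root that is allowed to sign other certificates
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPeer checks validity period, chain to the trusted root, and the issuer's signature.
func verifyPeer(peer, root *x509.Certificate, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// mutualAuth follows the claimed order: the client is checked first, then the server.
func mutualAuth(client, clientRoot, server, serverRoot *x509.Certificate) error {
	if err := verifyPeer(client, clientRoot, x509.ExtKeyUsageClientAuth); err != nil {
		return fmt.Errorf("server rejected client: %w", err)
	}
	return verifyPeer(server, serverRoot, x509.ExtKeyUsageServerAuth)
}

func main() {
	exp := time.Now().Add(24 * time.Hour) // demo only: issue errors are ignored below
	root, rk, _ := issue("root", nil, nil, exp, x509.ExtKeyUsageAny)
	cli, _, _ := issue("client-1", root, rk, exp, x509.ExtKeyUsageClientAuth)
	srv, _, _ := issue("server", root, rk, exp, x509.ExtKeyUsageServerAuth)
	fmt.Println("mutual auth error:", mutualAuth(cli, root, srv, root))
}
```

An expired certificate fails with `x509.CertificateInvalidError` (reason `x509.Expired`), and one issued by a root outside the trusted pool fails with `x509.UnknownAuthorityError`.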
CN202011444441.2A 2020-12-11 2020-12-11 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm Withdrawn CN112653672A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011444441.2A CN112653672A (en) 2020-12-11 2020-12-11 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011444441.2A CN112653672A (en) 2020-12-11 2020-12-11 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm

Publications (1)

Publication Number Publication Date
CN112653672A true CN112653672A (en) 2021-04-13

Family

ID=75350968

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011444441.2A Withdrawn CN112653672A (en) 2020-12-11 2020-12-11 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm

Country Status (1)

Country Link
CN (1) CN112653672A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452522A (en) * 2021-06-28 2021-09-28 杭州云象网络技术有限公司 Hardware security module software implementation method based on state password, storage medium and device
CN113992702A (en) * 2021-09-16 2022-01-28 深圳市证通电子股份有限公司 Storage state encryption reinforcing method and system for ceph distributed file system
CN114363073A (en) * 2022-01-07 2022-04-15 中国联合网络通信集团有限公司 TLS encrypted traffic analysis method and device, terminal device and storage medium
CN114499897A (en) * 2022-04-14 2022-05-13 成都边界元科技有限公司 Self-adaptive verification method and verification system for SM2 security certificate
CN114826570A (en) * 2022-03-30 2022-07-29 微位(深圳)网络科技有限公司 Certificate acquisition method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102946314A (en) * 2012-11-08 2013-02-27 成都卫士通信息产业股份有限公司 Client-side user identity authentication method based on browser plug-in
CN104735068A (en) * 2015-03-24 2015-06-24 江苏物联网研究发展中心 SIP security authentication method based on commercial passwords
CN106936790A (en) * 2015-12-30 2017-07-07 上海格尔软件股份有限公司 The method that client and server end carries out two-way authentication is realized based on digital certificate
CN111740844A (en) * 2020-06-24 2020-10-02 上海缔安科技股份有限公司 SSL communication method and device based on hardware cryptographic algorithm
CN112003843A (en) * 2020-08-12 2020-11-27 中电科技(北京)有限公司 SSL authentication method and device for domestic BMC server

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452522A (en) * 2021-06-28 2021-09-28 杭州云象网络技术有限公司 Hardware security module software implementation method based on state password, storage medium and device
CN113452522B (en) * 2021-06-28 2022-09-13 杭州云象网络技术有限公司 Hardware security module software implementation method based on state password, storage medium and device
CN113992702A (en) * 2021-09-16 2022-01-28 深圳市证通电子股份有限公司 Storage state encryption reinforcing method and system for ceph distributed file system
CN113992702B (en) * 2021-09-16 2023-11-03 深圳市证通电子股份有限公司 Ceph distributed file system storage state password reinforcement method and system
CN114363073A (en) * 2022-01-07 2022-04-15 中国联合网络通信集团有限公司 TLS encrypted traffic analysis method and device, terminal device and storage medium
CN114826570A (en) * 2022-03-30 2022-07-29 微位(深圳)网络科技有限公司 Certificate acquisition method, device, equipment and storage medium
CN114499897A (en) * 2022-04-14 2022-05-13 成都边界元科技有限公司 Self-adaptive verification method and verification system for SM2 security certificate

Similar Documents

Publication Publication Date Title
CN112653672A (en) Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm
CN109120639B (en) Data cloud storage encryption method and system based on block chain
US7992194B2 (en) Methods and apparatus for identity and role management in communication networks
EP3149887B1 (en) Method and system for creating a certificate to authenticate a user identity
KR100568233B1 (en) Device Authentication Method using certificate and digital content processing device using the method
CN110598422A (en) Trusted identity authentication system and method based on mobile digital certificate
EP2553894B1 (en) Certificate authority
US11968302B1 (en) Method and system for pre-shared key (PSK) based secure communications with domain name system (DNS) authenticator
CN113572740A (en) Cloud management platform authentication encryption method based on state password
CN109981287A (en) A kind of code signature method and its storage medium
US12015721B1 (en) System and method for dynamic retrieval of certificates with remote lifecycle management
JP7211519B2 (en) Owner identity confirmation system, terminal and owner identity confirmation method
JP7251633B2 (en) Owner Identity Confirmation System, Certificate Authority Server and Owner Identity Confirmation Method
RU2707398C1 (en) Method and system for secure storage of information in file storages of data
CN115361147A (en) Device registration method and device, computer device and storage medium
Easttom SSL/TLS
Karamanian et al. PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks
US20240323026A1 (en) System and method for pre-shared key (psk) based supply chain tamper resistance
US20240322996A1 (en) System and method for pre-shared key (psk) based selective encryption of partial sections of messages
US20240323685A1 (en) System and method for pre-shared key (psk) based secure communications with mobile service provider authenticator
US20240323686A1 (en) System and method for pre-shared key (psk) based wireless access point authentication
US20240323027A1 (en) System and method for pre-shared key (psk) based content signing for tamper resistance
US20240323034A1 (en) System and method for extended attributes in certificates for dynamic authorization
Natusch Authentication in mTLS with Decentralized Identifiers and Verifiable Credentials
Loconsolo Securing digital identities: from the deployment to the analysis of a PKI ecosystem with virtual HSMs leveraging open-source tools

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210413