CN112769854A - Security protocol authentication method and system supporting multiple kinds of digital identity information

Publication number: CN112769854A
Application number: CN202110081096.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郑军, 朱东明, 胡进
Current Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd
Original Assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a security protocol authentication method and system supporting multiple kinds of digital identity information, comprising the following steps: (1) a first device receives an identity authentication request from a second device and parses the request to obtain the second device's digital identity information type identifier and the digital identity information corresponding to that type identifier; (2) the first device parses the second device's digital identity information using the parsing mode corresponding to the second device's digital identity information type identifier, and verifies the parsed digital identity information to obtain a verification result; (3) the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends. The invention addresses the technical problem that existing security protocols cannot support certificates in new standard formats, and the problem of compatibility between certificates in new standard formats and the original standard certificates when the new certificates are deployed.

Description

Security protocol authentication method and system supporting multiple kinds of digital identity information
Technical Field
The invention belongs to the technical fields of information security and Internet of Things communication, and particularly relates to a security protocol authentication method and system supporting multiple kinds of digital identity information.
Background
As informatization continues to advance, government departments, enterprises and public institutions have deployed large numbers of business systems on the Internet and exchange business data over the Internet with branch offices or partners in other regions. The business data transmitted over the network are important digital assets of these organizations and require confidentiality, authenticity, integrity and non-repudiation; these requirements are currently met mainly by PKI technology.
A PKI system is a combination of computer hardware and software, authorities, and application systems. It provides basic security services for e-commerce, e-government, office automation and the like, so that users who do not know each other or are far apart can transmit data securely through a chain of trust. Existing security protocols based on PKI technology mainly use certificates in the X.509 certificate format.
However, existing security protocols have some non-negligible technical problems in use: first, they support only certificates in the X.509 certificate format and cannot support certificates in new standard formats, such as the IEEE 1609.2 certificate format used in the Internet of Things; second, for a certificate in a new standard format to use an existing security protocol, the new PKI system must be compatible with the standard system of the original X.509 certificates, which increases the complexity of system deployment.
Disclosure of Invention
In view of the above defects or improvement requirements of the prior art, the present invention provides a security protocol authentication method and system supporting multiple kinds of digital identity information. It aims to solve the technical problem that existing security protocols cannot support certificates in new standard formats, and the problem of compatibility with the original standard certificates when certificates in new standard formats are deployed.
In order to achieve the above object, according to one aspect of the present invention, there is provided a security protocol authentication method supporting multiple kinds of digital identity information, including the following steps:
(1) a first device receives an identity authentication request from a second device and parses the request to obtain the second device's digital identity information type identifier and the digital identity information corresponding to that type identifier;
(2) the first device parses the second device's digital identity information using the parsing mode corresponding to the type identifier obtained in step (1), and verifies the parsed digital identity information to obtain a verification result;
(3) the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends.
Preferably, the identity authentication request in step (1) includes a digital identity information type identifier and digital identity information, where the type identifier indicates which kind of digital identity information the second device uses, and the digital identity information may be in the X.509 certificate format, the IEEE 1609.2 certificate format, the GB/T 37376 certificate format, or a certificateless format.
Preferably, when the digital identity information corresponding to the type identifier obtained in step (1) is in the X.509 certificate format, step (2) specifically includes:
(2-1) the first device parses the digital identity information from the second device according to the X.509 certificate standard to obtain the certificate's validity period, certificate signature, certificate issuer, and the online service address in the certificate's extensions;
(2-2) the first device determines whether the start time of the validity period parsed in step (2-1) is earlier than the current time and the expiry time is later than the current time; if so, the method proceeds to step (2-3); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the method proceeds to step (2-4); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-4) the first device determines whether the certificate status is normal according to the online service address in the certificate extensions parsed in step (2-1); if so, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends.
Preferably, determining whether the certificate status is normal according to the online service address consists of looking up the certificate status at the online service address; if the certificate status is normal, the verification passes; otherwise, the verification fails.
Preferably, when the digital identity information corresponding to the type identifier obtained in step (1) is in the X.509 certificate format, step (2) specifically includes:
(2-1) the first device parses the digital identity information from the second device according to the X.509 certificate standard to obtain the certificate's validity period, certificate signature, and certificate issuer;
(2-2) the first device determines whether the start time of the validity period parsed in step (2-1) is earlier than the current time and the expiry time is later than the current time; if so, the method proceeds to step (2-3); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the method proceeds to step (2-4); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-4) the first device obtains a locally stored certificate revocation list file and uses it to determine whether the status of the certificate parsed in step (2-1) is normal; if so, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends.
Preferably, when the digital identity information corresponding to the type identifier obtained in step (1) is in the IEEE 1609.2 certificate format, step (2) specifically includes:
(2-1) the first device parses the digital identity information from the second device according to the IEEE 1609.2 certificate standard to obtain the certificate's validity period, certificate type, certificate signature, and certificate issuer;
(2-2) the first device determines whether the start time of the validity period parsed in step (2-1) is earlier than the current time and the expiry time is later than the current time; if so, the method proceeds to step (2-3); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate revocation list file and uses it to determine whether the status of the certificate parsed in step (2-1) is normal; if so, the method proceeds to step (2-4); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-4) the first device determines whether the certificate type parsed in step (2-1) is an explicit certificate; if so, the method proceeds to step (2-5); otherwise, it proceeds to step (2-6);
(2-5) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-6) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate issuer parsed in step (2-1); if the certificate issuer is the same as the issuer of the certificate authority certificate, the method proceeds to step (2-7); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-7) the first device performs a digest operation on the certificate parsed in step (2-1) to obtain a digest value and compares the digest value with the locally stored digest; if they are consistent, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends.
Preferably, determining whether the certificate status is normal using the certificate revocation list file consists of determining whether the certificate revocation list file contains the serial number of the certificate; if it does not, the certificate status is normal and the certificate passes verification; otherwise, the certificate fails verification.
Preferably, when the digital identity information corresponding to the type identifier obtained in step (1) is in the GB/T 37376 certificate format, step (2) specifically includes:
(2-1) the first device parses the digital identity information from the second device according to the GB/T 37376 certificate standard to obtain the certificate's validity period, certificate signature, and certificate issuer;
(2-2) the first device determines whether the start time of the validity period parsed in step (2-1) is earlier than the current time and the expiry time is later than the current time; if so, the method proceeds to step (2-3); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the method proceeds to step (2-4); otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-4) the first device obtains a locally stored certificate revocation list file and uses it to determine whether the status of the certificate parsed in step (2-1) is normal; if so, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends.
Preferably, when the digital identity information corresponding to the type identifier obtained in step (1) is in a certificateless format, step (2) specifically includes:
(2) the first device parses the digital identity information from the second device in the certificateless mode, performs a digest operation on the parsed digital identity information to obtain a digest value, and compares the digest value with the locally stored digest; if they are consistent, the process ends; otherwise, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends.
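The three steps and the per-format check order described above can be exercised end to end. The following is an added example, not code from the patent: the request framing, the JSON stand-in for certificate encodings, the HMAC stand-in for the CA signature, and all function and field names are assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import struct

class AuthError(Exception):
    """Verification failed: send the alert and drop the handshake."""

# Constructed local trust state, assumed to be provisioned out of band.
CA_NAME = "Example Root CA"
CA_KEY = b"constructed-demo-key"  # stand-in for the CA's verification key
CRL_SERIALS = {"1003"}            # serial numbers in the locally stored CRL
PINNED_DIGESTS = set()            # locally stored SHA-256 identity digests

def ca_sign(cert):
    # HMAC-SHA256 stands in for the CA's public-key signature (stdlib only).
    body = {k: v for k, v in cert.items() if k != "signature"}
    tbs = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, tbs, hashlib.sha256).hexdigest()

def make_identity(serial, **fields):
    """Constructed sample identity: signed JSON standing in for a certificate."""
    cert = {"serial": serial, "issuer": CA_NAME, "not_before": 1000,
            "not_after": 2000, "public_key": "pk-" + serial, **fields}
    cert["signature"] = ca_sign(cert)
    return json.dumps(cert, sort_keys=True).encode()

def pin(blob):
    PINNED_DIGESTS.add(hashlib.sha256(blob).hexdigest())  # provisioning step

def encode_request(type_id, blob):
    tid = type_id.encode("ascii")
    return bytes([len(tid)]) + tid + struct.pack(">H", len(blob)) + blob

def parse_request(msg):
    """Step (1). Assumed framing: 1-byte id length, id, 2-byte length, blob."""
    if not msg or len(msg) < msg[0] + 3:
        raise AuthError("truncated request")
    n = msg[0]
    blob = msg[n + 3:]
    if len(blob) != struct.unpack_from(">H", msg, n + 1)[0]:
        raise AuthError("length field does not match payload")
    return msg[1:n + 1].decode("ascii", "replace"), blob

def check_validity(cert, now):
    if not cert["not_before"] < now < cert["not_after"]:
        raise AuthError("outside validity period")

def check_ca(cert, with_signature=True):
    sig = str(cert.get("signature", ""))
    if with_signature and not hmac.compare_digest(ca_sign(cert), sig):
        raise AuthError("certificate signature does not verify")
    if cert["issuer"] != CA_NAME:
        raise AuthError("issuer is not the local CA")

def check_crl(cert):
    if cert["serial"] in CRL_SERIALS:
        raise AuthError("serial number is on the CRL")

def check_pinned(blob):
    if hashlib.sha256(blob).hexdigest() not in PINNED_DIGESTS:
        raise AuthError("digest not in the local store")

def verify_x509_or_gb(blob, now):
    # X509 (CRL variant of step 2-4) and GB37376 share the same step order.
    cert = json.loads(blob)
    check_validity(cert, now)
    check_ca(cert)
    check_crl(cert)
    return cert

def verify_ieee1609(blob, now):
    cert = json.loads(blob)
    check_validity(cert, now)
    check_crl(cert)
    if cert.get("kind") == "explicit":
        check_ca(cert)
    else:                       # implicit certificate: issuer, then digest
        check_ca(cert, with_signature=False)
        check_pinned(blob)
    return cert

def verify_nocert(blob, now):
    check_pinned(blob)          # digest of the raw bytes, before any parsing
    return json.loads(blob)

VERIFIERS = {"X509": verify_x509_or_gb, "GB37376": verify_x509_or_gb,
             "IEEE1609": verify_ieee1609, "noCert": verify_nocert}

def authenticate(msg, now):
    """Steps (1)-(3): return the peer's public key or raise AuthError."""
    type_id, blob = parse_request(msg)
    if type_id not in VERIFIERS:    # unknown identifier: fail closed
        raise AuthError("unsupported type identifier")
    try:
        return VERIFIERS[type_id](blob, now)["public_key"]
    except (ValueError, KeyError, TypeError) as exc:
        raise AuthError("malformed identity") from exc
```

Because the type identifier is chosen by the peer, each identifier maps to a fixed check sequence and anything else is rejected; a certificate relabelled as noCert is accepted only if its digest is already in the local store.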
According to another aspect of the present invention, there is provided a security protocol authentication system supporting multiple kinds of digital identity information, including the following modules:
a first module, by which the first device receives an identity authentication request from the second device and parses the request to obtain the second device's digital identity information type identifier and the digital identity information corresponding to that type identifier;
a second module, by which the first device parses the second device's digital identity information using the parsing mode corresponding to the type identifier obtained by the first module, and verifies the parsed digital identity information to obtain a verification result;
a third module, by which the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) the security protocol used for data transmission between the first device and the second device supports multiple kinds of digital identity information, which removes the limitation of the security protocol; multiple kinds of digital identity information can be deployed at the same time, which solves the problem of compatibility with the original certificate format and reduces the complexity of system deployment;
(2) the multiple kinds of digital identity information provided by the invention allow the security protocol to meet the requirements of existing security protocols while remaining easy to extend, so as to accommodate the practical application requirements of new technologies;
(3) for digital identity information in the IEEE 1609.2 certificate format and the certificateless format, verification by comparing the digest value with the locally stored digest is used, which can improve the efficiency of identity authentication;
(4) the invention identifies and distinguishes digital identity information by its type identifier, which reduces dependence on specialized parsing of digital certificate formats and makes identification and differentiation efficient and intuitive;
(5) the invention provides verification for digital certificates in the IEEE 1609.2 certificate format, the GB/T 37376 certificate format and the certificateless format, and improves the security of authentication.
Drawings
Fig. 1 is a flowchart of a security protocol authentication method supporting multiple kinds of digital identity information according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the following embodiments. It should be understood that the specific embodiments described herein merely illustrate the invention and are not intended to limit it. In addition, the technical features involved in the embodiments described below may be combined with each other as long as they do not conflict.
The specific idea of the present invention is to add, to the secure communication protocol used for data transmission between a first device and a second device, a digital identity information type identifier and the corresponding digital identity information, on the basis of the existing standard certificate. The digital identity information may be in the X.509 certificate format, the IEEE 1609.2 certificate format, the GB/T 37376 certificate format, or a certificateless format, and it is parsed and verified in the manner corresponding to its type identifier, thereby completing identity authentication between the first device and the second device.
As shown in Fig. 1, the present invention provides a security protocol authentication method supporting multiple kinds of digital identity information. The method is applied in a secure communication system that includes a first device and a second device and uses a secure communication protocol to protect data transmission between them, where the secure communication protocol is the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol or Internet Protocol Security (IPSec). When the secure communication protocol is the SSL/TLS protocol, the first device and the second device may each be a client or a server: when the first device is a client, the second device is a server, and when the first device is a server, the second device is a client. When the secure communication protocol is the IPSec protocol, the first device and the second device may each be an initiator or a responder: when the first device is an initiator, the second device is a responder, and when the first device is a responder, the second device is an initiator. The security protocol authentication method of the invention specifically comprises the following steps:
(1) A first device receives an identity authentication request from a second device and parses the request to obtain the second device's digital identity information type identifier and the digital identity information corresponding to that type identifier;
Specifically, the identity authentication request includes a digital identity information type identifier and digital identity information, where the type identifier indicates which kind of digital identity information the second device uses, and the digital identity information may be in the X.509 certificate format, the IEEE 1609.2 certificate format, the GB/T 37376 certificate format, or a certificateless format;
For digital identity information in the X.509 certificate format, the corresponding type identifier is X509, and the digital identity information is, for example, X509 Cert; for digital identity information in the IEEE 1609.2 certificate format, the corresponding type identifier is IEEE1609, and the digital identity information is, for example, V2 IEEE eceert; for digital identity information in the GB/T 37376 certificate format, the corresponding type identifier is GB37376, and the digital identity information is, for example, V2 XBCert; for digital identity information in a certificateless format, the corresponding type identifier is noCert, and the digital identity information is, for example, noCert;
The advantage of this step is that, when data is transmitted between the first device and the second device, the security protocol carries identity in the form of digital identity information, so it supports not only the original X.509 certificate format but also multiple other kinds of digital identity information, which removes the limitation of the security protocol; the digital identity information can also be extended conveniently to accommodate the application requirements of new technologies.
(2) The first device parses the second device's digital identity information using the parsing mode corresponding to the type identifier obtained in step (1), and verifies the parsed digital identity information to obtain a verification result;
Specifically, when the digital identity information corresponding to the type identifier obtained in step (1) is in the X.509 certificate format, step (2) specifically includes:
(2-1) the first device parses the digital identity information from the second device according to the X.509 certificate standard to obtain the certificate's validity period, certificate signature, certificate issuer, and the online service address in the certificate's extensions;
(2-2) the first device determines whether the start time of the validity period parsed in step (2-1) is earlier than the current time and the expiry time is later than the current time; if so, the certificate passes the verification and the method proceeds to step (2-3); otherwise, the certificate fails the verification, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored Certificate Authority (CA) certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the CA certificate, the second verification passes and the method proceeds to step (2-4); otherwise, the second verification fails, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
(2-4) the first device determines whether the certificate status is normal according to the online service address in the certificate extensions parsed in step (2-1); if so, the third verification passes and the process ends; otherwise, the third verification fails, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
Specifically, determining whether the certificate status is normal according to the online service address consists of looking up the certificate status at the online service address; if the certificate status is normal, the verification passes; otherwise, the verification fails;
As another embodiment, step (2-4) may be replaced with (2-4'):
(2-4') the first device obtains a locally stored Certificate Revocation List (CRL) file and uses it to determine whether the status of the certificate parsed in step (2-1) is normal; if so, the third verification passes and the process ends; otherwise, the third verification fails, the first device sends an alert message to the second device, terminates the handshake/negotiation with the second device, and the process ends;
Specifically, determining whether the certificate status is normal using the CRL file consists of determining whether the CRL file contains the serial number of the certificate; if it does not, the certificate status is normal and the certificate passes verification; otherwise, the certificate fails verification;
When the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the IEEE 1609.2 certificate format, step (2) is specifically as follows:
(2-1) the first device parses the digital identity information from the second device using the IEEE 1609.2 certificate standard to obtain the validity period of the certificate, the certificate type, the certificate signature, and the certificate issuer;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the first verification passes and the process proceeds to step (2-3); otherwise, the verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored CRL file and uses it to judge whether the state of the certificate parsed in step (2-1) is normal; if so, the second verification passes and the process proceeds to step (2-4); otherwise, the second verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
specifically, the certificate state is judged from the CRL file by checking whether the CRL file contains the serial number of the certificate: if it does not, the certificate state is normal and the verification passes; otherwise, the verification fails;
(2-4) the first device judges whether the certificate type parsed in step (2-1) is an explicit certificate; if so, the process proceeds to step (2-5); otherwise, the certificate is an implicit certificate and the process proceeds to step (2-6);
(2-5) the first device obtains a locally stored CA certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the CA certificate, the third verification passes and the process ends; otherwise, the third verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-6) the first device obtains a locally stored CA certificate and uses it to verify the certificate issuer parsed in step (2-1); if the certificate issuer is the same as the issuer of the CA certificate, the third verification passes and the process proceeds to step (2-7); otherwise, the third verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-7) the first device performs a digest operation on the certificate parsed in step (2-1) to obtain a digest value and compares it with the locally stored digest; if the two are consistent, the verification passes and the process ends; otherwise, the verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
The advantage of steps (2-2) to (2-7) is that, for digital identity information in the IEEE 1609.2 certificate format, the first device verifies the certificate validity period, certificate type, certificate signature, certificate issuer, and certificate state, which improves the accuracy of identity authentication and the security of data transmission; in addition, verifying by comparing a digest value with a locally stored digest speeds up identity authentication.
When the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the GB/T 37376 certificate format, step (2) is specifically as follows:
(2-1) the first device parses the digital identity information from the second device using the GB/T 37376 certificate standard to obtain the validity period of the certificate, the certificate signature, and the certificate issuer;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the first verification passes and the process proceeds to step (2-3); otherwise, the verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored CA certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the CA certificate, the second verification passes and the process proceeds to step (2-4); otherwise, the second verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-4) the first device obtains a locally stored CRL file and uses it to judge whether the state of the certificate parsed in step (2-1) is normal; if so, the third verification passes and the process ends; otherwise, the third verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
specifically, the certificate state is judged from the CRL file by checking whether the CRL file contains the last ten bytes of the digest value in the certificate: if it does not, the certificate state is normal and the verification passes; otherwise, the verification fails;
When the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts a certificateless format, step (2) is specifically as follows:
(2) the first device parses the digital identity information from the second device in the certificateless mode, then performs a digest operation on the parsed digital identity information to obtain a digest value and compares it with the locally stored digest; if the two are consistent, the verification passes and the process ends; otherwise, the verification fails, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(3) the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends.
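The per-format check order in step (2) can be written as one dispatcher that stops at the first failed step. This is an added example, not code from the patent: the type identifiers, field names, SHA-256 as the digest, taking the digest over the encoded certificate, and the `sig_ok` flag (the result of a signature check done by a separate crypto library) are assumptions. The X.509 branch uses the local-CRL variant (2-4'), and all sample data is constructed.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Constructed identifiers; the page does not assign concrete values.
IdType = Enum("IdType", "X509 IEEE1609_2 GBT37376 CERTIFICATELESS")


@dataclass
class Identity:
    """Fields that step (2-1) extracts; parsing itself is out of scope here."""
    raw: bytes                          # encoded identity information as received
    not_before: datetime | None = None
    not_after: datetime | None = None
    issuer: str = ""
    serial: int = 0
    sig_ok: bool = False                # assumed: result of the CA-key signature check
    explicit: bool = True               # IEEE 1609.2: explicit or implicit certificate


@dataclass
class TrustStore:                       # material stored locally on the first device
    ca_issuer: str
    revoked_serials: set[int] = field(default_factory=set)
    revoked_tails: set[bytes] = field(default_factory=set)   # last 10 digest bytes
    pinned_digests: set[bytes] = field(default_factory=set)


def digest(raw: bytes) -> bytes:
    return hashlib.sha256(raw).digest()  # hash choice is an assumption


def valid_now(ident: Identity, now: datetime) -> bool:
    if ident.not_before is None or ident.not_after is None:
        return False                     # a missing validity period fails closed
    return ident.not_before < now < ident.not_after


def pinned(ident: Identity, store: TrustStore) -> bool:
    d = digest(ident.raw)
    return any(hmac.compare_digest(d, p) for p in store.pinned_digests)


def verify(id_type, ident: Identity, store: TrustStore, now: datetime):
    """Return (passed, failed_step); on failure the caller alarms and disconnects."""
    validity = ("validity", lambda: valid_now(ident, now))
    issuer = ("ca", lambda: ident.issuer == store.ca_issuer)
    ca = ("ca", lambda: ident.sig_ok and ident.issuer == store.ca_issuer)
    crl_serial = ("crl", lambda: ident.serial not in store.revoked_serials)
    crl_tail = ("crl", lambda: digest(ident.raw)[-10:] not in store.revoked_tails)
    pin = ("digest", lambda: pinned(ident, store))
    if id_type is IdType.X509:                       # variant (2-4'): local CRL
        steps = [validity, ca, crl_serial]
    elif id_type is IdType.IEEE1609_2 and ident.explicit:
        steps = [validity, crl_serial, ca]
    elif id_type is IdType.IEEE1609_2:               # implicit: issuer, then digest
        steps = [validity, crl_serial, issuer, pin]
    elif id_type is IdType.GBT37376:
        steps = [validity, ca, crl_tail]
    elif id_type is IdType.CERTIFICATELESS:
        steps = [pin]
    else:
        return False, "unknown-type"                 # unrecognised identifier fails closed
    for name, check in steps:
        if not check():                              # stop at the first failed step
            return False, name
    return True, None


# Constructed sample data so the example runs offline.
NOW = datetime(2021, 1, 21, tzinfo=timezone.utc)
STORE = TrustStore("Example CA", revoked_serials={2002},
                   revoked_tails={digest(b"constructed-revoked-cert")[-10:]},
                   pinned_digests={digest(b"constructed-cert-A")})


def sample(**overrides) -> Identity:
    fields = dict(raw=b"constructed-cert-A", issuer="Example CA", serial=1001,
                  sig_ok=True, not_before=datetime(2020, 1, 1, tzinfo=timezone.utc),
                  not_after=datetime(2022, 1, 1, tzinfo=timezone.utc))
    fields.update(overrides)
    return Identity(**fields)
```

The IEEE 1609.2 branch consults the CRL before the CA check, while the X.509 and GB/T 37376 branches do the reverse, so the reported failed step for the same bad certificate differs by format.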
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A security protocol authentication method supporting multiple kinds of digital identity information, characterized by comprising the following steps:
(1) a first device receives an identity authentication request from a second device and parses the request to obtain the digital identity information type identifier of the second device and the digital identity information corresponding to that identifier;
(2) the first device parses the digital identity information of the second device using the parsing mode corresponding to the digital identity information type identifier obtained in step (1), and verifies the parsed digital identity information to obtain a verification result;
(3) the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends.
2. The method according to claim 1, wherein the identity authentication request in step (1) includes a digital identity information type identifier and digital identity information, wherein the digital identity information type identifier indicates which kind of digital identity information the second device uses, and the digital identity information may be digital identity information in the X.509 certificate format, in the IEEE 1609.2 certificate format, in the GB/T 37376 certificate format, or in a certificateless format.
3. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 2, wherein when the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the X.509 certificate format, step (2) specifically comprises:
(2-1) the first device parses the digital identity information from the second device using the X.509 certificate standard to obtain the validity period of the certificate, the certificate signature, the certificate issuer, and the online service address in the extension of the certificate;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the process proceeds to step (2-3); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the process proceeds to step (2-4); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-4) the first device judges whether the state of the certificate is normal according to the online service address in the extension of the certificate parsed in step (2-1); if so, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends.
4. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 3, wherein the certificate state is judged from the online service address by querying that address for the certificate state: if the certificate state is normal, the verification passes; otherwise, the verification fails.
5. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 2, wherein when the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the X.509 certificate format, step (2) specifically comprises:
(2-1) the first device parses the digital identity information from the second device using the X.509 certificate standard to obtain the validity period of the certificate, the certificate signature, and the certificate issuer;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the process proceeds to step (2-3); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the process proceeds to step (2-4); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-4) the first device obtains a locally stored certificate revocation list file and uses it to judge whether the state of the certificate parsed in step (2-1) is normal; if so, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends.
6. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 2, wherein when the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the IEEE 1609.2 certificate format, step (2) specifically comprises:
(2-1) the first device parses the digital identity information from the second device using the IEEE 1609.2 certificate standard to obtain the validity period of the certificate, the certificate type, the certificate signature, and the certificate issuer;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the process proceeds to step (2-3); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate revocation list file and uses it to judge whether the state of the certificate parsed in step (2-1) is normal; if so, the process proceeds to step (2-4); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-4) the first device judges whether the certificate type parsed in step (2-1) is an explicit certificate; if so, the process proceeds to step (2-5); otherwise, the process proceeds to step (2-6);
(2-5) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-6) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate issuer parsed in step (2-1); if the certificate issuer is the same as the issuer of the certificate authority certificate, the process proceeds to step (2-7); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-7) the first device performs a digest operation on the certificate parsed in step (2-1) to obtain a digest value and compares it with the locally stored digest; if the two are consistent, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends.
7. The method according to claim 5 or 6, wherein the certificate state is judged from the certificate revocation list file by checking whether the file contains the serial number of the certificate: if it does not, the certificate state is normal and the verification passes; otherwise, the verification fails.
8. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 2, wherein when the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts the GB/T 37376 certificate format, step (2) specifically comprises:
(2-1) the first device parses the digital identity information from the second device using the GB/T 37376 certificate standard to obtain the validity period of the certificate, the certificate signature, and the certificate issuer;
(2-2) the first device judges whether, in the validity period parsed in step (2-1), the effective time of the certificate is earlier than the current time and the expiry time is later than the current time; if so, the process proceeds to step (2-3); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-3) the first device obtains a locally stored certificate authority certificate and uses it to verify the certificate signature and the certificate issuer parsed in step (2-1); if the certificate signature verifies and the certificate issuer is the same as the issuer of the certificate authority certificate, the process proceeds to step (2-4); otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends;
(2-4) the first device obtains a locally stored certificate revocation list file and uses it to judge whether the state of the certificate parsed in step (2-1) is normal; if so, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends.
9. The security protocol authentication method supporting multiple kinds of digital identity information according to claim 2, wherein when the digital identity information corresponding to the digital identity information type identifier obtained in step (1) adopts a certificateless format, step (2) specifically comprises:
(2) the first device parses the digital identity information from the second device in the certificateless mode, then performs a digest operation on the parsed digital identity information to obtain a digest value and compares it with the locally stored digest; if the two are consistent, the process ends; otherwise, the first device sends alarm information to the second device and disconnects the handshake/negotiation with the second device, and the process ends.
10. A security protocol authentication system supporting multiple kinds of digital identity information, characterized by comprising the following modules:
a first module, by which the first device receives an identity authentication request from the second device and parses the request to obtain the digital identity information type identifier of the second device and the digital identity information corresponding to that identifier;
a second module, by which the first device parses the digital identity information of the second device using the parsing mode corresponding to the digital identity information type identifier obtained by the first module, and verifies the parsed digital identity information to obtain a verification result;
a third module, by which the first device obtains, from the digital identity information that passed verification, the public key information required for key negotiation in the next stage of the secure communication protocol, and the process ends.
CN202110081096.9A 2021-01-21 2021-01-21 Security protocol authentication method and system supporting multiple kinds of digital identity information Pending CN112769854A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110081096.9A CN112769854A (en) 2021-01-21 2021-01-21 Security protocol authentication method and system supporting multiple kinds of digital identity information

Publications (1)

Publication Number Publication Date
CN112769854A true CN112769854A (en) 2021-05-07

Family

ID=75702181

Country Status (1)

Country Link
CN (1) CN112769854A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination