CN113014546B - Certificate-based authentication registration state management method and system - Google Patents

Certificate-based authentication registration state management method and system

Info

Publication number: CN113014546B
Application number: CN202110127864.XA
Authority: CN (China)
Prior art keywords: certificate, client, authentication, verification, attribute data
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113014546A
Inventors: 李泽民, 詹晋川, 张帆, 芦伟, 张俊
Current assignee: Shenzhen Forward Industrial Co Ltd
Original assignee: Shenzhen Forward Industrial Co Ltd
Events: application filed by Shenzhen Forward Industrial Co Ltd; priority to CN202110127864.XA; publication of CN113014546A; application granted; publication of CN113014546B

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a certificate-based authentication registration state management method and system in the field of network security. The method comprises: acquiring the digital certificate attribute data of a client to be authenticated; the authentication server querying the certificate state from its local certificate authorization list according to that attribute data and deciding from the state whether the client's authentication process is allowed; if no certificate state for the client's digital certificate is found, selecting one of the network devices that have already completed access authentication as the certificate verification client and querying the verification result of the client's digital certificate from the certificate verification server through it; the authentication server then deciding from the result returned by the certificate verification client whether the authentication process is allowed. The dynamic election of the certificate verification client and the management and control of certificates give good scalability and security across network scenarios.

Description

Certificate-based authentication registration state management method and system
Technical Field
The invention relates to the technical field of network security, in particular to a certificate-based authentication registration state management method and system.
Background
Public Key Infrastructure (PKI) manages public keys by means of certificates and performs user identity authentication through a trusted third party, thereby providing confidentiality, integrity, authenticity and non-repudiation for online data exchange.
The Online Certificate Status Protocol (OCSP) is one of the protocols built on PKI: an Internet protocol for checking the revocation status of a certificate. OCSP was created to query the status of a digital certificate in place of the Certificate Revocation List (CRL) of a PKI system, and it overcomes the main drawback of CRLs: the client must download the list frequently to keep it up to date. OCSP messages are encoded in ASN.1. There are two message types, "request" and "response", so the OCSP server is called the OCSP responder.
However, the network is exposed to various threats. For example, when the node that issues OCSP requests comes under a distributed denial-of-service attack, it may exhaust its resources and be unable to provide normal service to users.
In some network environments a network device may have no direct access to the OCSP server, or security devices may forbid access to an OCSP server on the Internet. There are many solutions to this, but they can make the network topology more complex.
Disclosure of Invention
In view of the defects of the prior art, the certificate-based authentication registration state management method and system provided by the invention solve two problems: an OCSP requester that is under attack cannot provide service to users, and some network devices cannot, or are not allowed to, access an OCSP server directly.
To achieve this, the invention adopts the following technical scheme. A certificate-based authentication registration state management method includes the following steps:
S1, the authentication server requests and acquires the digital certificate attribute data of the client to be authenticated;
S2, the authentication server judges, from the digital certificate attribute data, whether the certificate state of the client's digital certificate can be found in its local certificate authorization list; if so, go to step S3, otherwise go to step S4;
S3, the authentication server decides from the certificate state whether the authentication process of the client to be authenticated is allowed, which completes the management of the authentication registration state;
S4, one of the network devices that have completed access authentication is selected as the certificate verification client;
S5, the certificate verification client queries the certificate verification server for the verification result of the client's digital certificate attribute data;
S6, the authentication server decides from the verification result obtained by the certificate verification client whether the authentication process of the client to be authenticated is allowed, which completes the management of the authentication registration state.
Further, step S1 is specifically: when the client to be authenticated connects to the authentication server, the authentication server requests and acquires the client's digital certificate attribute data;
the digital certificate attribute data comprises the digital certificate serial number and the digital certificate issuer.
Further, the certificate state in step S2 is one of: a normal state, a revoked state, and an unknown state.
Further, step S3 is specifically: judge whether the certificate state is the normal state; if so, the authentication server allows the authentication registration process of the client to be authenticated, which completes the management of the authentication registration state; otherwise (the certificate state is revoked or unknown), the authentication server forbids the authentication registration process of the client to be authenticated, which likewise completes the management of the authentication registration state.
Further, step S4 is specifically: all network devices that have completed access authentication send a certificate verification proxy client authorization request to the certificate verification server; the certificate verification server identifies the client identity from the request information of each network device and selects one authorized network device as the certificate verification client.
Further, step S5 comprises the following substeps:
S51, the authentication server reports the digital certificate attribute data of the client to be authenticated;
S52, the digital certificate attribute data is forwarded to the certificate verification client through the network devices that have completed access authentication;
S53, from the digital certificate attribute data it received, the certificate verification client requests the verification result of that attribute data from the certificate verification server.
Further, in step S53, the information the certificate verification client sends to the certificate verification server when requesting the verification result comprises: the digital certificate attribute data to be verified, signature information, and a random number (a nonce).
Further, the verification result queried in step S5 comprises: the digital certificate attribute data and the certificate state;
the verification result is kept in the local certificate authorization list of the authentication server for a period of time;
and after access authentication is completed, the client to be authenticated can itself act as an authentication server for other clients to be authenticated.
The beneficial effects of the further scheme above are: when the certificate verification client is attacked or a network fault occurs, service can be restored quickly by re-electing a certificate verification client; at the same time, network devices with high security requirements are kept from accessing the certificate verification server directly.
A certificate-based authentication registration state management system comprises: a certificate verification server module, a certificate verification proxy client module, an authentication server module and an authentication client module;
the certificate verification server module issues and revokes digital certificates, receives and processes proxy client authorization requests from certificate verification proxy clients, processes verification requests for digital certificate attribute data from the authorized certificate verification proxy client, and returns the verification result to the certificate verification proxy client module;
the certificate verification proxy client module sends a proxy client authorization request to the certificate verification server module; once authorized as the certificate verification proxy client by the certificate verification server module, it requests the certificate verification server module to verify the digital certificate attribute data received from the authentication client module, and returns the verification result to the authentication server module once obtained;
the authentication server module manages and controls the authentication process of the authentication client module: it acquires the digital certificate attribute data of the authentication client module and looks up the last verification result for that attribute data in its local certificate authorization list; if no result is found, it notifies the certificate verification proxy client module to have the certificate verification server module verify the attribute data and obtain a verification result, stores that result in the local certificate authorization list, and decides from it whether the authentication process of the authentication client is allowed; if a last verification result is found in the local certificate authorization list, it decides from that result whether the authentication process of the authentication client is allowed, which completes authentication registration state management;
the authentication client module returns its local digital certificate attribute data to the authentication server module when it receives a digital certificate request message from the authentication server module; when the authentication server module allows the authentication process of the authentication client module, the authentication client module sends an authentication registration request to the authentication server module.
In conclusion, the beneficial effects of the invention are as follows. The invention provides a certificate-based authentication registration state management method and system: first the digital certificate attribute data of the client to be authenticated is acquired; then the authentication server queries the certificate state from its local certificate authorization list according to that attribute data and decides from the state whether the client's authentication process is allowed; if no certificate state for the client's digital certificate is found, one of the network devices that have completed access authentication is selected as the certificate verification client and the verification result of the client's digital certificate is queried from the certificate verification server through it; finally the authentication server decides from the result returned by the certificate verification client whether the client's authentication process is allowed. When a certificate verification client stops working normally, another network device is re-selected as the certificate verification client, so service is restored quickly. This solves the problems that an OCSP requester under attack cannot provide service to users and that some network devices cannot, or are not allowed to, access an OCSP server directly, keeping service running and restoring it quickly even in special application scenarios.
Drawings
FIG. 1 is a flow chart of the certificate-based authentication registration state management method;
FIG. 2 is a flow chart of authentication registration;
FIG. 3 is a schematic diagram of the authentication registration stage transitions of the authentication server;
FIG. 4 is a schematic view of an application scenario of the certificate-based authentication registration state management method;
FIG. 5 is a block diagram of the certificate-based authentication registration state management system;
FIG. 6 is a system block diagram of an electronic device.
Detailed Description
The following description of embodiments is provided to help those skilled in the art understand the invention. It should be understood that the invention is not limited to these embodiments: those skilled in the art will see that various changes may be made without departing from the spirit and scope of the invention as defined in the appended claims, and all matter produced using the inventive concept is protected.
Example 1: as shown in FIG. 1, a certificate-based authentication registration state management method includes the following steps:
S1, the authentication server requests and acquires the digital certificate attribute data of the client to be authenticated;
the client to be authenticated and the authentication server are connected by wire and use Media Access Control (MAC) addresses for communication and data transfer.
Step S1 is specifically: when the client to be authenticated connects to the authentication server, the authentication server requests and acquires the client's digital certificate attribute data;
before initiating authentication registration, as shown in FIG. 2, the client to be authenticated sends an identity authentication request message to the authentication server; the message carries the client's unique identity identification number, device hardware information and similar data. On receiving it, the authentication server identifies and stores the identity authentication request message of the client, sends a digital certificate attribute data request message to the client, and enters the authentication registration preparation stage.
The digital certificate attribute data comprises the digital certificate serial number and the digital certificate issuer.
S2, the authentication server judges, from the digital certificate attribute data, whether the certificate state of the client's digital certificate can be found in its local certificate authorization list; if so, go to step S3, otherwise go to step S4;
the certificate state in step S2 is one of: a normal state, a revoked state, and an unknown state.
In this embodiment, step S2 is specifically: after receiving the digital certificate attribute data of the client to be authenticated, the authentication server retrieves the corresponding digital certificate state from its local certificate authorization list and returns the certificate attribute data result to the client; the attribute data comprises the digital certificate serial number, the digital certificate issuer and similar information.
S3, the authentication server decides from the certificate state whether the authentication process of the client to be authenticated is allowed, which completes the management of the authentication registration state;
step S3 is specifically: judge whether the certificate state is the normal state; if so, the authentication server allows the authentication registration process of the client to be authenticated; otherwise it forbids that process, which completes authentication registration state management.
In this embodiment, step S3 is specifically: if the retrieved certificate state is "normal", the authentication server enters the "authentication registration ready stage", allows the authentication registration process of the client to be authenticated, and, once authentication registration negotiation begins, enters the "authentication registration stage"; if the certificate state is "revoked" or "unknown", the authentication server enters the "authentication registration denial stage" and stays there for a period of time, during which the client's authentication registration requests are refused, until the authentication server updates its local certificate authorization list or otherwise leaves the "authentication registration denial stage". FIG. 3 shows these stage transitions of the authentication server according to the embodiment of the invention.
If the authentication server finds no information about the corresponding digital certificate in its local certificate authorization list, it reports the digital certificate state as unknown, enters the authentication registration denial stage, and notifies the certificate verification client to ask the certificate verification server to verify the legality and current state of the digital certificate.
S4, one of the network devices that have completed access authentication is selected as the certificate verification client;
step S4 is specifically: all network devices that have completed access authentication send a certificate verification proxy client authorization request to the certificate verification server; the certificate verification server identifies the client identity from the request information of each network device and selects one authorized network device as the certificate verification client.
The role of certificate verification client is normally taken by a network device that has completed authentication registration. Since every network device that has completed authentication registration can act as a certificate verification client, the "certificate verification client" is also called the "certificate verification client authorization proxy". Election of the certificate verification client is usually triggered by a certificate verification request message. Optionally, depending on the network conditions of the clients, network devices that have a route to the certificate verification server may be designated candidate devices for the certificate verification client authorization proxy, and candidate devices are given priority when the authorization proxy is elected. Specifically, even without a certificate verification request message, a candidate device may send a certificate verification client proxy authorization request to the certificate verification server; the proxy authorization request carries the identity information of the client device, its local digital certificate attribute data, a digital signature and similar information.
The certificate verification server verifies the proxy authorization request message from the client and, if verification passes, authorizes that client as the certificate verification client. When it does so, the certificate verification server also tells the client the life cycle of the authorization proxy; when the certificate verification client stops working normally or its authorization life cycle is exceeded, a certificate verification client is elected again.
S5, the certificate verification client queries the certificate verification server for the verification result of the client's digital certificate attribute data;
the certificate verification client receives a certificate verification request from the authentication server, requests on its behalf the verification result of the digital certificate attribute data it forwarded from the certificate verification server, and returns the verification result to the authentication server.
The verification result queried in step S5 comprises: the digital certificate attribute data and the certificate state.
Step S5 comprises the following substeps:
S51, the authentication server reports the digital certificate attribute data of the client to be authenticated;
S52, the digital certificate attribute data is forwarded to the certificate verification client through the network devices that have completed access authentication;
S53, from the digital certificate attribute data it received, the certificate verification client requests the verification result of that attribute data from the certificate verification server.
In step S53, the information the certificate verification client sends to the certificate verification server when requesting the verification result comprises: the digital certificate attribute data to be verified, signature information, and a random number (a nonce).
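Step S4 (election and authorization of the certificate verification client, with a life cycle and re-election) and step S53 (the signed status query carrying a random number) describe behaviour but no message format or algorithm. The following Python model is an added example, not code from the patent or from the assignee: a verification server that recognises device identities, authorizes one proxy at a time for a bounded lifetime, prefers candidate devices with a route to the server, re-elects when the proxy fails or its authorization expires, and accepts a status query only from the current proxy, only with a valid signature, and only once per nonce. HMAC-SHA256 under a per-device key stands in for the digital signature the patent names but does not specify; all device names, keys and certificate serial numbers are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Device:
    device_id: str
    key: bytes            # constructed per-device signing key (stand-in for the device's certificate key pair)
    cert_serial: str      # the device's own digital certificate attribute data (serial number, issuer)
    cert_issuer: str
    reaches_server: bool  # True if the device has a route to the certificate verification server


def sign(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the '|'-joined fields; stands in for the digital signature the patent names."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class VerificationServer:
    """Certificate verification server: knows issued and revoked certificates, authorizes one
    proxy at a time for a bounded life cycle, and answers signed, nonce-protected status queries."""

    def __init__(self, device_keys: dict, lifetime_s: float):
        self.device_keys = device_keys   # identity -> key for every device the server can recognise
        self.issued = set()
        self.revoked = set()
        self.lifetime_s = lifetime_s
        self.proxy: Optional[str] = None
        self.proxy_expires = 0.0
        self.seen_nonces = set()         # bound this by time in a real deployment

    def issue(self, serial: str, issuer: str) -> None:
        self.issued.add((serial, issuer))

    def revoke(self, serial: str, issuer: str) -> None:
        self.revoked.add((serial, issuer))

    def handle_proxy_request(self, req: dict, now: float) -> bool:
        """S4: the request carries identity, the device's own attribute data and a signature over them."""
        key = self.device_keys.get(req["device_id"])
        if key is None:
            return False                 # identity not recognised
        expected = sign(key, req["device_id"], req["serial"], req["issuer"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False
        cert = (req["serial"], req["issuer"])
        if cert not in self.issued or cert in self.revoked:
            return False                 # added check: a device with a bad certificate must not relay status
        self.proxy = req["device_id"]
        self.proxy_expires = now + self.lifetime_s   # the life cycle is told to the proxy with the grant
        return True

    def handle_status_query(self, query: dict, now: float) -> Optional[str]:
        """S53: attribute data of the certificate under check, a nonce, and the proxy's signature."""
        if query["proxy_id"] != self.proxy or now >= self.proxy_expires:
            return None                  # only the authorized proxy, within its life cycle, may ask
        key = self.device_keys[query["proxy_id"]]
        expected = sign(key, query["proxy_id"], query["serial"], query["issuer"], query["nonce"])
        if not hmac.compare_digest(expected, query["sig"]) or query["nonce"] in self.seen_nonces:
            return None                  # bad signature or replayed query
        self.seen_nonces.add(query["nonce"])
        cert = (query["serial"], query["issuer"])
        if cert in self.revoked:
            return "revoked"
        return "normal" if cert in self.issued else "unknown"


def build_proxy_request(dev: Device) -> dict:
    return {"device_id": dev.device_id, "serial": dev.cert_serial, "issuer": dev.cert_issuer,
            "sig": sign(dev.key, dev.device_id, dev.cert_serial, dev.cert_issuer)}


def build_status_query(proxy: Device, serial: str, issuer: str) -> dict:
    nonce = secrets.token_hex(16)
    return {"proxy_id": proxy.device_id, "serial": serial, "issuer": issuer, "nonce": nonce,
            "sig": sign(proxy.key, proxy.device_id, serial, issuer, nonce)}


def elect_proxy(devices, server: VerificationServer, now: float,
                healthy: Callable[[str], bool]) -> Optional[str]:
    """S4: every authenticated, healthy device asks for authorization; devices with a route to
    the verification server are tried first; the first request the server accepts wins."""
    candidates = sorted((d for d in devices if healthy(d.device_id)), key=lambda d: not d.reaches_server)
    for dev in candidates:
        if server.handle_proxy_request(build_proxy_request(dev), now):
            return dev.device_id
    return None


def ensure_proxy(devices, server: VerificationServer, now: float,
                 healthy: Callable[[str], bool]) -> Optional[str]:
    """Re-elect when there is no proxy, its authorization life cycle has expired, or it is unhealthy."""
    if server.proxy is None or now >= server.proxy_expires or not healthy(server.proxy):
        server.proxy = None
        return elect_proxy(devices, server, now, healthy)
    return server.proxy
```

The nonce check is what gives the random number in S53 its value: without it a captured query could be replayed, and a captured "normal" answer would stay useful to an attacker after the certificate is revoked. The refusal to authorize a device whose own certificate is revoked or unknown is an extra check this example adds; the patent only says the server identifies the requesting client.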
And S6, judging whether the authentication process of the client to be authenticated is allowed or not according to the verification result inquired by the certificate verification client, and finishing the management of the authentication registration state.
After receiving the new digital certificate verification result, the authentication server updates the verification result in a local certificate authorization list, and then the authentication server recovers to the initial stage of authentication registration to wait for the next identity authentication request message of the authentication client. The verification result is kept in a local certificate authorization list of the authentication server for a period of time, the period of time is the life cycle of the verification result, and the phenomenon that network pressure is increased by multiple authentication requests of the same client to be authenticated in a short period of time and excessive memory space is occupied by long-time certificate verification result accumulation is avoided.
After the access authentication is completed, the client to be authenticated can be used as an authentication server of other clients to be authenticated.
Fig. 4 is a schematic view of an application scenario of the certificate-based authentication registration status management method.
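The stage transitions of FIG. 3 and the result life cycle described above can be written as a small state machine. The following Python class is an added example, not code from the patent: a single-client authentication server that keeps the local certificate authorization list as a cache keyed on (serial number, issuer), the same pair by which OCSP identifies a certificate; on a miss it reports the state as unknown, enters the denial stage, hands the attribute data to the elected certificate verification client through a callback, and accepts the result later, after which the client's retry is decided from the list. The result life cycle, the length of the denial hold, the callback and the return strings are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple

CertKey = Tuple[str, str]   # (serial number, issuer): the certificate attribute data the method keys on


class Stage(Enum):
    INITIAL = "initial"            # waiting for an identity authentication request
    PREPARATION = "preparation"    # identity stored, certificate attribute data requested
    READY = "ready"                # certificate state normal: registration may start
    REGISTRATION = "registration"  # registration negotiation in progress
    DENIAL = "denial"              # certificate revoked or unknown: requests refused for a hold period


@dataclass
class Entry:
    status: str      # "normal" | "revoked" | "unknown"
    expires: float   # end of the verification result's life cycle in the local list


class AuthenticationServer:
    def __init__(self, notify_proxy: Callable[[CertKey], None], result_ttl_s: float, denial_hold_s: float):
        self.local_list: Dict[CertKey, Entry] = {}   # local certificate authorization list
        self.notify_proxy = notify_proxy             # hands attribute data to the elected verification client
        self.result_ttl_s = result_ttl_s
        self.denial_hold_s = denial_hold_s
        self.stage = Stage.INITIAL
        self.denial_until = 0.0
        self.pending: Set[CertKey] = set()           # queries already handed to the proxy (no duplicates)
        self.identities: Dict[str, str] = {}

    def _tick(self, now: float) -> None:
        if self.stage is Stage.DENIAL and now >= self.denial_until:
            self.stage = Stage.INITIAL               # hold period over: leave the denial stage

    def on_identity_request(self, client_id: str, hw_info: str, now: float) -> str:
        """S1: store the identity request, ask for certificate attribute data, enter preparation."""
        self._tick(now)
        if self.stage is Stage.DENIAL:
            return "denied"
        self.identities[client_id] = hw_info
        self.stage = Stage.PREPARATION
        return "request_certificate_attributes"

    def lookup_local(self, cert: CertKey, now: float) -> Optional[str]:
        """S2: consult the local list; an entry past its life cycle is dropped as if never present."""
        entry = self.local_list.get(cert)
        if entry is None:
            return None
        if now >= entry.expires:
            del self.local_list[cert]
            return None
        return entry.status

    def on_certificate_attributes(self, cert: CertKey, now: float) -> str:
        """S2/S3 on a hit; on a miss, deny as unknown and trigger S4-S5 through the proxy."""
        if self.stage is not Stage.PREPARATION:
            return "unexpected"
        status = self.lookup_local(cert, now)
        if status == "normal":
            self.stage = Stage.READY
            return "allow"
        self.stage = Stage.DENIAL
        self.denial_until = now + self.denial_hold_s
        if status is None:
            if cert not in self.pending:
                self.pending.add(cert)
                self.notify_proxy(cert)              # the proxy's result arrives later via on_verification_result
            return "deny:unknown"
        return "deny:" + status                      # revoked or unknown from a cached result

    def on_verification_result(self, cert: CertKey, status: str, now: float) -> None:
        """S6: store the proxy's result for its life cycle and return to the initial stage."""
        self.local_list[cert] = Entry(status, now + self.result_ttl_s)
        self.pending.discard(cert)
        self.stage = Stage.INITIAL                   # the client's retry is then decided from the list

    def on_registration_request(self, now: float) -> bool:
        self._tick(now)
        if self.stage is not Stage.READY:
            return False
        self.stage = Stage.REGISTRATION
        return True

    def on_registration_done(self) -> None:
        self.stage = Stage.INITIAL
```

Denying while the verification is outstanding is the fail-closed choice the description above makes; allowing registration on a miss would let any client with an unverifiable certificate through. The expiry of cached entries also bounds how long a revocation can go unnoticed on this server: once a result's life cycle has passed, the next request goes back through the certificate verification client to the certificate verification server.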
Example 2: the following is a system for certificate-based authentication registration status management, as shown in fig. 5, comprising: the system comprises a certificate checking server module, a certificate checking proxy client module, an authentication server module and an authentication client module;
the certificate verification server module issues and revokes digital certificates, receives and processes proxy client authorization requests from certificate verification proxy clients, processes verification requests for digital certificate attribute data from an authorized certificate verification proxy client, and returns the verification result to the certificate verification proxy client module;
the certificate verification proxy client module initiates a proxy client authorization request to the certificate verification server module; once it has been authorized as a certificate verification proxy client by the certificate verification server module, it requests the certificate verification server module to verify the digital certificate attribute data obtained from the authentication client module, and returns the verification result to the authentication server module once it has been obtained;
the authentication server module manages and controls the authentication process of the authentication client module: it acquires the digital certificate attribute data of the authentication client module and looks up the most recent verification result for that data in its local certificate authorization list; if no previous verification result is found, it notifies the certificate verification proxy client module to request verification of the digital certificate attribute data from the certificate verification server module, stores the returned verification result in the local certificate authorization list, and decides from that result whether the authentication process of the authentication client module is allowed; if a previous verification result is found in the local certificate authorization list, it decides from that result whether the authentication process of the authentication client module is allowed, which completes authentication registration state management;
the authentication client module returns its local digital certificate attribute data to the authentication server module when it receives a digital certificate request message from the authentication server module; when the authentication server module allows the authentication process of the authentication client module, the authentication client module initiates an authentication registration request to the authentication server module.
The certificate verification proxy client module, the authentication server module and the authentication client module are deployed on the network device, and the certificate verification server module is deployed on the certificate verification server.
The certificate-based authentication registration state management system improves the security of network authentication, provides users with a secure network environment, and improves the user experience.
Example 3: an electronic device is provided as shown in fig. 6, where the electronic device 6 includes a memory 61 and a processor 62, the memory 61 stores therein a computer program that is executable on the processor 62, and the processor 62 implements the steps of the method provided in embodiment 1 when executing the computer program.
As shown in fig. 6, the electronic device further includes: a bus 63 and a communication interface 64, the processor 62, the communication interface 64 and the memory 61 being connected by the bus 63; the processor 62 is arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed random access memory (RAM) and may also include a non-volatile memory, such as at least one disk memory. The communication connection between a network element of the system and at least one other network element is realized through at least one communication interface 64 (which may be wired or wireless); the internet, a wide area network, a local area network, a metropolitan area network, and the like can be used.
Bus 63 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 6, but that does not indicate only one bus or one type of bus.
The memory 61 stores a program, and the processor 62 executes the program after receiving an execution instruction; the method disclosed in any of the foregoing embodiments of the present invention may be applied to, or implemented by, the processor 62.
The processor 62 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by hardware integrated logic circuits or by software instructions in the processor 62. The processor 62 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 61; the processor 62 reads the information in the memory 61 and completes the steps of the method in combination with its hardware.
Example 4: an embodiment of the present invention provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method provided in embodiment 1.
The method, apparatus, and computer program product for certificate-based authentication registration state management according to embodiments of the present invention include a computer-readable storage medium storing non-volatile program code executable by a processor; the instructions included in the program code may be used to execute the method described in the foregoing method embodiments, whose specific implementation may be found in those embodiments and is not repeated here.
If the functions are implemented in the form of software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. On this basis, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.

Claims (9)

1. A certificate-based authentication registration state management method is characterized by comprising the following steps:
S1, acquiring, at the request of the authentication server, the digital certificate attribute data of the client to be authenticated;
S2, judging, from the digital certificate attribute data, whether the authentication server can look up the certificate state of the digital certificate of the client to be authenticated in its local certificate authorization list; if so, jumping to step S3, and if not, jumping to step S4;
S3, judging whether to allow the authentication process of the client to be authenticated based on the certificate state, and finishing the management of the authentication registration state;
S4, selecting one of the network devices which have completed access authentication as the certificate verification client;
S5, querying, through the certificate verification client, the verification result of the digital certificate attribute data of the client to be authenticated from the certificate verification server;
S6, judging whether the authentication process of the client to be authenticated is allowed or not according to the verification result queried by the certificate verification client, and finishing the management of the authentication registration state.
2. The certificate-based authentication registration status management method according to claim 1, wherein step S1 specifically comprises: when the client to be authenticated accesses the authentication server, acquiring, at the request of the authentication server, the digital certificate attribute data of the client to be authenticated;
the digital certificate attribute data includes a digital certificate serial number and a digital certificate issuer.
3. The certificate-based authentication registration status management method according to claim 1, wherein the certificate status in step S2 includes: a normal state, a revoked state, and an unknown state.
4. The certificate-based authentication registration status management method according to claim 3, wherein step S3 specifically comprises: judging whether the certificate state is the normal state; if so, the authentication server allows the authentication registration process of the client to be authenticated, finishing the management of the authentication registration state; otherwise, that is, when the certificate state is the revoked state or the unknown state, the authentication server prohibits the authentication registration process of the client to be authenticated, finishing the management of the authentication registration state.
5. The certificate-based authentication registration status management method according to claim 1, wherein step S4 specifically comprises: all network devices which have completed access authentication initiate a certificate verification proxy client authorization request to the certificate verification server; the certificate verification server identifies the client identity information from the request information of the network devices and selects one authorized network device as the certificate verification client.
6. The certificate-based authentication registration status management method according to claim 1, wherein step S5 comprises the sub-steps of:
S51, reporting the digital certificate attribute data of the client to be authenticated through the authentication server;
S52, forwarding the digital certificate attribute data to the certificate verification client through the network devices which have completed access authentication;
S53, the certificate verification client requesting, according to the digital certificate attribute data it received, the verification result of the digital certificate attribute data from the certificate verification server.
7. The certificate-based authentication registration status management method according to claim 6, wherein the information sent to the certificate verification server when the certificate verification client requests the verification result of the digital certificate attribute data from the certificate verification server in step S53 includes: the digital certificate attribute data to be verified, signature information, and a random number.
8. The certificate-based authentication registration status management method according to claim 1, wherein the verification result of the digital certificate attribute data of the client to be authenticated queried in step S5 comprises: the digital certificate attribute data and the certificate state;
the verification result is kept in the local certificate authorization list of the authentication server for a period of time;
after the access authentication is completed, the client to be authenticated can serve as an authentication server for other clients to be authenticated.
9. A certificate-based authentication registration status management system, comprising: the system comprises a certificate checking server module, a certificate checking proxy client module, an authentication server module and an authentication client module;
the certificate verification server module issues and revokes digital certificates, receives and processes proxy client authorization requests from certificate verification proxy clients, processes verification requests for digital certificate attribute data from an authorized certificate verification proxy client, and returns the verification result to the certificate verification proxy client module;
the certificate verification proxy client module initiates a proxy client authorization request to the certificate verification server module; once it has been authorized as a certificate verification proxy client by the certificate verification server module, it requests the certificate verification server module to verify the digital certificate attribute data obtained from the authentication client module, and returns the verification result to the authentication server module once it has been obtained;
the authentication server module manages and controls the authentication process of the authentication client module: it acquires the digital certificate attribute data of the authentication client module and looks up the most recent verification result for that data in its local certificate authorization list; if no previous verification result is found, it notifies the certificate verification proxy client module to request verification of the digital certificate attribute data from the certificate verification server module, stores the returned verification result in the local certificate authorization list, and decides from that result whether the authentication process of the authentication client module is allowed; if a previous verification result is found in the local certificate authorization list, it decides from that result whether the authentication process of the authentication client module is allowed, which completes authentication registration state management;
the authentication client module returns its local digital certificate attribute data to the authentication server module when it receives a digital certificate request message from the authentication server module; when the authentication server module allows the authentication process of the authentication client module, the authentication client module initiates an authentication registration request to the authentication server module.
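Worked example of the flow in claims 1 to 8 and of the module roles described above and in claim 9, added here as an illustration; it is not code from the patent or from Shenzhen Forward Industrial. An authentication server consults its local certificate authorization list first, delegates a miss to an authorized proxy client that sends the attribute data, a random number and a signature to the verification server, and keeps the returned state for a period of time. The signature of claim 7 is modelled with an HMAC over a key the verification server hands to the proxy at authorization time, the period of claim 8 with a fixed TTL, and the class and function names, the sample serial numbers and the issuer names are all constructed for this example.

```python
"""Toy model of the cached, proxied certificate-state check (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# Certificate states named in claim 3.
NORMAL, REVOKED, UNKNOWN = "normal", "revoked", "unknown"


@dataclass(frozen=True)
class CertAttrs:
    """Digital certificate attribute data of claim 2: serial number and issuer."""
    serial: str
    issuer: str


def _sign(key: bytes, attrs: CertAttrs, nonce: str) -> bytes:
    # Assumption: HMAC-SHA256 over a shared key stands in for the signature of claim 7.
    msg = f"{attrs.serial}|{attrs.issuer}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class CertVerificationServer:
    """Issues/revokes certificates and answers signed queries from authorized proxies."""

    def __init__(self) -> None:
        self.status: Dict[CertAttrs, str] = {}
        self.proxy_keys: Dict[str, bytes] = {}
        self.seen_nonces: Set[str] = set()
        self.queries = 0  # number of verification round trips actually served

    def issue(self, attrs: CertAttrs) -> None:
        self.status[attrs] = NORMAL

    def revoke(self, attrs: CertAttrs) -> None:
        if attrs in self.status:
            self.status[attrs] = REVOKED

    def authorize_proxy(self, proxy_id: str) -> bytes:
        # Claim 5: the verification server decides which device becomes the verification client.
        key = secrets.token_bytes(32)
        self.proxy_keys[proxy_id] = key
        return key

    def check(self, proxy_id: str, attrs: CertAttrs, nonce: str, sig: bytes) -> str:
        key = self.proxy_keys.get(proxy_id)
        if key is None:
            raise PermissionError("proxy client is not authorized")
        if not hmac.compare_digest(_sign(key, attrs, nonce), sig):
            raise PermissionError("bad signature on verification request")
        if nonce in self.seen_nonces:  # the random number of claim 7 only helps if reuse is refused
            raise PermissionError("replayed verification request")
        self.seen_nonces.add(nonce)
        self.queries += 1
        return self.status.get(attrs, UNKNOWN)  # certificate never issued here -> unknown


class ProxyClient:
    """An already-authenticated network device acting as certificate verification client (S4, S5)."""

    def __init__(self, proxy_id: str, server: CertVerificationServer) -> None:
        self.proxy_id, self.server = proxy_id, server
        self.key = server.authorize_proxy(proxy_id)

    def query(self, attrs: CertAttrs) -> str:
        nonce = secrets.token_hex(16)
        return self.server.check(self.proxy_id, attrs, nonce, _sign(self.key, attrs, nonce))


class AuthServer:
    """Keeps the local certificate authorization list of S2 and decides S3/S6."""

    def __init__(self, proxy: ProxyClient, ttl_seconds: float, clock: Callable[[], float]) -> None:
        self.proxy, self.ttl, self.clock = proxy, ttl_seconds, clock
        self.auth_list: Dict[CertAttrs, Tuple[str, float]] = {}  # attrs -> (state, expires_at)

    def decide(self, attrs: CertAttrs) -> Tuple[bool, str, str]:
        """Return (allowed, certificate state, where the state came from)."""
        entry = self.auth_list.get(attrs)
        if entry is not None and entry[1] > self.clock():
            state, source = entry[0], "local_list"  # S2 hit -> S3
        else:
            state, source = self.proxy.query(attrs), "verification_server"  # S4 to S6
            self.auth_list[attrs] = (state, self.clock() + self.ttl)  # retention of claim 8
        return state == NORMAL, state, source  # claim 4: only the normal state is allowed


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through, including the revocation latency the local list introduces."""
    now = [0.0]  # fake clock so the TTL behaviour is deterministic
    server = CertVerificationServer()
    good = CertAttrs("1001", "CN=Example Issuing CA")
    bad = CertAttrs("1002", "CN=Example Issuing CA")
    stranger = CertAttrs("7777", "CN=Unrelated CA")
    server.issue(good)
    server.issue(bad)
    server.revoke(bad)
    auth = AuthServer(ProxyClient("switch-1", server), ttl_seconds=60, clock=lambda: now[0])
    out: Dict[str, object] = {}
    out["first"] = auth.decide(good)        # miss: proxied to the verification server
    out["cached"] = auth.decide(good)       # hit: answered from the local list
    out["revoked"] = auth.decide(bad)
    out["unknown"] = auth.decide(stranger)
    server.revoke(good)
    out["stale"] = auth.decide(good)        # still allowed: cached entry has not expired
    now[0] = 61.0
    out["after_ttl"] = auth.decide(good)    # refreshed after the TTL: now denied
    try:
        server.check("rogue-device", good, "nonce", b"\x00" * 32)
        out["rogue_rejected"] = False
    except PermissionError:
        out["rogue_rejected"] = True
    out["round_trips"] = server.queries
    return out
```

run_scenario() makes the operational caveat visible: a certificate revoked after its state entered the local certificate authorization list keeps being accepted until that entry expires, so the retention period of claim 8 is also the upper bound on revocation latency for this design, and the random number of claim 7 only prevents replay of a verification request when the verification server refuses a value it has already seen.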
CN202110127864.XA 2021-01-29 2021-01-29 Certificate-based authentication registration state management method and system Active CN113014546B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110127864.XA CN113014546B (en) 2021-01-29 2021-01-29 Certificate-based authentication registration state management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110127864.XA CN113014546B (en) 2021-01-29 2021-01-29 Certificate-based authentication registration state management method and system

Publications (2)

Publication Number Publication Date
CN113014546A CN113014546A (en) 2021-06-22
CN113014546B true CN113014546B (en) 2022-04-15

Family

ID=76385406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110127864.XA Active CN113014546B (en) 2021-01-29 2021-01-29 Certificate-based authentication registration state management method and system

Country Status (1)

Country Link
CN (1) CN113014546B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114050899B (en) * 2022-01-11 2022-07-12 深圳市永达电子信息股份有限公司 Full life cycle monitoring method and system based on certificate distribution
CN114615309B (en) * 2022-01-18 2024-03-15 奇安信科技集团股份有限公司 Client access control method, device, system, electronic equipment and storage medium
CN115250195A (en) * 2022-03-14 2022-10-28 上海广升信息技术股份有限公司 Agent layer-based MQ connection expansion method and application thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109168164A (en) * 2018-10-26 2019-01-08 电子科技大学 A kind of safety certifying method of the wireless self-networking applied to finite region

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126433A1 (en) * 2001-12-27 2003-07-03 Waikwan Hui Method and system for performing on-line status checking of digital certificates
US9225525B2 (en) * 2010-02-26 2015-12-29 Red Hat, Inc. Identity management certificate operations
WO2016153423A1 (en) * 2015-03-25 2016-09-29 Sixscape Communications Pte Ltd Apparatus and method for managing digital certificates
US11837031B2 (en) * 2015-07-08 2023-12-05 Arthur Andrew Montgomery Scotson Distributed voting platform

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109168164A (en) * 2018-10-26 2019-01-08 电子科技大学 A kind of safety certifying method of the wireless self-networking applied to finite region

Also Published As

Publication number Publication date
CN113014546A (en) 2021-06-22

Similar Documents

Publication Publication Date Title
CN113014546B (en) Certificate-based authentication registration state management method and system
US11956361B2 (en) Network function service invocation method, apparatus, and system
US9621355B1 (en) Securely authorizing client applications on devices to hosted services
US10678555B2 (en) Host identity bootstrapping
US9742757B2 (en) Identifying and destroying potentially misappropriated access tokens
US7475252B2 (en) System, method and program to filter out login attempts by unauthorized entities
US11201778B2 (en) Authorization processing method, device, and system
JP7421771B2 (en) Methods, application servers, IOT devices and media for implementing IOT services
CN108512845B (en) Interface calling verification method and device
CN107872445B (en) Access authentication method, device and authentication system
CN112583607A (en) Equipment access management method, device, system and storage medium
US20190268338A1 (en) Extended trust for onboarding
CN113726774A (en) Client login authentication method, system and computer equipment
CN113569210A (en) Distributed identity authentication method, equipment access method and device
US8990221B2 (en) Device and method for updating a certificate
CN113395249A (en) Client login authentication method, system and computer equipment
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN112532423A (en) Equipment access method, device and system
CN111866172A (en) Processing method and device of session ticket and electronic equipment
EP4002756B1 (en) Systems and methods of managing a certificate associated with a component located at a remote location
CN113992420B (en) Authority management method, system, electronic equipment and storage medium
TWI791905B (en) Authentication access system and method based on tokenization technology
CN116684113A (en) Service processing method and related device based on SDP (software defined boundary)
CN115967940A (en) Authentication method and authentication system for network slice
CN113961907A (en) Management method and device of memory cache service and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant