CN113672897B - Data communication method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113672897B
Application number: CN202110832735.0A
Authority: CN (China)
Prior art keywords: client, certificate, information, server, verification
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113672897A (en)
Inventor: 翁迟迟
Current assignee: Beijing QIYI Century Science and Technology Co Ltd
Original assignee: Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd; priority to CN202110832735.0A; published as CN113672897A; application granted and published as CN113672897B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/31 User authentication

Abstract

The invention provides a data communication method, a data communication device, electronic equipment and a computer-readable storage medium, and belongs to the technical field of computers. The method comprises the following steps: while the client and the server are establishing data communication, the client responds to an authentication operation by sending an authentication request to the server; the authentication request comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued to the client after it passed authentication by the server; the server then performs security verification on the client certificate according to the certificate information and generates a verification result for the client, on the basis of which the communication connection is established. In this way the client certificate associated with the client's identity information is transmitted in both directions between the client and the server and verified by certificate, so that bidirectional identity authentication of the data transmission is realized, the authentication mode can be flexibly configured, and the applicability of the authentication is improved.

Description

Data communication method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a data communication method, a data communication device, an electronic apparatus, and a computer readable storage medium.
Background
With the development of internet technology, more and more offline services are gradually realized through online interaction. To interact online, users typically need to install an application on their terminals (e.g., cell phones, tablet computers, etc.) and then interact with the server through the application, or with users of other applications through the application. While the user uses the application installed on the terminal, the server verifies the user's identity as needed. For example, before a user performs a business operation such as account login, message distribution, balance inquiry or online transaction, the server needs to verify the identity of the user to ensure data security. In the existing authentication process, either the client performs one-way authentication of identity information against the server, or the server performs one-way authentication of identity information against the client; whichever side authenticates, the identity information travels in one direction only, so the risk of man-in-the-middle data tampering readily arises and leads to data leakage.
Disclosure of Invention
The invention provides a data communication method, a data communication device, electronic equipment and a computer readable storage medium, so as to solve the problem of low safety of identity verification in the data communication process in the prior art to a certain extent.
According to a first aspect of the present invention there is provided a data communication method, the method comprising:
the client responds to the identity verification operation and sends an identity verification request to a server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the server performs identity verification on the client;
the server side carries out security verification on the client side certificate according to the certificate information, and generates a verification result aiming at the client side;
and if the verification result is that the client is trusted, the server establishes data communication with the client.
Optionally, the certificate information includes a certificate identifier corresponding to the client certificate and a user identifier of the client (the using user identifier), and the step in which the server performs security verification on the client certificate according to the certificate information and generates a verification result for the client includes:
the server obtains the issuing user identifier corresponding to the certificate identifier and compares the issuing user identifier with the using user identifier;
if the issuing user identifier is the same as the using user identifier, the server generates a trusted verification result for the client;
and if the issuing user identifier differs from the using user identifier, the server generates an untrusted verification result for the client.
Optionally, before the client sends the authentication request to the server in response to the authentication operation, the method further includes:
the client responds to a device verification operation by acquiring the device verification information corresponding to that operation and sending the device verification information to the server;
and if the server detects that the device verification information is the same as the preset verification information, the terminal to which the client belongs is treated as a trusted terminal.
Optionally, after the terminal to which the client belongs is treated as a trusted terminal, the method further includes:
the client responds to a client verification operation by sending an identity authentication request to the server, wherein the identity authentication request comprises the device verification information and the device fingerprint information of the trusted terminal;
the server uses the device verification information and the device fingerprint information to authenticate the identity of the client, generates a client certificate for the client, and records the issuing user identifier corresponding to the client certificate;
and the client receives the client certificate sent by the server.
Optionally, the method further comprises:
the server side obtains configuration parameters corresponding to the client side and judges the running state of the client side according to the configuration parameters;
if the configuration parameters represent that the running state of the client is a normal state, the server keeps the client certificate valid;
if the configuration parameters represent that the running state of the client is abnormal, the server side logs off the client certificate;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.
According to a second aspect of the present invention, there is provided a data communication method applied to a client, the method comprising:
in response to detection of the identity verification operation, sending an identity verification request to a server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the server performs identity verification on the client;
receiving a verification result for the client certificate;
and if the verification result is that the client is trusted, establishing data communication with a server.
According to a third aspect of the present invention, there is provided a data communication method applied to a server, the method comprising:
acquiring an identity verification request sent by a client, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the client is subjected to identity authentication by the server;
performing security verification on the client certificate according to the certificate information, and generating a verification result aiming at the client;
and if the verification result is that the client is trusted, establishing data communication with the client.
According to a fourth aspect of the present invention there is provided a data communication apparatus for use with a client, the apparatus comprising:
an identity verification request sending module, configured to respond to detection of an identity verification operation by sending an identity verification request to the server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the server performs identity verification on the client;
the verification result receiving module is used for receiving a verification result aiming at the client certificate;
And the data communication module is used for establishing data communication with the server if the verification result is that the client is trusted.
According to a fifth aspect of the present invention, there is provided a data communication apparatus for application to a server, the apparatus comprising:
an identity verification request acquisition module, configured to acquire an identity verification request sent by the client, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the client passes identity verification by the server;
the verification result generation module is used for carrying out security verification on the client certificate according to the certificate information to generate a verification result aiming at the client;
and the data communication module is used for establishing data communication with the client if the verification result is that the client is trusted.
According to a sixth aspect of the present invention, there is provided an electronic device comprising:
one or more processors; and
one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the electronic device to perform the data communication method as described above.
According to a seventh aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a data communication method as described above.
Compared with the prior art, the invention has the following advantages:
In the embodiment of the invention, while the client and the server are establishing data communication, the client responds to an authentication operation by sending an authentication request to the server; the authentication request comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the client passes authentication by the server. The server can then perform security verification on the client certificate according to the certificate information and generate a verification result for the client, and if the verification result is that the client is trusted, the server establishes data communication with the client. In this way the client certificate associated with the client's identity information is transmitted in both directions between the client and the server and verified by certificate, so that two-way authentication of the data transmission is realized, the authentication mode can be flexibly configured, and the applicability of the authentication is improved.
The foregoing description is only an overview of the technical solution of the present invention; so that it may be more clearly understood and implemented in accordance with the teachings of the specification, and so that the above and other objects, features and advantages of the present invention become more readily apparent, the detailed description below is provided.
Drawings
FIG. 1 is a flow chart of steps of an embodiment of a data communication method of the present invention;
FIG. 2 is a schematic flow chart of certificate issuance provided in an embodiment of the present invention;
FIG. 3 is a schematic diagram of certificate management provided in an embodiment of the present invention;
FIG. 4 is a schematic diagram of data processing provided in an embodiment of the invention;
FIG. 5 is a flow chart of steps of an embodiment of a data communication method of the present invention;
FIG. 6 is a flow chart of steps of an embodiment of a data communication method of the present invention;
FIG. 7 is a block diagram of an embodiment of a data communication system of the present invention;
FIG. 8 is a block diagram of an embodiment of a data communication device of the present invention;
FIG. 9 is a block diagram of an embodiment of a data communication device of the present invention;
FIG. 10 is a block diagram of an electronic device of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As an example, a user typically needs to install a client on a terminal (e.g., a cell phone, tablet computer, etc.) and then interact with the server through the client, or with users of other clients through the client. Before the user performs services such as account login, message sending, balance inquiry, online transaction or link access, either the client performs unidirectional identity authentication of the server over HTTP (HyperText Transfer Protocol) and executes the corresponding service after authentication succeeds, or the server performs unidirectional identity authentication of the client and executes the corresponding service after authentication succeeds. Two-way authentication can be performed between the client and the server, but in that process each direction is still only a one-way authentication performed by the client or by the server. Therefore, in the related art, whatever identity verification mode is adopted, the identity information of the client is transmitted in one direction and authenticated in one direction, so this verification mode is exposed to the risk of man-in-the-middle data tampering, resulting in data leakage.
In this regard, one of the key points of the embodiments of the present invention is that, before the client and the server establish data communication, the server first authenticates the identity of the client and issues a corresponding client certificate, which the client receives and stores locally; this realizes authentication of the client by the server. When data communication needs to be established, the client sends the client certificate and the corresponding certificate information to the server for identity authentication, and after the client is successfully authenticated the corresponding data communication connection is established. Since bidirectional transmission exists between the client and the server, the client certificate associated with the client's identity information is thus transmitted in both the "server to client" and "client to server" directions, bidirectional identity authentication of the data transmission is realized, the authentication mode can be flexibly configured, and the applicability of identity authentication is improved.
Specifically, referring to fig. 1, a step flow chart of an embodiment of a data communication method of the present invention is shown, and specifically may include the following steps:
step 101, a client responds to an identity verification operation and sends an identity verification request to a server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the server performs identity verification on the client;
In the embodiment of the present invention, the client may be an application program running on a user terminal, such as a lifestyle application, an instant messaging application, a game application or a payment application; here the client is exemplified by an instant messaging application. A bidirectional encrypted channel may be established between the client and the server through mutual TLS (mTLS) to implement bidirectional transmission of data, so in the present application bidirectional identity verification may be performed on the client certificate associated with the identity of the client on the basis of bidirectional transmission between the client and the server. It should be understood that the present invention is not limited in this respect.
When the client triggers the authentication operation, an authentication request may be sent to the server, where the authentication request may include certificate information, where the certificate information may include information corresponding to a client certificate issued after the server performs authentication on the client. Each user account logged in the client can correspond to one client certificate, so that the client certificate has uniqueness; the certificate information may be relevant identification information of the client certificate, etc.
In a specific implementation, before a client can use a client certificate it must pass identity authentication by the server, and before that identity authentication the client may first perform device verification of the terminal device to which it belongs. Specifically, the client responds to a device verification operation by acquiring the device verification information corresponding to that operation and sending it to the server; if the server detects that the device verification information is the same as the preset verification information, the terminal to which the client belongs is treated as a trusted terminal; if the server detects that the device verification information differs from the preset verification information, related risk information is prompted.
The device verification information may include SMS (short message) verification, verification-code verification, user biometric verification and the like, and the preset verification information may be information set according to the verification type, for example an SMS verification code, a graphic verification code or a numeric verification code received by the terminal, or fingerprint information and iris features stored locally or on the server side. Thus, when a user logs in to a user account in the client, the client may first perform a device verification operation, and after verification succeeds the terminal to which the client belongs is treated as a trusted terminal so that the corresponding service operation can be performed. For example, when a user wants to log in to an account, the application may request SMS verification to check whether the terminal is a trusted terminal: the terminal receives the corresponding SMS verification code, the user enters it into the application, and the application sends it to the server for verification; if it is the same as the verification code in the SMS sent by the server, the terminal is determined to be a trusted terminal, and if it differs, verification failure is prompted and re-verification is required. In this way whether the terminal is a trusted terminal can be verified through the device verification operation, which provides the trust-chain basis for identity verification.
After the client has successfully verified the terminal to which it belongs, it may respond to a client verification operation by sending an identity authentication request to the server; the identity authentication request may include the device verification information and the device fingerprint information of the trusted terminal. The server responds to the identity authentication request by using the device verification information and the device fingerprint information to authenticate the client, generates a client certificate for the client, records the issuing user identifier corresponding to the client certificate, and then issues the client certificate to the corresponding client, which receives it and stores it locally in encrypted form.
After the client determines that the terminal to which it belongs is a trusted terminal, it may thus further perform a client verification operation and send an identity authentication request to the server, and the server verifies the identity of the client and issues the corresponding client certificate. The device fingerprint information may include a unique identifier of the client, a MAC address, a WIFI list, an IDFA (Identifier for Advertisers), an IMEI (International Mobile Equipment Identity) and the like. After receiving the device verification information and the device fingerprint information, the server may authenticate the client based on them, generate a client certificate and record the issuing user identifier corresponding to that certificate, where the issuing user identifier may be the user identifier corresponding to the account logged in to the client, so as to ensure the uniqueness of the client certificate. After receiving the client certificate, the client may encrypt it and then store it locally so as to protect the certificate.
In an example, referring to fig. 2, a schematic flow chart of certificate issuance provided in the embodiment of the present invention is shown. A corresponding client runs in a terminal, and the client and the server may determine whether the terminal to which the client belongs is a trusted terminal based on SMS verification, thereby implementing security verification of the device. When the terminal is a trusted terminal, the client may initiate an identity authentication request to the server so that the server authenticates the client. Specifically, a security risk-control system may run in the server; after it receives the SMS verification information and the device fingerprint information sent by the client, it may first judge whether the SMS verification information is the verification information corresponding to the device verification process, and if so, issue the corresponding client certificate based on the device fingerprint information, record the corresponding issuing user identifier, and then deliver the client certificate to the client. After the client receives the client certificate, it may encrypt it locally and store it in PKCS#12 (P12) format. The client is thus authenticated by the server, two-way authentication between the client and the server is realized, and the security of data transmission is ensured.
It should be noted that, in the embodiment of the present invention, the short message authentication is taken as an example for illustration, it is to be understood that the device authentication may also include fingerprint authentication, iris authentication, and the like, which is not limited in this aspect of the present invention.
After the client stores the corresponding client certificate, when the user performs corresponding service operation, the client can trigger corresponding authentication operation, send certificate information corresponding to the client certificate to the server to realize authentication, and allow the user to perform corresponding service operation, such as instant messaging, page access, online payment and the like after the server successfully authenticates the client.
Step 102, the server performs security verification on the client certificate according to the certificate information, and generates a verification result for the client;
In the embodiment of the invention, the certificate information may comprise a certificate identifier corresponding to the client certificate and the user identifier currently in use by the client (the using user identifier). The server may first acquire the issuing user identifier corresponding to the certificate identifier and then compare it with the using user identifier; if the issuing user identifier is the same as the using user identifier, the server generates a trusted verification result for the client; if the issuing user identifier differs from the using user identifier, the server generates an untrusted verification result for the client.
The using user identifier may be the identifier corresponding to the user account currently logged in on the client; the certificate identifier may be the serial number of the client certificate, and different client certificates correspond to different serial numbers. When verifying the identity of the client certificate, the server may look up, by the certificate identifier, the issuing user identifier recorded when the certificate was issued, compare it with the using user identifier and judge whether the two are the same; if so, the client is judged to be trusted, and if not, the client is judged not to be trusted and a corresponding risk prompt is given. In this way two-way authentication between the client and the server is realized by verifying the certificate, and the security of data transmission is ensured.
Alternatively, a validity period may be set for the client certificate when it is issued, and when the identity of the client is verified, the state of the client may be determined by judging whether the validity period of the client certificate has expired, in addition to comparing the user identifiers.
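The server-side record-and-compare logic of steps 101 and 102 (issuing user identifier recorded at issuance, looked up by certificate identifier and compared with the using user identifier, plus the optional validity period), written here as an added example that is not code from the patent. It assumes the certificate is represented only by its serial number and the server keeps an in-memory registry; a real deployment would present an X.509 client certificate over mTLS and back the registry with a database.

```python
"""Server-side issuance record and step-102 verification of a client certificate.

Added example, not code from the patent. Assumptions: the certificate is
represented only by its serial number (the "certificate identifier") and the
server keeps an in-memory registry; in a real deployment the certificate would
be an X.509 client certificate presented over mTLS and the registry a database.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple
import secrets


@dataclass(frozen=True)
class IssuedCertificate:
    serial: str              # certificate identifier the client later sends back
    issuing_user_id: str     # user logged in at issuance ("issuing user identifier")
    device_fingerprint: str  # fingerprint of the trusted terminal at issuance
    not_after: datetime      # validity period set at issuance


class CertificateRegistry:
    """Records every issued client certificate, keyed by serial number."""

    def __init__(self, validity: timedelta = timedelta(days=30)) -> None:
        self._by_serial: Dict[str, IssuedCertificate] = {}
        self._revoked: Set[str] = set()
        self._validity = validity

    def issue(self, user_id: str, device_fingerprint: str,
              now: Optional[datetime] = None) -> IssuedCertificate:
        """Issue a certificate once device and identity authentication succeeded.

        The serial is random (not sequential) so it cannot be guessed, and the
        user id logged in at issuance is recorded so later use is tied to it.
        """
        now = now or datetime.now(timezone.utc)
        cert = IssuedCertificate(
            serial=secrets.token_hex(16),
            issuing_user_id=user_id,
            device_fingerprint=device_fingerprint,
            not_after=now + self._validity,
        )
        self._by_serial[cert.serial] = cert
        return cert

    def revoke(self, serial: str) -> None:
        """Log off (cancel) a certificate, e.g. after risk monitoring flags the client."""
        self._revoked.add(serial)

    def verify(self, serial: str, using_user_id: str,
               now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Step 102: look up the issuing user id by serial and compare it with
        the user id currently in use; also enforce expiry and revocation.

        Returns (trusted, reason). Every failure path is 'untrusted', so the
        server raises a risk prompt rather than opening the connection.
        """
        now = now or datetime.now(timezone.utc)
        cert = self._by_serial.get(serial)
        if cert is None:
            return False, "unknown certificate identifier"
        if serial in self._revoked:
            return False, "certificate revoked"
        if now > cert.not_after:
            return False, "certificate expired"
        # Constant-time comparison so timing does not reveal a partial match.
        if not secrets.compare_digest(cert.issuing_user_id, using_user_id):
            return False, "using user id differs from issuing user id"
        return True, "trusted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walks issue -> verify -> revoke with constructed (not real) inputs."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    reg = CertificateRegistry(validity=timedelta(days=1))
    cert = reg.issue("user-42", "fp-constructed-abc", now=t0)
    results = {
        "same_user": reg.verify(cert.serial, "user-42", now=t0),
        "other_user": reg.verify(cert.serial, "user-99", now=t0),
        "expired": reg.verify(cert.serial, "user-42", now=t0 + timedelta(days=2)),
        "unknown": reg.verify("deadbeef", "user-42", now=t0),
    }
    reg.revoke(cert.serial)
    results["revoked"] = reg.verify(cert.serial, "user-42", now=t0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```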
Step 103, if the verification result is that the client is trusted, the server establishes data communication with the client.
After the authentication of the client by the server is finished, a corresponding authentication result can be generated and sent to the client, and if the authentication result is trusted by the client, the server can establish data communication with the client so that the client can perform related business operation; if the verification result is that the client is not trusted, the client can carry out corresponding risk prompt, such as prompt verification failure, prompt re-verification and the like, so that the two-way identity authentication of data transmission between the client and the server can be realized in a certificate verification mode, the authentication mode can be flexibly configured, and the applicability of the identity authentication is improved.
In addition, the server can issue the corresponding client certificate and manage the client certificate so as to improve the security of certificate management. Specifically, after establishing a data communication connection with the client, the server may determine configuration parameters corresponding to the client, and determine an operation state of the client according to the configuration parameters; if the configuration parameters represent that the running state of the client is a normal state, the server keeps the client certificate valid; if the configuration parameters represent that the running state of the client is abnormal, the server side logs off the client certificate. The configuration parameters at least comprise one of interface access parameters, device parameters and user parameters.
Specifically, the server side can extract the access frequency of the client interface from the interface access parameters, and if the access frequency of the corresponding interface is greater than or equal to a preset threshold value, the server side can judge that the interface access is abnormal and perform corresponding risk prompt; the device authority state can be extracted from the device parameters, whether the terminal of the client is cracked or not is judged, if the terminal is in the cracked state, the device is judged to be abnormal, and the corresponding client certificate is cancelled; the device identification can be extracted from the device parameters, whether the terminal of the client is matched with the device identification or not is judged, if not, the device is judged to be abnormal, and secondary verification is prompted; the server can also acquire the corresponding user identifier from the user parameters and judge whether the user identifier is effective, specifically, the server can be connected with the corresponding user management system, the user identifier is stored in the user management system, and the effectiveness of the user identifier is classified, so that whether the client is abnormal or not can be judged by judging whether the user identifier is effective or not, the effectiveness of the client certificate is maintained, and the safety of the client certificate management is improved.
In an example, referring to fig. 3, a schematic diagram of certificate management provided in an embodiment of the present invention is shown. Two-way mTLS verification may be started between the client and the server. After the client verifies that the terminal is a trusted terminal and obtains the corresponding client certificate, it may white-box encrypt the client certificate locally. Through the load balancing of the server-side nginx proxy, security risk control management of certificate verification is started in the client and the corresponding configuration parameters are transmitted to the server; for example, information such as device fingerprint information and the certificate may be sent to the server in a header such as x-key, and identity verification and risk monitoring of the client may be performed by a security risk control management system. During risk monitoring, the security risk control management may identify the running state of the client from the configuration parameters and determine the risk level corresponding to that state, for example determining whether the user identifier is valid from the user identifier, the usage state of an interface from the interface configuration parameters, and the state of the device from the device parameters.
After determining the running state of the client, the security risk control management can determine the corresponding risk level, such as low risk, medium risk, or high risk. For example, if the user identifier is invalid, the client can be judged to be high risk; if the interface configuration parameters indicate that an interface is used frequently, the client can be judged to be high risk; if the device parameters indicate that the device differs from the device to which the client belongs, the client can be judged to be medium risk; and if no abnormality is found, the client can be judged to be low risk. Low risk requires no processing, medium risk prompts secondary verification, and high risk is handled by revoking the certificate, so that the security of data transmission is ensured: on the one hand, bidirectional identity verification between the client and the server is realized by means of certificates, and on the other hand, the security of certificate management is improved by monitoring the client.
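As an added illustration of the risk control described above (example code written for this page, not part of the patent or the applicant's implementation), the following Go program computes the interface access frequency over a sliding window, applies the rules for the user identifier, interface access, cracked terminal and device identifier, and maps the resulting risk level to the action taken on the client certificate. The field names, the threshold of 50 calls per minute and the sample clients are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ConfigParams is the set of parameters the server examines for one client.
// Field names are assumptions for this example; the patent names only the
// three groups (interface access, device, and user parameters).
type ConfigParams struct {
	AccessTimes      []time.Time // timestamps of calls to one interface (interface access parameters)
	DeviceCracked    bool        // device authority state: the terminal is cracked
	ReportedDeviceID string      // device identifier reported by the client
	BoundDeviceID    string      // device the client belongs to
	UserIDValid      bool        // validity as answered by the user management system
}

type RiskLevel int

const (
	LowRisk RiskLevel = iota
	MediumRisk
	HighRisk
)

func (l RiskLevel) String() string { return [...]string{"low", "medium", "high"}[l] }

// Action is what risk control does with the client certificate at each level.
type Action string

const (
	NoAction              Action = "no processing"
	SecondaryVerification Action = "prompt secondary verification"
	RevokeCertificate     Action = "revoke client certificate"
)

// Assumed preset values: the access-frequency threshold and the window it is measured over.
const (
	accessThreshold = 50
	accessWindow    = time.Minute
)

// AccessFrequency counts calls to the interface within the window ending at now.
func AccessFrequency(times []time.Time, now time.Time) int {
	n := 0
	for _, t := range times {
		if !t.After(now) && now.Sub(t) < accessWindow {
			n++
		}
	}
	return n
}

// Evaluate applies the rules of the description: an invalid user identifier,
// an interface used at or above the threshold, or a cracked terminal is high
// risk; a device identifier that differs from the bound device is medium risk;
// nothing found is low risk. The highest triggered level wins; every reason is kept.
func Evaluate(p ConfigParams, now time.Time) (RiskLevel, []string) {
	level, reasons := LowRisk, []string{}
	raise := func(to RiskLevel, why string) {
		reasons = append(reasons, why)
		if to > level {
			level = to
		}
	}
	if !p.UserIDValid {
		raise(HighRisk, "user identifier invalid")
	}
	if f := AccessFrequency(p.AccessTimes, now); f >= accessThreshold {
		raise(HighRisk, fmt.Sprintf("interface accessed %d times in %s (threshold %d)", f, accessWindow, accessThreshold))
	}
	if p.DeviceCracked {
		raise(HighRisk, "terminal is in cracked state")
	}
	if p.ReportedDeviceID != p.BoundDeviceID {
		raise(MediumRisk, "device identifier does not match the client's device")
	}
	return level, reasons
}

// ActionFor maps a risk level to the handling described in the patent.
func ActionFor(level RiskLevel) Action {
	switch level {
	case HighRisk:
		return RevokeCertificate
	case MediumRisk:
		return SecondaryVerification
	default:
		return NoAction
	}
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	burst := make([]time.Time, 60) // constructed: 60 calls in the last 30 s
	for i := range burst {
		burst[i] = now.Add(-time.Duration(i) * 500 * time.Millisecond)
	}
	clients := map[string]ConfigParams{ // constructed sample clients
		"normal":   {AccessTimes: burst[:5], ReportedDeviceID: "dev-1", BoundDeviceID: "dev-1", UserIDValid: true},
		"moved":    {ReportedDeviceID: "dev-2", BoundDeviceID: "dev-1", UserIDValid: true},
		"scraping": {AccessTimes: burst, ReportedDeviceID: "dev-1", BoundDeviceID: "dev-1", UserIDValid: true},
	}
	for name, p := range clients {
		level, reasons := Evaluate(p, now)
		fmt.Printf("%-9s risk=%-6s action=%q reasons=%v\n", name, level, ActionFor(level), reasons)
	}
}
```

Keeping every triggered reason, rather than only the highest level, matters for the audit log the server records: an operator reviewing a revocation needs to see which rule fired, and a client that trips several rules at once is more suspicious than one that trips a single rule.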
In addition, the clients may include a general client and a management client, and different rights may be configured for different clients according to the logged-in user account. Both the general client and the management client have rights to use basic functions; the difference is that the management client also has rights to manage the general client, for example to obtain the configuration parameters of the general client and to manage its usage rights. In an example, the configuration parameters of the general client may be monitored by the management client: if the user to which the management client belongs finds that the general client may be abnormal, the management client may obtain the configuration parameters of the general client and send them to the server, and the server performs risk control management to determine whether the general client is in an abnormal state, so as to ensure the security of data. In another example, a security detection mechanism may be configured in the general client; when a possible abnormality is detected during use of the client, the general client may obtain the corresponding configuration parameters and send them to the server, and the server performs risk control management to determine whether the general client is in an abnormal state, so as to ensure the security of data. The above steps may be implemented separately or in combination, which is not limited by the present invention.
It should be noted that the embodiments of the present invention include, but are not limited to, the foregoing examples, and it will be understood that those skilled in the art may also set the embodiments according to actual needs under the guidance of the present invention, and the present invention is not limited thereto.
In the embodiment of the invention, in the process of establishing data communication between a client and a server, when the client responds to an authentication operation it can send an authentication request to the server. The authentication request includes at least certificate information, and the certificate information includes information corresponding to a client certificate issued by the server after the client passed identity authentication. The server can then perform security verification on the client certificate according to the certificate information and generate a verification result for the client; if the verification result is that the client is trusted, the server establishes data communication with the client. In this way, the client certificate associated with the client identity information is transmitted in both directions between the client and the server and checked by certificate verification, so that bidirectional identity authentication of data transmission is realized, the authentication mode can be flexibly configured, and the applicability of the authentication is improved.
In order to enable a person skilled in the art to better understand the technical solutions of the embodiments of the present invention, the following explanation is given by way of an example.
Referring to fig. 4, a schematic diagram of data processing provided in an embodiment of the present invention is shown. The client may run on the user side and may apply to the server for client certificate authentication through a certificate acquisition interface; after authentication succeeds, it acquires the client certificate issued by the server, and may then encrypt the client certificate with its own root certificate and store the encrypted client certificate locally.
mTLS bidirectional authentication can be started between the client and the server through a URI (Uniform Resource Identifier), so that bidirectional identity authentication between the client and the server is realized by means of certificates.
For the server, the server may hold a server certificate so that the client can perform identity verification on the server, and the server may perform security risk control, including certificate issuance, certificate audit, and certificate management, by using Nginx to pass information such as the client certificate through a proxy header. For certificate issuance, the server may issue an intermediate certificate according to the request message transmitted by the client and use the intermediate certificate as the client certificate; specifically, the server may use an offline root certificate to issue the intermediate certificate, store the intermediate certificate as the client certificate, and issue it to the corresponding client. For certificate audit, the server can record a certificate revocation log, a certificate issuance log, and the like. For certificate management, the server may perform query management, revocation management, and the like of the corresponding client certificate.
By means of certificate verification, bidirectional identity authentication of data transmission between the client and the server can be achieved, the authentication mode can be flexibly configured, and applicability of the identity authentication is improved.
Referring to fig. 5, a flowchart illustrating steps of an embodiment of a data communication method of the present invention, applied to a client, may specifically include the following steps:
step 501, in response to detecting an authentication operation, sending an authentication request to a server, where the authentication request includes at least credential information, where the credential information includes information corresponding to a client credential issued after the server performs authentication on the client;
step 502, receiving a verification result for the client certificate;
and step 503, if the verification result is that the client is trusted, establishing data communication with the server.
In an optional embodiment of the invention, before the sending of the authentication request to the server in response to detecting the authentication operation, the method further comprises:
and responding to the detection of the equipment verification operation, acquiring equipment verification information corresponding to the equipment verification operation, and sending the equipment verification information to a server side so as to verify whether the user terminal to which the client belongs is a trusted terminal.
In an optional embodiment of the present invention, after the terminal to which the client belongs is used as a trusted terminal, the method further includes:
if the user terminal is a trusted terminal, an identity authentication request is sent to a server in response to detection of a client authentication operation, wherein the identity authentication request comprises the equipment authentication information and equipment fingerprint information of the trusted terminal;
and receiving a client certificate aiming at the identity authentication request, and storing the client certificate, wherein the client certificate is generated according to the equipment verification information and the equipment fingerprint information.
In the embodiment of the invention, in the process of establishing data communication between the client and the server, when the client responds to the authentication operation it can send an authentication request to the server. The authentication request can include at least certificate information, and the certificate information includes information corresponding to a client certificate issued after the client passed identity authentication. The server can then perform security verification on the client certificate according to the certificate information and generate a verification result for the client; if the verification result is that the client is trusted, the server establishes data communication with the client. In this way, the client certificate associated with the client identity information is carried in both directions, server to client and client to server, and checked by certificate verification, so that bidirectional identity authentication of data transmission is realized, the authentication mode can be flexibly configured, and the applicability of the authentication is improved.
Referring to fig. 6, a flowchart illustrating steps of an embodiment of a data communication method of the present invention, applied to a server, may specifically include the following steps:
step 601, acquiring an authentication request sent by a client, wherein the authentication request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the client is subjected to identity authentication by the server;
step 602, performing security verification on the client certificate according to the certificate information, and generating a verification result for the client;
and step 603, if the verification result is that the client is trusted, establishing data communication with the client.
In an optional embodiment of the present invention, the security verifying the client certificate according to the certificate information, generating a verification result for the client, includes:
acquiring an issuing user identifier corresponding to the certificate identifier, and comparing the issuing user identifier with the using user identifier;
if the issuing user identification is the same as the using user identification, generating a trusted verification result aiming at the client, and sending the trusted verification result to the client;
If the issuing user identification is different from the using user identification, generating an untrusted verification result aiming at the client, and sending the untrusted verification result to the client.
In an optional embodiment of the present invention, before the obtaining the authentication request sent by the client, the method further includes:
acquiring equipment verification information sent by the client;
and if the equipment verification information is the same as the preset verification information, taking the user terminal to which the client belongs as a trusted terminal.
In an optional embodiment of the present invention, after the user terminal to which the client belongs is used as a trusted terminal, the method further includes:
acquiring an identity authentication request, wherein the identity authentication request comprises the equipment authentication information and the equipment fingerprint information of the trusted terminal;
and carrying out identity authentication on the client by adopting the equipment verification information and the equipment fingerprint information, generating a client certificate aiming at the client, and recording an issuing user identifier corresponding to the client certificate.
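The issuance and verification flow of steps 601 to 603, the comparison of the issuing user identifier with the using user identifier in the first optional embodiment above, and the device verification and certificate generation of the last two optional embodiments can be shown together in one Go program. This is example code added to this page, not the patent's or the applicant's implementation: it signs client certificates directly with a self-signed root that stands in for the offline root (the patent's intermediate certificate is folded into that single level), carries a hash of the device verification information and device fingerprint in the certificate's OU field, and keeps the issuing log and revocation list in memory. All names and values, including the preset verification value and the user identifiers, are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Registry is the server side of the scheme: the signing key and certificate
// (a stand-in for the offline root), the preset device verification value the
// terminal must present, the issuing log (serial -> issuing user identifier)
// and the set of revoked serials.
type Registry struct {
	key      *ecdsa.PrivateKey
	cert     *x509.Certificate
	roots    *x509.CertPool
	preset   string
	issuedTo map[string]string
	revoked  map[string]bool
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewRegistry creates a self-signed root; presetVerification is constructed for the example.
func NewRegistry(presetVerification string) *Registry {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Registry{key, cert, pool, presetVerification, map[string]string{}, map[string]bool{}}
}

// IssueClientCert: the terminal counts as trusted only if its device verification
// information equals the preset value. The certificate binds a hash of that
// information and the device fingerprint (carried in the OU field, an assumption
// of this example), and the issuing user identifier is recorded in the log.
func (r *Registry) IssueClientCert(userID, deviceVerification, fingerprint string, pub *ecdsa.PublicKey) ([]byte, error) {
	if deviceVerification != r.preset {
		return nil, fmt.Errorf("device verification failed: terminal is not trusted")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	binding := sha256.Sum256([]byte(deviceVerification + "|" + fingerprint))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: userID, OrganizationalUnit: []string{fmt.Sprintf("%x", binding)}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.cert, pub, r.key)
	if err != nil {
		return nil, err
	}
	r.issuedTo[serial.Text(16)] = userID // issuing log entry
	return der, nil
}

// Revoke is the certificate cancellation risk control applies to a high-risk client.
func (r *Registry) Revoke(certDER []byte) {
	cert, err := x509.ParseCertificate(certDER)
	must(err)
	r.revoked[cert.SerialNumber.Text(16)] = true
}

// VerifyClient: the presented certificate must chain to the root, must not be
// revoked, and its logged issuing user must equal the using user identifier in
// the request. An identifier mismatch is an untrusted result, not an error.
func (r *Registry) VerifyClient(certDER []byte, usingUserID string) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	opts := x509.VerifyOptions{Roots: r.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false, err
	}
	serial := cert.SerialNumber.Text(16)
	if r.revoked[serial] {
		return false, fmt.Errorf("certificate %s has been revoked", serial)
	}
	issuingUser, ok := r.issuedTo[serial]
	if !ok {
		return false, fmt.Errorf("certificate %s is not in the issuing log", serial)
	}
	return issuingUser == usingUserID, nil
}

// Scenario issues one certificate and reports the three verification outcomes:
// same user (trusted), different user (untrusted), after revocation (rejected).
func Scenario() (sameUser, otherUser, revokedRejected bool) {
	reg := NewRegistry("preset-device-verification")
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	der, err := reg.IssueClientCert("user-42", "preset-device-verification", "fp-constructed-001", &clientKey.PublicKey)
	must(err)
	sameUser, err = reg.VerifyClient(der, "user-42")
	must(err)
	otherUser, err = reg.VerifyClient(der, "user-99")
	must(err)
	reg.Revoke(der)
	_, err = reg.VerifyClient(der, "user-42")
	revokedRejected = err != nil
	return
}

func main() {
	same, other, rev := Scenario()
	fmt.Printf("same user trusted=%v  other user trusted=%v  revoked rejected=%v\n", same, other, rev)
}
```

The chain check and the issuing-log lookup are deliberately separate: a certificate that validates cryptographically but whose serial is absent from the log (or whose logged user differs from the user presenting it) is still untrusted, which is the check steps 177 to 179 describe. In a deployment the log and revocation set would live in the server's certificate store rather than in memory.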
In an alternative embodiment of the present invention, further comprising:
acquiring configuration parameters corresponding to the client, and judging the running state of the client according to the configuration parameters;
If the configuration parameters represent that the running state of the client is a normal state, the client certificate is kept valid;
if the configuration parameters represent that the running state of the client is abnormal, the client certificate is revoked;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.
In the embodiment of the invention, in the process of establishing data communication between the client and the server, when the client responds to the authentication operation it can send an authentication request to the server. The authentication request can include certificate information, and the certificate information includes information corresponding to a client certificate issued after the client passed identity authentication. The server can then perform security verification on the client certificate according to the certificate information and generate a verification result for the client; if the verification result is that the client is trusted, the server establishes data communication with the client. In this way, the client certificate associated with the client identity information is carried in both directions between the client and the server and checked by certificate verification, so that bidirectional identity authentication of data transmission is realized, the authentication mode can be flexibly configured, and the applicability of the identity authentication is improved.
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 7, there is shown a block diagram of an embodiment of a data communication system of the present invention, where the data communication system includes a client and a server, and the data communication system may specifically include:
an authentication request sending module 701 located at the client, configured to send an authentication request to a server in response to an authentication operation, where the authentication request includes at least credential information, where the credential information includes information corresponding to a client credential issued after the server performs authentication on the client and passes the authentication;
the verification result generating module 702 located at the server is configured to perform security verification on the client certificate according to the certificate information, and generate a verification result for the client;
And the data communication module 703 is located at the server, and is configured to establish data communication between the server and the client if the verification result is that the client is trusted.
In an optional embodiment of the present invention, the certificate information includes a certificate identifier corresponding to the client certificate and a user identifier of the client, and the verification result generating module 702 is specifically configured to:
acquiring an issuing user identifier corresponding to the certificate identifier, and comparing the issuing user identifier with the using user identifier;
if the issuing user identification is the same as the using user identification, generating a trusted verification result aiming at the client;
and if the issuing user identification is different from the using user identification, generating an untrusted verification result aiming at the client.
In an alternative embodiment of the invention, the system further comprises:
the device verification information acquisition module is positioned at the client and used for responding to the device verification operation, acquiring the device verification information corresponding to the device verification operation and transmitting the device verification information to the server;
and the equipment verification module is positioned at the server and is used for taking the terminal to which the client belongs as a trusted terminal if the equipment verification information is the same as the preset verification information.
In an alternative embodiment of the invention, the system further comprises:
the identity authentication request sending module is positioned at the client and used for responding to the client verification operation and sending an identity authentication request to a server, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
the client certificate generation module is positioned at the server and is used for carrying out identity authentication on the client by adopting the equipment verification information and the equipment fingerprint information, generating a client certificate aiming at the client and recording an issuing user identifier corresponding to the client certificate;
and the client certificate receiving module is positioned at the client and used for receiving the client certificate sent by the server.
In an alternative embodiment of the present invention, further comprising:
the operation scene determining module is positioned at the server and is used for acquiring configuration parameters corresponding to the client, judging the operation state of the client according to the configuration parameters and acquiring an operation scene corresponding to the client;
the certificate holding module is located at the server and is used for keeping the client certificate valid if the configuration parameters represent that the running state of the client is a normal state;
The certificate cancellation module is located at the server and is used for canceling the client certificate if the configuration parameters represent that the running state of the client is abnormal;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.
Referring to fig. 8, a block diagram of an embodiment of a data communication apparatus of the present invention is shown, and the data communication apparatus is applied to a client, and may specifically include the following modules:
an authentication request sending module 801, configured to send an authentication request to a server in response to detection of an authentication operation, where the authentication request includes at least credential information, where the credential information includes information corresponding to a client credential issued after the server performs authentication on the client;
a verification result receiving module 802, configured to receive a verification result for the client certificate;
and the data communication module 803 is configured to establish data communication with the server if the verification result is that the client is trusted.
In an alternative embodiment of the invention, the apparatus further comprises:
the device verification information acquisition module is used for responding to detection of device verification operation, acquiring device verification information corresponding to the device verification operation, and sending the device verification information to the server side so as to verify whether the user terminal to which the client side belongs is a trusted terminal or not.
In an alternative embodiment of the invention, the apparatus further comprises:
the identity authentication request sending module is used for responding to detection of a client authentication operation if the user terminal is a trusted terminal and sending an identity authentication request to a server, wherein the identity authentication request comprises the equipment authentication information and the equipment fingerprint information of the trusted terminal;
and the client certificate processing module is used for receiving a client certificate aiming at the identity authentication request and storing the client certificate, wherein the client certificate is generated according to the equipment verification information and the equipment fingerprint information.
Referring to fig. 9, a block diagram of an embodiment of a data communication apparatus of the present invention is shown, and the block diagram is applied to a server, and may specifically include the following modules:
the authentication request acquisition module 901 is configured to acquire an authentication request sent by a client, where the authentication request at least includes certificate information, and the certificate information includes information corresponding to a client certificate issued after the server performs identity authentication on the client;
a verification result generation module 902, configured to perform security verification on the client certificate according to the certificate information, and generate a verification result for the client;
And the data communication module 903 is configured to establish data communication with the client if the verification result is that the client is trusted.
In an optional embodiment of the present invention, the certificate information includes a certificate identifier corresponding to the client certificate and a user identifier of the client, and the verification result generating module 902 is specifically configured to:
acquiring an issuing user identifier corresponding to the certificate identifier, and comparing the issuing user identifier with the using user identifier;
if the issuing user identification is the same as the using user identification, generating a trusted verification result aiming at the client, and sending the trusted verification result to the client;
if the issuing user identification is different from the using user identification, generating an untrusted verification result aiming at the client, and sending the untrusted verification result to the client.
In an alternative embodiment of the invention, the apparatus further comprises:
the device verification information acquisition module is used for acquiring the device verification information sent by the client;
and the terminal judging module is used for taking the user terminal to which the client belongs as a trusted terminal if the equipment verification information is the same as the preset verification information.
In an alternative embodiment of the invention, the apparatus further comprises:
the identity authentication request acquisition module is used for acquiring an identity authentication request, wherein the identity authentication request comprises the equipment authentication information and the equipment fingerprint information of the trusted terminal;
and the client certificate processing module is used for carrying out identity authentication on the client by adopting the equipment verification information and the equipment fingerprint information, generating a client certificate aiming at the client, and recording an issuing user identifier corresponding to the client certificate.
In an alternative embodiment of the present invention, further comprising:
the operation scene acquisition module is used for acquiring configuration parameters corresponding to the client, judging the operation state of the client according to the configuration parameters and acquiring an operation scene corresponding to the client;
the certificate holding module is used for holding the client certificate to be valid if the configuration parameters represent that the running state of the client is a normal state;
the certificate cancellation module is used for canceling the client certificate if the configuration parameters represent that the running state of the client is an abnormal state;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.
Since the above apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant details, refer to the description of the method embodiments.
In addition, the embodiment of the invention also provides an electronic device, as shown in fig. 10, which comprises a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, wherein the processor 1001, the communication interface 1002 and the memory 1003 complete communication with each other through the communication bus 1004,
a memory 1003 for storing a computer program;
the processor 1001 is configured to execute a program stored in the memory 1003, and implement the following steps:
the client responds to the identity verification operation and sends an identity verification request to a server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to a client certificate issued after the server performs identity verification on the client;
the server side carries out security verification on the client side certificate according to the certificate information, and generates a verification result aiming at the client side;
and if the verification result is that the client is trusted, the server establishes data communication with the client.
In an optional embodiment of the present invention, the certificate information includes a certificate identifier corresponding to the client certificate and a user identifier of the client, and the server performs security verification on the client certificate according to the certificate information, and generates a verification result for the client, including:
the server side obtains an issuing user identifier corresponding to the certificate identifier, and compares the issuing user identifier with the using user identifier;
if the issuing user identification is the same as the using user identification, the server generates a trusted verification result aiming at the client;
and if the issuing user identification is different from the using user identification, the server generates an untrusted verification result aiming at the client.
In an optional embodiment of the invention, before the client sends the authentication request to the server in response to the authentication operation, the method further includes:
the method comprises the steps that a client side responds to equipment verification operation, acquires equipment verification information corresponding to the equipment verification operation, and sends the equipment verification information to a server side;
and if the server detects that the equipment verification information is the same as the preset verification information, the terminal to which the client belongs is used as a trusted terminal.
In an optional embodiment of the invention, after the terminal to which the client belongs is taken as a trusted terminal, the method further includes:
the client responds to the client verification operation and sends an identity authentication request to a server, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
the server side adopts the equipment verification information and the equipment fingerprint information to carry out identity authentication on the client side, generates a client side certificate aiming at the client side, and records an issuing user identifier corresponding to the client side certificate;
and the client receives the client certificate sent by the server.
In an alternative embodiment of the present invention, further comprising:
the server side obtains configuration parameters corresponding to the client side and judges the running state of the client side according to the configuration parameters;
if the configuration parameters represent that the running state of the client is a normal state, the server keeps the client certificate valid;
if the configuration parameters represent that the running state of the client is abnormal, the server side logs off the client certificate;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.

The communication bus mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the terminal and other devices.
The memory may include random access memory (Random Access Memory, RAM) or non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer readable storage medium is provided, in which instructions are stored, which when run on a computer, cause the computer to perform the data communication method according to any of the above embodiments.
In yet another embodiment of the present invention, a computer program product comprising instructions which, when run on a computer, causes the computer to perform the data communication method of any of the above embodiments is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flow or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, the embodiments are described in a progressive manner: identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the others. In particular, the system embodiments are described only briefly because they are substantially similar to the method embodiments; for relevant details, refer to the corresponding part of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (9)

1. A method of data communication, comprising:
the method comprises the steps that a client side responds to equipment verification operation, acquires equipment verification information corresponding to the equipment verification operation, and sends the equipment verification information to a server side;
if the server detects that the equipment verification information is the same as the preset verification information, the terminal to which the client belongs is used as a trusted terminal;
the client responds to the client verification operation and sends an identity authentication request to the server, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
the server side adopts the equipment verification information and the equipment fingerprint information to carry out identity authentication on the client side, generates a client side certificate aiming at the client side, and records an issuing user identifier corresponding to the client side certificate;
the client receives a client certificate sent by the server;
the client responds to the authentication operation and sends an authentication request to the server, wherein the authentication request at least comprises certificate information, and the certificate information comprises information corresponding to the client certificate issued after the server performs authentication on the client;
the server side carries out security verification on the client side certificate according to the certificate information, and generates a verification result aiming at the client side;
and if the verification result is that the client is trusted, the server establishes data communication with the client.
2. The method according to claim 1, wherein the certificate information includes a certificate identifier corresponding to the client certificate and a user identifier of the client, and the server performs security verification on the client certificate according to the certificate information, and generates a verification result for the client, including:
the server side obtains an issuing user identifier corresponding to the certificate identifier, and compares the issuing user identifier with the using user identifier;
if the issuing user identification is the same as the using user identification, the server generates a trusted verification result aiming at the client;
and if the issuing user identification is different from the using user identification, the server generates an untrusted verification result aiming at the client.
3. The method as recited in claim 1, further comprising:
the server side obtains configuration parameters corresponding to the client side and judges the running state of the client side according to the configuration parameters;
if the configuration parameters represent that the running state of the client is a normal state, the server keeps the client certificate valid;
if the configuration parameters represent that the running state of the client is abnormal, the server side logs off the client certificate;
wherein the configuration parameters include at least one of interface access parameters, device parameters, and user parameters.
4. A method of data communication, for application to a client, the method comprising:
responding to equipment verification operation, acquiring equipment verification information corresponding to the equipment verification operation, and transmitting the equipment verification information to a server;
if the equipment verification information is the same as the preset verification information, the terminal to which the client belongs is a trusted terminal;
responding to a client verification operation, and sending an identity authentication request to the server, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
receiving a client certificate sent by the server;
in response to detection of the identity verification operation, sending an identity verification request to the server, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to the client certificate issued after the server performs identity verification on the client;
receiving a verification result for the client certificate;
and if the verification result is that the client is trusted, establishing data communication with a server.
5. A data communication method, applied to a server, the method comprising:
acquiring equipment verification information sent by a client, and taking a terminal to which the client belongs as a trusted terminal if the equipment verification information is detected to be the same as preset verification information;
acquiring an identity authentication request sent by the client, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
carrying out identity authentication on the client by adopting the equipment verification information and the equipment fingerprint information, generating a client certificate aiming at the client, and recording an issuing user identifier corresponding to the client certificate;
acquiring an identity verification request sent by the client, wherein the identity verification request at least comprises certificate information, and the certificate information comprises information corresponding to the client certificate issued after the client is subjected to identity authentication by the server;
performing security verification on the client certificate according to the certificate information, and generating a verification result aiming at the client;
and if the verification result is that the client is trusted, establishing data communication with the client.
6. A data communication apparatus for application to a client, the apparatus comprising:
the device verification information sending module is used for responding to device verification operation, obtaining device verification information corresponding to the device verification operation and sending the device verification information to the server;
the terminal verification result receiving module is used for judging that the terminal to which the client belongs is a trusted terminal if the equipment verification information is the same as the preset verification information;
the identity authentication request sending module is used for responding to the client authentication operation and sending an identity authentication request to the server, wherein the identity authentication request comprises the equipment authentication information and the equipment fingerprint information of the trusted terminal;
the client certificate receiving module is used for receiving the client certificate sent by the server;
the authentication request sending module is used for responding to the detection of the authentication operation and sending an authentication request to the server, wherein the authentication request at least comprises certificate information, and the certificate information comprises information corresponding to the client certificate issued after the server performs authentication on the client;
the verification result receiving module is used for receiving a verification result aiming at the client certificate;
and the data communication module is used for establishing data communication with the server if the verification result is that the client is trusted.
7. A data communication apparatus for use with a server, the apparatus comprising:
the device verification information acquisition module is used for acquiring device verification information sent by the client;
the terminal verification result generation module is used for taking the terminal to which the client belongs as a trusted terminal if the equipment verification information is detected to be the same as the preset verification information;
the identity authentication request acquisition module is used for acquiring an identity authentication request sent by the client, wherein the identity authentication request comprises the equipment verification information and the equipment fingerprint information of the trusted terminal;
the client certificate generation module is used for carrying out identity authentication on the client by adopting the equipment verification information and the equipment fingerprint information, generating a client certificate aiming at the client, and recording an issuing user identifier corresponding to the client certificate;
the authentication request acquisition module is used for acquiring an authentication request sent by the client, wherein the authentication request at least comprises certificate information, and the certificate information comprises information corresponding to the client certificate issued after the client passes the authentication by the server;
the verification result generation module is used for carrying out security verification on the client certificate according to the certificate information to generate a verification result aiming at the client;
and the data communication module is used for establishing data communication with the client if the verification result is that the client is trusted.
8. An electronic device, comprising:
one or more processors; and
one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the electronic device to perform the data communication method of any of claims 1-3 or 4 or 5.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores thereon a computer program, which when executed by a processor implements the data communication method according to any of claims 1-3 or 4 or 5.
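The server-side flow of claims 1-3 and 5 (device verification against preset information, certificate issuance with the issuing user identifier recorded, verification by comparing the issuing user identifier with the using user identifier, and revocation when the configuration parameters indicate an abnormal running state), as an added Python model. This is illustrative code written for this page, not code from the patent or from the assignee. It assumes that the client certificate is represented as a certificate identifier plus an HMAC tag under a server key (the patent does not specify a certificate format), that the trusted terminal is identified by its device fingerprint at the device-verification step, and that the preset verification information and the configuration-parameter thresholds are constructed sample values.

```python
"""Server-side model of certificate issuance, verification and revocation.
Added example; the certificate format, keys and thresholds are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values (not from the patent).
PRESET_VERIFICATION_INFO = "device-check-2021"
SERVER_KEY = b"example-server-key-do-not-reuse"

TRUSTED = "trusted"
UNTRUSTED = "untrusted"


@dataclass
class ClientCertificate:
    """Assumed certificate shape: identifier, bound fingerprint, integrity tag."""
    cert_id: str
    device_fingerprint: str
    tag: str  # HMAC over (cert_id, fingerprint); a forged or altered cert fails


@dataclass
class CertificateServer:
    preset_info: str = PRESET_VERIFICATION_INFO
    key: bytes = SERVER_KEY
    trusted_terminals: set = field(default_factory=set)   # fingerprints
    issuing_user: dict = field(default_factory=dict)      # cert_id -> issuing user id
    revoked: set = field(default_factory=set)             # logged-off cert_ids

    def _tag(self, cert_id: str, fingerprint: str) -> str:
        msg = f"{cert_id}|{fingerprint}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def verify_device(self, device_info: str, fingerprint: str) -> bool:
        """Claim 1: if device verification info equals the preset info,
        the terminal (identified here by its fingerprint) becomes trusted."""
        if hmac.compare_digest(device_info, self.preset_info):
            self.trusted_terminals.add(fingerprint)
            return True
        return False

    def issue_certificate(self, device_info: str, fingerprint: str, user_id: str):
        """Claim 1 / claim 5: authenticate with device info + fingerprint,
        issue a certificate and record the issuing user identifier."""
        if not hmac.compare_digest(device_info, self.preset_info):
            return None
        if fingerprint not in self.trusted_terminals:
            return None
        cert_id = secrets.token_hex(16)
        self.issuing_user[cert_id] = user_id
        return ClientCertificate(cert_id, fingerprint, self._tag(cert_id, fingerprint))

    def verify_certificate(self, cert: ClientCertificate, using_user_id: str) -> str:
        """Claim 2: trusted only if the recorded issuing user identifier equals
        the user identifier presented now (and the certificate is intact and not revoked)."""
        if cert.cert_id in self.revoked:
            return UNTRUSTED
        expected = self._tag(cert.cert_id, cert.device_fingerprint)
        if not hmac.compare_digest(expected, cert.tag):
            return UNTRUSTED
        issuer = self.issuing_user.get(cert.cert_id)
        if issuer is None or issuer != using_user_id:
            return UNTRUSTED
        return TRUSTED

    def update_running_state(self, cert: ClientCertificate, params: dict) -> str:
        """Claim 3: judge the running state from interface-access, device and
        user parameters; log off (revoke) the certificate when abnormal.
        The parameter names and thresholds are constructed for this example."""
        abnormal = (
            params.get("interface_access_rate", 0) > 100   # interface access parameter
            or params.get("device_rooted", False)          # device parameter
            or params.get("user_locked", False)            # user parameter
        )
        if abnormal:
            self.revoked.add(cert.cert_id)
        return "abnormal" if abnormal else "normal"


if __name__ == "__main__":
    srv = CertificateServer()
    srv.verify_device(PRESET_VERIFICATION_INFO, "fp-A")
    cert = srv.issue_certificate(PRESET_VERIFICATION_INFO, "fp-A", "alice")
    print(srv.verify_certificate(cert, "alice"), srv.verify_certificate(cert, "bob"))
    print(srv.update_running_state(cert, {"device_rooted": True}))
    print(srv.verify_certificate(cert, "alice"))
```

The point of claim 2 in this model is that the server, not the certificate, holds the binding between a certificate and the user it was issued to, so a certificate presented under a different user identifier is rejected even if it is otherwise intact; claim 3 adds a server-side lifecycle so that a certificate remains valid only while the server judges the client's running state normal. The HMAC tag is an addition beyond the claims, which say nothing about how the certificate itself is protected against tampering.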
CN202110832735.0A 2021-07-22 2021-07-22 Data communication method, device, electronic equipment and storage medium Active CN113672897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110832735.0A CN113672897B (en) 2021-07-22 2021-07-22 Data communication method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113672897A CN113672897A (en) 2021-11-19
CN113672897B (en) 2024-03-08

Family

ID=78540128

Country Status (1)

Country Link
CN (1) CN113672897B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124572B (en) * 2021-12-07 2023-06-27 建信金融科技有限责任公司 Data transmission method, device, equipment and medium based on unidirectional network
CN114785522A (en) * 2022-04-25 2022-07-22 浙江吉利控股集团有限公司 Internet of vehicles information security authentication method, system, terminal and storage medium
CN115834245A (en) * 2023-01-05 2023-03-21 卓望数码技术(深圳)有限公司 Security authentication method, system, equipment and storage medium
CN116055769B (en) * 2023-03-31 2023-08-04 深圳市东信时代信息技术有限公司 CID advertisement early warning method, apparatus, computer device and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014000281A1 (en) * 2012-06-29 2014-01-03 华为技术有限公司 Identity authentication method and device
CA2826126A1 (en) * 2012-09-11 2014-03-11 Blackberry Limited Systems, devices and methods for authorizing endpoints of a push pathway
CN206726219U (en) * 2017-02-23 2017-12-08 天津市科迪信息技术有限责任公司 A communication system based on fingerprint recognition
CN109409041A (en) * 2018-09-04 2019-03-01 航天信息股份有限公司 A server-side security authentication method and system based on multi-certificate application
CN110213246A (en) * 2019-05-16 2019-09-06 南瑞集团有限公司 A wide-area multi-factor identity authentication system
CN110380852A (en) * 2019-07-22 2019-10-25 中国联合网络通信集团有限公司 Mutual authentication method and communication system
CN111414599A (en) * 2020-02-26 2020-07-14 北京奇艺世纪科技有限公司 Identity authentication method, device, terminal, server and readable storage medium
CN112019493A (en) * 2019-05-31 2020-12-01 北京京东尚科信息技术有限公司 Identity authentication method, identity authentication device, computer device, and medium
CN112511505A (en) * 2020-11-16 2021-03-16 北京中关村银行股份有限公司 Authentication system, method, device, equipment and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on the Security Evaluation of Mobile Banking Clients; 刘青 (Liu Qing); 信息通信 (Information & Communications); 2018-06-15 (06); full text *

Also Published As

Publication number Publication date
CN113672897A (en) 2021-11-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant