CN114282237A - Communication method, device, equipment and storage medium - Google Patents

Info

Publication number: CN114282237A
Authority: CN (China)
Prior art keywords: service; certificate; service provider; certification information; communication
Legal status: Granted
Application number: CN202111570982.4A
Other languages: Chinese (zh)
Other versions: CN114282237B (en)
Inventor: 曹京奇
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd

Abstract

The disclosure provides a communication method, a communication device, communication equipment and a storage medium, relates to the technical field of blockchains, and can be used for cloud computing or cloud services. The specific implementation scheme is as follows: when a service communication requirement exists, a connection request is initiated to a service providing end; a secure channel is established with the service provider based on a first signature certificate fed back by the service provider in response to the connection request; first certification information of the service provider, sent by the service provider through the secure channel, is received, the first certification information being generated based on the first signature certificate; and the authenticity of the service provider is verified according to the root certificate, the first certification information and the first signature certificate, with service communication with the service provider carried out only if the verification passes. According to the technology disclosed by the invention, a credible and safe channel can be established between the service demand end and the service providing end, and the safety of the communication process is greatly ensured.

Description

Communication method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular to blockchain technology, which can be used for cloud computing or cloud services, and more specifically to a communication method, apparatus, device, and storage medium.
Background
With the development and increasing openness of internet technology, data privacy becomes more and more important. In order to improve the security of the private data processing process, the private data is generally processed based on trusted computing and strictly according to a predetermined processing logic, so that the private data and the computing logic cannot be illegally read and damaged by anyone.
Current trusted computing technology is usually implemented based on Intel SGX (Intel Software Guard Extensions) technology. An enclave program can be developed based on the Intel SGX technology.
Further, to be suitable for a wider range of scenarios, the enclave program is usually run in the remote server, which means that the service demand side needs to communicate with the enclave program running in the remote server, and how to ensure the communication security is important.
Disclosure of Invention
The disclosure provides a communication method, apparatus, device and storage medium.
According to an aspect of the present disclosure, there is provided a communication method including:
when the service communication requirement exists, a connection request is initiated to a service providing end;
establishing a secure channel with the service provider based on a first signature certificate fed back by the service provider in response to the connection request;
receiving first certification information of the service provider sent by the service provider through the secure channel; the first attestation information is generated based on the first signed certificate;
and verifying the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carrying out service communication with the service provider under the condition that the verification is passed.
According to another aspect of the present disclosure, there is provided a communication method including:
responding to a connection request of a service demand end, and acquiring a first signature certificate of a service provider associated with the connection request;
establishing a secure channel with the service demand side based on the first signature certificate;
sending first certification information of the service provider to the service demand side through the secure channel, so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and performs service communication with the service provider under the condition that the verification is passed; the first certification information is generated based on the first signed certificate.
According to another aspect of the present disclosure, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a method of communication according to any embodiment of the present disclosure.
According to another aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a communication method according to any one of the embodiments of the present disclosure.
According to the technology disclosed by the invention, a credible and safe channel can be established between the service demand end and the service providing end, the safety of the communication process is greatly ensured, and the privacy of communication data is further ensured.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
fig. 1 is a flow chart of a communication method provided according to an embodiment of the present disclosure;
fig. 2 is a flow chart of another communication method provided in accordance with an embodiment of the present disclosure;
fig. 3 is a flow chart of yet another communication method provided in accordance with an embodiment of the present disclosure;
fig. 4 is a flow chart of yet another communication method provided in accordance with an embodiment of the present disclosure;
fig. 5 is a flow chart of yet another communication method provided in accordance with an embodiment of the present disclosure;
fig. 6A is a signaling diagram of a communication method provided in accordance with an embodiment of the present disclosure;
fig. 6B is a signaling diagram of yet another communication method provided in accordance with an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a communication device provided in accordance with an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of another communication device provided according to an embodiment of the present disclosure;
fig. 9 is a block diagram of an electronic device for implementing the communication method of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Trusted computing is a technology promoted and developed by the Trusted Computing Group (TCG). It is a trusted computing platform widely used in computing and communication systems and based on the support of a hardware security module, so as to improve the security of the whole system. Based on trusted computing, computation can be carried out strictly according to preset processing logic, so that protected private data and computing logic cannot be illegally read or damaged by anyone, and computation over the data is achieved while the privacy of the data is protected.
At present, the trusted computing technology is relatively mature, trusted computing is realized based on CPU (Central Processing Unit) hardware, and in the field of cloud services or cloud computing, Intel SGX technology (hereinafter referred to as SGX technology for short) is typically adopted to realize general trusted computing.
An enclave program can be developed based on the Intel SGX technology. Because the integrity, security and so on of an enclave program developed based on the Intel SGX technology are protected at the hardware level by the CPU, and remote verification of the authenticity of the enclave program is supported, a program whose execution process needs to be protected can be developed as an enclave program.
Further, to be suitable for a wider range of scenarios, the enclave program is usually run in the remote server, which means that the service demand side needs to communicate with the enclave program running in the remote server, and how to ensure the communication security is important. Based on this, the present disclosure provides a new communication method.
Fig. 1 is a flowchart of a communication method according to an embodiment of the present disclosure, which is applicable to the situation of how to secure communication. The whole communication method is executed by the service demand side and the service providing side in cooperation with each other. The service provider is an end capable of providing a service, and may preferably be an enclave program end; the service demand side is a side that needs to communicate with the service provider side to request the service provider side to provide the relevant business service, and may be a client side or another enclave program side.
The communication method provided by the embodiment can be applied to a service demand side. The method may be performed by a communication device, which may be implemented in software and/or hardware, and may be integrated in an electronic device. Optionally, the electronic device of this embodiment may be a computing device carrying a blockchain node. As shown in fig. 1, the communication method of the present embodiment may include:
S101, when the service communication requirement exists, a connection request is sent to a service providing end.
In this embodiment, the requirement for service communication is a requirement for service communication with the service provider. Optionally, there may be many ways to determine that there is a service communication requirement, which is not limited in this embodiment. For example, if the current time is monitored to meet a set service communication period, determining that a service communication requirement exists; for another example, if a service request initiated by a user is received, it is determined that a service communication requirement exists.
The connection request is a request initiated by the service demand side and used for establishing communication connection with the service provider side.
Optionally, when the service demand side determines that there is a service communication demand, the service demand side may determine, according to the service type, the service provider side it needs to interact with, and initiate a connection request to that service provider side. Further, the service demand side may initiate the connection request to the service provider side based on a set communication protocol. Since the Transport Layer Security (TLS) protocol is used to provide confidentiality and data integrity between two communicating applications, in this embodiment the service demander can initiate a connection request, i.e., a TLS connection request, to the service provider based on the TLS protocol. The TLS connection request is a request instructing the service provider to establish a communication connection with the service demand side based on the TLS protocol.
S102, establishing a secure channel with the service provider based on the first signature certificate fed back by the service provider responding to the connection request.
In this embodiment, the first signed certificate is a certificate that the service provider side feeds back to the service demand side after receiving the connection request sent by the service demand side, so as to represent the identity of the service provider side. Optionally, the first signing certificate and the connection request have a one-to-one correspondence, that is, the first signing certificate adopted by the service provider is different each time the service provider responds to a connection request. This has the advantage that reuse of certificates, and thus of the certification information generated on the basis of the certificates, can be avoided, so that the probability of falsification of the certification information is reduced.
Further, the first signed certificate may be issued by a Certificate Authority (CA) center, or may be a self-signed certificate generated by the service provider based on a self-signing tool (such as the openssl tool). Since it is generally difficult for a CA center to generate a new certificate for each connection request, the first signed certificate in this embodiment is preferably a self-signed certificate of the service provider.
Further, the service provider may generate a first signing certificate based on the self-signing tool after receiving the connection request. Or after the service provider finishes the service communication with the service demand side every time, deleting the first signature certificate used for responding the connection request, and regenerating a new first signature certificate for the next use; further, the first signed certificate may also be pre-generated before the service provider receives the connection request.
The secure channel is a channel used for communication between the service demand side and the service provider side and cannot be intercepted by any third party. Optionally, the secure channel in this embodiment has a one-to-one correspondence with the first signature certificate. That is, different first signed certificates correspond to different secure channels.
In one implementation manner, the service demander may establish a secure channel with the service provider by using the remote attestation method provided by Intel SGX, based on the first signed certificate.
In another possible implementation manner, in the case that the connection request is a TLS connection request, the service provider may feed back the first signature certificate to the service demander based on the TLS protocol. Furthermore, the service demand side can complete TLS handshake connection with the service provider side according to the TLS protocol specification based on the first signature certificate, and thus a secure channel is established between the service demand side and the service provider side.
Optionally, the service demand side completes the TLS handshake with the service provider side according to the TLS protocol specification based on the first signature certificate as follows: the service demand side verifies the first signature certificate and, if the first signature certificate passes verification, acquires a first public key from it; the service demand side generates a random character string (a first random character string), encrypts the first random character string with the acquired first public key, and sends the encrypted character string to the service provider; the service provider decrypts the encrypted character string using the first private key corresponding to the first public key to obtain the first random character string; then both the service demand side and the service provider side use the same algorithm to generate the same session key from the second random character string in the TLS connection request, the third random character string corresponding to the first signature certificate, and the first random character string; finally the service demand end and the service providing end send each other completion information, and the TLS handshake is complete.
The first public key and the first private key are an asymmetric key pair, and may specifically be keys used for generating the first signature certificate. And the third random character string corresponding to the first signature certificate is the random character string carried by the service provider when the service provider sends the first signature certificate to the service demand side.
S103, receiving first certification information of the service provider sent by the service provider through a secure channel.
In this embodiment, the first certification information is information provided by the service provider to the service demander and used for certifying the authenticity of the service provider. The first certification information and the first signature certificate have a one-to-one correspondence; optionally, the first certification information is generated based on the first signed certificate. Specifically, a hash operation is performed on the first signature certificate to obtain a first certificate hash, and the first certification information is generated according to the first certificate hash. Generating the first certification information according to the first certificate hash may be, for example, generating the first certification information from the first certificate hash by means of the remote attestation technology of Intel SGX. Further, the first certification information includes the first certificate hash.
Specifically, after a secure channel is established between the service demand side and the service provider side, the service provider side can send the first certification information to the service demand side through the established secure channel, and then the service demand side can receive the first certification information sent by the service provider side through the secure channel.
And S104, verifying the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carrying out service communication with the service provider under the condition that the verification is passed.
In this embodiment, the root certificate is a certificate that is trusted by both the service requiring side and the service providing side, specifically, the root certificate may be a certificate issued by an organization trusted by both the service requiring side and the service providing side, for example, a root certificate published by Intel.
Optionally, the authenticity of the service provider may be verified according to the root certificate, the first certification information, and the first signature certificate based on a preset verification logic. For example, the root certificate may be used to verify the first certification information, and the first signature certificate may be verified based on the first certification information, so as to determine the authenticity of the service provider based on the verification results of the root certificate and the first signature certificate. For another example, the root certificate, the first certification information, the first signature certificate, and the like may be input to a pre-trained verification model, and the authenticity of the service provider may be determined according to an output result of the verification model.
For example, if the verification passes, it indicates that the service provider connected to the service demander is authentic, so that the service demander can perform subsequent service communication with the service provider through the secure channel.
Further, if the verification fails, it indicates that the service provider connected to the service demander is not authentic (i.e., false), and the service demander may actively disconnect from the service provider.
According to the technical scheme provided by this embodiment of the disclosure, a secure channel is established with the service provider based on the first signature certificate the service provider feeds back in response to the connection request; after the first certification information of the service provider is received through the secure channel, the authenticity of the service provider is verified according to the root certificate, the first certification information and the first signature certificate, and service communication with the service provider is carried out only if the verification passes. In this scheme, the first certification information is transmitted over the secure channel between the service provider and the service demand side, so the safety of the first certification information of the service provider is ensured; at the same time, because the authenticity of the service provider is verified only after the first certification information is known to be safe, the reliability of the verification result can be ensured, and the credibility of the connected service provider is further ensured once the verification passes. In addition, the scheme can establish a trusted and safe channel between the service demand side and the service providing side, greatly ensures the safety of the communication process, and further ensures the privacy of communication data.
Fig. 2 is a flowchart of another communication method provided according to an embodiment of the present disclosure, and this embodiment provides an alternative way to verify the authenticity of the service provider based on the above embodiment. As shown in fig. 2, the communication method of the present embodiment may include:
S201, when the service communication requirement exists, a connection request is sent to a service providing end.
S202, establishing a secure channel with the service provider based on the first signature certificate fed back by the service provider in response to the connection request.
S203, receiving the first certification information of the service provider sent by the service provider through the secure channel.
Optionally, the first certification information is generated based on the first signed certificate.
S204, verifying the first certification information by adopting the root certificate. If the verification is passed, executing S205; if the verification is not passed, S208 is performed.
Optionally, the first certification information includes a signature made with the private key of the root certificate; the public key of the root certificate can then be used to verify the signature in the first certification information, and the verification result of the first certification information is determined according to the signature verification result. For example, if the signature verification passes, the verification result of the first certification information is determined to be "verification passed"; otherwise, the verification result of the first certification information is determined to be "verification failed".
S205, extracting the first certificate hash from the first certification information, and performing consistency comparison on the extracted first certificate hash and the certificate hash obtained by performing hash operation on the first signature certificate to obtain a consistency comparison result.
Optionally, in a case that the verification of the first certification information passes, in order to ensure that the first certification information is sent by the currently connected service provider, the first certificate hash may be extracted from the first certification information; and performing hash operation on the first signature certificate by adopting a hash algorithm the same as that of the service provider, and performing consistency comparison on the certificate hash obtained by operation and the extracted first certificate hash to obtain a consistency comparison result.
In this embodiment, the consistency comparison result may be divided into two types, one type is consistency, that is, the certificate hash obtained by the operation is the same as the extracted first certificate hash; the other is inconsistency, i.e. the computed certificate hash is not the same as the extracted first certificate hash.
And S206, determining the authenticity of the service provider according to the consistency comparison result.
Optionally, if the consistency comparison result is consistent, determining that the service provider is real; and if the consistency comparison result is inconsistent, determining that the service provider is not authentic.
And S207, carrying out service communication with the service provider under the condition that the service provider is determined to be real.
And S208, disconnecting the service provider.
Optionally, the service requiring end may actively disconnect from the service providing end in a case that the verification of the first certification information is not passed.
It should be noted that, in the present embodiment, the first certification information is verified first, so that the authenticity of the first certification information can be ensured; under the condition that the first certification information passes the verification, the sender of the first certification information is ensured to be the same as the service provider connected currently by introducing certificate hash comparison, namely the sender of the first certification information is the same as the service provider establishing the secure channel. Namely, the authenticity of the service providing end is verified in a two-layer progressive mode, and the accuracy of the verification result is greatly guaranteed.
According to the technical scheme provided by this embodiment of the disclosure, a secure channel is established with the service provider based on the first signature certificate the service provider feeds back in response to the connection request; after the first certification information of the service provider is received through the secure channel, it is verified with the root certificate; if that verification passes, the authenticity of the service provider is determined by the certificate hash comparison, and service communication is carried out once the service provider is determined to be authentic. In this scheme, the authenticity of the service provider is verified in a two-level progressive mode by combining the root certificate, the first certification information and the first signature certificate, and the accuracy of the authenticity verification result of the service provider is greatly guaranteed.
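The two-level check of S204 to S206 (and the verification step S104 it refines), as an added example that is not part of the patent or any Baidu code: a per-connection self-signed certificate is generated, the "first certification information" is modelled as the SHA-256 hash of that certificate signed by a key the demander trusts through the root certificate, and the demander first verifies the signature with the root public key and then compares the embedded hash with the hash of the certificate actually presented on the channel. The Ed25519 root key, the AttestationInfo structure and the function names are assumptions standing in for the SGX quote format and Intel root certificate, which are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AttestationInfo is a constructed stand-in for the "first certification
// information": the hash of the provider's first signed certificate, signed by
// the key behind the root certificate. The real SGX quote is not modelled.
type AttestationInfo struct {
	CertHash  []byte // SHA-256 over the DER-encoded first signed certificate
	Signature []byte // Ed25519 signature over CertHash by the root key
}

// NewSelfSignedCert plays the provider's self-signing tool: a fresh key pair and
// a fresh self-signed certificate for each connection request (S102).
func NewSelfSignedCert() (certDER []byte, priv ed25519.PrivateKey, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "enclave-service-provider"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return certDER, priv, err
}

// Attest plays the provider side of S103: hash the certificate and have the root
// key sign the hash (rootPriv stands in for the attestation authority).
func Attest(certDER []byte, rootPriv ed25519.PrivateKey) AttestationInfo {
	h := sha256.Sum256(certDER)
	return AttestationInfo{CertHash: h[:], Signature: ed25519.Sign(rootPriv, h[:])}
}

var (
	ErrAttestationSignature = errors.New("S204: attestation signature does not verify under the root key")
	ErrCertHashMismatch     = errors.New("S205: certificate hash mismatch, attestation is not for this channel")
)

// Verify is the demander's two-level check (S204 to S206):
//  1. the root public key must verify the signature, so the attestation is authentic;
//  2. the hash inside the attestation must equal the hash of the certificate that was
//     presented on this secure channel, so the attestation was produced for this
//     provider and not replayed from a different connection.
func Verify(rootPub ed25519.PublicKey, info AttestationInfo, presentedCertDER []byte) error {
	if !ed25519.Verify(rootPub, info.CertHash, info.Signature) {
		return ErrAttestationSignature
	}
	h := sha256.Sum256(presentedCertDER)
	if !bytes.Equal(h[:], info.CertHash) {
		return ErrCertHashMismatch
	}
	return nil
}

// Scenario runs three constructed cases and returns the verifier's verdict for each:
// the genuine provider, an attestation replayed over another provider's channel, and
// an attestation whose hash was altered after signing.
func Scenario() (genuine, replayed, tampered error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed root key pair
	certA, _, _ := NewSelfSignedCert()                       // connection 1's certificate
	certB, _, _ := NewSelfSignedCert()                       // connection 2's certificate
	infoA := Attest(certA, rootPriv)

	forged := infoA
	hb := sha256.Sum256(certB)
	forged.CertHash = hb[:] // hash swapped, but the signature still covers certA's hash

	return Verify(rootPub, infoA, certA), Verify(rootPub, infoA, certB), Verify(rootPub, forged, certB)
}

func main() {
	genuine, replayed, tampered := Scenario()
	fmt.Println("genuine provider:", genuine)
	fmt.Println("replayed attestation:", replayed)
	fmt.Println("tampered attestation:", tampered)
}
```

The ordering matters: the hash comparison is only meaningful once the signature check has shown the hash field itself is authentic, which is the "two-level progressive" point the embodiment makes.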
Optionally, on the basis of any of the above embodiments, when the service demander is another enclave program, the communication between the service demander and the service provider is substantially the communication between two enclave programs. To ensure security, when two enclave programs communicate, mutual authentication is required. That is, not only the service demander needs to verify the authenticity of the service provider, but also the service provider needs to verify the authenticity of the service demander.
Further, similar to the process of verifying the authenticity of the service provider by the service requirement side, in order to enable the service provider to verify the authenticity of the service requirement side, the service requirement side needs to provide the service provider with its self-signed certificate (i.e., the second signed certificate) and the corresponding certification information.
The service demand side may provide the second signing certificate to the service provider side after acquiring the first signing certificate of the service provider side; for another example, to reduce the number of interactions, the service requiring end may carry the second signing certificate in the connection request, so as to provide the second signing certificate to the service providing end.
In one implementation manner, sending the connection request to the service provider may include: generating a second signed certificate of the service demander; and initiating a connection request that includes the second signature certificate to the service provider based on the Transport Layer Security protocol.
In this embodiment, the second signing certificates also correspond one to one with the connection requests, that is, the second signing certificate carried in the connection request sent by the service demand side to the service provider side is different each time. This has the advantage that reuse of certificates, and thus of the certification information generated on the basis of the certificates, can be avoided, so that the probability of falsification of the certification information is reduced.
Further, the second signed certificate may be issued by a CA center, or may be a self-signed certificate generated by the service demander based on a self-signing tool (such as the openssl tool). Since it is generally difficult for a CA center to generate a new certificate for each connection request, the second signed certificate in this embodiment is preferably a self-signed certificate of the service demand side.
Specifically, the service requirement side may generate a second signature certificate based on the self-signature tool, generate a connection request based on the second signature certificate according to the TLS protocol specification, and send the generated connection request to the service provider side.
It can be understood that the present embodiment provides data support for secure and trusted communication between two enclave programs.
It should be noted that "first" and "second" in the present disclosure are used only for distinction and do not limit the number or order of the items.
Fig. 3 is a flowchart of another communication method provided according to an embodiment of the present disclosure, where the embodiment is further optimized in the case that the service demand side is another enclave program side based on the foregoing embodiment. As shown in fig. 3, the communication method of the present embodiment may include:
S301, when the service communication requirement exists, a connection request is sent to the service providing terminal.
Optionally, the connection request may include the second signed certificate of the service requirement side.
S302, establishing a secure channel with the service provider based on the first signature certificate fed back by the service provider in response to the connection request.
Optionally, in the case that the connection request includes the second signed certificate of the service demand side, a secure channel may be established with the service provider side based on the first signed certificate and the second signed certificate. That is, the secure channel has a one-to-one correspondence with the first signed certificate and also has a one-to-one correspondence with the second signed certificate.
S303, receiving the first certification information of the service provider sent by the service provider through the secure channel.
Optionally, the first certification information is generated based on the first signed certificate.
S304, verifying the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate.
S305, under the condition that the service provider is verified to be passed, sending second certification information of the service demand side to the service provider through the secure channel, so that the service provider verifies the authenticity of the service demand side according to the root certificate, the second certification information and the second signature certificate.
In this embodiment, the second certification information is information provided by the service demand side to the service provider side and used for certifying the authenticity of the service demand side. The second certification information and the second signature certificate have a one-to-one correspondence relationship; optionally, the second certification information is generated based on the second signed certificate; further, the second certification information may be generated based on a second certificate hash. Specifically, the hash operation is performed on the second signed certificate to obtain a second certificate hash; and the second certification information is generated according to the second certificate hash.
In an implementation manner, a hash operation may be performed on the second signed certificate to obtain a second certificate hash; a second certification acquisition request including the second certificate hash is sent to the verification server to request the verification server to generate second certification information of the service demand side according to the second certificate hash; and the second certification information fed back by the verification server is acquired. Wherein the second certification information includes the second certificate hash.
In this embodiment, the verification server is a server provided by the Intel SGX-based remote attestation technology. The second certification acquisition request is a request sent by the service demand side to the verification server and is used for acquiring the second certification information.
Specifically, a hash operation is performed on the second signature certificate to obtain a second certificate hash; a second certification acquisition request including the second certificate hash is generated and sent to the verification server; the verification server generates second certification information based on the second certificate hash according to its certification generation logic and feeds it back; and the service demand side obtains the second certification information fed back by the verification server.
It can be understood that, in the present embodiment, the second certification information is generated by the verification server, so that the reliability of the second certification information can be ensured.
Optionally, the service requiring end may actively disconnect from the service providing end in the case that the verification on the service providing end is not passed.
Optionally, when the service provider passes the verification, the second certification information of the service requirement end may be sent to the service provider through the secure channel, and the service provider verifies the authenticity of the service requirement end according to the root certificate, the second certification information, and the second signature certificate. For example, the service provider may verify the second certification information using the root certificate; and under the condition that the verification of the second certification information is passed, extracting the second certificate hash from the second certification information, and performing consistency comparison on the extracted second certificate hash and the certificate hash obtained by performing hash operation on the second signature certificate, so as to determine the authenticity of the service demand side according to the consistency comparison result.
And S306, under the condition that the service providing end passes the verification of the service demand end, carrying out service communication with the service providing end.
In this embodiment, there are various ways of determining that the verification result of the service providing end for the service requiring end is "verification passed". For example, as in the verification of the service provider by the service demander, if the service provider determines that the service demander is not authentic, it actively disconnects from the service demander; the service demander sends the second certification information to the service provider, waits for a set duration, and if it detects that the connection with the service provider still exists, determines that it has passed the verification of the service provider. For another example, the service provider may send a communication start notification to the service demander when it determines that the service demander is authentic; then, if the service demander receives the communication start notification from the service provider, it determines that it has passed the verification of the service provider.
Further, under the condition that the service providing end is confirmed to pass the verification of the service demand end, subsequent business communication is carried out with the service providing end.
According to the technical scheme provided by the embodiment of the disclosure, a secure channel is established with the service provider based on the first signature certificate fed back by the service provider in response to the connection request, and after first certification information of the service provider is received through the secure channel, the authenticity of the service provider is verified according to the root certificate, the first certification information and the first signature certificate; under the condition that the service provider passes the verification, second certification information of the service demand side is sent to the service provider through the secure channel, and the service provider verifies the authenticity of the service demand side by combining the root certificate, the second certification information and the second signature certificate; and then, under the condition that the service demand end passes the verification of the service providing end, service communication is carried out with the service providing end. According to the scheme, the safety of communication between the service providing terminal and the service demand terminal is greatly guaranteed by introducing a mutual authentication process between the service providing terminal and the service demand terminal.
Fig. 4 is a flowchart of another communication method provided according to an embodiment of the present disclosure, which is applicable to the case of how to ensure communication security. The whole set of communication methods can be executed by the service demand side and the service providing side in cooperation with each other. The communication method provided by this embodiment can be applied to a service provider. The service provider is an end capable of providing a service, and may preferably be an enclave program end. The method may be performed by a communication device, which may be implemented in software and/or hardware, and may be integrated in an electronic device. Optionally, the electronic device of this embodiment may be a computing device carrying a blockchain node. As shown in fig. 4, the communication method of the present embodiment may include:
S401, responding to the connection request of the service demand side, and acquiring a first signature certificate of the service provider side related to the connection request.
Optionally, when the service demand side determines that there is a service communication demand, the service demand side may determine, according to the service type, a service provider side that needs to interact, and initiate a connection request to the service provider side. Further, the service requirement terminal may initiate a connection request, i.e. a TLS connection request, to the service provider terminal based on the TLS protocol.
And the service provider acquires the connection request initiated by the service demand side and gives a response. Specifically, after acquiring the connection request of the service demand side, the service provider may generate the first signing certificate based on the self-signing tool, or may acquire a pre-generated self-signing certificate and use the acquired self-signing certificate as the first signing certificate responding to the connection request.
S402, establishing a secure channel with the service demand side based on the first signature certificate.
In an implementation manner, in a case that the connection request is a TLS connection request, the service provider may complete a TLS handshake with the service demander based on the first signature certificate, so that a secure channel is established between the service demander and the service provider.
Optionally, the secure channel in this embodiment has a one-to-one correspondence with the first signature certificate. That is, different first signed certificates correspond to different secure channels.
And S403, sending the first certification information of the service provider to the service demand side through the secure channel, so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and performs service communication with the service provider under the condition that the verification is passed.
The first certification information is generated based on the first signed certificate; further, the first certification information may be generated based on a first certificate hash.
Specifically, after a secure channel is established between a service demand side and a service provider side, the service provider side can send first certification information to the service demand side through the established secure channel; and the service demand side verifies the authenticity of the service provider side according to the root certificate, the first certification information and the first signature certificate, and performs service communication with the service provider side under the condition that the verification is passed. For example, the service demander may verify the first certification information by using a root certificate; and under the condition that the verification of the first certification information is passed, extracting the first certificate hash from the first certification information, performing consistency comparison on the extracted first certificate hash and the certificate hash obtained by performing hash operation on the first signature certificate, and further determining the authenticity of the service provider according to the consistency comparison result. Further, if the consistency comparison result is consistent, it indicates that the service provider is real, and the service demand side can perform service communication with the service provider.
According to the technical scheme provided by the embodiment of the disclosure, after a connection request of a service demand end is received, a secure channel is established with the service demand end based on the first signature certificate responding to the connection request, and first certification information is sent to the service demand end through the secure channel; the service demand end verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carries out business communication with the service provider under the condition that the verification of the service provider is passed. According to the scheme, the first certification information is transmitted over the secure channel between the service provider and the service demand side, so that the safety of the first certification information of the service provider is ensured; meanwhile, the authenticity of the service provider is verified under the condition that the first certification information is ensured to be safe, so the reliability of the verification result can be ensured, and the credibility of the connected service provider is further ensured under the condition that the verification is passed. In addition, the scheme can establish a trusted and safe channel between the service demand side and the service providing side, greatly ensures the safety of the communication process, and further ensures the privacy of communication data.
The method can further include, for example, on the basis of the foregoing embodiments: performing a hash operation on the first signature certificate to obtain a first certificate hash; sending a first certification acquisition request including the first certificate hash to a verification server to request the verification server to generate first certification information of the service provider according to the first certificate hash; and acquiring the first certification information fed back by the verification server. In this embodiment, the first certification acquisition request is a request sent by the service provider to the verification server, and is used to acquire the first certification information.
Specifically, a hash operation is performed on the first signature certificate to obtain a first certificate hash; a first certification acquisition request including the first certificate hash is generated and sent to the verification server; the verification server generates first certification information based on the first certificate hash according to its certification generation logic and feeds it back; and the service providing end obtains the first certification information fed back by the verification server.
It can be understood that, in the present embodiment, by generating the first certification information by means of the verification server, the reliability of the first certification information can be ensured.
For example, when the service demander is another enclave program, the service demander may carry the second signing certificate in the connection request, so as to provide the second signing certificate to the service provider. Namely, the connection request is a connection request that the service demand side initiates to the service provider side based on the transport layer security protocol and that includes the second signature certificate of the service demand side.
It can be understood that the present embodiment provides data support for secure and trusted communication between two enclave programs.
Further, when the connection request includes the second signed certificate of the service demander, establishing the secure channel with the service demander based on the first signed certificate may also be: and establishing a secure channel with the service demand side based on the first signature certificate and the second signature certificate.
Specifically, the service demand side and the service provider side complete TLS handshake connection based on the first signature certificate and the second signature certificate, so as to establish a secure channel between the service demand side and the service provider side. Namely, the secure channel has a one-to-one correspondence with the first signature certificate and also has a one-to-one correspondence with the second signature certificate.
It can be understood that, in this embodiment, the secure channel is bound to the first signature certificate and the second signature certificate, which lays a foundation for further verifying the service demand side and the service provider side based on the certificate hash.
Fig. 5 is a flowchart of another communication method provided according to an embodiment of the present disclosure, where the present embodiment adds a process of verifying the authenticity of the service demander in a case that the service demander is another enclave program. As shown in fig. 5, the communication method of the present embodiment may include:
S501, responding to a connection request of a service demand end, and acquiring a first signature certificate of a service provider associated with the connection request.
S502, a secure channel is established with the service demand side based on the first signature certificate.
S503, sending the first certification information of the service provider to the service demander through the secure channel, so that the service demander verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and sends the second certification information of the service demander to the service provider under the condition that the verification is passed.
The second certification information is generated based on the second signed certificate.
S504, second certification information of the service demand side, which is sent by the service demand side, is received through the secure channel.
Optionally, the service requiring end may actively disconnect from the service providing end in the case that the verification on the service providing end is not passed.
Optionally, in the case that the verification of the service provider is passed, the service requirement side may send the second certification information of the service requirement side to the service provider through the secure channel; and the service provider can receive the second certification information of the service demand side, which is sent by the service demand side, through the secure channel.
And S505, verifying the authenticity of the service demand side according to the root certificate, the second certification information and the second signature certificate, and performing service communication with the service demand side under the condition that the verification is passed.
Specifically, the service provider may verify the second certification information by using the root certificate; and under the condition that the verification of the second certification information is passed, extracting the second certificate hash from the second certification information, and performing consistency comparison on the extracted second certificate hash and the certificate hash obtained by performing hash operation on the second signature certificate, so as to determine the authenticity of the service demand side according to the consistency comparison result.
Further, if the consistency comparison result is consistent, it indicates that the service demand side is real; if the consistency comparison result is inconsistent, the service demand side is not true.
For example, in the case that it is determined that the service demander is not authentic, the service provider may actively disconnect the service demander.
In an implementation manner, in a case that it is determined that the service demander is authentic, the service provider may send a communication start notification or the like to the service demander; then, if the service demander receives the communication start notification from the service provider, it determines that it has passed the verification of the service provider. At this time, the service demand side and the service providing side carry out subsequent service communication.
According to the technical scheme provided by the embodiment of the disclosure, after a connection request of a service demand end is received, a secure channel is established with the service demand end based on the first signature certificate responding to the connection request, and first certification information is sent to the service demand end through the secure channel; the service demand side verifies the authenticity of the service provider side according to the root certificate, the first certification information and the first signature certificate, and sends second certification information of the service demand side to the service provider side through the secure channel under the condition that the service provider side passes the verification; and the service providing end verifies the authenticity of the service demand end by combining the root certificate, the second certification information and the second signature certificate, and performs service communication with the service demand end under the condition that the verification of the service demand end is passed. According to the scheme, a mutual authentication process between the service providing terminal and the service demand terminal is introduced, so that the safety of communication between the service providing terminal and the service demand terminal is greatly guaranteed.
Illustratively, the present embodiment provides a preferred example based on the above-described embodiments. Specifically, referring to fig. 6A, in a case that the service demand side is the client side, a process of the service demand side and the service provider side cooperatively implementing the communication method specifically includes:
the service providing end performs a hash operation on the first signature certificate generated by the self-signature tool to obtain a first certificate hash, and sends a first certification acquisition request including the first certificate hash to the verification server to request the verification server to generate first certification information of the service providing end according to the first certificate hash; and acquires the first certification information fed back by the verification server. Wherein the first certification information includes the first certificate hash.
And when the service demand side has service communication demand, the service demand side initiates a TLS connection request to the service providing side.
The service provider responds to the TLS connection request of the service demander, acquires a first signature certificate of the service provider associated with the connection request, and may feed back the first signature certificate to the service demander.
Furthermore, the service demand side can complete TLS handshake connection with the service provider side based on the first signature certificate, so that a secure channel is established between the service demand side and the service provider side.
And the service providing end sends the first certification information of the service providing end to the service requiring end through the secure channel.
The service demand side receives first certification information of the service provider side, which is sent by the service provider side, through a secure channel; verifying the first certification information by adopting a root certificate; if the verification is passed, extracting a first certificate hash from the first certification information, and performing consistency comparison on the extracted first certificate hash and a certificate hash obtained by performing hash operation on the first signature certificate; if the consistency comparison result is consistent, determining that the service provider is real; and if the consistency comparison result is inconsistent, determining that the service provider is not authentic.
Further, the service demand side and the service provider side perform service communication under the condition that the service provider side is determined to be real.
Further, referring to fig. 6B, in a case that the service demand end is another enclave program end, a process of the service demand end and the service providing end cooperatively implementing the communication method is specifically as follows:
the service providing end performs a hash operation on the first signature certificate generated by the self-signature tool to obtain a first certificate hash, and sends a first certification acquisition request including the first certificate hash to the verification server to request the verification server to generate first certification information of the service providing end according to the first certificate hash; and acquires the first certification information fed back by the verification server. Wherein the first certification information includes the first certificate hash.
The service demand side performs a hash operation on the second signature certificate generated by the self-signature tool to obtain a second certificate hash, and sends a second certification acquisition request including the second certificate hash to the verification server to request the verification server to generate second certification information of the service demand side according to the second certificate hash; and acquires the second certification information fed back by the verification server. Wherein the second certification information includes the second certificate hash.
And when the service demand side has the service communication demand, initiating a TLS connection request comprising a second signature certificate to the service provider side.
The service provider responds to the TLS connection request of the service demander, acquires a first signature certificate of the service provider associated with the connection request, and may feed back the first signature certificate to the service demander.
Furthermore, the service demand side can complete TLS handshake connection with the service provider based on the first signature certificate and the second signature certificate, so that a secure channel is established between the service demand side and the service provider.
And the service providing end sends the first certification information of the service providing end to the service requiring end through the secure channel.
The service demand side receives first certification information of the service provider side, which is sent by the service provider side, through a secure channel; verifying the first certification information by adopting a root certificate; if the verification is passed, extracting a first certificate hash from the first certification information, and performing consistency comparison on the extracted first certificate hash and a certificate hash obtained by performing hash operation on the first signature certificate; if the consistency comparison result is consistent, determining that the service provider is real; and if the consistency comparison result is inconsistent, determining that the service provider is not authentic.
Further, under the condition that the service providing end is determined to be real, the service requiring end sends second certification information to the service providing end through the secure channel.
The service providing end receives second certification information of the service demand end sent by the service demand end through the safety channel; verifying the second certification information by adopting the root certificate; and under the condition that the verification of the second certification information is passed, extracting the second certificate hash from the second certification information, and performing consistency comparison on the extracted second certificate hash and the certificate hash obtained by performing hash operation on the second signature certificate, so as to determine the authenticity of the service demand side according to the consistency comparison result.
And the service demand end performs service communication with the service providing end under the condition that the service providing end is determined to pass the verification of the service demand end.
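The verification logic of figs. 6A and 6B (root check of the certification information, extraction of the certificate hash, consistency comparison with the hash of the channel certificate, and the order of the mutual checks) as an added Python model; this is illustrative code, not code from the patent. It assumes that the verification server's signature and the root certificate that checks it are modelled as an HMAC under a constructed key rather than as SGX quote verification, and that the self-signed certificates are constructed byte strings rather than X.509 certificates.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the root certificate (assumption). In the patent the
# certification information issued by the verification server is checked with
# the root certificate; here a shared key and an HMAC play the role of the
# verification server's signature and of the root certificate that verifies it.
ROOT_KEY = b"constructed-root-key-for-illustration-only"


def cert_hash(signed_cert: bytes) -> str:
    """The hash operation on a signed certificate -> certificate hash (hex SHA-256)."""
    return hashlib.sha256(signed_cert).hexdigest()


def generate_self_signed_cert(subject: str) -> bytes:
    """Constructed stand-in for the self-signed certificate generated per connection.

    A real enclave would build an X.509 certificate with a fresh key pair (e.g.
    with openssl); here the bytes only need to be unique per connection so that
    the one-to-one binding between certificate and secure channel holds.
    """
    return f"CERT:{subject}:{secrets.token_hex(16)}".encode()


def verification_server_issue(certificate_hash: str, enclave_id: str) -> dict:
    """Verification server: generate certification information from a certificate hash.

    The returned structure carries the certificate hash, as the patent requires,
    plus an authenticator computed under ROOT_KEY (assumption, see above).
    """
    body = {"enclave": enclave_id, "cert_hash": certificate_hash}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ROOT_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_peer(certification_info: dict, channel_cert: bytes) -> bool:
    """Verify a peer in the order the patent describes.

    1. verify the certification information with the root certificate (ROOT_KEY);
    2. only if that passes, extract the certificate hash from it;
    3. compare it for consistency with the hash of the signed certificate the
       peer presented when the secure channel was established.
    """
    try:
        payload = json.dumps(certification_info["body"], sort_keys=True).encode()
        expected = hmac.new(ROOT_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, certification_info["tag"]):
            return False  # certification information itself fails root verification
        extracted = certification_info["body"]["cert_hash"]
    except (KeyError, TypeError):
        return False  # malformed certification information
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(extracted, cert_hash(channel_cert))


def mutual_attestation(provider_cert: bytes, provider_info: dict,
                       demander_cert: bytes, demander_info: dict):
    """Order of checks from fig. 6B: the service demander verifies the provider
    first and only then sends its own (second) certification information; the
    provider then verifies the demander. Returns (provider_ok, demander_ok);
    demander_ok is None when the demander disconnected before sending anything.
    """
    provider_ok = verify_peer(provider_info, provider_cert)
    if not provider_ok:
        return (False, None)  # demander actively disconnects
    demander_ok = verify_peer(demander_info, demander_cert)
    return (True, demander_ok)


if __name__ == "__main__":
    p_cert = generate_self_signed_cert("provider-enclave")
    p_info = verification_server_issue(cert_hash(p_cert), "provider-enclave")
    d_cert = generate_self_signed_cert("demander-enclave")
    d_info = verification_server_issue(cert_hash(d_cert), "demander-enclave")
    print("genuine peers:", mutual_attestation(p_cert, p_info, d_cert, d_info))
    # certification information replayed against a different channel certificate
    stale = generate_self_signed_cert("provider-enclave")
    print("replayed info:", mutual_attestation(stale, p_info, d_cert, d_info))
```

The replay case is the one the per-connection certificate rule is meant to defeat: valid certification information bound to one certificate is rejected on a channel that was established with a different one.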
Fig. 7 is a schematic structural diagram of a communication device according to an embodiment of the present disclosure. The embodiment of the disclosure is suitable for the situation of how to ensure the communication safety. The device may be configured at a service requirement end, the device may be implemented by software and/or hardware, and the device may implement the communication method according to the embodiment of the present disclosure. As shown in fig. 7, the communication apparatus includes:
a connection request initiating module 701, configured to initiate a connection request to a service provider when there is a service communication requirement;
a first channel establishing module 702, configured to establish a secure channel with a service provider based on a first signed certificate fed back by the service provider in response to the connection request;
a first certification information receiving module 703, configured to receive, through a secure channel, first certification information of a service provider sent by the service provider; first certification information is generated based on the first signed certificate;
a first authenticity verifying module 704, configured to verify authenticity of the service provider according to the root certificate, the first certification information, and the first signature certificate;
and the service communication module 705 is configured to perform service communication with the service provider if the authentication is passed.
According to the technical scheme provided by the embodiment of the disclosure, a secure channel is established with the service provider based on the first signature certificate fed back by the service provider in response to the connection request; after the first certification information of the service provider is received through the secure channel, the authenticity of the service provider is verified according to the root certificate, the first certification information and the first signature certificate, and service communication is performed with the service provider under the condition that the service provider passes the verification. According to the scheme, the first certification information is transmitted over the secure channel between the service provider and the service demand side, so that the safety of the first certification information of the service provider is ensured; meanwhile, the authenticity of the service provider is verified under the condition that the first certification information is ensured to be safe, so the reliability of the verification result can be ensured, and the credibility of the connected service provider is further ensured under the condition that the verification is passed. In addition, the scheme can establish a trusted and safe channel between the service demand side and the service providing side, greatly ensures the safety of the communication process, and further ensures the privacy of communication data.
Illustratively, the first authenticity verification module 704 is specifically configured to:
verifying the first certification information using the root certificate;
if the verification passes, extracting a first certificate hash from the first certification information, and comparing the extracted first certificate hash for consistency with the certificate hash obtained by performing a hash operation on the first signature certificate, to obtain a consistency comparison result;
and determining the authenticity of the service provider according to the consistency comparison result.
Illustratively, the connection request initiating module 701 is specifically configured to:
generating a second signature certificate of the service demand side;
and initiating a connection request that includes the second signature certificate to the service provider based on the secure transport layer protocol (TLS).
Illustratively, the service communication module 705 is specifically configured to:
if the service provider passes the verification, sending second certification information of the service demand side to the service provider through the secure channel, so that the service provider verifies the authenticity of the service demand side according to the root certificate, the second certification information and the second signature certificate, where the second certification information is generated based on the second signature certificate;
and under the condition that the service providing end passes the verification of the service demand end, carrying out service communication with the service providing end.
Exemplarily, the apparatus further includes:
the second certificate hash determining module is used for carrying out hash operation on the second signature certificate to obtain a second certificate hash;
the second certification request sending module is used for sending a second certification obtaining request comprising a second certificate hash to the verification server so as to request the verification server to generate second certification information of the service demand side according to the second certificate hash;
and a second certification information acquisition module, configured to acquire the second certification information fed back by the verification server.
Illustratively, the service provider is preferably an enclave program.
Fig. 8 is a schematic structural diagram of another communication device provided according to an embodiment of the present disclosure. The embodiment applies to scenarios in which the security of communication must be ensured. The apparatus may be deployed at a service provider, may be implemented in software and/or hardware, and can carry out the communication method of the embodiments of the disclosure. As shown in fig. 8, the communication apparatus includes:
a first signature certificate obtaining module 801, configured to obtain, in response to a connection request of a service demand side, the first signature certificate of the service provider associated with the connection request;
a second channel establishing module 802, configured to establish a secure channel with the service demand side based on the first signature certificate;
a first certification information sending module 803, configured to send the first certification information of the service provider to the service demand side through the secure channel, so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carries out service communication with the service provider if the verification passes, where the first certification information is generated based on the first signature certificate.
According to the technical scheme provided by this embodiment of the disclosure, after the connection request of the service demand side is received, a secure channel is established with the service demand side based on the first signature certificate obtained in response to the connection request, and the first certification information is sent to the service demand side through the secure channel, so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carries out service communication with the service provider if the service provider passes the verification. Because the first certification information is transmitted over the secure channel between the service provider and the service demand side, the first certification information of the service provider is protected in transit; because the authenticity of the service provider is verified only on certification information that has been protected in this way, the verification result is reliable, and a service provider that passes the verification can be trusted. The scheme therefore establishes a trusted and secure channel between the service demand side and the service provider, protects the communication process, and thereby protects the privacy of the communicated data.
Exemplarily, the apparatus further includes:
the first certificate hash determining module is used for carrying out hash operation on the first signature certificate to obtain a first certificate hash;
the first certificate request sending module is used for sending a first certificate obtaining request comprising a first certificate hash to the verification server so as to request the verification server to generate first certificate information of the service provider according to the first certificate hash;
and a first certification information acquisition module, configured to acquire the first certification information fed back by the verification server.
Illustratively, the connection request is a connection request initiated by the service demand side to the service provider based on the secure transport layer protocol (TLS), and includes the second signature certificate of the service demand side.
Illustratively, the second channel establishing module 802 is specifically configured to:
and establishing a secure channel with the service demand side based on the first signature certificate and the second signature certificate.
Exemplarily, the apparatus further includes:
the second certification information receiving module is used for receiving second certification information of the service demand side, which is sent by the service demand side, through the secure channel; second certification information is generated based on the second signed certificate;
and the second authenticity verification module is used for verifying the authenticity of the service demand end according to the root certificate, the second certification information and the second signature certificate and carrying out service communication with the service demand end under the condition of passing the verification.
Illustratively, the service provider is preferably an enclave program.
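The following Go program is an added illustration of the verification logic described for module 704 and module 803 above (and restated in claims 2, 4 and 11); it is not code from the patent or from its assignee. It models the verification server as the holder of the root key, the "certification information" as the server's signature over the SHA-256 hash of a party's self-signed TLS certificate, and the authenticity check as: verify the signature under the root key, extract the certificate hash, compare it with the hash of the certificate actually presented. Ed25519 for both the root key and the self-signed certificates, the `Attestation` structure, and the function names are assumptions of this example; the page fixes neither an algorithm nor an encoding. In a real deployment `presentedCertDER` would be the raw peer certificate captured from the TLS handshake (for example `tls.ConnectionState().PeerCertificates[0].Raw`), and the verification server would check the requesting enclave before issuing certification information, a step this example leaves out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Attestation models the patent's "certification information": the
// verification server's signature over the hash of a party's signature
// certificate. The structure is an assumption of this example.
type Attestation struct {
	CertHash  []byte
	Signature []byte
}

// VerificationServer holds the private key behind the root certificate.
type VerificationServer struct{ priv ed25519.PrivateKey }

// NewVerificationServer creates the root key pair; the public half is what
// the service provider and the service demand side install as root certificate.
func NewVerificationServer() (*VerificationServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &VerificationServer{priv: priv}, pub, nil
}

// Issue answers a "certification acquisition request": the caller submits
// the hash of its signature certificate and receives certification information.
func (s *VerificationServer) Issue(certHash []byte) Attestation {
	return Attestation{CertHash: certHash, Signature: ed25519.Sign(s.priv, certHash)}
}

// NewSelfSignedCert generates the self-signed (DER) certificate a party
// presents in the TLS handshake; it is the "first/second signature certificate".
func NewSelfSignedCert(commonName string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// CertHash is the "hash operation on the signature certificate".
func CertHash(certDER []byte) []byte {
	sum := sha256.Sum256(certDER)
	return sum[:]
}

// VerifyPeer is the authenticity check of claim 2: verify the certification
// information under the root certificate, extract the certificate hash it
// carries, and compare it with the hash of the certificate presented on the
// secure channel. A mismatch means the channel endpoint is not the attested party.
func VerifyPeer(rootPub ed25519.PublicKey, att Attestation, presentedCertDER []byte) error {
	if len(att.CertHash) != sha256.Size {
		return errors.New("attestation: malformed certificate hash")
	}
	if !ed25519.Verify(rootPub, att.CertHash, att.Signature) {
		return errors.New("attestation: signature does not verify under root certificate")
	}
	if !bytes.Equal(att.CertHash, CertHash(presentedCertDER)) {
		return errors.New("attestation: certificate hash mismatch, channel not bound to attested party")
	}
	return nil
}

// MutualVerify is the two-way variant of claims 4 and 11: the demand side
// checks the provider first, then the provider checks the demand side.
func MutualVerify(rootPub ed25519.PublicKey, provAtt Attestation, provCert []byte, demAtt Attestation, demCert []byte) error {
	if err := VerifyPeer(rootPub, provAtt, provCert); err != nil {
		return fmt.Errorf("service provider rejected: %w", err)
	}
	if err := VerifyPeer(rootPub, demAtt, demCert); err != nil {
		return fmt.Errorf("service demand side rejected: %w", err)
	}
	return nil
}

func main() {
	vs, rootPub, err := NewVerificationServer()
	if err != nil {
		panic(err)
	}
	provCert, _ := NewSelfSignedCert("service-provider")
	demCert, _ := NewSelfSignedCert("service-demander")
	provAtt := vs.Issue(CertHash(provCert))
	demAtt := vs.Issue(CertHash(demCert))
	fmt.Println("mutual verification:", MutualVerify(rootPub, provAtt, provCert, demAtt, demCert))
	// Certification information cannot be reused with a different certificate:
	// the hash carried in the attestation no longer matches the presented one.
	fmt.Println("attestation replayed on another certificate:", VerifyPeer(rootPub, provAtt, demCert))
}
```

The binding between the attestation and the certificate is what makes the secure channel trustworthy: TLS alone proves only that the peer holds the private key of whatever certificate it presented, while the hash comparison proves that this exact certificate is the one the verification server certified.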
In the technical scheme of the disclosure, the acquisition, storage and application of the data of the service demand side (such as the second signature certificate and the second certification information) and of the data of the service provider (such as the first signature certificate and the second certification information) comply with the relevant laws and regulations and do not violate public order or good customs.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 9 shows a schematic block diagram of an example electronic device 900 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be examples only, and are not meant to limit the implementations of the disclosure described and/or claimed herein.
As shown in fig. 9, the electronic device 900 includes a computing unit 901, which can perform various appropriate actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 902 or a computer program loaded from a storage unit 908 into a Random Access Memory (RAM) 903. The RAM 903 can also store various programs and data required for the operation of the electronic device 900. The computing unit 901, the ROM 902 and the RAM 903 are connected to each other via a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
A number of components in the electronic device 900 are connected to the I/O interface 905, including: an input unit 906 such as a keyboard, a mouse, and the like; an output unit 907 such as various types of displays, speakers, and the like; a storage unit 908 such as a magnetic disk, optical disk, or the like; and a communication unit 909 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 909 allows the electronic device 900 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 901 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 901 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 901 performs the respective methods and processes described above, such as the communication method. For example, in some embodiments, the communication method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 908. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 900 via the ROM902 and/or the communication unit 909. When the computer program is loaded into the RAM903 and executed by the computing unit 901, one or more steps of the communication method described above may be performed. Alternatively, in other embodiments, the computing unit 901 may be configured to perform the communication method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may be implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server with a combined blockchain.
Artificial intelligence is the subject of research that makes computers simulate some human mental processes and intelligent behaviors (such as learning, reasoning, thinking, planning, etc.), both at the hardware level and at the software level. Artificial intelligence hardware technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, and the like; the artificial intelligence software technology mainly comprises a computer vision technology, a voice recognition technology, a natural language processing technology, a machine learning/deep learning technology, a big data processing technology, a knowledge map technology and the like.
Cloud computing (cloud computing) refers to a technology system that accesses a flexibly extensible shared physical or virtual resource pool through a network, where resources may include servers, operating systems, networks, software, applications, storage devices, and the like, and may be deployed and managed in a self-service manner as needed. Through the cloud computing technology, high-efficiency and strong data processing capacity can be provided for technical application and model training of artificial intelligence, block chains and the like.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (17)

1. A method of communication, comprising:
when the service communication requirement exists, a connection request is initiated to a service providing end;
establishing a secure channel with the service provider based on a first signature certificate fed back by the service provider in response to the connection request;
receiving first certification information of the service provider sent by the service provider through the secure channel; the first attestation information is generated based on the first signed certificate;
and verifying the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and carrying out service communication with the service provider under the condition that the verification is passed.
2. The method of claim 1, wherein the verifying the authenticity of the service provider based on the root certificate, the first attestation information, and the first signed certificate comprises:
verifying the first certification information by adopting a root certificate;
if the verification is passed, extracting a first certificate hash from the first certification information, and performing consistency comparison on the extracted first certificate hash and a certificate hash obtained by performing hash operation on the first signature certificate to obtain a consistency comparison result;
and determining the authenticity of the service provider according to the consistency comparison result.
3. The method of claim 1, wherein the sending a connection request to a service provider comprises:
generating a second signature certificate of the service demand side;
and initiating a connection request comprising the second signature certificate to the service provider based on a secure transport layer protocol.
4. The method of claim 3, wherein the performing service communication with the service provider in case of passing the verification comprises:
under the condition that the service providing end passes the verification, second certification information of the service requiring end is sent to the service providing end through the secure channel, so that the service providing end verifies the authenticity of the service requiring end according to a root certificate, the second certification information and the second signature certificate; the second certification information is generated based on the second signed certificate;
and under the condition that the service providing end passes the verification of the service demand end, carrying out service communication with the service providing end.
5. The method of claim 4, further comprising:
performing hash operation on the second signature certificate to obtain a second certificate hash;
sending a second certificate acquisition request comprising the second certificate hash to a verification server to request the verification server to generate second certificate information of the service demand side according to the second certificate hash;
and acquiring second certification information fed back by the verification server.
6. The method according to any of claims 1-5, wherein the service provider is an enclave program.
7. A method of communication, comprising:
responding to a connection request of a service demand end, and acquiring a first signature certificate of a service provider associated with the connection request;
establishing a secure channel with the service demand side based on the first signature certificate;
sending first certification information of the service provider to the service demand side through the secure channel, so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate, and performs service communication with the service provider under the condition that the verification is passed; the first certification information is generated based on the first signed certificate.
8. The method of claim 7, further comprising:
performing hash operation on the first signature certificate to obtain a first certificate hash;
sending a first certificate acquisition request comprising the first certificate hash to a verification server to request the verification server to generate first certificate information of the service provider according to the first certificate hash;
and acquiring first certification information fed back by the verification server.
9. The method of claim 7, wherein the connection request is a connection request initiated by the service demander to the service provider based on a secure transport layer protocol, and including a second signed certificate of the service demander.
10. The method of claim 9, wherein the establishing a secure channel with the service demander based on the first signed certificate comprises:
and establishing a secure channel with the service demand side based on the first signature certificate and the second signature certificate.
11. The method of claim 9, further comprising:
receiving second certification information of the service demand side, which is sent by the service demand side, through the secure channel; the second certification information is generated based on the second signed certificate;
and verifying the authenticity of the service demand side according to the root certificate, the second certification information and the second signature certificate, and carrying out service communication with the service demand side under the condition that the verification is passed.
12. The method according to any of claims 7-11, wherein the service provider is an enclave program.
13. A communication device, comprising:
the connection request initiating module is used for initiating a connection request to a service provider when the service communication requirement exists;
a first channel establishing module, configured to establish a secure channel with the service provider based on a first signature certificate fed back by the service provider in response to the connection request;
the first certification information receiving module is used for receiving first certification information of the service provider, which is sent by the service provider, through the secure channel; the first attestation information is generated based on the first signed certificate;
the first authenticity verification module is used for verifying the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate;
and the service communication module is used for carrying out service communication with the service providing terminal under the condition that the verification is passed.
14. A communication device, comprising:
the first signing certificate acquisition module is used for responding to a connection request of a service demand end and acquiring a first signing certificate of a service provider associated with the connection request;
the second channel establishing module is used for establishing a secure channel with the service demand side based on the first signature certificate;
the first certification information sending module is used for sending first certification information of the service provider to the service demand side through the secure channel so that the service demand side verifies the authenticity of the service provider according to the root certificate, the first certification information and the first signature certificate and performs service communication with the service provider under the condition that the verification is passed; the first certification information is generated based on the first signed certificate.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the communication method of any one of claims 1-6 or to perform the communication method of any one of claims 7-12.
16. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the communication method according to any one of claims 1 to 6 or the communication method according to any one of claims 7 to 12.
17. A computer program product comprising a computer program which, when executed by a processor, implements a communication method according to any one of claims 1-6, or performs a communication method according to any one of claims 7-12.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111570982.4A CN114282237B (en) 2021-12-21 2021-12-21 Communication method, device, equipment and storage medium
Publications (2)

Publication Number Publication Date
CN114282237A true CN114282237A (en) 2022-04-05
CN114282237B CN114282237B (en) 2023-01-17

Family

ID=80873520
Citations (12)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2018160863A1 * | 2017-03-01 | 2018-09-07 | Apple Inc. | System access using a mobile device
CN109074449A * | 2016-06-03 | 2018-12-21 | 英特尔公司 (Intel Corporation) | Flexible provisioning of attestation keys in secure enclaves
CN109359977A * | 2018-09-10 | 2019-02-19 | 平安科技(深圳)有限公司 | Network communication method, device, computer equipment and storage medium
US20190065406A1 * | 2017-11-17 | 2019-02-28 | Intel Corporation | Technology for establishing trust during a Transport Layer Security handshake
CN110071911A * | 2019-03-20 | 2019-07-30 | 北京龙鼎源科技股份有限公司 | Information transmission method and device, and certificate update method and device
CN110535628A * | 2019-08-29 | 2019-12-03 | 阿里巴巴集团控股有限公司 | Method and device for performing multi-party secure computing by issuing certificates
CN110677240A * | 2019-08-29 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Method and device for providing high-availability computing service through certificate issuing
CN111541785A * | 2020-07-08 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Blockchain data processing method and device based on cloud computing
US10790979B1 * | 2019-08-29 | 2020-09-29 | Alibaba Group Holding Limited | Providing high availability computing service by issuing a certificate
CN112231652A * | 2020-10-28 | 2021-01-15 | 百度在线网络技术(北京)有限公司 | Trusted environment remote verification method, device, equipment, system and medium
US20210067347A1 * | 2019-08-29 | 2021-03-04 | Alibaba Group Holding Limited | Method and apparatus for performing multi-party secure computing based on issuing certificate
CN113556230A * | 2020-04-24 | 2021-10-26 | 华控清交信息科技(北京)有限公司 | Data security transmission method, certificate correlation method, server, system and medium
Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Guoxing Chen et al.: "OPERA: Open Remote Attestation for Intel's Secure Enclaves", CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security *
廖正赟 (Liao Zhengyun) et al.: "Analysis and research on the Secure Enclave security architecture" (Secure Enclave安全体系技术分析与研究) *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant