CN115021917A - Security verification method, system, device and medium based on certificate - Google Patents
Security verification method, system, device and medium based on certificate
- Publication number: CN115021917A (application CN202210724037.3A)
- Authority: CN (China)
- Prior art keywords: certificate, client, interface, downloading, updated
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/08—Network architectures or network communication protocols for network security for authentication of entities > H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/08—Network architectures or network communication protocols for network security for authentication of entities > H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The application discloses a certificate-based security verification method, system, device and medium, which address the technical problem that a client has difficulty performing bidirectional authentication with a server after its certificate becomes invalid. The method comprises the following steps: the client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is any interface other than the certificate downloading interface among the plurality of interfaces; the client verifies the first certificate and the second certificate to obtain a corresponding verification result; and when the verification result shows that the second certificate is invalid, the client downloads the updated second certificate through the certificate downloading interface, so that bidirectional authentication is performed between the client and the server through the updated second certificate and the updated first certificate.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, a system, a device, and a medium for security verification based on a certificate.
Background
Certificates support encrypted transmission and identity authentication, so that data cannot be stolen or altered in transit, preserving its confidentiality and integrity. Bidirectional authentication between the client and the server through certificates effectively protects the security of interface data.
However, the local certificate preset by the client is packaged into the installation package in a specific manner, and the installation package cannot be modified once the application is online. As certificate validity periods become progressively shorter, a certificate can no longer serve for security verification once it expires, and the fault-tolerance rate is low.
Disclosure of Invention
In order to solve the above problem, the present application provides a certificate-based security verification method, including: the client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is any interface other than the certificate downloading interface among the plurality of interfaces;
the client verifies the first certificate and the second certificate to obtain a corresponding verification result;
and when the verification result shows that the second certificate is invalid, the client downloads the updated second certificate through the certificate downloading interface, so that bidirectional authentication is performed between the client and the server through the updated second certificate and the first certificate.
In an implementation manner of the present application, before verifying the first certificate and the second certificate, the method further includes:
the server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
the certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface.
In an implementation manner of the present application, verifying the first certificate and the second certificate to obtain a corresponding verification result specifically includes:
the client matches the received certificate verification information against the first certificate and the second certificate respectively, to determine whether the third certificate information and the fourth certificate information carried in the certificate verification information are consistent with the first certificate information contained in the first certificate and the second certificate information contained in the second certificate, respectively;
and if they are not consistent, the first certificate and/or the second certificate is determined to be invalid.
In an implementation manner of the present application, downloading the updated second certificate through the certificate downloading interface when the second certificate is invalid specifically includes:
the server receives a downloading instruction sent by the client, where the downloading instruction carries the domain name of the client and a second certificate identifier;
and the server acquires an updated second certificate matching the client according to the second certificate identifier, and issues the updated second certificate to the client matching the domain name.
In one implementation of the present application, the validity period of the first certificate is greater than the validity period of the second certificate.
In one implementation of the present application, the method further comprises:
under the condition that the time length between the current network time and the expiration time of the domain name where the client is located is less than a preset value, the server generates certificate failure prompt information and sends the certificate failure prompt information to the client; the expiration time of the domain name includes expiration times corresponding to the first certificate and the second certificate respectively.
In an implementation manner of the present application, the certificate verification information at least includes any one of the following items: public key information, certificate information;
the certificate information comprises any one or more of: serial number, version, issuer, expiration date.
The embodiment of the application provides a security verification system based on a certificate, which is characterized by comprising a client and a server;
the client is used for acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface except the certificate downloading interface in the plurality of interfaces;
the client is used for verifying the first certificate and the second certificate to obtain a corresponding verification result;
and the client is used for downloading the updated second certificate through the certificate downloading interface when the second certificate is determined to be invalid according to the verification result, so that bidirectional authentication with the server is performed through the updated second certificate and the updated first certificate.
The embodiment of the application provides a certificate-based security verification device, which is applied to a client and includes: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface except the certificate downloading interface in the plurality of interfaces;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that mutual authentication with the server is performed through the updated second certificate and the first certificate.
An embodiment of the present application provides a non-volatile computer storage medium storing computer-executable instructions, which is applied to a client, where the computer-executable instructions are set to:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface except the certificate downloading interface in the plurality of interfaces;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that bidirectional authentication with the server is performed through the updated second certificate and the first certificate.
The certificate-based security verification method provided by the application can bring the following beneficial effects:
According to the embodiment of the application, the client and the server perform bidirectional authentication through the first certificate and the second certificate, which effectively avoids the risk of packet capture; because the expiration times of the first certificate and the second certificate differ, the period over which bidirectional authentication remains possible is effectively prolonged and the robustness of the program is improved. Owing to the difference between the two certificates' expiration times, the certificate downloading interface can still be verified through the first certificate when the second certificate is invalid, and after that verification passes the updated second certificate is downloaded through the certificate downloading interface. This realizes automatic updating of the certificate, improves the flexibility of the verification process, and gives a higher fault-tolerance rate.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart of a certificate-based security verification method according to an embodiment of the present application;
fig. 2 is a diagram of a client service architecture provided in an embodiment of the present application;
fig. 3 is a diagram illustrating an example of updating a client certificate according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a certificate-based security verification apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
A digital certificate (such as an SSL certificate) is issued by a trusted certificate authority; by establishing an SSL secure channel between the client and the server, data can be transmitted in encrypted form, and the security of information transmission between client and server is ensured. However, because the service life of a key is short and organization information is updated ever more frequently, the validity time of certificates is gradually shortened, and once the local certificate is invalid, bidirectional authentication between the client and the server cannot be performed. Therefore, a security verification scheme for the period after the client's SSL certificate becomes invalid is needed, one that keeps the local certificate and the server-side certificate the same certificate, completes bidirectional authentication, and ensures that the application interface can still obtain server data normally once identity authentication is complete.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
As shown in fig. 1, a certificate-based security verification method provided in an embodiment of the present application includes:
s101: the client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the plurality of interfaces.
After the client APP is started, security verification can be performed in a double-certificate mode. The client is provided with a plurality of interfaces, comprising a certificate downloading interface and the application interfaces other than the certificate downloading interface. The first certificate is used to verify the certificate downloading interface, through which the latest version of a certificate can be downloaded after that certificate has become invalid; the second certificate is used to verify the application interface, which realizes data transmission between the client and the server.
It should be noted that the validity period of the first certificate is longer than that of the second certificate, so that when the second certificate is invalid, the certificate downloading interface can still be verified through the first certificate, which is still valid, and the updated second certificate is downloaded again through the certificate downloading interface. This keeps both certificates valid, realizes bidirectional authentication between the client and the server, and effectively avoids the risk of packet capture. Of course, the first certificate and the second certificate may also have the same validity period as long as their expiration times are separated by a certain interval, so that after one certificate expires, authentication can still be completed through the other, unexpired certificate; compared with single-certificate authentication, the period over which bidirectional authentication remains possible is effectively prolonged.
S102: and the client verifies the first certificate and the second certificate to obtain a corresponding verification result.
After the client acquires the first certificate and the second certificate, the server needs to determine the domain name where the client is located and the certificate verification information corresponding to that domain name, and then sends the certificate verification information to the client, so that the client verifies the local first certificate and second certificate against the certificate verification information and obtains a corresponding verification result. The certificate verification information can be obtained from a third certificate and a fourth certificate preset by the server, where the third certificate corresponds to the certificate downloading interface and the fourth certificate corresponds to the application interface. The certificate verification information includes at least one of: public key information and certificate information; the certificate information includes any one or more of: serial number, version, issuer, expiration date.
Specifically, the client matches the received certificate verification information against the first certificate and the second certificate, to determine whether the third certificate information and the fourth certificate information carried in the certificate verification information are consistent with the first certificate information contained in the first certificate and the second certificate information contained in the second certificate, respectively. If they are consistent, the first certificate and the second certificate are valid; if they are not consistent, the first certificate and/or the second certificate is invalid, and the certificate needs to be updated at that point so that the security check between the client and the server is maintained.
S103: and the client side determines that the updated second certificate is downloaded through the certificate downloading interface when the second certificate is invalid according to the verification result, so that bidirectional authentication is performed between the client side and the server through the updated second certificate and the updated first certificate.
After the client obtains the verification result, it can determine which certificate is currently invalid. Consider the client service architecture diagram of fig. 2. When the second certificate has not expired: if the first certificate has expired, then once the server updates the corresponding third certificate, information such as the public keys of the first certificate and the third certificate will no longer match, and the certificate downloading interface reports an error during security verification. That error does not affect the certificate verification of the application interface: because the second certificate has not expired, the server-side fourth certificate and the second certificate remain consistent, mutual authentication passes, and apart from the error on the certificate downloading interface all other interfaces, and the client's APP functions, are used normally. If the first certificate has not expired, the server's third certificate matches the public key and other information of the first certificate, the certificate downloading interface passes security verification, the second and fourth certificates remain consistent, the application interface also passes security verification, all interfaces are in a normal state, and the APP functions normally.
When the second certificate has expired: if the first certificate has also expired, both the certificate downloading interface and the application interface report errors, the APP cannot be used normally, and the first certificate and the second certificate must be version-updated manually. If the first certificate has not expired, the client sends a download instruction to the server carrying the client's domain name and the second certificate identifier; on receiving it, the server obtains the updated second certificate (namely the fourth certificate) matching the client according to the second certificate identifier, and issues it to the client matching the domain name.
In one embodiment, the client can be reminded to update the certificate on time by generating prompt information in advance, which reduces the number of certificate verifications performed when the client APP starts. When the time between the current network time and the expiration time of the domain name where the client is located is less than a preset value, the server generates certificate failure prompt information and sends it to the client, prompting the client to update the local certificate in time and further shortening the APP start time. The expiration time of the domain name covers the expiration times of the first certificate and the second certificate; it is understood to be the earlier of the two certificates' expiration times.
Fig. 3 is a diagram of an example of updating a client certificate provided in the present application. As shown in fig. 3, after the first certificate expires, the updated first certificate can be obtained by manual updating. After the second certificate expires, the updated second certificate can be obtained automatically through the certificate downloading interface. When the client has a new requirement, the second certificate can also be updated manually, which reduces the number of certificate downloads and speeds up APP start-up.
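As an added illustration (not code from the patent or its applicant), the following Python models the double-certificate check of S101 to S103, the four cases of fig. 2 and the expiry prompt described above. The Cert structure, its field names, the Action values and all sample certificates are constructed assumptions; no real X.509 parsing is done.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Tuple

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no DER parsing here)."""
    cert_id: str        # identifier carried in the client's download instruction
    serial: str
    version: int
    issuer: str
    not_after: datetime
    public_key: bytes   # constructed stand-in for the SubjectPublicKeyInfo bytes

    def verification_info(self) -> Dict[str, str]:
        # The 'certificate verification information' the server sends: serial number,
        # version, issuer, expiration date and public key information (modelled as a
        # SHA-256 fingerprint of the key bytes).
        return {"serial": self.serial, "version": str(self.version),
                "issuer": self.issuer, "not_after": self.not_after.isoformat(),
                "pubkey_sha256": hashlib.sha256(self.public_key).hexdigest()}

def cert_matches(local: Cert, info: Dict[str, str], now: datetime) -> bool:
    # Client-side check of one local certificate: every field must agree with the
    # server's information (a mismatch means the server rotated its copy) and the
    # local certificate must not have expired.
    return local.verification_info() == info and now < local.not_after

class Action(Enum):
    ALL_OK = "all interfaces pass"                      # neither certificate invalid
    DOWNLOAD_IFACE_ERROR = "download interface errors"  # first invalid, second valid
    AUTO_UPDATE_SECOND = "auto-download second cert"    # second invalid, first valid
    MANUAL_UPDATE = "manual update required"            # both invalid

def decide(first_ok: bool, second_ok: bool) -> Action:
    # The four cases of the client service architecture (fig. 2).
    if first_ok and second_ok:
        return Action.ALL_OK
    if second_ok:
        return Action.DOWNLOAD_IFACE_ERROR
    return Action.AUTO_UPDATE_SECOND if first_ok else Action.MANUAL_UPDATE

def expiry_prompt_due(first: Cert, second: Cert, now: datetime, threshold: timedelta) -> bool:
    # Server-side prompt: the domain's expiration time is the earlier of the two
    # certificates' expiry; prompt when less than `threshold` remains.
    return min(first.not_after, second.not_after) - now < threshold

class Server:
    """Holds the third (download interface) and fourth (application interface)
    certificates preset for one client domain."""
    def __init__(self, domain: str, third: Cert, fourth: Cert):
        self.domain, self.third, self.fourth = domain, third, fourth

    def verification_info(self, domain: str) -> Dict[str, Dict[str, str]]:
        if domain != self.domain:
            raise LookupError("unknown domain")
        return {"download": self.third.verification_info(),
                "application": self.fourth.verification_info()}

    def download_second(self, domain: str, second_id: str, first_ok: bool) -> Cert:
        # The download interface is itself protected by the first certificate, so the
        # request is refused unless that check passed and the identifier matches.
        if not first_ok:
            raise PermissionError("download interface requires a valid first certificate")
        if domain != self.domain or second_id != self.fourth.cert_id:
            raise LookupError("no updated second certificate for this client")
        return self.fourth

def client_startup(domain: str, first: Cert, second: Cert, server: Server,
                   now: datetime) -> Tuple[Action, Cert]:
    # S101-S103 at APP start: verify both local certificates and, when only the
    # second is invalid, fetch its replacement through the download interface.
    info = server.verification_info(domain)
    first_ok = cert_matches(first, info["download"], now)
    second_ok = cert_matches(second, info["application"], now)
    action = decide(first_ok, second_ok)
    if action is Action.AUTO_UPDATE_SECOND:
        second = server.download_second(domain, second.cert_id, first_ok)
        if not cert_matches(second, info["application"], now):
            raise RuntimeError("downloaded certificate does not match server info")
    return action, second

# Constructed sample data: the first certificate has the longer validity period.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def make_cert(cert_id: str, serial: str, not_after: datetime, key: bytes) -> Cert:
    return Cert(cert_id, serial, 3, "CN=Constructed Issuer", not_after, key)

FIRST = make_cert("download-cert", "01", NOW + timedelta(days=365), b"key-dl-v1")
EXPIRED_FIRST = make_cert("download-cert", "00", NOW - timedelta(days=1), b"key-dl-v0")
SECOND_OLD = make_cert("app-cert", "02", NOW - timedelta(days=1), b"key-app-v1")
FOURTH = make_cert("app-cert", "03", NOW + timedelta(days=90), b"key-app-v2")
SERVER = Server("app.example.com", third=FIRST, fourth=FOURTH)
```

Calling `client_startup("app.example.com", FIRST, SECOND_OLD, SERVER, NOW)` walks the "second expired, first valid" branch and returns the server's fourth certificate as the new second.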
The above is the method embodiment proposed by the present application. Based on the same idea, one or more embodiments of the present specification further provide a system, an apparatus, and a medium corresponding to the above method.
The embodiment of the application provides a security verification system based on a certificate, which comprises a client and a server;
the client is used for acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the plurality of interfaces;
the client is used for verifying the first certificate and the second certificate to obtain a corresponding verification result;
and the client is used for downloading the updated second certificate through the certificate downloading interface when the second certificate is determined to be invalid according to the verification result so as to carry out bidirectional authentication with the server through the updated second certificate and the updated first certificate.
Fig. 4 is a security verification device based on a certificate according to an embodiment of the present application, which is applied to a client, and includes: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to cause the at least one processor to:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the plurality of interfaces;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that bidirectional authentication with the server is performed through the updated second certificate and the updated first certificate.
An embodiment of the present application provides a non-volatile computer storage medium, which stores computer-executable instructions and is applied to a client, where the computer-executable instructions are set to:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the plurality of interfaces;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that bidirectional authentication with the server is performed through the updated second certificate and the updated first certificate.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the device and media embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for relevant points.
The device and the medium provided by the embodiment of the application correspond to the method one to one, so the device and the medium also have the similar beneficial technical effects as the corresponding method, and the beneficial technical effects of the method are explained in detail above, so the beneficial technical effects of the device and the medium are not repeated herein.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A certificate-based security verification method, the method comprising:
the client acquires a preset first certificate and a preset second certificate, wherein the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface among the plurality of interfaces other than the certificate downloading interface;
the client verifies the first certificate and the second certificate to obtain a corresponding verification result;
and when the client determines, according to the verification result, that the second certificate is invalid, the client downloads the updated second certificate through the certificate downloading interface, so that bidirectional authentication is performed between the client and the server through the updated second certificate and the first certificate.
2. The certificate-based security verification method according to claim 1, wherein before verifying the first certificate and the second certificate, the method further comprises:
the server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
wherein the certificate verification information is obtained from a third certificate and a fourth certificate preset by the server, the third certificate corresponding to the certificate downloading interface and the fourth certificate corresponding to the application interface.
3. The certificate-based security verification method according to claim 2, wherein verifying the first certificate and the second certificate to obtain a corresponding verification result comprises:
the client matches the received certificate verification information against the first certificate and the second certificate respectively, to determine whether third certificate information and fourth certificate information carried in the certificate verification information are consistent with first certificate information contained in the first certificate and second certificate information contained in the second certificate, respectively;
and if they are not consistent, determining that the first certificate and/or the second certificate is invalid.
4. The certificate-based security verification method according to claim 1, wherein downloading the updated second certificate through the certificate downloading interface when the second certificate is determined to be invalid specifically comprises:
the server receives a downloading instruction sent by the client, the downloading instruction carrying the domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matching the client according to the second certificate identifier, and issuing the updated second certificate to the client matching the domain name.
5. The certificate-based security verification method according to claim 1, wherein the validity period of the first certificate is longer than the validity period of the second certificate.
6. The certificate-based security verification method of claim 1, further comprising:
when the time length between the current network time and the expiration time of the domain name where the client is located is less than a preset value, the server generates certificate invalidation prompt information and sends the certificate invalidation prompt information to the client, wherein the expiration time of the domain name comprises the expiration times corresponding to the first certificate and the second certificate respectively.
7. The certificate-based security verification method according to claim 2, wherein the certificate verification information comprises at least one of the following: public key information and certificate information;
and the certificate information comprises one or more of: serial number, version, issuer, and expiration date.
8. A certificate-based security verification system, comprising a client and a server;
the client is configured to acquire a preset first certificate and a preset second certificate, wherein the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface among the plurality of interfaces other than the certificate downloading interface;
the client is configured to verify the first certificate and the second certificate to obtain a corresponding verification result;
and the client is configured to download the updated second certificate through the certificate downloading interface when the second certificate is determined to be invalid according to the verification result, so that bidirectional authentication with the server is performed through the updated second certificate and the updated first certificate.
9. A certificate-based security verification device, for application to a client, the device comprising: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a preset first certificate and a preset second certificate, wherein the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface among the plurality of interfaces other than the certificate downloading interface;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that bidirectional authentication with the server is performed through the updated second certificate and the first certificate.
10. A non-transitory computer storage medium storing computer-executable instructions, for application to a client, the computer-executable instructions configured to:
acquiring a preset first certificate and a preset second certificate, wherein the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is an interface among the plurality of interfaces other than the certificate downloading interface;
verifying the first certificate and the second certificate to obtain corresponding verification results;
and, when the second certificate is determined to be invalid according to the verification result, downloading the updated second certificate through the certificate downloading interface, so that bidirectional authentication with the server is performed through the updated second certificate and the first certificate.
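The flow of claims 1 to 5 in runnable form, as an added example that is not the patent's own code: a simplified client holds a long-lived first certificate (download interface) and a short-lived second certificate (application interface), checks both against the server's verification information, and fetches a replacement second certificate through the download interface when it is invalid. Assumed here, and not stated in the claims: a certificate is also invalid once expired, the download interface authenticates the client with the first certificate, and the domain, serials and key strings are constructed placeholders.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Cert = namedtuple("Cert", "serial version issuer not_after public_key")  # claim 7 fields plus a key
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current network time"

def cert_info(c):
    """Certificate verification information (claim 7) for one certificate."""
    return {"serial": c.serial, "version": c.version, "issuer": c.issuer,
            "expiration": c.not_after.isoformat(), "public_key": c.public_key}

def valid(c, info):
    """Claim 3: consistent with the server's information and (assumption) unexpired."""
    return cert_info(c) == info and c.not_after > NOW

class Server:
    def __init__(self, records):
        self.records = records  # domain -> {"third": Cert, "fourth": Cert, "renewals": {}}

    def verification_info(self, domain):  # claim 2
        r = self.records[domain]
        return {"download": cert_info(r["third"]), "app": cert_info(r["fourth"])}

    def download(self, domain, second_id, first):  # claim 4
        # Assumption: the download interface authenticates the client with the
        # long-lived first certificate, so an expired second one cannot block renewal.
        r = self.records[domain]
        if not valid(first, cert_info(r["third"])):
            raise PermissionError("download interface: first certificate rejected")
        return r["renewals"][second_id]

    def app_request(self, domain, second):  # application interface
        return "ok" if valid(second, cert_info(self.records[domain]["fourth"])) else "rejected"

class Client:
    def __init__(self, domain, first, second):
        self.domain, self.first, self.second = domain, first, second

    def refresh(self, server):
        """Claim 1: verify both certificates; if the second is invalid, fetch the
        updated one through the download interface and use it from now on."""
        info = server.verification_info(self.domain)
        result = {"first": valid(self.first, info["download"]),
                  "second": valid(self.second, info["app"])}
        if not result["second"]:
            self.second = server.download(self.domain, self.second.serial, self.first)
        return result

def scenario():
    """Constructed run: the short-lived second certificate has expired (claim 5)."""
    first = Cert("A1", 3, "Example CA", NOW + timedelta(days=365), "pk-first")
    old_second = Cert("B1", 3, "Example CA", NOW - timedelta(days=1), "pk-old")
    new_second = Cert("B2", 3, "Example CA", NOW + timedelta(days=30), "pk-new")
    server = Server({"client.example": {"third": first, "fourth": new_second,
                                        "renewals": {"B1": new_second}}})
    client = Client("client.example", first, old_second)
    before = server.app_request(client.domain, client.second)  # "rejected"
    result = client.refresh(server)  # first valid, second invalid -> download B2
    after = server.app_request(client.domain, client.second)   # "ok"
    return before, result, after, client.second.serial
```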
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210724037.3A CN115021917B (en) | 2022-06-24 | 2022-06-24 | Certificate-based security verification method, system, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115021917A true CN115021917A (en) | 2022-09-06 |
CN115021917B CN115021917B (en) | 2024-05-10 |
Family
ID=83076739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210724037.3A Active CN115021917B (en) | 2022-06-24 | 2022-06-24 | Certificate-based security verification method, system, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115021917B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100077208A1 (en) * | 2008-09-19 | 2010-03-25 | Microsoft Corporation | Certificate based authentication for online services |
CN102571340A (en) * | 2010-12-23 | 2012-07-11 | 普天信息技术研究院有限公司 | Certificate authentication device as well as access method and certificate update method thereof |
CN108881484A (en) * | 2018-07-26 | 2018-11-23 | 杭州云缔盟科技有限公司 | A method of whether detection terminal can access internet |
CN110602123A (en) * | 2019-09-21 | 2019-12-20 | 苏州浪潮智能科技有限公司 | Single-point certificate authentication system and method based on micro-service |
CN112422551A (en) * | 2020-11-16 | 2021-02-26 | 微医云(杭州)控股有限公司 | SSL certificate updating method and device, electronic equipment and storage medium |
CN113472790A (en) * | 2021-06-30 | 2021-10-01 | 中国工商银行股份有限公司 | Information transmission method based on HTTPS (hypertext transfer protocol secure protocol), client and server |
Also Published As
Publication number | Publication date |
---|---|
CN115021917B (en) | 2024-05-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||