CN115296863A - Method, device and storage medium for ensuring user safety - Google Patents

Method, device and storage medium for ensuring user safety

Info

Publication number
CN115296863A
Authority
CN
China
Prior art keywords
certificate
target user
target
request message
user terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210835077.5A
Other languages
Chinese (zh)
Inventor
李�浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202210835077.5A
Publication of CN115296863A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823  Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/0807  Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 2463/00  Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/082  Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00, applying multi-factor authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present disclosure relates to the technical field of network security and discloses a method, a device and a storage medium for ensuring user security. The method comprises: determining, based on an HTTPS request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to that terminal; determining, based on the target user credential and a pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, where the binding relationship was established from the HTTPS connection establishment request message previously sent by the target user terminal; and responding to the HTTPS request message based on the target client certificate and the bound client certificate. In other words, the server uses the binding relationship to check whether the client certificate presented with the request is the same certificate that the credential was bound to, so it can judge whether a security risk exists, effectively screen out attempts to impersonate other users with a stolen credential, and ensure user security.

Description

Method, device and storage medium for ensuring user safety
Technical Field
The disclosure relates to the technical field of network security, and provides a method, a device and a storage medium for ensuring user security.
Background
At present, a user terminal obtains a credential, such as a SessionId or an AccessToken, after it logs in to a system successfully, and it must carry that credential on subsequent accesses so that the system can establish the identity, permissions and so on of the user terminal.
However, such credentials are generally a random string or a JSON Web Signature (JWS) token, and once a credential leaks, an attacker (that is, another user) can use it to access that user terminal's data in the system. The existing approach of HTTPS mutual (two-way) authentication can only establish that the user terminal holds a trusted client certificate; it cannot determine whether that terminal is using the identity, i.e. the credential, of a different user terminal.
Disclosure of Invention
The embodiment of the disclosure provides a method, a device and a storage medium for ensuring user security, which are used to screen out behaviour that impersonates other users with their credentials, so that user security is ensured.
The specific technical scheme provided by the disclosure is as follows:
in a first aspect, an embodiment of the present disclosure provides a method for ensuring user security, including:
determining a target client certificate and a target user credential corresponding to a target user terminal based on a hypertext transfer protocol secure (HTTPS) request message initiated by the target user terminal;
determining a bound client certificate that is bound to the target user credential based on the target user credential and a pre-established binding relationship between certificate and credential, wherein the binding relationship is determined based on an HTTPS connection establishment request message sent by the target user terminal;
responding to the HTTPS request message based on the target client certificate and the bound client certificate.
Optionally, the binding relationship between the certificate and the credential is determined by:
when receiving an HTTPS connection establishment request message sent by a target user terminal, analyzing a client certificate from the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate, and generating a user credential based on the certificate digest;
based on the client certificate and the user credential, a binding relationship between the certificate and the credential is generated.
Optionally, determining a target client certificate and a target user credential corresponding to the target user terminal based on an HTTPS request message initiated by the target user terminal includes:
when receiving an HTTPS request message sent by a target user terminal, analyzing a target client certificate from the HTTPS request message;
and generating a target certificate digest based on the target client certificate, generating a target user credential based on the target certificate digest, and determining the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, determining a bound client certificate bound to the target user credential based on the target user credential and a pre-established binding relationship between the certificate and the credential includes:
searching the pre-established binding relationship between certificate and credential for the client certificate bound to the target user credential;
and taking the found client certificate as the bound client certificate.
Optionally, responding to the HTTPS request message based on the target client certificate and the bound client certificate includes:
if the target client certificate is the same as the binding client certificate, allowing the HTTPS request message to access;
and if the target client certificate is different from the binding client certificate, intercepting the HTTPS request message.
In a second aspect, an embodiment of the present disclosure further provides an apparatus for ensuring user security, including:
a determining unit, configured to determine a target client certificate and a target user credential corresponding to a target user terminal based on a hypertext transfer protocol secure (HTTPS) request message initiated by the target user terminal;
a binding unit, configured to determine a bound client certificate that is bound to the target user credential based on the target user credential and a pre-established binding relationship between certificate and credential, wherein the binding relationship is determined based on an HTTPS connection establishment request message sent by the target user terminal;
a response unit, configured to respond to the HTTPS request message based on the target client certificate and the bound client certificate.
Optionally, the binding relationship between the certificate and the credential is determined by:
when receiving an HTTPS connection establishment request message sent by a target user terminal, analyzing a client certificate from the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate, and generating a user credential based on the certificate digest;
based on the client certificate and the user credential, a binding relationship between the certificate and the credential is generated.
Optionally, the target client certificate and the target user credential corresponding to the target user terminal are determined based on an HTTPS request message initiated by the target user terminal, and the determining unit is configured to:
when receiving an HTTPS request message sent by a target user terminal, analyzing a target client certificate from the HTTPS request message;
and generating a target certificate digest based on the target client certificate, generating a target user credential based on the target certificate digest, and determining the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, a binding client certificate bound to the target user credential is determined based on the target user credential and a binding relationship between a certificate and a credential established in advance, and the binding unit is configured to:
searching the pre-established binding relationship between certificate and credential for the client certificate bound to the target user credential;
and taking the found client certificate as the bound client certificate.
Optionally, in response to the HTTPS request message based on the target client certificate and the bound client certificate, the response unit is configured to:
if the target client certificate is the same as the binding client certificate, allowing the HTTPS request message to access;
and if the target client certificate is different from the bound client certificate, intercepting the HTTPS request message.
In a third aspect, a server comprises:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement a method as in any one of the first aspect.
In a fourth aspect, a computer-readable storage medium, wherein instructions, when executed by a processor, enable the processor to perform the method of any of the first aspect.
The beneficial effects of this disclosure are as follows:
In summary, the embodiments of the present disclosure provide a method, an apparatus and a storage medium for ensuring user security. The method comprises: determining, based on an HTTPS request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to that terminal; determining, based on the target user credential and a pre-established binding relationship between certificate and credential, the bound client certificate that is bound to the target user credential, where the binding relationship was established from the HTTPS connection establishment request message sent by the target user terminal; and responding to the HTTPS request message based on the target client certificate and the bound client certificate. That is, the binding relationship is used to determine whether the target client certificate presented by the target user terminal is the same as the bound client certificate, so as to judge whether a security risk exists, effectively screen out impersonation of other users, and ensure user security.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:
fig. 1 is a schematic diagram of a system architecture for ensuring user security in an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart illustrating a method for ensuring user security in an embodiment of the present disclosure;
FIG. 3 is a schematic flow chart illustrating the determination of target user credentials in an embodiment of the present disclosure;
FIG. 4 is a schematic flow chart illustrating the process of determining a bound client certificate according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of responding to an HTTPS request message in an embodiment of the present disclosure;
fig. 6 is a schematic diagram of generating a certificate digest using SHA256 in an application scenario;
FIG. 7 is a diagram illustrating binding a target client certificate to a target user credential in an application scenario;
FIG. 8 is a diagram illustrating the use of the binding relationship to validate a user credential in an application scenario;
FIG. 9 is a schematic diagram of the logic architecture of an apparatus for ensuring user security in an embodiment of the present disclosure;
fig. 10 is a schematic physical architecture diagram of a server in an embodiment of the disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments described in the present disclosure without any creative effort belong to the protection scope of the technical solution of the present disclosure.
The terms "first," "second," and the like in the description and in the claims, and in the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein.
Preferred embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Referring to fig. 1, in the embodiment of the present disclosure the system includes at least one server and at least two user terminals; in fig. 1, user terminal 1 and user terminal 2 represent two user terminals connected to the server. In operation, one user terminal (for example, user terminal 1) is issued a user credential on the basis of HTTPS mutual authentication with the server, and another user terminal (for example, user terminal 2) may present that stolen credential when it issues an HTTPS request message to the server, which creates a security risk. In the embodiment, the target user terminal is one of the at least two user terminals, and the server verifies the target user terminal that sends the HTTPS request message by using the binding relationship between certificate and credential established in advance, as described in detail below.
Referring to fig. 2, in the embodiment of the present disclosure, a specific process for ensuring the user security includes:
step 201: determining the target client certificate and the target user credential corresponding to the target user terminal based on a HyperText Transfer Protocol Secure (HTTPS) request message initiated by the target user terminal.
In an implementation, the process of determining the target client certificate and the target user credential corresponding to the target user terminal is shown in fig. 3 and includes:
step 2011: when an HTTPS request message sent by the target user terminal is received, extracting the target client certificate from the HTTPS request message.
When the target user terminal sends an HTTPS request message to the server, for example an interface access request, the server receives the request and takes the target client certificate that the terminal presented in the TLS handshake of the HTTPS connection carrying that request. The certificate is therefore supplied by the TLS layer, which has already verified it, and not by a field of the HTTP request that the client could set freely.
It should be noted that the target client certificate and the target user terminal are in one-to-one correspondence: the target client certificate is issued to the target user terminal by the server, and different target user terminals hold different target client certificates.
step 2012: generating a target certificate digest from the target client certificate, generating a target user credential based on the target certificate digest, and taking the generated credential as the target user credential corresponding to the target user terminal.
Because the target client certificate is a file, after it has been determined a target certificate digest is generated from it with an algorithm such as SHA256, MD5 or SM3, giving the target user terminal a smaller and less revealing identifier. (MD5 is listed in the disclosure, but it is no longer collision-resistant; SHA256 or SM3 should be preferred in a new deployment.) Further, a target user credential, i.e. a SessionId, an AccessToken or the like, is generated based on the target certificate digest, and the generated credential is taken as the target user credential corresponding to the target user terminal, that is, the credential corresponding to the HTTPS request message sent by that terminal.
Step 202: and determining a binding client certificate bound with the target user certificate based on the target user certificate and a binding relation between a certificate and the certificate established in advance, wherein the binding relation between the certificate and the certificate is determined based on an HTTPS connection establishment request message sent by the target user terminal.
First, the binding relationship between the certificate and the credential is determined by the following method:
(1) When receiving an HTTPS connection establishment request message sent by a target user terminal, analyzing a client certificate from the HTTPS connection establishment request message.
When the target user terminal sends an HTTPS connection establishment request message to the server, the server analyzes the received HTTPS connection establishment request message and determines a client certificate corresponding to the target user terminal, wherein the client certificate is used as a calibration mark when the target user terminal sends the HTTPS request message subsequently.
(2) A certificate digest is generated based on the client certificate, and a user credential is generated based on the certificate digest.
In the implementation process, after the client certificate is determined, algorithms such as SHA256, MD5 or SM3 are used for generating a certificate abstract of the client certificate, and further, user credentials, namely, session Id, access token and the like are generated according to the certificate abstract.
(3) Based on the client certificate and the user credential, a binding relationship between the certificate and the credential is generated.
Because the subsequent target user terminal accesses the server and needs to carry the user certificate to determine the identity, the authority and the like of the user, the client certificate and the corresponding user certificate are bound to generate the binding relationship between the certificate and the certificate so as to conveniently verify the target user terminal in the subsequent process.
It should be added that, because the number of target user terminals sending the HTTPS connection establishment request message to the server is multiple, correspondingly, the binding relationship between the certificate and the credential may also store the pairing between multiple client-side certificates and user credentials.
After the target user terminal sends an HTTPS request message, the bound client certificate bound to the target user credential is determined as shown in fig. 4, specifically:
step 2021: searching the pre-established binding relationship between certificate and credential for the client certificate bound to the target user credential.
In an implementation, after the target user credential has been determined from the HTTPS request message, the client certificate bound to it is looked up in the pre-established binding relationship, that is, the binding relationship is searched for a user credential identical to the target user credential.
If a user credential identical to the target user credential is found in the stored binding relationship, the client certificate bound to that credential is then retrieved.
If no user credential identical to the target user credential can be found in the stored binding relationship, an abnormality alarm is raised directly: the target user terminal is judged to be accessing with an illegitimate credential that the server never issued.
step 2022: taking the found client certificate as the bound client certificate.
In an implementation, if a user credential identical to the target user credential is found through the binding relationship, the client certificate bound to it is taken as the bound client certificate, which is used as the criterion for judging whether the target user terminal is misusing another client's user credential.
Step 203: responding to the HTTPS request message based on the target client certificate and the bound client certificate.
In the implementation process, responding to the HTTPS request message according to whether the target client certificate and the bound client certificate are consistent, specifically, as shown in fig. 5, the method includes:
step 2031: and if the target client certificate is the same as the binding client certificate, allowing the HTTPS request message to access.
In the first case, the target client certificate is the same as the binding client certificate, which indicates that the target user credential corresponding to the target user terminal when sending the HTTPS request message is identical to the user credential corresponding to the target user terminal when sending the connection establishment request message, and that the client certificate corresponding to the target user terminal is also valid, in this case, the HTTPS request message is allowed to be accessed, that is, the HTTPS request message is continuously responded.
Step 2032: and if the target client certificate is different from the bound client certificate, intercepting the HTTPS request message.
In the second case, the target client certificate is the same as the bound client certificate, which indicates that although the target user credential corresponding to the target user terminal when sending the HTTPS request message is identical to the user credential corresponding to the target user terminal when sending the connection establishment request message, the client certificate corresponding to the target user terminal is illegal, that is, it is determined that the target user terminal has a behavior of falsely using the user credential, and in this case, the HTTPS request message is intercepted, that is, the HTTPS request message is stopped being responded. In this case, an abnormality alarm is also issued to the outside.
Application scenarios:
referring to fig. 6, the process of the user terminal a interacting with the server is as follows: the user terminal A sends an HTTPS connection establishment request to a gateway of a server, namely the user terminal A wants to log in the server, the gateway of the server returns a certificate containing a server public key to the user terminal A, the user terminal A verifies the legality of the certificate returned by the server and obtains the public key from the certificate, after the verification is passed, the certificate containing a client public key is sent to the server, in order to facilitate subsequent binding, the gateway of the server verifies the legality of the client certificate, obtains the public key from the certificate and generates a certificate abstract through an SHA256 algorithm, and then the user terminal A sends an encryption scheme supported by the user terminal A to the server, the server uses a public key encryption communication encryption scheme of the client (namely, a user terminal A) to the client, so that the client can use a client private key decryption scheme to generate a random number R, the random number R is transmitted to the server after being encrypted by using a server public key, so that the server uses a server private key to decrypt and take the private key R, meanwhile, the client uses the random number R as a key to carry out HTTPS communication and sends GET/user/{ userId } to the server, so that a gateway of the server can add a field in a requested Header for storing a digest of a client certificate and request a corresponding service based on the fact that the GET/user/{ userId } { http request Header contains the digest of the client certificate }.
Referring to fig. 7, the normal interaction between the user terminal and the server is as follows:
(1) During HTTPS mutual authentication with the server, the SHA256 digest of user terminal A's client certificate is generated at the gateway from the verified certificate (fig. 6); the digest is never accepted from the client itself, since a client that could supply it would be able to claim another terminal's certificate.
(2) A sends a POST /login message to the gateway; the gateway adds a field to the request Header, stores the digest of the client certificate in it, and forwards POST /login (with the digest of the client certificate in the HTTP request Header) to the service.
(3) The service checks the username, password and any other required elements. After the check succeeds it generates a user credential, i.e. a token, takes the certificate digest out of the request Header, and binds the digest to the token.
(4) The service returns OK (200) with the token to the gateway, and the gateway returns the token (200) to A, which then carries the token (for example as a cookie) on subsequent interface accesses.
(5) A sends GET /userinfo with the token; the gateway again adds the field holding the digest of the client certificate to the request Header and forwards the request to the service.
(6) The service checks the validity of the token and checks that the digest in the request Header is the one bound to that token; since they match, it returns OK (200) with the user info to the gateway, which returns it to A.
Referring to fig. 8, when an attacker steals the user credential (i.e. the token) of user terminal A, the interaction among user terminal A, the attacker and the server is as follows. The environment of user terminal A is at risk, so its login credential, the token, is stolen by the attacker. The attacker then performs the handshake with the attacker's own client certificate while presenting the stolen token of the other user. After the gateway receives the request, it adds the field to the request Header and stores the digest of the attacker's client certificate in it; the corresponding service takes that digest out of the field and checks the binding relationship between the digest and the token. Because the token is bound to the digest of A's certificate, not the attacker's, the check fails: the service returns Unauthorized (401) to the gateway, and the gateway returns Unauthorized (401) to the attacker.
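The gateway/service split of figs. 6 to 8 and the decision of steps 2021 to 2032, as one concrete implementation in Python. This is an added example, not the patent's own code and not Tianyi Cloud's. Assumptions: the header name X-Client-Cert-Digest, the Bearer token in the Authorization header, the credential format nonce || HMAC(server_key, digest || nonce), the user table and the two byte strings standing in for DER certificates are all constructed for the example; only the SHA-256-over-DER fingerprint, the stored digest-to-token binding and the three outcomes (served, unknown credential, credential presented with another certificate) follow the text.

```python
import base64
import hashlib
import hmac
import secrets

# Request header the gateway adds after mutual TLS (name is an assumption;
# the patent only says "a field is added in the request Header").
CERT_DIGEST_HEADER = "X-Client-Cert-Digest"


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 digest of the DER-encoded client certificate (the 'certificate
    digest' of step 2012). With a real certificate, cert_der is the raw DER
    from the TLS layer, e.g. ssl.PEM_cert_to_DER_cert(pem_text)."""
    return hashlib.sha256(cert_der).hexdigest()


def gateway_forward(client_cert_der: bytes, headers: dict) -> dict:
    """Gateway side. The TLS handshake already validated the client
    certificate. Drop any client-supplied digest header (otherwise a client
    could claim another certificate's digest) and set it from the certificate
    that was actually presented on this connection."""
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() != CERT_DIGEST_HEADER.lower()}
    forwarded[CERT_DIGEST_HEADER] = cert_digest(client_cert_der)
    return forwarded


class Service:
    """Backend service holding the certificate-to-credential binding table."""

    def __init__(self, server_key: bytes, users: dict):
        self._key = server_key
        self._users = users        # username -> password (constructed table)
        self._bindings = {}        # token -> (certificate digest, username)

    def login(self, headers: dict, username: str, password: str):
        """POST /login (fig. 7): check the password, mint a credential derived
        from the certificate digest, and record the binding."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return 401, None
        digest = headers[CERT_DIGEST_HEADER]
        # Credential = nonce || HMAC(server_key, digest || nonce). Deriving it
        # from the digest is one reading of "generate a user credential based
        # on the certificate digest" (an assumption, not the patent's format).
        nonce = secrets.token_bytes(16)
        mac = hmac.new(self._key, bytes.fromhex(digest) + nonce, "sha256").digest()
        token = base64.urlsafe_b64encode(nonce + mac).decode().rstrip("=")
        self._bindings[token] = (digest, username)
        return 200, token

    def get_userinfo(self, headers: dict):
        """GET /userinfo (figs. 7 and 8): steps 2021 to 2032 of the method."""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        presented = headers.get(CERT_DIGEST_HEADER, "")
        bound = self._bindings.get(token)
        if bound is None:
            # Step 2021: no binding for this credential -> abnormality alarm.
            return 401, "unknown credential"
        bound_digest, username = bound
        if not hmac.compare_digest(bound_digest, presented):
            # Step 2032: credential presented over a different client
            # certificate -> intercept (the stolen-token case of fig. 8).
            return 401, "credential bound to a different client certificate"
        # Step 2031: certificate and credential agree -> serve the request.
        return 200, {"user": username}


# Constructed stand-ins for two clients' DER certificates; any two distinct
# byte strings will do because only their SHA-256 digests are used.
CERT_A = b"\x30\x82\x01\x00constructed-cert-user-terminal-A"
CERT_ATTACKER = b"\x30\x82\x01\x00constructed-cert-attacker"


def run_scenario():
    """Replays figs. 7 and 8: A logs in and reads its data, then an attacker
    who stole A's token presents it over the attacker's own certificate."""
    svc = Service(server_key=secrets.token_bytes(32), users={"alice": "correct horse"})
    # Fig. 7: user terminal A logs in; the gateway stamps A's digest.
    status, token = svc.login(gateway_forward(CERT_A, {}), "alice", "correct horse")
    assert status == 200
    normal = svc.get_userinfo(
        gateway_forward(CERT_A, {"Authorization": "Bearer " + token}))
    # Fig. 8: the attacker reuses the stolen token over its own certificate and
    # even tries to forge the digest header; the gateway overwrites it.
    forged = {"Authorization": "Bearer " + token,
              CERT_DIGEST_HEADER: cert_digest(CERT_A)}
    stolen = svc.get_userinfo(gateway_forward(CERT_ATTACKER, forged))
    # A token the server never issued.
    unknown = svc.get_userinfo(
        gateway_forward(CERT_ATTACKER, {"Authorization": "Bearer nope"}))
    return normal, stolen, unknown


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Two details matter beyond the text: the gateway overwrites any digest header the client sends, because the service trusts that header and a client that could set it would defeat the check; and both comparisons use hmac.compare_digest so the check does not leak timing information. Because the token embeds nonce || HMAC(key, digest || nonce), a service could also recompute the MAC from the presented digest and reject a mismatch without consulting the table; the table is still needed to map the token to a user and to revoke it.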
Based on the same inventive concept, referring to fig. 9, an apparatus for ensuring user security in an embodiment of the present disclosure includes:
a determining unit 901, configured to determine, based on a hypertext transfer protocol secure (HTTPS) request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to the target user terminal;
a binding unit 902, configured to determine, based on the target user credential and a pre-established binding relationship between certificate and credential, the bound client certificate that is bound to the target user credential, where the binding relationship is determined based on an HTTPS connection establishment request message sent by the target user terminal;
a response unit 903, configured to respond to the HTTPS request message based on the target client certificate and the bound client certificate.
Optionally, the binding relationship between the certificate and the credential is determined by:
when receiving an HTTPS connection establishment request message sent by a target user terminal, analyzing a client certificate from the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate, and generating a user credential based on the certificate digest;
based on the client certificate and the user credential, a binding relationship between the certificate and the credential is generated.
Optionally, the target client certificate and the target user credential corresponding to the target user terminal are determined based on an HTTPS request message initiated by the target user terminal, and the determining unit 901 is configured to:
when receiving an HTTPS request message sent by a target user terminal, analyzing a target client certificate from the HTTPS request message;
and generating a target certificate digest based on the target client certificate, generating a target user credential based on the target certificate digest, and determining the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, based on the target user credential and a binding relationship between the pre-established certificate and the credential, a binding client certificate bound to the target user credential is determined, and the binding unit 902 is configured to:
searching, in the pre-established binding relationship between certificates and credentials, for the client certificate bound to the target user credential;
and taking the found client certificate as the bound client certificate.
Optionally, in response to the HTTPS request message based on the target client certificate and the binding client certificate, the response unit 903 is configured to:
if the target client certificate is the same as the bound client certificate, allowing the HTTPS request message access;
and if the target client certificate is different from the bound client certificate, intercepting the HTTPS request message.
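The following is an added example, not code from the patent or its applicant, that walks through the whole procedure described above and the fig. 8 scenario: the server derives a credential from the client-certificate digest at connection setup and records the binding; the gateway writes the digest of the certificate that actually completed the handshake into a request Header field; the service looks up the certificate bound to the presented credential and allows or intercepts the request. The header name `X-Client-Cert-Digest`, SHA-256 as the digest algorithm, the HMAC-based token format, the in-memory `BindingStore`, and the DER byte strings standing in for real certificates are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the DER encoding of two client certificates. In a real
# deployment the gateway would take these bytes from the completed TLS handshake
# (for example ssl.SSLSocket.getpeercert(binary_form=True) in Python).
CERT_USER_A = b"constructed-der-bytes: client certificate of user terminal A"
CERT_ATTACKER = b"constructed-der-bytes: attacker's own client certificate"

# Assumed header name; the patent only says "a field is added in the Header".
DIGEST_HEADER = "X-Client-Cert-Digest"


def certificate_digest(cert_der: bytes) -> str:
    """Certificate digest: SHA-256 over the DER encoding (algorithm assumed)."""
    return hashlib.sha256(cert_der).hexdigest()


class BindingStore:
    """Server-side binding relationship between user credentials and certificate digests."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._token_to_digest: Dict[str, str] = {}

    def establish(self, cert_der: bytes) -> str:
        """On an HTTPS connection setup request: parse the client certificate,
        derive the user credential from its digest, and record the binding."""
        digest = certificate_digest(cert_der)
        nonce = secrets.token_hex(16)  # keeps credentials distinct per session
        tag = hmac.new(self._key, f"{digest}:{nonce}".encode(), hashlib.sha256).hexdigest()
        token = f"{nonce}.{tag}"  # credential generated from the certificate digest
        self._token_to_digest[token] = digest
        return token

    def bound_digest(self, token: str) -> Optional[str]:
        """Look up the certificate digest bound to a credential, if any."""
        return self._token_to_digest.get(token)


def gateway_forward(handshake_cert_der: bytes, request_headers: Dict[str, str]) -> Dict[str, str]:
    """Gateway step: after the mTLS handshake, put the digest of the certificate that
    actually completed the handshake into the request Header for the backend service."""
    # Any digest field already present in the incoming request is dropped and replaced,
    # so the backend only ever sees the value the gateway computed (added hardening).
    forwarded = {k: v for k, v in request_headers.items() if k.lower() != DIGEST_HEADER.lower()}
    forwarded[DIGEST_HEADER] = certificate_digest(handshake_cert_der)
    return forwarded


def service_respond(store: BindingStore, headers: Dict[str, str]) -> int:
    """Service step: compare the target certificate digest (from the gateway) with the
    certificate bound to the presented credential. Returns an HTTP status code."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    token = auth[len("Bearer "):]
    target_digest = headers.get(DIGEST_HEADER)
    bound = store.bound_digest(token)
    if target_digest is None or bound is None:
        return 401  # unknown credential, or the gateway did not attach the digest
    if hmac.compare_digest(target_digest, bound):
        return 200  # same certificate: allow the request
    return 401  # different certificate: intercept the request


def simulate_fig8() -> Tuple[int, int]:
    """A legitimate request from terminal A, then the fig. 8 scenario: a request that
    completed the handshake with a different certificate but carries A's token."""
    store = BindingStore(signing_key=secrets.token_bytes(32))
    token_a = store.establish(CERT_USER_A)
    request = {"Authorization": f"Bearer {token_a}"}

    legit_status = service_respond(store, gateway_forward(CERT_USER_A, request))
    stolen_status = service_respond(store, gateway_forward(CERT_ATTACKER, request))
    return legit_status, stolen_status


if __name__ == "__main__":
    print(simulate_fig8())  # (200, 401)
```

The check that matters is in `service_respond`: the token alone never grants access; the digest of the certificate that completed the handshake must equal the digest recorded when the token was issued. `gateway_forward` overwrites rather than merges the digest field so that the backend cannot be fed a client-chosen value, which the patent's description leaves implicit.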
Based on the same inventive concept, referring to fig. 10, an embodiment of the present disclosure provides a server, including: a memory 1001 for storing executable instructions; and a processor 1002, configured to read and execute the executable instructions stored in the memory to perform any one of the above-mentioned methods for ensuring user security.
Based on the same inventive concept, the disclosed embodiments provide a computer-readable storage medium, wherein when instructions of the storage medium are executed by a processor, the processor can execute any one of the above methods for ensuring user security.
In summary, the embodiments of the present disclosure provide a method, an apparatus and a storage medium for ensuring user security. The method determines a target client certificate and a target user credential corresponding to a target user terminal based on an HTTPS request message initiated by that terminal; determines, based on the target user credential and a pre-established binding relationship between certificates and credentials, the bound client certificate bound to the target user credential, where the binding relationship is determined based on the HTTPS connection establishment request message sent by the target user terminal; and responds to the HTTPS request message based on the target client certificate and the bound client certificate. In other words, the binding relationship is used to determine whether the target client certificate of the target user terminal is consistent with the bound client certificate, so as to judge whether a potential safety hazard exists, effectively screen out attempts to impersonate other users, and ensure user security.
As will be appreciated by one of skill in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the present disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications can be made in the present disclosure without departing from the spirit and scope of the disclosure. Thus, if such modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include such modifications and variations as well.

Claims (10)

1. A method for securing a user, the method comprising:
determining a target client certificate and a target user credential corresponding to a target user terminal based on a hypertext transfer security protocol (HTTPS) request message initiated by the target user terminal;
determining a bound client certificate bound to the target user credential based on the target user credential and a pre-established binding relationship between certificates and credentials, wherein the binding relationship between certificates and credentials is determined based on an HTTPS connection establishment request message sent by the target user terminal;
responding to the HTTPS request message based on the target client certificate and the bound client certificate.
2. The method of claim 1, wherein the binding relationship of the certificate to the credential is determined by:
when receiving an HTTPS connection establishment request message sent by the target user terminal, analyzing a client certificate from the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate, and generating a user credential based on the certificate digest;
and generating the binding relationship between the certificate and the credential based on the client certificate and the user credential.
3. The method of claim 2, wherein the determining the target client certificate and the target user credential corresponding to the target user terminal based on an HTTPS request message initiated by the target user terminal comprises:
when receiving an HTTPS request message sent by the target user terminal, analyzing the target client certificate from the HTTPS request message;
and generating a target certificate digest based on the target client certificate, generating a target user credential based on the target certificate digest, and determining the generated target user credential as the target user credential corresponding to the target user terminal.
4. The method of claim 1, wherein determining the bound client certificate bound to the target user credential based on the target user credential and the pre-established binding relationship between certificates and credentials comprises:
searching, in the pre-established binding relationship between certificates and credentials, for the client certificate bound to the target user credential;
and taking the found client certificate as the bound client certificate.
5. The method of any of claims 1-4, wherein responding to the HTTPS request message based on the target client certificate and the bound client certificate comprises:
if the target client certificate is the same as the bound client certificate, allowing the HTTPS request message access;
and if the target client certificate is different from the bound client certificate, intercepting the HTTPS request message.
6. An apparatus for securing a user, comprising:
the system comprises a determining unit, a sending unit and a receiving unit, wherein the determining unit is used for determining a target client certificate and a target user certificate corresponding to a target user terminal based on a hypertext transfer security protocol (HTTPS) request message initiated by the target user terminal;
a binding unit, configured to determine, based on the target user credential and a binding relationship between a pre-established certificate and a credential, a binding client certificate bound to the target user credential, where the binding relationship between the certificate and the credential is determined based on an HTTPS connection setup request message sent by the target user terminal;
a response unit configured to respond to the HTTPS request message based on the target client certificate and the bound client certificate.
7. The apparatus of claim 6, wherein the binding relationship of the certificate to the credential is determined by:
when receiving an HTTPS connection establishment request message sent by the target user terminal, analyzing a client certificate from the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate and generating a user credential based on the certificate digest;
and generating the binding relationship between the certificate and the credential based on the client certificate and the user credential.
8. The apparatus of claim 7, wherein the target client certificate and the target user credential corresponding to the target user terminal are determined based on an HTTPS request message initiated by the target user terminal, and wherein the determining unit is configured to:
when receiving an HTTPS request message sent by the target user terminal, analyzing the target client certificate from the HTTPS request message;
and generating a target certificate digest based on the target client certificate, generating a target user credential based on the target certificate digest, and determining the generated target user credential as the target user credential corresponding to the target user terminal.
9. A server, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 1-5.
10. A computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor, enable the processor to perform the method of any of claims 1-5.
Application number CN202210835077.5A; priority date 2022-07-15; filing date 2022-07-15; title: Method, device and storage medium for ensuring user safety; status: Pending; publication CN115296863A (en).


Publications (1)

Publication Number Publication Date
CN115296863A true CN115296863A (en) 2022-11-04

Family

ID=83822136


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination