CN115361135A - Identity authentication system and method for solving mutual communication among multiple platforms - Google Patents

Identity authentication system and method for solving mutual communication among multiple platforms Download PDF

Info

Publication number
CN115361135A
CN115361135A CN202210906822.0A CN202210906822A CN115361135A CN 115361135 A CN115361135 A CN 115361135A CN 202210906822 A CN202210906822 A CN 202210906822A CN 115361135 A CN115361135 A CN 115361135A
Authority
CN
China
Prior art keywords
certificate
module
service
participant
root
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210906822.0A
Other languages
Chinese (zh)
Inventor
聂翔
李升林
邓龙辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Qianfang Technology Co ltd
Original Assignee
Shanghai Qianfang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Qianfang Technology Co ltd filed Critical Shanghai Qianfang Technology Co ltd
Priority to CN202210906822.0A priority Critical patent/CN115361135A/en
Publication of CN115361135A publication Critical patent/CN115361135A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention is suitable for the technical field of information security, and provides an identity authentication system and method for solving the mutual communication among multiple platforms, wherein the identity authentication system comprises the following steps: a certificate generation module: for providing a generate certificate service; a certificate downloading module: for providing a certificate download service; a certificate renewal module: for providing a certificate renewal service; certificate revoke module: for providing certificate revocation services; a certificate verification module: for providing certificate revocation services; the encryption and decryption service module is used for providing encryption and decryption services; according to the scheme, the private computing network is controlled to be added and withdrawn through the certificate, and data leakage is prevented through the certificate encryption processing mode in communication between the participants; by deploying a certificate management platform, managing certificates and certificate-related operations, all participants in the privacy computing network can only perform certificate-related operations through the platform, and the platform manages the certificates indirectly to realize the management of the participants.

Description

Identity authentication system and method for solving mutual communication among multiple platforms
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an identity authentication system and method for achieving mutual communication among multiple platforms.
Background
With the frequent occurrence of data security events in recent years, the threat of data security becomes more serious. Both the application data and the data security are required to be protected. How to give consideration to development, safety, efficiency balance and risk and exert data value on the premise of ensuring safety is an important subject faced at present. The privacy computing technology represented by Multi-Party Secure computing (MPC), trusted Execution Environment (TEE), federal Learning (FL), and the like provides a solution for 'available and invisible' of data in the circulation process, and is helpful for breaking the contradiction between data protection and utilization.
The prior art has the following defects:
1. the application process is complex, the existing third-party trusted certificate platform has strict requirements on application data of the certificate, the application failure can be caused by inaccurate data, and the application can be approved and not determined, so that the related rights and interests of participants in the private computing network can be limited
2. Participants cannot be limited, and if the privacy computing platform adopts certificates issued by a trusted third-party platform, malicious third parties can be caused to join the privacy computing network through the available certificates due to the fact that the same ROOT CA certificate is adopted, so that the severe problems of platform data leakage and the like are caused.
3. Effective management cannot be formed, firstly, for a private computing network, the method is equivalent to a federation chain in a block chain, although members in the network have high autonomy, effective management and control need to be formed for the members to join or leave the network, and data encryption and identity authentication are also needed for the interaction of the members with public services. Therefore, if a trusted third party is used for management or a user management platform is separately developed, only the participants of the private computing network can apply for certificates, continue for a long time and cancel the work, and thus effective management cannot be formed.
4. The third party is completely limited, because the inside of the privacy computing network uses the certificate for interaction, whether the certificate is available or not needs to be verified in the interaction process, if the trusted platform of the third party is completely used, the third party can be requested to verify the certificate state every time, and as long as the certificate is unavailable in the privacy computing network, the current request fails and the next interaction cannot be carried out, and if the verification service of the third party is wrong, the inside of the privacy computing network can be paralyzed.
Disclosure of Invention
The embodiment of the invention mainly provides services such as certificate generation, certificate downloading, certificate renewal, certificate revocation, certificate verification and the like, and provides an encryption and decryption service for data encryption and decryption; the method and the system are mainly used for managing the participants in the privacy computing network and guaranteeing the data privacy safety of the participants.
The embodiment of the invention is realized in such a way, and the identity authentication system for solving the mutual communication among multiple platforms comprises:
a certificate generation module: for providing a generate certificate service;
a certificate downloading module: for providing a certificate download service;
a certificate renewal module: for providing a certificate renewal service;
certificate revoke module: for providing certificate revocation services;
a certificate verification module: for providing certificate revocation services;
and the encryption and decryption service module is used for providing encryption and decryption services.
As a preferred embodiment of the present invention, the present invention further includes a user module, the user door module includes a participant module and an administrator module, the participant module is used for the participant to perform the certificate related application service, and the administrator module is used for managing the participant, including the addition, deletion, modification, and examination of the participant user and the approval of the participant application.
As a preferred embodiment of the present invention, the present invention further includes a user management login module and a storage database module, wherein the user management login module is used for providing a basic user management login service, and the storage database module is used for storing data.
As a preferred implementation scheme of the present invention, all certificates in the system are issued by the same root certificate, and a root certificate is generated in the system, i.e. a root ca certificate, which is equivalent to a self-signed certificate, so that an issuer of the root certificate is consistent with a user; wherein only the current network name and the organization to which it belongs need to be provided when generating the root ca certificate.
As a preferred embodiment of the present invention, when executing the certificate generation service, the certificate generation function module needs a participant to log in the system through a participant module, and then submits a business license, a name of an organization, and mandatory information of the organization for short to apply for a certificate, and then an admin user of the system approves through a record submitted by an administrator module offline or online verifying the participant, and if the approval is passed, a node certificate is generated for the corresponding participant, the node certificate organization information is consistent with a root ca certificate, the validity period should be less than or equal to the root ca certificate, the child node certificate is consistent with a root ca certificate signature algorithm, and if the root ca signature algorithm is a national secret algorithm, the child node needs to generate two sets of certificates, one set of certificate is used for encryption, and the other set of certificate is used for decryption.
As a preferred embodiment of the present invention, when executing a certificate downloading task, the certificate downloading module needs to log in the system by a participant module and then download the certificate, where the downloaded certificate is in a zip package format, and the package includes a private key and a public key of a child node and a public key of a root ca; the format of the public key certificate is crt, and the format of the private key certificate is pem. And the certificate of each participant is visible only to the participant.
As a preferred embodiment of the present invention, when executing a certificate renewal task, the certificate renewal module needs a participant to submit a certificate renewal application through the participant module, and the application premise is that the system determines that a digital certificate exists in the current participant module, and the application mode can select a default renewal designated year or a custom renewal time period, and the maximum time of both request modes cannot be greater than the valid time period of a root ca certificate; and after successful submission, the admin user uses the administrator module to carry out approval, and after approval, a new certificate is generated and is downloaded by the participants.
As a preferred embodiment of the present invention, the detailed steps of the certificate revoking module in executing the certificate revoking task are as follows, when the admin user determines that a certain participant exits the network through the administrator module, the admin user sends an application to clear the user information of the participant in the certificate system through the administrator module, and marks the certificate of the user as failed.
As a preferred embodiment of the present invention, the certificate verification service module is provided with an external interface, the external interface does not perform login verification but needs to set a request token, and the token is provided by a certificate platform.
An identity authentication method for solving the mutual communication among multiple platforms comprises the following steps:
a) The Net service sends a communication message 'hello' to the data center, and the Net service selects parameters of handshake; the choice of the cipher suite, which is specified by the data center, determines what type of handshake to perform; the "hello" communication message contains the net service random number, the password suite of the net service selection, and the certificate of the net service; the certificate contains the public key of the net service and the participant information;
b) The data center firstly verifies whether the certificate is credible and available through an external service of the certificate platform, and after verification, the data center creates a random pre-main secret; this secret is encrypted with the public key in the certificate and sent to the net service;
c) After receiving the message, the net service decrypts the premaster secret key by using the private key of the net service; since both parties have pre-main secret and the data center and net service are random, they can both derive the same session key; they then exchange a short message indicating that the next message they send will be encrypted;
d) When the data center and the net service exchange a 'completion' message, the handshake is formally completed; the actual text literally means: "data center completion" or "net service completion" encrypted using a session key; any subsequent communication between the two parties is encrypted using the session key.
The invention has the beneficial effects that:
1. the method is characterized in that a certificate is used as a participation certificate for participation of participants in the private computing network, participation and quitting of the private computing network are controlled through the certificate, and data leakage is prevented through communication among the participants through a certificate encryption processing mode.
2. The method has the advantages that unified certificate management is achieved, management of participants is achieved indirectly, through deployment of a certificate management platform, certificate and certificate related operations are managed, all participants in the privacy computing network can only conduct certificate related operations through the platform, and management of the participants is achieved indirectly through management of the platform on the certificate.
3. The certificate application process is simplified, data required by application of a certificate are simplified according to the conditions of the privacy computing network participants, a certificate management platform does not need a multi-layer superior-inferior relation, one or more admin users are provided to be handed to the participants listed in the privacy computing network for management, and admin directly carries out certificate-related approval work.
4. The usable life of the self-defined certificate is generally one year, the service life of the certificate of a common third-party trusted certificate platform is generally one year, and the platform is adjusted according to the actual condition of the participant to improve the usable life.
5. And the certificate platform is used for carrying out certificate authentication services, including whether the certificate is trusted, the service life of the certificate, the state of the certificate and the like, and is used for limiting participants of the private computing network and preventing third parties from maliciously joining, and only the certificate signed by the certificate platform of the private computing platform can be used for communication among services.
6. And the participants perform safe communication, and a safe communication channel between the participant service and the data center is established through the digital certificate provided by the certificate platform, so that the safe transmission of data is ensured, and the data leakage is prevented.
Drawings
FIG. 1 is a diagram of the overall architecture of the certificate system of the present invention;
FIG. 2 is a participant interaction diagram of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The method has the advantages that the certificate is used as a participation certificate for participation of participants in the privacy computing network, the participation and the quitting of the privacy computing network are controlled through the certificate, and data leakage is prevented through the communication between the participants through a certificate encryption processing mode; unified certificate management, indirectly realize the management to the participant, through deploying a certificate management platform, manage certificate and certificate relevant operation, all participants in the privacy computing network can only carry on certificate relevant operation through this platform, through the platform to the management indirectly of certificate realize advantages such as the management to the participant.
The embodiment of the invention is realized in such a way that an identity authentication system for solving the mutual communication among multiple platforms comprises:
a certificate generation module: for providing a generate certificate service;
a certificate downloading module: for providing a certificate download service;
a certificate renewal module: for providing a certificate renewal service;
certificate revoke module: for providing certificate revocation services;
a certificate verification module: for providing certificate revocation services;
and the encryption and decryption service module is used for providing encryption and decryption services.
Furthermore, the invention also comprises a user module, wherein the user door module comprises a participant module and an administrator module, the participant module is used for the participant to carry out certificate related application service, and the administrator module is used for managing the participant, including the addition and deletion of the participant user and the examination and approval of the participant application.
Furthermore, the invention also comprises a user management login module and a storage database module, wherein the user management login module is used for providing basic user management login service, and the storage database module is used for storing data.
Furthermore, all certificates in the system are issued by the same root certificate, and a root certificate is generated in the system and is a root ca certificate which is equivalent to a self-signed certificate, so that an issuer of the root ca certificate is consistent with a user; where the root ca certificate is generated only by providing the current network name and the organization to which it belongs.
Further, when executing the certificate generation service, the certificate generation function module needs a participant to log in the system through a participant module, and then submits a business license of the participant, a name of an organization, and mandatory information of the organization for short to carry out certificate application, and then an admin user of the system verifies records submitted by the participant offline or online through an administrator module to carry out approval, if the approval is passed, a node certificate is generated for the corresponding participant, the organization information of the node certificate is consistent with the root ca certificate, the validity period is less than or equal to the root ca certificate, the child node certificate is consistent with a root ca certificate signature algorithm, and if the root ca signature algorithm is a national secret algorithm, the child node needs to generate two sets of certificates, one set of certificate is used for encryption, and the other set of certificate is used for decryption.
Furthermore, when executing a certificate downloading task, the certificate downloading module needs to log in the system by a participant module and then download, wherein the downloading certificate is in a zip package format, and the package comprises a private key and a public key of a child node and a public key of root ca; the format of the public key certificate is crt, and the format of the private key certificate is pem. And the certificate of each participant is visible only to the participant.
Furthermore, when executing the certificate renewal task, the certificate renewal module needs a participant to submit a certificate renewal application through the participant module, the application premise is that the system judges that the digital certificate exists in the current participant module, the application mode can select default delay designated years or self-define delay time periods, and the maximum time of the two request modes can not be longer than the effective time period of the root certificate; and after successful submission, the admin user uses the administrator module to carry out approval, and after approval is passed, a new certificate is generated and is downloaded by the participant.
Further, the detailed steps of the certificate revoking module in executing the certificate revoking task are as follows, when the admin module determines that a participant exits from the network, the admin module sends an application for clearing the user information of the participant in the certificate system, and marks the certificate of the user as invalid.
Furthermore, the certificate verification service module is provided with an external interface, the external interface does not perform login verification but needs to set a request token, and the token is provided by the certificate platform.
An identity authentication method for solving the mutual communication among multiple platforms comprises the following steps:
a) The Net service sends a communication message 'hello' to the data center, and the Net service selects parameters of handshake; the choice of the cipher suite, which is specified by the data center, determines what type of handshake to perform; the "hello" communication message contains the net service nonce, the net service selected cipher suite, and the net service's certificate; the certificate contains the public key of the net service and the participant information;
b) The data center firstly verifies whether the certificate is credible and usable through an external service of the certificate platform, and the data center creates a random pre-main secret after verification; this secret is encrypted with the public key in the certificate and sent to the net service;
c) After receiving the message, the net service decrypts the premaster secret key by using the private key of the net service; since both parties have a pre-main secret and both the data center and the net service are random, they can both derive the same session key; they then exchange a short message indicating that the next message they send will be encrypted;
d) When the data center and the net service exchange a 'completion' message, the handshake is formally completed; the actual text literally means: "data center completion" or "net service completion" encrypted using a session key; any subsequent communication between the two parties is encrypted using the session key.
Example one
Referring to fig. 1-2, an identity authentication system for solving the mutual communication between multiple platforms includes:
a certificate generation module: for providing a generate certificate service;
a certificate downloading module: for providing a certificate download service;
a certificate renewal module: for providing a certificate renewal service;
certificate revoke module: for providing certificate revocation services;
a certificate verification module: for providing certificate revocation services;
and the encryption and decryption service module is used for providing encryption and decryption services.
In this embodiment, the present invention further includes a user module, where the user door module includes a participant module and an administrator module, the participant module is used for the participant to perform certificate-related application services, and the administrator module is used for managing the participants, including addition, deletion, modification, and examination of users of the participants and approval of applications of the participants.
In this embodiment, the present invention further includes a user management login module and a storage database module, where the user management login module is configured to provide a basic user management login service, and the storage database module is configured to store data, and the user module has a simple function, and can simplify a process, thereby improving a speed.
In this embodiment, all certificates in the system are issued by the same root certificate, and a root certificate, that is, a root ca certificate is generated in the system, and the root ca certificate is equivalent to a self-signed certificate, so that an issuer of the root ca certificate is consistent with a user; when generating the root ca certificate, only the current network name and the organization to which the root ca certificate belongs need to be provided, and further 5, since the root ca certificate is mainly used for verification and issuance, the validity period of the certificate can be properly prolonged. Finally, the certificate signature algorithm has a plurality of algorithms, and the invention needs to support mainstream algorithms such as 1.SM3WITHSM2 (national secret algorithm), 2.SHA256WITHECDSA (ECDSA encryption algorithm), 3.SHA256WITHRSA (RSA encryption algorithm) and the like; and the signature algorithm of the subsequent node certificate should be consistent with the root node algorithm.
In this embodiment, when executing the certificate generation service, the certificate generation function module needs a participant to log in the system through a participant module, and then submits a business license of the participant, a name of an organization, and mandatory information of the organization, which is abbreviated as "authority", to apply for a certificate, and then an admin user of the system approves the record submitted by the participant through offline or online verification of an administrator module, and if the approval is passed, a node certificate is generated for the corresponding participant, the node certificate organization information is consistent with the root ca certificate, the validity period should be less than or equal to the root ca certificate, and the child node certificate is consistent with a root ca certificate signature algorithm, and if the root ca signature algorithm is a national secret algorithm, the child node needs to generate two sets of certificates, one set of the certificates is used for encryption, and the other set of the certificates is used for decryption.
In this embodiment, when executing a certificate downloading task, the certificate downloading module needs to log in a system and then download the certificate through a participant module, where the downloaded certificate is in a zip package format, and the package includes a private key and a public key of a child node, and a public key of root ca; the format of the public key certificate is crt, and the format of the private key certificate is pem. And the certificate of each participant is visible only to the participant.
In this embodiment, when executing the certificate renewal task, the certificate renewal module needs the participant to submit the certificate renewal application through the participant module, and the application premise is that the system determines that the digital certificate exists in the current participant module, and the application mode can select default delay designated years or custom delay time periods, and the maximum time of both request modes cannot be greater than the valid time period of the root ca certificate; and after successful submission, the admin user uses the administrator module to carry out approval, and after approval, a new certificate is generated and is downloaded by the participants.
In this embodiment, the detailed steps of the certificate revoking module in executing the certificate revoking task are as follows, when an admin user determines that a certain participant exits the network through the administrator module, the admin user sends an application to clear user information of the participant in the certificate system through the administrator module, and marks the certificate of the user as invalid.
In this embodiment, the certificate verification service module is provided with an external interface, the external interface does not perform login verification but needs to set a request token, the token is provided by the certificate platform, in this embodiment, a service with an effective token can access the external interface, the token is synchronized to an external service at regular time, and the service fails at regular time. The external service provides the unique information of the certificate to be verified to obtain the current certificate state by requesting the external interface, the certificate state is judged by the certificate platform, and the states include but are not limited to: in effect, the information is invalid, expired and absent; the external service can judge whether the current request certificate is legal or not through the function.
Example two
Referring to fig. 2, the interaction manner of the participants in the private computing network can be known from fig. 2. Each participant requests the data center by operating the console in the internal service of the participant, communication among the participants is realized by operating the data center, the internal service of the participant is deployed in an intranet, and the internal console service and the network service are in the same server, so that the interaction between the internal console service and the network service does not have safety problem. Therefore, the encryption and decryption of the certificate need to be implemented in the process of interaction between the participant and the data center, and the internal service net service of the participant is mainly used for receiving the request of the console and requesting the data center according to the request content, so that the communication between the net service and the data center needs to perform data encryption and decryption and identity authentication.
An identity authentication method for solving the mutual communication among multiple platforms comprises the following steps:
a) The Net service sends a communication message 'hello' to the data center, and the Net service selects handshake parameters; the choice of the cipher suite, which is specified by the data center, determines what type of handshake to perform; the "hello" communication message contains the net service nonce, the net service selected cipher suite, and the net service's certificate; the certificate contains the public key of the net service and the participant information;
b) The data center firstly verifies whether the certificate is credible and usable through an external service of the certificate platform, and the data center creates a random pre-main secret after verification; this secret is encrypted with the public key in the certificate and sent to the net service;
c) After receiving the message, the net service decrypts the premaster secret key by using the private key of the net service; since both parties have pre-main secret and the data center and net service are random, they can both derive the same session key; they then exchange a short message indicating that the next message they send will be encrypted;
d) When the data center exchanges 'completion' information with the net service, the handshake is formally completed; the actual text literally means: "data center completion" or "net service completion" encrypted using a session key; any subsequent communication between the two parties is encrypted using the session key.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily executed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of steps in various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed alternately or alternatingly with other steps or at least a portion of sub-steps or stages of other steps.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent should be subject to the appended claims.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (10)

1. An identity authentication system for resolving intercommunication between multiple platforms, comprising:
a certificate generation module: for providing a generate certificate service; a certificate downloading module: for providing a certificate download service; a certificate renewal module: for providing a certificate renewal service;
certificate revoke module: for providing certificate revocation services; a certificate verification module: for providing certificate revocation services;
and the encryption and decryption service module is used for providing encryption and decryption services.
2. The identity authentication system for resolving intercommunication between multiple platforms as recited in claim 1, further comprising a user module;
the user door module comprises a participant module and an administrator module, wherein the participant module is used for a participant to perform certificate related application service;
the administrator module is used for managing the participants, including the addition, deletion, modification and check of users of the participants and the examination and approval of applications of the participants.
3. The identity authentication system for solving the intercommunication problem among the multiple platforms as recited in claim 2, further comprising a user management login module and a repository database module;
the user management login module is used for providing basic user management login service, and the storage database module is used for storing data.
4. The identity authentication system for solving the problem of intercommunication between multiple platforms as claimed in claim 3, wherein all certificates in the system are issued by the same root certificate, and a root certificate is generated in the system, namely, root ca certificate, which is equivalent to self-signed certificate, and the issuer is consistent with the user; wherein only the current network name and the organization to which it belongs need to be provided when generating the root ca certificate.
5. The system of claim 4, wherein the identity authentication system is configured to resolve intercommunication between multiple platforms
When executing the certificate generating service, the certificate generating function module needs the participant to log in the system through the participant module, and then submits the business license, the name of the organization and the short name of the organization of the participant to carry out the certificate application;
then, the admin user of the system verifies the records submitted by the participants offline or online through an administrator module to carry out examination and approval, and if the examination and approval are passed, a node certificate is generated for the corresponding participants;
the node certificate organization information is consistent with the root ca certificate, the validity period is less than or equal to the root ca certificate, the child node certificate is consistent with a root ca certificate signature algorithm, and if the root ca signature algorithm is a national encryption algorithm, the child node needs to generate two sets of certificates, one set is used for encryption and the other set is used for decryption.
6. The identity authentication system for solving the intercommunication problem among the multiple platforms as claimed in claim 5, wherein said certificate downloading module needs the participant to log in the system through the participant module for downloading when executing the task of downloading the certificate, the downloaded certificate is in a zip package format and comprises the private key and the public key of the child node and the public key of root ca; the public key certificate format is crt, the private key certificate format pem, and the certificate of each participant is only visible to the participant.
7. The system of claim 6, wherein the identity authentication system is configured to resolve intercommunication between multiple platforms
When executing a certificate renewal task, a certificate renewal module needs a participant to submit a certificate renewal application through a participant module, and the application premise is that the system judges that a digital certificate exists in the current participant module;
the application mode can select default delay designated years or self-defined delay time periods, and the maximum time of the two request modes cannot be larger than the effective time period of the root ca certificate;
and after successful submission, the admin user uses the administrator module to carry out approval, and after approval, a new certificate is generated and is downloaded by the participants.
8. The identity authentication system for solving the mutual communication among the multiple platforms as claimed in claim 7, wherein the detailed steps of the certificate revoking module in executing the certificate revoking task are as follows, when the admin user determines that a certain participant exits the network through the administrator module, the admin user sends an application for clearing the user information of the participant in the certificate system through the administrator module, and marks the certificate of the user as invalid.
9. The identity authentication system for solving the intercommunication problem among the multiple platforms as recited in claim 8, wherein the certificate verification service module is provided with an external interface which does not make login verification but needs to set a request token, and the token is provided by the certificate platform.
10. An identity authentication method for solving intercommunication between multiple platforms is characterized by comprising the following steps:
a) The Net service sends a communication message 'hello' to the data center, and the Net service selects parameters of handshake; the selection of the cipher suite, which is specified by the data center, determines what type of handshake to perform; the "hello" communication message contains the net service random number, the password suite of the net service selection, and the certificate of the net service; the certificate contains the public key of the net service and the participant information;
b) The data center firstly verifies whether the certificate is credible and usable through an external service of the certificate platform, and the data center creates a random pre-main secret after verification; this secret is encrypted with the public key in the certificate and sent to the net service;
c) After receiving the message, the net service decrypts the premaster secret key by using the private key of the net service; both parties possess pre-main secret, and the data center and the net service are random and can derive the same session key; then exchanging a short message to indicate that the next message to be sent is to be encrypted;
d) When the data center exchanges 'completion' information with the net service, the handshake is formally completed; the actual text literally means: "data center complete" or "net service complete" encrypted using session keys; any subsequent communication between the two parties is encrypted using the session key.
CN202210906822.0A 2022-07-29 2022-07-29 Identity authentication system and method for solving mutual communication among multiple platforms Pending CN115361135A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210906822.0A CN115361135A (en) 2022-07-29 2022-07-29 Identity authentication system and method for solving mutual communication among multiple platforms

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210906822.0A CN115361135A (en) 2022-07-29 2022-07-29 Identity authentication system and method for solving mutual communication among multiple platforms

Publications (1)

Publication Number Publication Date
CN115361135A true CN115361135A (en) 2022-11-18

Family

ID=84032234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210906822.0A Pending CN115361135A (en) 2022-07-29 2022-07-29 Identity authentication system and method for solving mutual communication among multiple platforms

Country Status (1)

Country Link
CN (1) CN115361135A (en)

Similar Documents

Publication Publication Date Title
Paulson Inductive analysis of the internet protocol TLS
US7725730B2 (en) Cryptographic methods and apparatus for secure authentication
RU2325693C2 (en) Methods of authentication of potentials members, which were invited to join the group
TWI233739B (en) Systems, methods and computer readable recording medium for remote password authentication using multiple servers
Chattaraj et al. A new two-server authentication and key agreement protocol for accessing secure cloud services
JP2008503966A (en) Anonymous certificate for anonymous certificate presentation
CN116566660A (en) Identity authentication method based on medical block chain
CN114154125B (en) Identity authentication scheme without block chain certificate in cloud computing environment
CN101534192A (en) System used for providing cross-domain token and method thereof
Abdalla et al. Provably secure password-based authentication in TLS
CN113824570A (en) Block chain-based security terminal authentication method and system
CN115883102B (en) Cross-domain identity authentication method and system based on identity credibility and electronic equipment
Trivedi et al. Design of secure authentication protocol for dynamic user addition in distributed Internet-of-Things
CN114254284B (en) Digital certificate generation and identity authentication method, quantum CA authentication center and system
CN110557367B (en) Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography
Li et al. Blockchain-based portable authenticated data transmission for mobile edge computing: a universally composable secure solution
CN115834093A (en) Block chain-based network node control method and system and consensus node
Szalachowski Smartcert: Redesigning digital certificates with smart contracts
Gajek et al. Provably secure browser-based user-aware mutual authentication over TLS
CN113301026A (en) Method for communication between servers
Persiano et al. A secure and private system for subscription-based remote services
Laing et al. Symbolon: Enabling Flexible Multi-device-based User Authentication
CN114417419A (en) Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection
CN115361135A (en) Identity authentication system and method for solving mutual communication among multiple platforms
Shahidinejad et al. Untraceable blockchain-assisted authentication and key exchange in medical consortiums

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination