CN115941217A - Method for secure communication and related product - Google Patents

Method for secure communication and related product

Info

Publication number
CN115941217A
Authority
CN
China
Prior art keywords
client
certificate
digital certificate
user
identification information
Legal status
Granted
Application number
CN202110942545.4A
Other languages
Chinese (zh)
Other versions
CN115941217B (en)
Inventor
李闯
Current Assignee
China Financial Certification Authority Co ltd
Original Assignee
China Financial Certification Authority Co ltd
Application filed by China Financial Certification Authority Co ltd
Priority to CN202110942545.4A
Publication of CN115941217A
Application granted
Publication of CN115941217B
Legal status: Active

Abstract

The present invention relates to a method, a client, a server, a system and a computer program product for secure communication. The method comprises the following steps: generating a certificate application request for a client digital certificate in response to a communication request between an application program installed on a client and a server, the client digital certificate being associated with the client; sending the certificate application request to a certificate issuing authority; receiving the client digital certificate issued by the certificate issuing authority on the basis of the certificate application request; and establishing a secure transport layer protocol (TLS) mutual authentication channel between the application program and the server on the basis of the client digital certificate. With the technical scheme of the invention, a TLS mutual authentication channel between the application program and the server can be established without introducing additional hardware devices.

Description

Method for secure communication and related product
Technical Field
The present invention relates generally to the field of communications. More particularly, the present invention relates to a method, client, server, system and computer program product for secure communication.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived or pursued. Thus, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
TLS (Transport Layer Security, the secure transport layer protocol) is the general-purpose secure channel protocol of the internet. At present most mobile apps on the client side use a TLS channel when communicating with their server, and establishing that channel usually involves only one-way TLS authentication: the client verifies the server's identity, and the server does not verify the client's. A channel built with one-way authentication offers a comparatively low level of assurance and is unsuitable for scenarios with high security requirements. The related art also provides TLS mutual authentication, in which the server additionally verifies the client's identity, but this has required a dedicated digital certificate hardware device (for example a Bluetooth USB key token ("U shield"), an audio-jack key or an NFC card, costing from tens to hundreds of yuan). Such a TLS authentication method is therefore costly and poorly portable, which in turn impairs communication between the app and the server.
Disclosure of Invention
To address at least the technical problems described in the Background, the present invention proposes a solution for secure communication. With the scheme of the invention, a secure transport layer protocol (TLS) mutual authentication channel between the application program and the server can be established without introducing additional hardware. The scheme therefore improves the security of communication between the application program and the server, effectively reduces the cost of building the secure channel, and further improves the communication performance between the application program and the server. In view of this, the present invention provides solutions in the following aspects.
A first aspect of the invention provides a method for secure communication, comprising: generating a certificate application request about a client digital certificate in response to a communication request between an application program installed on a client and a server, wherein the client digital certificate is associated with the client; sending the certificate application request to a certificate issuing authority; receiving a client-side digital certificate sent by the certificate issuing authority based on the certificate application request; and establishing a secure transport layer protocol mutual authentication channel between the application program and the server based on the client digital certificate.
In one embodiment, wherein generating the certificate application request for the client digital certificate comprises: acquiring identification information of the client; acquiring identification information of the application program; and generating the certificate application request according to the identification information of the client and the identification information of the application program.
In one embodiment, the obtaining the identification information of the client comprises: generating an initial key for the client digital certificate, wherein the initial key comprises an initial public key; acquiring equipment information of the client; and generating identification information of the client according to the equipment information and the initial public key.
In one embodiment, wherein the initial key further comprises an initial private key, the method further comprises: generating a target private key according to the identification information of the client and the initial private key; generating a target public key according to the target private key; and adding the target public key, the identification information of the client and the identification information of the application program into a signed area in the certificate application request.
A second aspect of the invention provides a method for secure communication, comprising: obtaining a client digital certificate associated with a client, wherein the client digital certificate is used for constructing a secure transport layer protocol mutual authentication channel between a server and an application program installed on the client; associating the client digital certificate with a user of the application program in response to an authentication request for the user; and authenticating the user on the basis of the verification of the client digital certificate.
In one embodiment, wherein associating the client digital certificate with the user comprises: acquiring verification information when the user accesses the application program; authenticating the user based on the authentication information; and associating the client digital certificate with the user in response to passing the identity verification.
In one embodiment, wherein associating the client digital certificate with the user comprises: extracting identification information of the client from the client digital certificate; and associating the identification information of the client with the user.
A third aspect of the present invention provides a client, including: a processor; and a memory storing computer instructions for secure communication, which when executed by the processor, cause the client to perform the method of the foregoing first aspect and in the following embodiments.
A fourth aspect of the present invention provides a computer program product comprising program instructions for secure communication, which when executed by a processor, cause the method of the preceding first aspect and in a plurality of embodiments below to be carried out.
A fifth aspect of the present invention provides a server comprising: a processor; and a memory storing computer instructions for secure communication, which when executed by the processor, cause the server to perform the method of the foregoing second aspect and in the following embodiments.
A sixth aspect of the present invention provides a computer program product comprising program instructions for secure communication, which when executed by a processor, cause the method of the aforementioned second aspect and in a plurality of embodiments below to be carried out.
A seventh aspect of the present invention proposes a system for secure communication, comprising: a client according to a third aspect of the present invention, configured to perform the method according to the foregoing first aspect and in the following embodiments, to generate a certificate application request regarding a client certificate, and to construct a secure transport layer protocol bidirectional authentication channel between an application and a server based on the client certificate; a certificate issuing authority configured to issue a client digital certificate associated with the client based on the certificate application request; and a server according to a fifth aspect of the present invention, configured to perform the method according to the foregoing second aspect and in the following embodiments, for binding the client digital certificate with the user to enable authentication of the user based on the authentication of the client digital certificate.
With the scheme of the invention, the client can apply to the certificate issuing authority for a client digital certificate associated with the client, and then build a secure transport layer protocol mutual authentication channel (that is, a TLS mutual authentication channel) between the application program and the server on the basis of that certificate. The TLS mutual authentication channel is thus established without introducing additional hardware devices, which effectively reduces the cost of building the secure channel. Through the mutual authentication channel the scheme improves the security of communication between the application program and the server, and with it the communication performance between the two. Additionally, in some implementation scenarios the client digital certificate may be associated with the user accessing the application after the TLS mutual authentication channel has been established, so that when the user uses the application again the user's identity can be verified by verifying the client digital certificate; this supports login-free operation and improves the user experience.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. In the accompanying drawings, which are meant to be exemplary and not limiting, several embodiments of the invention are shown and indicated by like or corresponding reference numerals, wherein:
FIG. 1A is a flow diagram illustrating a method for secure communications according to an embodiment of the present invention;
FIG. 1B is a flow diagram illustrating a method for generating a certificate application request according to an embodiment of the invention;
FIG. 2 is a flow diagram illustrating another method for secure communications according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating interactions between devices in a system for secure communications according to an embodiment of the present invention; and
FIG. 4 is a block diagram illustrating a client according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, belong to the protection scope of the present invention.
It should be understood that the terms "first", "second", "third" and "fourth", etc. in the claims, the description and the drawings of the present invention are used for distinguishing different objects and are not used for describing a particular order. The terms "comprises" and "comprising," when used in the specification and claims of this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification and claims of this application, the singular form of "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the term "and/or" as used in the specification and claims of this specification refers to any and all possible combinations of one or more of the associated listed items and includes such combinations.
As used in this specification and claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
The following detailed description of the embodiments of the invention refers to the accompanying drawings.
FIG. 1A is a flow diagram illustrating a method 100 for secure communication according to an embodiment of the present invention. In some implementations, method 100 is performed by a client on which an application program is installed, and communication with a server is achieved by means of method 100. As shown in FIG. 1A, at step S101 a certificate application request for a client digital certificate is generated in response to a communication request between the application program and the server. The communication request can be triggered by the application program according to its service requirements. In some embodiments the application program may be any application installed on the client, and in particular one with higher security requirements. In one embodiment, generating the certificate application request involves steps S101-1, S101-2 and S101-3 shown in FIG. 1B.
As shown in FIG. 1B, at step S101-1 the identification information of the client is acquired. In one implementation scenario the identification information of the client is determined from the initial public key of the client digital certificate and the device information. Specifically, an initial key for the client digital certificate is generated first; it may be generated, for example, with the RSA algorithm, although the scheme of the invention is not limited to that algorithm. Then the device information of the client is acquired; in one implementation scenario the device information may include, but is not limited to, the MAC address, the IMEI (International Mobile Equipment Identity), a UUID (Universally Unique Identifier), the IDFV (Identifier For Vendor) and the like. The device information and the initial public key are then assembled into the identification information.
In an embodiment the device information and the initial public key are arranged sequentially (concatenated) to form the identification information, or the two are combined by an exclusive-or operation (which requires bringing both inputs to the same length first). This way of obtaining the identification information is only one possible implementation, and the scheme of the invention is not limited to it.
Next, at step S101-2, the identification information of the application program is acquired. In one implementation scenario this may include, but is not limited to, the application's name, category and other information; the items listed here merely illustrate the identification information of the application program and do not limit it.
Then, at step S101-3, the certificate application request is determined from the identification information of the client and the identification information of the application program. In one implementation scenario the two are placed in the signed area of the request. In one embodiment a target private key is additionally generated from the initial private key of the initial key and the identification information of the client, and a target public key is generated from the target private key; the target public key, the identification information of the client and the identification information of the application program are then all added to the signed area of the certificate application request. Because the request signature covers that area, any alteration of the target public key or of the identification information between the client and the certificate issuing authority is detected, which protects the validity of the certificate being applied for. Note that the signature only proves possession of the target private key and the integrity of the signed fields; the certificate issuing authority still has to check for itself that the device information is what it expects for this client before issuing. In addition, because the identification information and the target key pair are derived from the device information and the initial key rather than from the application program's cache files, they are not affected when the cache is emptied or lost: as long as the initial key can be recovered, the identification information and the target key pair can be rebuilt in the manner described above.
After the certificate application request has been generated, at step S102 it is sent to the certificate issuing authority; this is the request obtained as described above in connection with step S101. Then, at step S103, the client digital certificate issued by the certificate issuing authority on the basis of the certificate application request is received. The client digital certificate is associated with the client: as mentioned above, the certificate application request carries the identification information of the client, so the certificate issuing authority can associate (for example bind) the client with the client digital certificate through that identification information. In one embodiment the certificate issuing authority may be provided with various types of servers and/or databases for sending digital certificates to clients.
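The request-building procedure of steps S101-1 to S101-3, together with the check the certificate issuing authority should make on receipt at steps S102/S103, as an added worked example in Go. This is example code written for this page, not code from the patent or from the assignee. It assumes an ECDSA P-256 initial key (the patent names RSA only as an example), a particular hash-based derivation of the target key from the initial private key and the identification information (the patent fixes none), the client identification placed in the request subject as a SHA-256 fingerprint with the application name in the OU field, and a constructed device-information string; the names `SampleDevice`, `Identification`, `DeriveTargetKey`, `BuildCSR`, `CheckCSR` and `TamperCN` are introduced here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Constructed sample device information (the patent names MAC, IMEI, UUID, IDFV).
var SampleDevice = []byte("mac=02:42:ac:11:00:02;imei=490154203237518")

// Identification is step S101-1 with the "sequential arrangement" option:
// device information followed by the encoded initial public key.
func Identification(device []byte, initial *ecdsa.PublicKey) []byte {
	pub := elliptic.Marshal(initial.Curve, initial.X, initial.Y)
	return append(append([]byte{}, device...), pub...)
}

// DeriveTargetKey is the key step of S101-3. The patent fixes no derivation
// function; this example (an assumption) hashes the initial private scalar with
// the identification and maps the digest into [1, N-1]. Being deterministic, it
// rebuilds the same target key from the same inputs after a cache wipe.
func DeriveTargetKey(initial *ecdsa.PrivateKey, id []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	h := sha256.New()
	h.Write([]byte("client-cert-target-key-v1"))
	h.Write(initial.D.Bytes())
	h.Write(id)
	nMinus1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	d := new(big.Int).SetBytes(h.Sum(nil))
	d.Mod(d, nMinus1).Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// fingerprint shortens the raw identification so that it fits a CommonName.
func fingerprint(id []byte) string {
	sum := sha256.Sum256(id)
	return hex.EncodeToString(sum[:])
}

// BuildCSR puts the client identification (as its fingerprint) and the
// application identification into the subject, which lies inside the signed
// CertificationRequestInfo, then signs the request with the target key.
func BuildCSR(target *ecdsa.PrivateKey, id []byte, app string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName: fingerprint(id), OrganizationalUnit: []string{app},
	}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, target)
}

// CheckCSR is the issuing authority's check before issuance: the signature over
// the signed area verifies with the enclosed public key (possession plus
// integrity in transit), and the enclosed identifications are the ones the
// authority expects for this client and application.
func CheckCSR(der, expectedID []byte, app string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("signed area altered: %w", err)
	}
	if csr.Subject.CommonName != fingerprint(expectedID) {
		return fmt.Errorf("client identification mismatch")
	}
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != app {
		return fmt.Errorf("application identification mismatch")
	}
	return nil
}

// TamperCN flips one bit of the CommonName inside the DER, the kind of in-transit
// edit the signed area exists to expose.
func TamperCN(der []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	cn := []byte(csr.Subject.CommonName)
	altered := append([]byte{}, cn...)
	altered[0] ^= 1
	return bytes.Replace(der, cn, altered, 1), nil
}

func main() {
	initial, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id := Identification(SampleDevice, &initial.PublicKey)
	csr, _ := BuildCSR(DeriveTargetKey(initial, id), id, "example-banking-app")
	fmt.Println("genuine request:", CheckCSR(csr, id, "example-banking-app"))
	bad, _ := TamperCN(csr)
	fmt.Println("tampered request:", CheckCSR(bad, id, "example-banking-app"))
}
```

The `CheckSignature` call is what the signed area buys: a request whose subject was altered after signing no longer verifies under its own public key. The identification comparison that follows is the issuing authority's own policy check; the signature cannot stand in for it, since any client can sign any device string it likes.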
Next, at step S104, a TLS mutual authentication channel between the application program and the server is established on the basis of the client digital certificate. The scheme of the invention thus establishes the secure transport layer protocol mutual authentication channel between the application program and the server without introducing additional hardware.
Fig. 2 is a flow diagram illustrating another method 200 for secure communications according to an embodiment of the present invention. In some implementations, the method 200 described above is applied to a server that can communicate with an application installed on a client through the method 200 described above. It is to be understood that the server and the client may be the server and the client described above with reference to fig. 1, and thus the description of the server and the client also applies to the following description.
As shown in fig. 2, at step S201, a client digital certificate associated with a client may be obtained, where the aforementioned client digital certificate is used to construct a secure transport layer protocol mutual authentication channel between a server and an application installed on the client. It is to be understood that the client digital certificate herein may be the client digital certificate described above in connection with fig. 1. In one embodiment, the client may be associated with a client digital certificate by binding the client's identification information to the client digital certificate. It is to be understood that the binding described herein is merely one possible implementation and that the inventive arrangements are not so limited.
Next, at step S202, in response to an authentication request for the user of the application program, the client digital certificate is associated with the user. In one embodiment, when a user accesses the application, the client triggers and sends an authentication request for the user to the server. On receiving it, the server detects whether the client digital certificate is already associated with a user (this detection step applies when the user is not accessing the application for the first time). If no user is associated, the server responds to the authentication request by associating the user with the client digital certificate. When the user logs in to the application program again, the user's identity can then be authenticated by authenticating the client digital certificate.
Next, at step S203, the user's identity is authenticated on the basis of the authentication of the client digital certificate. In one embodiment, when a user accesses the application, verification information of the user (for example a username and password, biometric information, etc., sent by the user through the client) is obtained and the user is authenticated on that basis; on passing, the client digital certificate is associated with the user. In one embodiment it is the identification information of the client (for example extracted from the client digital certificate) that is associated with the user. Thereafter, when the user uses the application program again, the user's identity can be verified by verifying the client digital certificate, which supports login-free operation and improves the user experience. Since from that point the client's private key stands in for the user's credentials, the client should protect that key at least as carefully as it would a stored password, for example in the platform key store.
It should be noted that the technical solution of the present invention differs from related technologies such as the traditional U shield, the NFC card and the software certificate. Besides the hardware support mentioned in the Background, those technologies require communication between the application and the server to follow the strict order of auditing the user's identity, issuing the certificate and then building the channel, and the user still has to enter authentication information on every subsequent use of the application. With the solution of the present invention, by contrast, a client digital certificate associated with the client is obtained first, and the certificate is bound to the user when the user accesses the application (in particular on first access). When the user accesses the application again, the user is authenticated by authenticating the client certificate, without manually entering authentication information, so the user can log in quickly once the TLS channel has been established on the basis of the client digital certificate. The scheme of the invention thus both shortens the business process and improves the user experience.
Fig. 3 is an interaction diagram illustrating a system 300 for secure communications according to an embodiment of the present invention. In some implementation scenarios, system 300 may include a client, a certificate issuing authority, and a server. It is to be understood that the clients and servers herein may be the clients and servers described above in conjunction with fig. 1 and 2, and thus the description of the clients and servers above applies equally to the following. The interaction between the client, certificate issuing authority and server is described in detail below.
At the client:
at step S301, after the application program in the client is started and before a channel is established with the server, it is detected whether a client digital certificate is stored locally. If it is determined that the client digital certificate is not stored, step S302 is executed. It is understood that the client digital certificate may be the client digital certificate described above in conjunction with fig. 1 and 2, and thus the client digital certificate described above is also applicable to the following description.
At step S302, in response to the client digital certificate not being stored locally, a target key and a certificate application request for the client digital certificate may be generated. In one embodiment, the aforementioned identification information of the client, the identification information of the application program, and the target public key in the target key may be added to the signed area in the certificate application request. In an embodiment, the foregoing specific generation process of the identification information of the client and the target public key may be implemented according to the generation process of the identification information of the client and the target public key described in conjunction with fig. 1.
Next, at step S303, the certificate application request may be sent to the certificate issuing authority, so that the certificate issuing authority feeds back the client digital certificate associated with the client based on the certificate application request.
At a certificate issuing authority:
In step S304, after receiving the certificate application request, the certificate issuing authority issues a client digital certificate that binds the identification information of the client. In one embodiment, if a client digital certificate for this client is already stored (that is, the certificate has already been issued), the binding operation need not be repeated.
Next, at step S305, the client digital certificate may be sent to the aforementioned client. It is understood that the client digital certificate here may be a digital certificate stored by the certificate authority and associated with the client, or may be a digital certificate based on the identification information of the client bound in the foregoing step S304.
At the client:
at step S306, in response to acquiring the aforementioned client digital certificate, a TLS bidirectional authentication secure channel between the application and the server may be established based on the client digital certificate when the aforementioned application and the server have a communication demand. It will be appreciated that the client digital certificate herein may be stored locally or may be transmitted by the aforementioned certificate issuing authority.
At the server:
at step S307, the client digital certificate may be forwarded to a business system associated with the server. To authenticate a user accessing an application based on the business system. In one embodiment, when a user first accesses an application, authentication information (e.g., username, password, biometric information, text messages, etc.) for the user may be obtained and the user's identity may be authenticated based on the authentication information. And associating (e.g., binding) the client's identification information in the certificate with the user upon passing authentication of the user. Therefore, when the user uses the application program again, the authentication of the user identity can be realized by means of authenticating the client digital certificate, so that the login-free operation of the user is supported.
Fig. 4 is a schematic block diagram illustrating a client 400 according to an embodiment of the present invention. The client 400 may include a device 401 according to an embodiment of the present invention and its peripheral devices and external networks. As previously described, the client (e.g., via device 401) implements operations such as obtaining a client digital certificate associated with the client, and establishing a TLS bi-directional authenticated secure channel between the application and the server using the client digital certificate, to implement the aspects of the present invention described above in conjunction with fig. 1-3.
As shown in FIG. 4, the device 401 may include a CPU 4011, which may be a general-purpose CPU, a dedicated CPU or another execution unit on which information processing and programs run. The device 401 may further include a mass storage 4012 and a read-only memory ROM 4013. The mass storage 4012 may be configured to store various types of data, including the ledger, ledger information, the announcement cycle and the like, together with the programs required by the blockchain network; the ROM 4013 may be configured to store the power-on self test of the device 401, the initialization of the various functional modules of the system, the basic input/output drivers of the system and the data required to boot the operating system.
Further, the device 401 also includes other hardware platforms or components, such as a TPU (Tensor Processing Unit) 4014, a GPU (Graphic Processing Unit) 4015, an FPGA (Field Programmable Gate Array) 4016, and an MLU (Memory Logic Unit), memory Logic Unit) 4017, as shown. It is to be understood that although various hardware platforms or components are shown in the device 401, this is by way of example and not by way of limitation, and those skilled in the art may add or remove corresponding hardware as may be desired. For example, the device 401 may include only a CPU as a well-known hardware platform and another hardware platform as a test hardware platform of the present invention.
The device 401 of the present invention further comprises a communication interface 4018 such that it can be connected via the communication interface 4018 to a local area network/wireless local area network (LAN/WLAN) 405, which in turn can be connected via the LAN/WLAN to a local server 406 or to the Internet ("Internet") 407. Alternatively or additionally, the inventive device 401 may also be connected directly to the internet or cellular network over the communication interface 4018 based on wireless communication technology, e.g., third generation ("3G"), fourth generation ("4G"), or 5 generation ("5G").
The peripheral devices of the device 401 may include a display device 402, an input device 403, and a data transmission interface 404. In one embodiment, the display device 402 may include, for example, one or more speakers and/or one or more visual displays configured to provide voice prompts and/or visual displays of the operational procedures or final results of the testing apparatus of the present invention. Input device 403 may include, for example, a keyboard, a mouse, a microphone, a gesture capture camera, or other input buttons or controls configured to receive input of test data or user instructions. The data transfer interface 404 may include, for example, a serial interface, a parallel interface, or a universal serial bus interface ("USB"), a small computer system interface ("SCSI"), serial ATA, fireWire ("FireWire"), PCI Express, and high definition multimedia interface ("HDMI"), among others, configured for data transfer and interaction with other devices or systems. In accordance with aspects of the present invention, the data transfer interface 404 may receive a client digital certificate associated with a client and transmit the client digital certificate to the device 401.
The above-mentioned CPU4011, mass memory 4012, read only memory ROM 4013, TPU 4014, GPU 4015, FPGA 4016, MLU 4017 and communication interface 4018 of the device 401 of the present invention can be connected to each other through a bus 4019, and data interaction with peripheral devices is realized through the bus. Through this bus 4019, the cpu4011 can control other hardware components and their peripherals in the device 401, in one embodiment.
In operation, the processor CPU4011 of the apparatus 401 of the present invention may obtain identification information of a client and identification information of an application program through the input device 403 or the data transmission interface 404, and call computer program instructions or codes stored in the memory 4012 to process the obtained information, so as to generate a certificate application request associated with the client.
From the above description of the modular design of the present invention, it can be seen that the system of the present invention can be flexibly arranged according to application scenarios or requirements, without being limited to the architecture shown in the accompanying drawings. Further, it should also be understood that any module, unit, component, server, computer, or device performing operations of examples of the invention may include or otherwise access a computer-readable medium, such as a storage medium, computer storage medium, or data storage device (removable and/or non-removable) such as a magnetic disk, optical disk, or magnetic tape. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules or other data. In this regard, the present invention also discloses a computer-readable storage medium having stored thereon computer-readable instructions for secure communications, which, when executed by one or more processors, perform the methods and operations previously described in connection with the figures.
While various embodiments of the present invention have been shown and described herein, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Numerous modifications, changes, and substitutions will occur to those skilled in the art without departing from the spirit and scope of the present invention. It should be understood that various alternatives to the embodiments of the invention described herein may be employed in practicing the invention. It is intended that the following claims define the scope of the invention and that the module compositions, equivalents, or alternatives falling within the scope of these claims be covered thereby.

Claims (10)

1. A method for secure communications, comprising:
generating a certificate application request about a client digital certificate in response to a communication request between an application program installed on a client and a server, wherein the client digital certificate is associated with the client;
sending the certificate application request to a certificate issuing authority;
receiving the client digital certificate sent by the certificate issuing authority based on the certificate application request; and
establishing a secure transport layer protocol bidirectional authentication channel between the application program and the server based on the client digital certificate.
2. The method of claim 1, wherein generating a certificate application request for a client digital certificate comprises:
acquiring identification information of the client;
acquiring identification information of the application program; and
generating the certificate application request according to the identification information of the client and the identification information of the application program.
3. The method of claim 2, wherein obtaining the identification information of the client comprises:
generating an initial key for the client digital certificate, wherein the initial key comprises an initial public key;
acquiring equipment information of the client; and
generating the identification information of the client according to the equipment information and the initial public key.
4. The method of claim 3, wherein the initial key further comprises an initial private key, the method further comprising:
generating a target private key according to the identification information of the client and the initial private key;
generating a target public key according to the target private key; and
adding the target public key, the identification information of the client and the identification information of the application program into a signed area in the certificate application request.
5. A method for secure communications, comprising:
obtaining a client digital certificate associated with a client, wherein the client digital certificate is used for constructing a secure transport layer protocol mutual authentication channel between a server and an application program installed on the client;
associating the client digital certificate with a user of the application in response to an authentication request for the user; and
authenticating the user based on verification of the client digital certificate.
6. The method of claim 5, wherein associating the client digital certificate with the user comprises:
acquiring verification information when the user accesses the application program;
authenticating the user based on the verification information; and
in response to passing the authentication, associating the client digital certificate with the user.
7. The method of claim 6, wherein associating the client digital certificate with the user comprises:
extracting identification information of the client from the client digital certificate; and
associating the identification information of the client with the user.
8. An apparatus for secure communications, comprising:
a processor; and
memory storing computer instructions for secure communication, which when executed by the processor, cause the apparatus to perform the method of any of claims 1-4 or 5-7.
9. A computer program product comprising program instructions for secure communication, which when executed by a processor, cause the method according to any of claims 1-4 or 5-7 to be carried out.
10. A system for secure communications, comprising:
a client configured to perform the method of any one of claims 1-4, to generate a certificate application request for a client certificate, and to construct a secure transport layer protocol mutual authentication channel between an application and a server based on the client certificate;
a certificate issuing authority configured to issue a client digital certificate associated with the client based on the certificate application request; and
a server configured to perform the method of any one of claims 5-7 for binding the client digital certificate with a user to enable authentication of the user based on authentication of the client digital certificate.
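Claims 2 to 4 describe how the certificate application request is built on the client: an initial key pair, client identification information derived from the device information and the initial public key, a target private key derived from the client identification and the initial private key, and the target public key together with both identifiers placed in the signed area of the request. The following Go program is an added example, not code from the patent or its assignee. The patent does not specify the derivation functions, so hashing with SHA-256 and seeding an Ed25519 key from the hash, and carrying the client and application identifiers as the CSR's Subject CN and OU, are this example's assumptions, as are the constructed device information and application identifier. `ReviewRequest` shows the check a certificate issuing authority would perform on receipt: the request's self-signature proves possession of the target private key and protects the identifiers in the signed area from alteration in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
)

// ClientIdentification derives the identification information of the client from its
// device information and the initial public key (claim 3). Hashing the two together
// is this example's choice; the page names no derivation function.
func ClientIdentification(deviceInfo string, initialPub ed25519.PublicKey) string {
	h := sha256.New()
	h.Write([]byte(deviceInfo))
	h.Write(initialPub)
	return hex.EncodeToString(h.Sum(nil))
}

// DeriveTargetKey derives the target private key from the client identification and the
// initial private key (claim 4); the target public key follows from it via Public().
// Seeding Ed25519 from a hash of the two is again this example's choice.
func DeriveTargetKey(clientID string, initialPriv ed25519.PrivateKey) ed25519.PrivateKey {
	seed := sha256.Sum256(append([]byte(clientID), initialPriv.Seed()...))
	return ed25519.NewKeyFromSeed(seed[:])
}

// BuildCertRequest places the target public key, the client identification and the application
// identification in the signed CertificationRequestInfo of a PKCS#10 request and signs it with
// the target private key. Carrying the two identifiers as Subject CN and OU is this example's assumption.
func BuildCertRequest(target ed25519.PrivateKey, clientID, appID string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: clientID, OrganizationalUnit: []string{appID}},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, target)
}

// Reviewed is what the issuing authority reads back out of a valid request.
type Reviewed struct {
	ClientID, AppID string
	TargetPub       ed25519.PublicKey
}

// ReviewRequest parses the DER, checks the self-signature (proof that the requester holds the
// target private key) and extracts the identifiers. A request whose signed area was altered
// in transit fails here rather than reaching issuance.
func ReviewRequest(csrDER []byte) (*Reviewed, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", csr.PublicKey)
	}
	if csr.Subject.CommonName == "" || len(csr.Subject.OrganizationalUnit) != 1 {
		return nil, errors.New("client or application identification missing")
	}
	return &Reviewed{ClientID: csr.Subject.CommonName, AppID: csr.Subject.OrganizationalUnit[0], TargetPub: pub}, nil
}

func main() {
	initialPub, initialPriv, err := ed25519.GenerateKey(rand.Reader) // the initial key of claim 3
	if err != nil {
		panic(err)
	}
	clientID := ClientIdentification("model=X1;serial=DEV-0001", initialPub) // constructed device information
	target := DeriveTargetKey(clientID, initialPriv)
	csr, err := BuildCertRequest(target, clientID, "com.example.bankapp") // constructed application identifier
	if err != nil {
		panic(err)
	}
	r, err := ReviewRequest(csr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client %s app %s target key matches: %v\n", r.ClientID, r.AppID, r.TargetPub.Equal(target.Public()))
}
```

Because both derivations are deterministic, the same device information and initial key always yield the same client identification and the same target key, which is what lets the business system recognise the client across sessions; a different device produces a different identification and therefore a different binding.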
CN202110942545.4A 2021-08-17 2021-08-17 Method for secure communication and related products Active CN115941217B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110942545.4A CN115941217B (en) 2021-08-17 2021-08-17 Method for secure communication and related products

Publications (2)

Publication Number Publication Date
CN115941217A true CN115941217A (en) 2023-04-07
CN115941217B CN115941217B (en) 2024-03-29

Family

ID=86551112

Country Status (1)

Country Link
CN (1) CN115941217B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117319067A (en) * 2023-10-24 2023-12-29 上海宁盾信息科技有限公司 Identity authentication method and system based on digital certificate and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100217975A1 (en) * 2009-02-25 2010-08-26 Garret Grajek Method and system for secure online transactions with message-level validation
CN108696536A (en) * 2018-07-03 2018-10-23 北京科东电力控制系统有限责任公司 A kind of safety certifying method
CN108880821A (en) * 2018-06-28 2018-11-23 中国联合网络通信集团有限公司 A kind of authentication method and equipment of digital certificate
US20190123914A1 (en) * 2017-10-20 2019-04-25 Alibaba Group Holding Limited Digital certificate application
CN109873834A (en) * 2019-03-22 2019-06-11 云南电网有限责任公司 A kind of enterprise-level cloud mobile application unified platform and system based on cloud computing
CN111064574A (en) * 2018-10-16 2020-04-24 金联汇通信息技术有限公司 Digital certificate generation method, authentication method and electronic equipment
CN112700245A (en) * 2020-12-30 2021-04-23 标信智链(杭州)科技发展有限公司 Block chain-based digital mobile certificate application method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪海明;: "基于数字证书企业应用单点登录的研究与实现", 计算机安全, no. 03, 15 March 2010 (2010-03-15) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant