CN117749389A - Method, device, equipment and storage medium for acquiring certificate - Google Patents

Info

Publication number: CN117749389A
Authority: CN (China)
Application number: CN202311766898.9A
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: certificate, information, user terminal, platform, acquiring
Inventors: 赵元, 包宸曦, 王永惠, 蒋小燕, 王常玲, 蔡庆宇, 吕涛, 姚韬, 兰宇
Current assignees: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Original assignees: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Application filed by China United Network Communications Group Co Ltd and Unicom Digital Technology Co Ltd
Priority to CN202311766898.9A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a method, a device, equipment and a storage medium for acquiring a certificate. The method comprises the following steps: acquiring service request information sent by a user terminal; acquiring the identity information of the user terminal from the service request information; performing a matching operation in a preset first data table using the identity information to obtain at least one piece of certificate requirement information corresponding to the user terminal, wherein the first data table stores the correspondence between identity information and certificate requirement information; acquiring, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information; and sending each CA certificate to the user terminal. The method increases the efficiency of obtaining CA certificates, and thereby increases the speed of service access.

Description

Method, device, equipment and storage medium for acquiring certificate
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, a device, and a storage medium for acquiring a certificate.
Background
With the development of numerous services, service security becomes more and more important, so when a user initiates an application service request through a user terminal, it must be verified whether the user terminal is a trusted device of the corresponding service platform. Currently the service platform authenticates the user terminal by verifying the corresponding CA certificate, and the CA certificate is issued by a CA platform. In the existing technique for obtaining a CA certificate, the user terminal initiates a certificate application for a target service, and the NAF platform then forwards the certificate application to the CA platform corresponding to that target service to apply for the CA certificate. However, because the user terminal cannot initiate certificate applications for multiple services at the same time, if multiple services exist on the user terminal and the user terminal wants to access all of them, multiple certificate applications must be initiated, which wastes network resources and makes certificate downloading inefficient.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for acquiring a certificate, which are used to solve the technical problem that applying for CA certificates in the prior art is inefficient.
In a first aspect, the present application provides a method for obtaining a certificate, comprising:
acquiring service request information sent by a user terminal;
acquiring the identity information of the user terminal from the service request information;
performing matching operation in a preset first data table by using the identity information to obtain at least one piece of certificate requirement information corresponding to the user terminal, wherein the first data table stores a corresponding relation between the identity information and the certificate requirement information;
acquiring, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information;
and sending each CA certificate to the user terminal.
Optionally, the method for obtaining a certificate as described above further comprises:
acquiring a data table establishment instruction sent by a client server, where the data table establishment instruction comprises identity information and the certificate requirement information corresponding to the identity information;
and storing the identity information, the certificate requirement information and the corresponding relation between the identity information and the certificate requirement information to obtain the first data table.
Optionally, in the method for acquiring a certificate as described above, acquiring, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information includes:
sending each piece of certificate requirement information to a corresponding CA certificate platform, wherein the certificate requirement information is used for triggering the corresponding CA certificate platform to acquire a CA certificate and encrypting the CA certificate;
and receiving the encrypted CA certificates fed back by the CA certificate platforms.
Optionally, the method for acquiring certificates as described above, before receiving the encrypted CA certificates fed back by each CA certificate platform, further includes:
acquiring a key acquisition instruction sent by the CA certificate platform;
acquiring a session key according to the key acquisition instruction;
and sending the session key to the CA certificate platform, and triggering the CA certificate platform to encrypt the CA certificate by using the session key.
Optionally, the method for acquiring the certificate as described above, where the key acquisition instruction includes a session transaction identifier of the user terminal, and the acquiring a session key according to the key acquisition instruction includes:
acquiring a session transaction identifier from the key acquisition instruction;
and acquiring the session key according to the session transaction identifier.
Optionally, the method for acquiring a certificate as described above, acquiring the session key according to the session transaction identifier includes:
and carrying out matching operation in a preset second data table by utilizing the session transaction identifier to obtain a session key corresponding to the session transaction identifier, wherein the second data table stores the corresponding relation between the session transaction identifier and the session key.
Optionally, the method for acquiring a certificate as described above, acquiring the session key according to the session transaction identifier includes:
and calculating by utilizing the session transaction identifier according to a preset encryption algorithm to obtain the session key.
Optionally, in the method for acquiring a certificate as described above, sending each piece of certificate requirement information to a corresponding CA certificate platform includes:
authenticating each certificate requirement information;
and if the authentication of each piece of certificate requirement information is passed, transmitting each piece of certificate requirement information to a corresponding CA certificate platform.
In a second aspect, the present application provides an apparatus for acquiring a certificate, comprising:
the first acquisition module is used for acquiring service request information sent by the user terminal;
the second acquisition module is used for acquiring the identity information of the user terminal from the service request information;
the matching module is used for carrying out matching operation in a preset first data table by utilizing the identity information, acquiring at least one certificate requirement information corresponding to the user terminal, wherein the first data table stores the corresponding relation between the identity information and the certificate requirement information;
the third acquisition module is used for acquiring, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information;
and the sending module is used for sending each CA certificate to the user terminal.
In a third aspect, the present application provides an electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the methods described above.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for performing a method as described above when executed by a processor.
According to the method, the device, the equipment and the storage medium for acquiring the certificate, through acquiring the service request information sent by the user terminal, then acquiring the identity information of the user terminal from the service request information, performing matching operation in the preset first data table according to the identity information, so as to acquire at least one certificate requirement information corresponding to the user terminal, and finally acquiring the CA certificates respectively corresponding to the certificate requirement information in the CA certificate platforms respectively corresponding to the certificate requirement information, so that a plurality of CA certificates are acquired according to one application, and further the effects of reducing resource waste and improving the certificate downloading efficiency are achieved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic structural diagram of a GBA networking architecture;
FIG. 2 is a flowchart of a method for obtaining a certificate according to an embodiment of the present application;
fig. 3 is a flowchart of a method for encrypting a certificate according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for allocating session transaction identifiers according to an embodiment of the present application;
fig. 5 is a flowchart of a method for authenticating a user terminal according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an apparatus for acquiring a certificate according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The method for acquiring a certificate provided by this embodiment is applied to a NAF (Network Application Function) platform.
The NAF platform is arranged in a GBA (Generic Bootstrapping Architecture) network element.
GBA is a security infrastructure defined by 3GPP (3rd Generation Partnership Project) and based on an operator communication network; it is a generic authentication architecture that performs authentication using a session key. GBA is used to provide a unified security authentication service for application layer services. An application layer service may be a multicast or broadcast service, a user certificate service, an instant information service, etc., or it may be a proxy service.
As shown in fig. 1, the GBA networking architecture 100 is composed of a UE 101 (User Equipment), a BSF (Bootstrapping Server Function) platform 102 that performs the initial check and verification of the user identity, an HSS 103 (Home Subscriber Server), and a NAF (Network Application Function) platform 104.
The BSF platform is used for carrying out mutual authentication on identity with the UE and generating a session key Ks of the BSF platform and the user terminal; the HSS also has the function of generating authentication information.
If the user needs to use a certain service, the user can initiate a service application request through the user terminal. However, because the user terminal cannot initiate certificate applications for multiple services at the same time, if multiple services exist on the user terminal and the user terminal wants to access all of them, multiple certificate applications must be initiated, which wastes network resources and makes certificate downloading inefficient. To improve certificate downloading efficiency, the method and device of the present application acquire the service request information sent by the user terminal, acquire the identity information of the user terminal from the service request information, perform a matching operation in the preset first data table using the identity information to obtain at least one piece of certificate requirement information corresponding to the user terminal, and finally acquire, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information. In this way a plurality of CA certificates are acquired from a single application, which reduces resource waste and improves certificate downloading efficiency.
The method for acquiring a certificate provided by the present application aims to solve the technical problems in the prior art.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flowchart of a method for acquiring a certificate according to an embodiment of the present application.
As shown in fig. 2, the method for acquiring a certificate may include the steps of:
step S201, NAF platform obtains service request information sent by user terminal.
Specifically, the service request information is an HTTP (HyperText Transfer Protocol) GET message. The HTTP GET message includes the identity information of the user terminal. The identity information is, for example, a TID.
The TID consists of the IMSI (International Mobile Subscriber Identity) and the NSAPI (Network Service Access Point Identifier).
Step S202, NAF platform obtains user terminal identity information from service request information.
I.e. the NAF platform obtains TID from the service request information.
In step S203, the NAF platform performs a matching operation in a preset first data table by using the identity information, and obtains at least one credential requirement information corresponding to the user terminal, where the first data table stores a correspondence between the identity information and the credential requirement information.
When the user terminal sends service request information to the NAF platform, it applies for a certificate for one particular service, i.e. only one CA certificate can be applied for at a time, and the user terminal cannot send service request information for several services at once. Moreover, different services cannot apply for each other's certificates. Therefore, this embodiment obtains the identity information of the user terminal and performs a matching operation using that identity information to obtain all of the certificate requirement information corresponding to the user terminal, so that the CA certificate corresponding to each piece of certificate requirement information can be obtained from the CA certificate platform corresponding to that piece of certificate requirement information.
Step S204, the NAF platform obtains the CA certificate corresponding to each certificate requirement information in the CA certificate platform corresponding to each certificate requirement information.
Specifically, acquiring, by the NAF platform, the CA certificate corresponding to each piece of certificate requirement information from the corresponding CA certificate platform includes: sending each piece of certificate requirement information to the corresponding CA certificate platform, where the certificate requirement information is used to trigger that CA certificate platform to obtain the CA certificate.
Specifically, sending, by the NAF platform, each piece of certificate requirement information to the corresponding CA certificate platform includes: authenticating each piece of certificate requirement information, and forwarding only the certificate requirement information that passes authentication to the corresponding CA certificate platform.
Further, the certificate requirement information carries an authentication mode, the identity information of the user terminal and USS information. The NAF platform first determines whether the authentication mode in the certificate requirement information is consistent with the authentication mode corresponding to that identity information in a preset database. If the authentication modes are inconsistent, the authentication fails. If they are consistent, the NAF platform then determines whether the USS information corresponding to the identity information in the preset database is consistent with the USS information in the certificate requirement information: if they are inconsistent, the authentication fails; if they are consistent, the authentication passes.
Step S205, the NAF platform sends each CA certificate to the user terminal.
According to the method for acquiring the certificate, the service request information sent by the user terminal is acquired, the identity information of the user terminal is acquired from the service request information, the matching operation is performed in the preset first data table according to the identity information, so that at least one certificate requirement information corresponding to the user terminal is acquired, finally, the CA certificates respectively corresponding to the certificate requirement information are acquired on the CA certificate platforms respectively corresponding to the certificate requirement information, and therefore a plurality of CA certificates are acquired according to one application, and the effects of reducing resource waste and improving the certificate downloading efficiency are achieved.
Specifically, constructing the first data table includes: acquiring a data table establishment instruction sent by a client server, where the data table establishment instruction comprises identity information and the certificate requirement information corresponding to that identity information; and storing the identity information, the certificate requirement information and the correspondence between them to obtain the first data table.
In some embodiments, the client server receives the identification information input by the user and the certificate requirement information corresponding to the identification information, and sends the identification information input by the user and the certificate requirement information corresponding to the identification information to the user for confirmation, and the client server sends a data table establishment instruction to the NAF platform under the condition that the confirmation information sent by the user is received.
Further, after the first data table has been built, if the NAF platform receives another data table establishment instruction from the client server, it treats that instruction as a new data table establishment instruction, the identity information in it as new identity information, and the certificate requirement information corresponding to that identity information as new certificate requirement information. The NAF platform then determines whether the first data table already contains identity information identical to the new identity information. If it does, the certificate requirement information corresponding to that identity information in the first data table is updated with the new certificate requirement information. If it does not, the new identity information, the new certificate requirement information and the correspondence between them are stored in the first data table.
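The NAF-side flow of steps S201 to S205, the authentication check on each piece of certificate requirement information (authentication mode first, then USS), and the build/update of the first data table, as an added Python simulation that is not code from the patent or the applicant. The field names of the certificate requirement information, the TID format, the in-memory CA certificate platforms and all other identifiers are assumptions chosen for illustration:

```python
"""Constructed simulation of the NAF platform (added example, not the
patent's or applicant's code).  All names, message fields and the in-memory
CA certificate platforms are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class CertRequirement:
    """One piece of certificate requirement information (assumed fields)."""
    service: str        # the service the certificate is for
    ca_platform: str    # name of the CA certificate platform to contact
    auth_mode: str      # authentication mode carried in the requirement
    uss: str            # USS information carried in the requirement


@dataclass
class NAFPlatform:
    # first data table: identity information (TID) -> certificate requirement info
    first_data_table: Dict[str, List[CertRequirement]] = field(default_factory=dict)
    # preset database used to authenticate requirements: TID -> (auth_mode, uss)
    preset_db: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # CA certificate platforms keyed by name; each returns the certificate bytes
    ca_platforms: Dict[str, Callable[[CertRequirement], bytes]] = field(default_factory=dict)

    def build_first_data_table(self, tid: str, reqs: List[CertRequirement]) -> None:
        """Handle a data table establishment instruction from the client server.
        A TID already present is updated in place; a new TID is added."""
        self.first_data_table[tid] = list(reqs)

    def authenticate_requirement(self, tid: str, req: CertRequirement) -> bool:
        """Authentication mode must match the preset database first, then USS."""
        entry = self.preset_db.get(tid)
        if entry is None:
            return False
        auth_mode, uss = entry
        if req.auth_mode != auth_mode:
            return False
        return req.uss == uss

    def handle_service_request(self, http_get: Dict[str, str]) -> List[bytes]:
        """Steps S201-S205: one HTTP GET yields every CA certificate the
        terminal is entitled to.  Returns the certificates to send back."""
        tid = http_get["TID"]                                    # S202
        reqs = self.first_data_table.get(tid, [])                # S203
        certs: List[bytes] = []
        for req in reqs:                                         # S204
            if not self.authenticate_requirement(tid, req):
                continue   # failed authentication: never forwarded to the CA
            platform = self.ca_platforms[req.ca_platform]
            certs.append(platform(req))
        return certs                                             # S205


def build_demo_naf() -> NAFPlatform:
    """Constructed fixture: two CA platforms, one terminal needing two certs
    plus a third requirement whose authentication mode does not match."""
    naf = NAFPlatform()
    naf.ca_platforms = {
        "ca-a": lambda r: f"CERT({r.service})@ca-a".encode(),
        "ca-b": lambda r: f"CERT({r.service})@ca-b".encode(),
    }
    tid = "460001234567890-05"   # constructed TID written as IMSI-NSAPI
    naf.preset_db[tid] = ("GBA_ME", "uss-payment")
    naf.build_first_data_table(tid, [
        CertRequirement("payment", "ca-a", "GBA_ME", "uss-payment"),
        CertRequirement("messaging", "ca-b", "GBA_ME", "uss-payment"),
        CertRequirement("video", "ca-b", "GBA_U", "uss-payment"),  # wrong auth mode
    ])
    return naf


if __name__ == "__main__":
    demo = build_demo_naf()
    for cert in demo.handle_service_request({"TID": "460001234567890-05"}):
        print(cert.decode())
```

The point the simulation makes visible is that the authentication check is applied per requirement, not per request: a single entry with a wrong authentication mode is dropped silently while the others are still fetched, so a real deployment should log those drops, since a mismatch between the client server's table and the preset database is either a configuration error or an attempt to obtain a certificate the terminal is not entitled to.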
On the basis of embodiment 2, in order to ensure the security of the CA certificate, the CA certificate platform needs to encrypt the CA certificate after obtaining the CA certificate, and this embodiment provides a method for encrypting the certificate.
As shown in fig. 3, the method for encrypting a certificate may include the steps of:
step S301, the CA certificate platform sends a key acquisition instruction to the NAF platform.
Specifically, the key acquisition instruction includes a session transaction identifier.
In step S302, the NAF platform obtains the session key according to the key acquisition instruction.
Specifically, the NAF platform obtains the session transaction identifier from the key obtaining instruction, and then obtains the session key according to the session transaction identifier.
Further, the NAF platform performs matching operation in a preset second data table by using the session transaction identifier to obtain a session key corresponding to the session transaction identifier, and the second data table stores a corresponding relationship between the session transaction identifier and the session key. Or, the NAF platform calculates by using the session transaction identifier according to a preset encryption algorithm to obtain a session key.
Wherein the session transaction identity is assigned to the user terminal by the BSF platform.
Specifically, the encryption algorithm is the SM1, SM2, SM3 or SM4 algorithm. SM1 is a block cipher with a block length of 128 bits and a key length of 128 bits. SM2 is an asymmetric algorithm based on elliptic curves. SM3 is a hash algorithm suitable for digital signature and verification in commercial cryptographic applications; it uses a Merkle-Damgård structure with a message block length of 512 bits and a digest length of 256 bits. SM4 is a block cipher with a block length of 128 bits and a key length of 128 bits; it uses a 32-round nonlinear iterative structure, operates on 32-bit words, and each iteration is one round of the round function.
Step S303, the NAF platform sends the session key to the CA certificate platform.
Step S304, the CA certificate platform encrypts the CA certificate using the session key.
Step S305, the CA certificate platform sends the encrypted CA certificate to the NAF platform.
By adopting the method for encrypting the certificate, which is provided by the embodiment of the disclosure, the CA certificate platform sends the key acquisition instruction comprising the session transaction identifier to the NAF platform, so that the NAF platform can acquire the corresponding session key according to the session transaction identifier, then the CA certificate platform encrypts the CA certificate according to the session key fed back by the NAF platform, and the encrypted CA certificate is sent to the NAF platform, thereby realizing the encrypted transmission of the CA certificate.
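The key acquisition exchange of steps S301 to S305, with both ways the NAF platform can obtain the session key in S302 (a lookup in the second data table, or a computation from the session transaction identifier), as an added Python example that is not code from the patent or the applicant. Python's standard library has no SM3 or SM4, so HMAC-SHA256 stands in for the preset algorithm and an HMAC-based keystream with an HMAC tag stands in for the block cipher; the message field names and the long-term NAF secret are assumptions:

```python
"""Constructed simulation of the certificate encryption exchange (added
example, not the patent's or applicant's code).  hashlib/hmac replace the
SM algorithms named in the text; the keystream cipher is a placeholder for
the block cipher a deployment would use; all names are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Long-term NAF secret used only by the derivation path (constructed value).
NAF_DERIVATION_SECRET = b"constructed-naf-secret"


class NAFKeyStore:
    """Holds the second data table: session transaction identifier -> session key."""

    def __init__(self) -> None:
        self.second_data_table: Dict[str, bytes] = {}

    def session_key_by_lookup(self, sti: str) -> Optional[bytes]:
        """Path 1: matching operation in the preset second data table."""
        return self.second_data_table.get(sti)

    def session_key_by_derivation(self, sti: str) -> bytes:
        """Path 2: compute the key from the identifier with a preset algorithm
        (HMAC-SHA256 here as a stand-in for the SM3/SM4-based computation)."""
        return hmac.new(NAF_DERIVATION_SECRET, sti.encode(), hashlib.sha256).digest()

    def handle_key_acquisition(self, instruction: Dict[str, str]) -> bytes:
        """S302: extract the identifier, then look the key up or derive it."""
        sti = instruction["session_transaction_id"]
        key = self.session_key_by_lookup(sti)
        return key if key is not None else self.session_key_by_derivation(sti)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (placeholder cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_certificate(session_key: bytes, certificate: bytes) -> bytes:
    """S304: encrypt-then-MAC of the certificate.  Layout: nonce | ciphertext | tag."""
    nonce = os.urandom(16)
    stream = _keystream(session_key, nonce, len(certificate))
    body = bytes(a ^ b for a, b in zip(certificate, stream))
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_certificate(session_key: bytes, blob: bytes) -> bytes:
    """Receiver side: verify the tag before decrypting; raise on tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("certificate ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(session_key, nonce, len(body))))


def ca_platform_round_trip(naf: NAFKeyStore, sti: str, certificate: bytes) -> bytes:
    """S301-S305 from the CA certificate platform's side: ask the NAF for the
    session key, encrypt the certificate, and return what is sent back."""
    key = naf.handle_key_acquisition({"session_transaction_id": sti})  # S301-S303
    return encrypt_certificate(key, certificate)                        # S304-S305
```

The integrity tag is the part worth keeping whichever cipher replaces the placeholder: the text only requires that the certificate be encrypted, but a recipient that cannot detect a modified ciphertext would accept a corrupted certificate, so the check in `decrypt_certificate` runs before any decryption.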
Based on embodiment 3, it can be known that the session transaction identifier is allocated to the user terminal by the BSF platform, and in order to describe how the BSF platform allocates the session transaction identifier to the user terminal, a flow chart of a method for allocating the session transaction identifier is provided in the embodiments of the present disclosure.
As shown in fig. 4, a method for assigning session transaction identifications may include the steps of:
In step S401, the user terminal sends session identifier application information to the BSF platform.
In step S402, the BSF platform allocates a specific session transaction identifier to the user terminal and determines a validity period for the session transaction identifier.
In step S403, the BSF platform sends session identifier response information to the user terminal, where the session identifier response information includes the session transaction identifier and its validity period.
The BSF platform stores the identity information of the user terminal, the session transaction identifier, the validity period of the session transaction, and the correspondence between the three.
Step S404, the user terminal obtains the session transaction identification from the session identification response information.
With the method for allocating session transaction identifiers provided by this embodiment of the disclosure, the BSF platform allocates a session transaction identifier to the user terminal when it receives the session identifier application information sent by the user terminal, and at the same time sets a validity period for the session transaction identifier, so that the user terminal must apply to the BSF platform again after the session transaction identifier expires.
Based on embodiment 4, before the BSF platform allocates the session transaction identifier to the user terminal, the BSF platform authenticates the user terminal, and if the authentication is passed, allocates the session transaction identifier to the user terminal. In order to illustrate what situation the BSF platform needs to authenticate the user terminal and how to authenticate the user terminal, embodiments of the present disclosure provide a flowchart of a method for authenticating the user terminal.
As shown in fig. 5, the method for authenticating a user terminal may include the steps of:
step S501, the user terminal sends service request information to the NAF platform. The service request information includes a session transaction identification.
Step S502, the NAF platform determines in the first local database whether the session transaction identity of the user terminal is included.
The first local database stores a session transaction identifier and a validity period corresponding to the session transaction identifier.
In step S503, if the first local database does not include the session transaction identifier of the user terminal, the NAF platform sends query information to the BSF platform, where the query information includes the identifier of the NAF platform and the session transaction identifier of the user terminal.
If the first local database does not include the session transaction identifier of the user terminal, this indicates either that the session transaction identifier has reached the end of its validity period and has been deleted from the first local database, or that the session transaction identifier of the user terminal is forged.
In step S504, the BSF platform determines whether the session transaction identifier of the user terminal is included in the second local database.
The second local database stores the session transaction identifier and the validity period corresponding to the session transaction identifier.
In step S505, if the BSF platform determines that the session transaction identifier of the user terminal is not included in the second local database, the BSF platform feeds back response information to the NAF platform.
If the second local database does not include the session transaction identifier of the user terminal, this indicates either that the session transaction identifier has reached the end of its validity period and has been deleted from the second local database, or that the session transaction identifier of the user terminal is forged.
Step S506, the NAF platform sends an authentication instruction to the user terminal, wherein the authentication instruction is used for indicating the user terminal and the BSF platform to perform mutual authentication.
Step S507, the user terminal initiates generation of authentication instruction to the BSF platform.
In step S508, the BSF platform sends a MAR (Multimedia-Authentication-Request) message to the HSS/UDM. The MAR message triggers the HSS/UDM to obtain the user authentication vector and the GUSS subscription information. The MAR message includes the identity information of the user terminal.
Step S509, the HSS/UDM obtains the identity information of the user terminal from the MAR message.
Step S510, the HSS/UDM selects the EAP-AKA method according to the identity information of the user terminal and generates an authentication vector.
The authentication vector includes RAND (random challenge), XRES (expected response), CK (cipher key) and IK (integrity key). RAND is produced by a random number generator. XRES is the response the network expects the terminal to compute from RAND with the shared subscriber key. CK is used to provide confidentiality for the signalling and user data that are treated as confidential; IK is used to provide integrity protection for signalling data. A 3GPP AKA authentication vector additionally carries AUTN, the authentication token that lets the terminal verify the network; it is this token that makes the authentication mutual.
In step S511, the HSS/UDM performs a matching operation in a third local data table using the identity information of the user terminal to obtain the GUSS subscription information corresponding to that user. The third local data table stores the correspondence between identity information and GUSS subscription information.
The GUSS (GBA User Security Settings) subscription information includes one or more USS (User Security Settings) entries.
In step S512, the HSS/UDM sends the first authentication response information to the BSF platform. The first authentication response information includes the authentication vector and the GUSS subscription information.
In step S513, the BSF platform obtains the authentication vector from the first authentication response information.
In step S514, the BSF platform sends the second authentication response information to the user terminal. The second authentication response information includes the authentication vector and triggers the user terminal to authenticate with the BSF platform using it.
In the method for authenticating the user terminal provided by this embodiment, the user terminal sends an authentication request to the BSF platform; on receiving the request, the BSF platform first obtains the authentication information of the user terminal from the HSS/UDM; the BSF platform then performs mutual authentication and key agreement with the user terminal using that information, completing mutual authentication of identity between the user terminal and the BSF platform.
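The following Go program is an added example for steps S502 to S514; it is not code from the patent or its applicants. It models the NAF and BSF local databases as tables of session transaction identifiers with validity periods, the fall-through to a fresh authentication when neither table knows the identifier (expired or forged), and the AKA-style exchange: the HSS side derives RAND, XRES, CK, IK and AUTN, the terminal checks AUTN with its own copy of the subscriber key and answers with RES, and the BSF compares RES with XRES. The use of labelled HMAC-SHA256 in place of the 3GPP MILENAGE functions, the 8-byte MAC/XRES lengths, the derivation of the new identifier from CK, and the sample key are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// sessionTable is the NAF's first or the BSF's second local database:
// session transaction identifier -> end of validity period.
type sessionTable map[string]time.Time

// lookup is the check of steps S502/S504; an expired entry is deleted (S503/S505).
func (t sessionTable) lookup(id string, now time.Time) bool {
	exp, ok := t[id]
	if !ok {
		return false
	}
	if !now.Before(exp) {
		delete(t, id)
		return false
	}
	return true
}

// AuthVector is the quartet of step S510 plus AUTN, which 3GPP AKA adds for network authentication.
type AuthVector struct{ RAND, XRES, CK, IK, AUTN []byte }

// prf stands in for the AKA functions f1-f5 (MILENAGE in 3GPP); labelled HMAC-SHA256 is an assumption.
func prf(k []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// deriveVector is the HSS/UDM computation of step S510 for a given RAND.
func deriveVector(k, sqn, rnd []byte) AuthVector {
	mac := prf(k, "f1", sqn, rnd)[:8]
	return AuthVector{
		RAND: rnd,
		XRES: prf(k, "f2", rnd)[:8],  // expected response
		CK:   prf(k, "f3", rnd)[:16], // cipher key: confidentiality
		IK:   prf(k, "f4", rnd)[:16], // integrity key: integrity
		AUTN: append(append([]byte{}, sqn...), mac...),
	}
}

// GenerateAuthVector draws RAND from the random number generator (S510).
func GenerateAuthVector(k, sqn []byte) (AuthVector, error) {
	rnd := make([]byte, 16)
	if _, err := rand.Read(rnd); err != nil {
		return AuthVector{}, err
	}
	return deriveVector(k, sqn, rnd), nil
}

// TerminalRespond is the terminal side of S514: verify AUTN with its own K, then return RES.
func TerminalRespond(k, rnd, autn []byte) ([]byte, error) {
	if len(autn) < 8 {
		return nil, errors.New("malformed AUTN")
	}
	sqn, mac := autn[:len(autn)-8], autn[len(autn)-8:]
	if !hmac.Equal(mac, prf(k, "f1", sqn, rnd)[:8]) {
		return nil, errors.New("network authentication failed: bad MAC")
	}
	return prf(k, "f2", rnd)[:8], nil
}

// Bootstrap runs S502-S514 for one request: if neither table knows the identifier
// (expired or forged), authenticate and register a fresh one. hssK is the HSS copy of K, ueK the terminal's.
func Bootstrap(naf, bsf sessionTable, id string, hssK, ueK, sqn []byte, now time.Time, ttl time.Duration) (string, error) {
	if naf.lookup(id, now) || bsf.lookup(id, now) {
		return id, nil // still within its validity period
	}
	av, err := GenerateAuthVector(hssK, sqn)
	if err != nil {
		return "", err
	}
	res, err := TerminalRespond(ueK, av.RAND, av.AUTN)
	if err != nil {
		return "", err
	}
	if !hmac.Equal(res, av.XRES) { // BSF-side check, constant time
		return "", errors.New("terminal authentication failed: RES != XRES")
	}
	newID := fmt.Sprintf("%x", prf(av.CK, "session-id", av.RAND)[:8]) // assumed derivation
	naf[newID], bsf[newID] = now.Add(ttl), now.Add(ttl)
	return newID, nil
}

func main() { // stand-alone run with a constructed sample key shared by USIM and HSS
	k := []byte("subscriber-key-K")
	naf, bsf := sessionTable{}, sessionTable{}
	id, err := Bootstrap(naf, bsf, "stale-or-forged-id", k, k, []byte{0, 0, 0, 0, 0, 1}, time.Now(), time.Hour)
	fmt.Println("new session transaction identifier:", id, "err:", err)
}
```

Two points the description leaves implicit are visible here: a forged identifier and an expired one take exactly the same path (both end in a full authentication run, so a forged identifier buys an attacker nothing), and the terminal rejects a vector whose AUTN does not verify before it ever returns RES, which is what prevents a rogue network from harvesting responses.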
Fig. 6 is a schematic structural view of an apparatus for acquiring a certificate according to the present embodiment.
As shown in fig. 6, the apparatus 600 for acquiring a certificate may include a first acquisition module 601, a second acquisition module 602, a matching module 603, a third acquisition module 604, and a transmitting module 605.
The first obtaining module 601 is configured to obtain service request information sent by a user terminal. The second obtaining module 602 is configured to obtain the identity information of the user terminal from the service request information. The matching module 603 is configured to perform a matching operation in a preset first data table using the identity information and to obtain at least one piece of certificate requirement information corresponding to the user terminal, where the first data table stores the correspondence between identity information and certificate requirement information. The third obtaining module 604 is configured to obtain, from the CA certificate platform corresponding to each piece of certificate requirement information, the CA certificate corresponding to that piece of certificate requirement information. The sending module 605 is configured to send each CA certificate to the user terminal.
The device for acquiring a certificate obtains the service request information sent by the user terminal, obtains the identity information of the user terminal from it, and performs a matching operation in the preset first data table with that identity information to obtain at least one piece of certificate requirement information corresponding to the user terminal; it then obtains, from the CA certificate platform corresponding to each piece of certificate requirement information, the corresponding CA certificate. A plurality of CA certificates is thus obtained from a single application, which reduces wasted resources and improves certificate download efficiency.
Optionally, the apparatus for acquiring a certificate further includes a fourth obtaining module, configured to obtain a data table establishment instruction sent by the client server; the data table establishment instruction includes identity information and the certificate requirement information corresponding to that identity information; the module stores the identity information, the certificate requirement information and the correspondence between them to obtain the first data table.
Specifically, the third obtaining module is configured to obtain, from the CA certificate platform corresponding to each piece of certificate requirement information, the corresponding CA certificate in the following manner: sending each piece of certificate requirement information to its corresponding CA certificate platform, where the certificate requirement information triggers that CA certificate platform to obtain the CA certificate and encrypt it; and receiving the encrypted CA certificate fed back by each CA certificate platform.
Optionally, the fourth obtaining module is further configured to obtain a key acquisition instruction sent by the CA certificate platform, obtain a session key according to the key acquisition instruction, and send the session key to the CA certificate platform, triggering the CA certificate platform to encrypt the CA certificate with the session key.
Optionally, the key acquisition instruction includes the session transaction identifier of the user terminal, and the fourth obtaining module obtains the session key according to the key acquisition instruction in the following manner: obtaining the session transaction identifier from the key acquisition instruction, and obtaining the session key according to the session transaction identifier.
Optionally, the fourth obtaining module obtains the session key according to the session transaction identifier in the following manner: performing a matching operation in a preset second data table using the session transaction identifier to obtain the session key corresponding to that identifier, where the second data table stores the correspondence between session transaction identifiers and session keys.
Optionally, the fourth obtaining module obtains the session key according to the session transaction identifier in the following manner: computing the session key from the session transaction identifier with a preset encryption algorithm.
Optionally, the third obtaining module sends each piece of certificate requirement information to its corresponding CA certificate platform in the following manner: authenticating each piece of certificate requirement information, and, if the authentication of each piece passes, sending it to the corresponding CA certificate platform.
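The following Go program is an added example for the device of Fig. 6 and the key-handling options just described; it is not code from the patent or its applicants. It implements the first data table (identity to certificate requirements), the two ways of obtaining a session key from a session transaction identifier (a match in the second data table, otherwise derivation by a preset algorithm), a stand-in CA certificate platform that requests the session key from the device and returns the certificate encrypted with it, and the terminal-side decryption with the same session key. The type names, the use of AES-256-GCM with the certificate profile as associated data, HMAC-SHA256 under a device master key as the preset algorithm, and all sample identities, keys and certificate bytes are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CertRequirement is one item of certificate requirement information (assumed shape).
type CertRequirement struct{ Platform, Profile string }

// Device holds the first and second data tables of the description.
type Device struct {
	FirstTable  map[string][]CertRequirement // identity -> requirements
	SecondTable map[string][]byte            // session transaction id -> key
	MasterKey   []byte                       // for the derived-key variant
}

// SessionKey follows the two options above: match the identifier in the second
// data table, otherwise derive the key from it (HMAC-SHA256 under a master key, an assumption).
func (d *Device) SessionKey(sessionID string) []byte {
	if k, ok := d.SecondTable[sessionID]; ok {
		return k
	}
	m := hmac.New(sha256.New, d.MasterKey)
	m.Write([]byte("session-key|" + sessionID))
	return m.Sum(nil) // 32 bytes: an AES-256-GCM key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CAPlatform stands in for one CA certificate platform; Certs is its store (profile -> certificate).
type CAPlatform struct{ Certs map[string][]byte }

// Issue is the platform side: it obtains the session key from the device (the key
// acquisition instruction) and returns the certificate sealed with AES-GCM, nonce prepended.
func (p CAPlatform) Issue(req CertRequirement, sessionID string, dev *Device) ([]byte, error) {
	cert, ok := p.Certs[req.Profile]
	if !ok {
		return nil, fmt.Errorf("no certificate for profile %q", req.Profile)
	}
	gcm, err := newGCM(dev.SessionKey(sessionID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cert, []byte(req.Profile)), nil
}

// AcquireCertificates is the whole method for one request: one sealed certificate per requirement.
func (d *Device) AcquireCertificates(identity, sessionID string, platforms map[string]CAPlatform) (map[string][]byte, error) {
	reqs, ok := d.FirstTable[identity]
	if !ok {
		return nil, errors.New("identity not in first data table")
	}
	out := make(map[string][]byte, len(reqs))
	for _, r := range reqs {
		ct, err := platforms[r.Platform].Issue(r, sessionID, d) // unknown platform has no certs
		if err != nil {
			return nil, err
		}
		out[r.Profile] = ct
	}
	return out, nil
}

// OpenCertificate is the user-terminal side: it holds the same session key and unseals one blob.
func OpenCertificate(key, blob []byte, profile string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(profile))
}

func main() { // stand-alone run with constructed sample data
	dev := &Device{FirstTable: map[string][]CertRequirement{"imsi-001": {{"ca-a", "signing"}}}, MasterKey: []byte("demo-master-key")}
	platforms := map[string]CAPlatform{"ca-a": {Certs: map[string][]byte{"signing": []byte("CERT-SIGNING-DER")}}}
	blobs, err := dev.AcquireCertificates("imsi-001", "btid-42", platforms)
	fmt.Println(len(blobs), "sealed certificate(s), err:", err)
}
```

The point worth noting is that the session key never leaves the device/terminal pair in the clear: the CA platform receives it only through the key acquisition instruction, and because the profile is bound as associated data a certificate sealed for one requirement cannot be passed off as another.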
Fig. 7 is a schematic structural diagram of an electronic device provided in the present application.
As shown in fig. 7, the electronic device 700 of the present embodiment includes a processor 701, and a memory 702 communicatively connected to the processor 701.
Memory 702 stores computer-executable instructions.
The processor 701 executes computer-executable instructions stored in memory to implement the methods of fig. 2-5 of the above-described method embodiments.
Embodiments of the present application further provide a computer readable storage medium, where computer executable instructions are stored, where the computer executable instructions are used to implement the methods of fig. 2 to 5 in the above embodiments when executed by a processor.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required in the present application.
It should be further noted that, although the steps in the flowchart are sequentially shown as indicated by arrows, the steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least a portion of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order in which the sub-steps or stages are performed is not necessarily sequential, and may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
It should be understood that the above-described device embodiments are merely illustrative, and that the device of the present application may be implemented in other ways. For example, the division of the units/modules in the above embodiments is merely a logic function division, and there may be another division manner in actual implementation. For example, multiple units, modules, or components may be combined, or may be integrated into another system, or some features may be omitted or not performed.
In addition, each functional unit/module in each embodiment of the present application may be integrated into one unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated together, unless otherwise specified. The integrated units/modules described above may be implemented either in hardware or in software program modules.
The integrated units/modules, if implemented in hardware, may be digital circuits, analog circuits, etc. Physical implementations of hardware structures include, but are not limited to, transistors, memristors, and the like. The processor may be any suitable hardware processor, such as a CPU, GPU, FPGA, DSP or ASIC, unless otherwise specified. Unless otherwise indicated, the storage elements may be any suitable storage medium, such as resistive random access memory (RRAM), dynamic random access memory (DRAM), static random access memory (SRAM), enhanced dynamic random access memory (EDRAM), high-bandwidth memory (HBM), hybrid memory cube (HMC), etc.
The integrated units/modules, if implemented in the form of software program modules and sold or used as a stand-alone product, may be stored in a computer readable memory. On this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of it, may be embodied in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned memory includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
In the foregoing embodiments, the descriptions of the embodiments each have their own emphasis, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments. The technical features of the above embodiments may be combined in any way; for brevity, not all possible combinations of the technical features of the above embodiments are described, but they should be considered within the scope of the description.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (11)

1. A method for obtaining a certificate, comprising:
acquiring service request information sent by a user terminal;
acquiring the identity information of the user terminal from the service request information;
performing matching operation in a preset first data table by using the identity information to obtain at least one piece of certificate requirement information corresponding to the user terminal, wherein the first data table stores a corresponding relation between the identity information and the certificate requirement information;
acquiring, on the CA certificate platforms respectively corresponding to the certificate requirement information, the CA certificates respectively corresponding to the certificate requirement information;
and sending each CA certificate to the user terminal.
2. The method as recited in claim 1, further comprising:
acquiring a data table establishment instruction sent by a client server; the data table establishment instruction comprises identity information and certificate requirement information corresponding to the identity information;
and storing the identity information, the certificate requirement information and the corresponding relation between the identity information and the certificate requirement information to obtain the first data table.
3. The method according to claim 1, wherein obtaining, on the CA certificate platforms respectively corresponding to the certificate requirement information, the CA certificates respectively corresponding to the certificate requirement information, comprises:
sending each piece of certificate requirement information to a corresponding CA certificate platform, wherein the certificate requirement information is used for triggering the corresponding CA certificate platform to acquire a CA certificate and encrypting the CA certificate;
and receiving the encrypted CA certificates fed back by the CA certificate platforms.
4. The method of claim 3, further comprising, prior to receiving the encrypted CA certificates fed back by each CA certificate platform:
acquiring a key acquisition instruction sent by the CA certificate platform;
acquiring a session key according to the key acquisition instruction;
and sending the session key to the CA certificate platform, and triggering the CA certificate platform to encrypt the CA certificate by using the session key.
5. The method according to claim 4, wherein the key obtaining instruction includes a session transaction identifier of the user terminal, and obtaining the session key according to the key obtaining instruction includes:
acquiring a session transaction identifier from the key acquisition instruction;
and acquiring the session key according to the session transaction identifier.
6. The method of claim 5, wherein obtaining the session key from the session transaction identification comprises:
and carrying out matching operation in a preset second data table by utilizing the session transaction identifier to obtain a session key corresponding to the session transaction identifier, wherein the second data table stores the corresponding relation between the session transaction identifier and the session key.
7. The method of claim 5, wherein obtaining the session key from the session transaction identification comprises:
and calculating by utilizing the session transaction identifier according to a preset encryption algorithm to obtain the session key.
8. A method according to claim 3, wherein transmitting each of the certificate requirement information to a corresponding CA certificate platform comprises:
authenticating each certificate requirement information;
and if the authentication of each piece of certificate requirement information is passed, transmitting each piece of certificate requirement information to a corresponding CA certificate platform.
9. An apparatus for obtaining a certificate, comprising:
the first acquisition module is used for acquiring service request information sent by the user terminal;
the second acquisition module is used for acquiring the identity information of the user terminal from the service request information;
the matching module is used for carrying out matching operation in a preset first data table by utilizing the identity information, acquiring at least one certificate requirement information corresponding to the user terminal, wherein the first data table stores the corresponding relation between the identity information and the certificate requirement information;
the third acquisition module is used for acquiring, on the CA certificate platforms respectively corresponding to the certificate requirement information, the CA certificates respectively corresponding to the certificate requirement information;
and the sending module is used for sending each CA certificate to the user terminal.
10. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 8.
11. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 8.
CN202311766898.9A 2023-12-20 2023-12-20 Method, device, equipment and storage medium for acquiring certificate Pending CN117749389A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311766898.9A CN117749389A (en) 2023-12-20 2023-12-20 Method, device, equipment and storage medium for acquiring certificate

Publications (1)

Publication Number Publication Date
CN117749389A true CN117749389A (en) 2024-03-22

Family

ID=90252362

Country Status (1)

Country Link
CN (1) CN117749389A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination