CN1512378A - Tunnel transmission method of SSL intermediate surrogate user certification - Google Patents
- Publication number: CN1512378A
- Authority: CN (China)
- Prior art keywords: ssl, agent, user, certificate, digital certificate
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The tunnel transmission method for the SSL intermediate proxy user certificate comprises identity authentication in the secure channel established between the browser and the SSL intermediate proxy, and identity authentication in the secure channel established between the SSL intermediate proxy and the web site. The method is characterised in that it also establishes, inside the SSL intermediate proxy, a communication tunnel for transmitting the user's certificate, so that the identity of the logged-on Internet user is passed transparently to the web site. The communication tunnel is the channel through which the SSL intermediate proxy creates a temporary digital certificate carrying the logged-on user's identity information, links that temporary certificate to the SSL intermediate proxy's own digital certificate, and has the result verified between the proxy and the web site. The invention has the advantage of greatly improving the security of information use.
Description
Technical field
The present invention relates to an identity authentication method for secure Internet communication.
Background technology
Because domestic Internet software is subject to US export restrictions, its cipher strength (that is, its security strength) cannot reach commercial-grade levels, so the approach widely adopted domestically is the SSL intermediate proxy: the SSL intermediate proxy receives the user's Internet request and then obtains the network information (the data) from the Internet through a secure channel of high security strength.
The Secure Sockets Layer protocol (SSL) is a security protocol, provided on top of the Internet, that guarantees that data transmitted over the network is not stolen. It prevents communication between computers from being eavesdropped on by an attacker, always verifies the authenticity of the information supplier (for example a web site), and can optionally verify the true identity of the information acquirer (for example an Internet user).
The SSL protocol encrypts all network data transmitted between computers through the secure channel, so that an eavesdropper on the network cannot obtain the data content.
The role of the SSL intermediate proxy is to provide a secure channel of high security strength for communication between computers. The SSL intermediate proxy is an independent piece of software; it can coexist on the same computer as the user's Internet access software (for example a browser) or as the network information supplier (for example a web site), and if it is deployed on a separate computer it can also be regarded as a computer in its own right. Because it sits in the middle, the SSL intermediate proxy acts as an agent during operation: it is the agent of the network information supplier and also the agent of the network information acquirer.
The information acquirer agent is not the final information acquirer; it acts on behalf of the final information acquirer, obtains the network information from the information supplier, and then, as the information supplier's agent, provides that network information to the final information acquirer. The reason for using the SSL security mechanism is that in some network services the network information supplier and the information acquirer need to confirm each other's authenticity. In the SSL security mechanism, the means of authenticating the other party's true identity is to verify the other party's digital certificate.
A digital certificate is a series of data that identifies a communicating party in Internet communication; it provides a way of verifying identity on the Internet, and its role is similar to a driver's licence or an identity card in daily life. It is issued by an authoritative institution, also called a certificate authority, and people can use it to recognise the other party's identity on the network. Internet users, the SSL intermediate proxy and web sites all need to apply to a certificate authority for their own digital certificates before operating. When a certificate authority issues a digital certificate it generally also provides a corresponding secret used to verify the digital certificate; this corresponding secret is called the private key of the digital certificate.
In current SSL intermediate proxy implementations, an Internet user who obtains the network information provided by a network information supplier must pass through two stages of authentication. The first stage is the authentication carried out in secure channel 1 between the SSL intermediate proxy and the browser; the second stage is the authentication carried out in secure channel 3 between the SSL intermediate proxy and the web site. Fig. 1 shows the authentication and information flow between an existing browser, SSL intermediate proxy and web site. In the figure, secure channel 1 is the channel of low security strength and is connected within the secure network. When access is carried out, this secure channel must be established first. Establishing it requires one authentication: in establishing this secure channel, the SSL intermediate proxy is authenticated as the agent of the network information supplier. The certificate owned by the SSL intermediate proxy is presented to the browser and to the web site respectively so that each can verify the SSL intermediate proxy's identity. First the SSL intermediate proxy presents its own digital certificate to the browser for verification; after the browser confirms it, the browser presents the Internet user's digital certificate to the SSL intermediate proxy for verification; once both sides' presentation and verification have passed, secure channel 1 is established. Secure channel 3 in the figure is the channel of high security strength and is connected over the Internet. Establishing it requires a second authentication, in which the SSL intermediate proxy is authenticated as the agent of the network information acquirer. First the web site presents the digital certificate of its own WEB server to the SSL intermediate proxy for verification; after the SSL intermediate proxy confirms it, the proxy presents its own digital certificate to the web site for verification; once both sides' presentation and verification have passed, secure channel 3 is established. Channel 2 in the figure lies inside the SSL intermediate proxy and only serves to pass the user's Internet request and return the network information.
As can be seen from the above flow, in the authentication of secure channel 1 the true identity of the information acquirer known to the SSL intermediate proxy (information supplier agent) is the Internet user, while in the authentication of secure channel 3 the true identity of the information acquirer known to the web site is the SSL intermediate proxy (information acquirer agent). This creates a problem: if several Internet users use the SSL intermediate proxy to obtain information from a site, and the site's information-provision model decides according to the Internet user's identity whether to provide the network information the user requests, then the site cannot obtain the current Internet user's true identity from the network through the SSL protocol, so it cannot provide the corresponding network information to the Internet user and, in e-commerce, cannot provide the corresponding commercial services to the customer.
Summary of the invention
The objective of the invention is to solve the problem that, in present SSL intermediate proxy network transmission, the web site and the network information acquirer cannot authenticate each other directly. The invention provides a tunnel transmission method for the SSL intermediate proxy user certificate which, without changing the information supplier's program (for example the web site) or the information acquirer's program (for example the browser), and with neither supplier nor acquirer perceiving the presence of the SSL intermediate proxy, passes the Internet user's identity information to the information supplier for further processing, thereby effectively improving communication security.
The present invention is realised by the following technical scheme:
A tunnel transmission method for an SSL intermediate proxy user certificate comprises carrying out identity authentication in the secure channel established between the browser and the SSL intermediate proxy, and carrying out identity authentication in the secure channel established between the SSL intermediate proxy and the web site, and is characterised in that it further comprises a method of passing the Internet user's identity transparently to the web site by establishing, inside the SSL intermediate proxy, a communication tunnel that transmits the user certificate.
Its additional technical feature is that the described method of establishing, inside the SSL intermediate proxy, a communication tunnel that transmits the user certificate and passing the Internet user's identity transparently to the web site means the following: the SSL intermediate proxy takes the identity information of the already authenticated Internet user that it obtained as the information supplier agent, uses its own digital certificate to generate a temporary digital certificate loaded with that identity information, links this temporary digital certificate behind the SSL intermediate proxy's digital certificate, and uses the result as the channel authenticated between the SSL intermediate proxy's information acquirer agent and the web site. Passing the Internet user's identity transparently to the web site means that through this channel the web site, after the SSL intermediate proxy's digital certificate and the temporary digital certificate linked to it have been presented and verified, can obtain the Internet user's identity information loaded in the temporary digital certificate.
The advantages of the invention are: the information supplier's program (such as the web site) and the information acquirer's program (such as the browser) need not be changed; no additional equipment need be configured; and without modifying the SSL intermediate proxy framework, the Internet user's identity information can be transferred transparently to the web site, which greatly improves the security of information use in network services. The method also has the outstanding advantage of being compatible with conventional SSL intermediate proxy usage.
Description of drawings
Fig. 1 is a schematic diagram of authentication and information flow for an existing SSL intermediate proxy.
Fig. 2 is a diagram showing the position of the user certificate tunnel of the present invention within the SSL intermediate proxy.
Fig. 3 is a flow chart of the implementation of the SSL intermediate proxy user certificate tunnel of the present invention.
Reference marks in the figures: 1 is a secure channel; 2 is the channel inside the SSL intermediate proxy that passes the user's Internet request and returns the network information; 3 is a secure channel; 4 is the certificate tunnel. In Fig. 3, the subject field of a digital certificate is the certificate's subject name; it contains the Internet user's country, province, city, organisation and user name, and is the data set that uniquely identifies the Internet user. The temporary digital certificate has the same format as a digital certificate applied for from a certificate authority, but it is generated temporarily by the SSL intermediate proxy at run time as a carrier for the Internet user's subject field information, and it can be verified by means of the SSL intermediate proxy's digital certificate.
Embodiment
According to the technical scheme above, an example based on the WIN2000 operating system is given below.
In this example, the open-source OpenSSL library is used in order to reduce unnecessary programming work. The OpenSSL library provides cryptographic functions for applications such as secure WEB sites and implements all versions of the SSL protocol.
1. Software design:
Because many current SSL intermediate proxies are implemented on the basis of the OpenSSL library, the design uses many header files and data structures from the OpenSSL library.
Key data structures
1) Data structure for passing the information supplier agent's current operating information
This data structure contains the current operating information passed from the information supplier agent.
2) Data structure for passing the storage locations of the SSL intermediate proxy certificate and private key:
This data structure defines two parameters: one is the SSL intermediate proxy certificate file location parameter, the other is the SSL intermediate proxy certificate private key file location parameter. These two parameters mainly provide the corresponding storage locations when the SSL intermediate proxy certificate/private key is needed, so that the program can obtain the SSL intermediate proxy certificate/private key information.
Functions realised by the main functions
1) Allocate and pass the information supplier agent's current operating information structure.
2) Set the information supplier agent's current operating information structure being passed.
3) During the network service, actually obtain the subject field information from the Internet user's digital certificate, and generate/process/link the temporary certificate.
Functions used from the OpenSSL library
1) Pass information data within an SSL connection.
2) Within an SSL connection, set the functions that need to be called during the network service.
2. Program example:
(1) Process of obtaining the information supplier agent's current operating information
1) Passing the SSL intermediate proxy certificate/private key
Suppose the SSL intermediate proxy's certificate is stored as a file under some path on the hard disk;
Suppose the private key corresponding to the SSL intermediate proxy's certificate is stored, encrypted (with an algorithm supported by the OpenSSL library), as a file under the same path;
Assign the path where the SSL intermediate proxy certificate is stored to the SSL intermediate proxy certificate file location parameter;
Assign the path where the SSL intermediate proxy private key is stored to the SSL intermediate proxy private key file location parameter.
2) Passing the information supplier agent's current operating information
Suppose the information supplier agent in the SSL intermediate proxy has established an SSL connection with the browser;
Suppose the information acquirer agent in the SSL intermediate proxy has been created and is preparing to establish an SSL connection with the web site;
After the information supplier agent in the SSL intermediate proxy has established the SSL connection with the browser, the following processing is carried out:
Initialise the SSL connection between the information acquirer agent in the SSL intermediate proxy and the web site;
Set the environment parameters used when the information acquirer agent in the SSL intermediate proxy connects to the web site server;
Set the information acquirer agent's "current WEB server host name, port number" parameters in the SSL intermediate proxy;
Set the error handling used when the information acquirer agent in the SSL intermediate proxy verifies certificates;
Set the certificate environment variables sent by the WEB server when the information acquirer agent in the SSL intermediate proxy connects to the web site.
(2) Processing of digital certificates in the SSL intermediate proxy:
During processing, a processing-function pointer is set in the structure that the information acquirer agent in the SSL intermediate proxy creates in preparation for establishing the SSL connection with the web site; this processing function is called during the actual establishment of that connection.
After the information supplier agent in the SSL intermediate proxy has established the SSL connection with the browser and the information supplier agent's current operating information has been passed, the following processing is carried out:
1) Obtain the subject field information from the Internet user's digital certificate in the relevant processing function.
2) Obtain the SSL intermediate proxy's digital certificate/private key.
3) Generate the temporary digital certificate, loading it with the subject field information from the Internet user's digital certificate.
4) Return the temporary digital certificate and its corresponding private key to the SSL connection establishment process.
The present invention is applicable to SSL-based secure applications and is especially suitable for SSL encryption devices positioned as intermediate proxies in e-commerce.
Claims (2)
1. A tunnel transmission method for an SSL intermediate proxy user certificate, comprising carrying out identity authentication in the secure channel (1) established between the browser and the SSL intermediate proxy, and carrying out identity authentication in the secure channel (3) established between the SSL intermediate proxy and the web site, characterised in that it further comprises a method of passing the Internet user's identity transparently to the web site by establishing, inside the SSL intermediate proxy, a communication tunnel (2) that transmits the user certificate.
2. The tunnel transmission method for an SSL intermediate proxy user certificate according to claim 1, characterised in that the described method of establishing, inside the SSL intermediate proxy, a communication tunnel that transmits the user certificate and passing the Internet user's identity transparently to the web site means the following: the SSL intermediate proxy takes the identity information of the already authenticated Internet user that it obtained as the information supplier agent, uses its own digital certificate to generate a temporary digital certificate loaded with that identity information, links this temporary digital certificate behind the SSL intermediate proxy's digital certificate, and uses the result as the channel authenticated between the SSL intermediate proxy's information acquirer agent and the web site; and passing the Internet user's identity transparently to the web site means that through this channel the web site, after the SSL intermediate proxy's digital certificate and the temporary digital certificate linked to it have been presented and verified, can obtain the Internet user's identity information loaded in the temporary digital certificate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 02128124 CN1275169C (en) | 2002-12-30 | 2002-12-30 | Tunnel transmission method of SSL intermediate surrogate user certification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1512378A (en) | 2004-07-14 |
CN1275169C (en) | 2006-09-13 |
Family ID: 34231234
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 02128124 Expired - Fee Related CN1275169C (en) | 2002-12-30 | 2002-12-30 | Tunnel transmission method of SSL intermediate surrogate user certification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1275169C (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103188074A (en) * | 2011-12-28 | 2013-07-03 | 上海格尔软件股份有限公司 | Proxy method for improving SSL algorithm intensity of browser |
CN106031097A (en) * | 2015-01-14 | 2016-10-12 | 华为技术有限公司 | Service processing method and device |
CN107636662A (en) * | 2015-02-13 | 2018-01-26 | 优替控股有限公司 | Web content certification |
CN110326267A (en) * | 2017-02-13 | 2019-10-11 | 亚马逊技术有限公司 | Network security with Alternative digital certificate |
CN110326267B (en) * | 2017-02-13 | 2021-07-02 | 亚马逊技术有限公司 | Network security system, method and storage medium with substitute digital certificate |
CN109150844A (en) * | 2018-07-26 | 2019-01-04 | 网易(杭州)网络有限公司 | Determine the methods, devices and systems of digital certificate |
CN109150844B (en) * | 2018-07-26 | 2021-07-27 | 网易(杭州)网络有限公司 | Method, device and system for determining digital certificate |
CN111800402A (en) * | 2020-06-28 | 2020-10-20 | 格尔软件股份有限公司 | Method for realizing full link encryption proxy by using event certificate |
CN111800402B (en) * | 2020-06-28 | 2022-08-09 | 格尔软件股份有限公司 | Method for realizing full link encryption proxy by using event certificate |
Also Published As
Publication number | Publication date |
---|---|
CN1275169C (en) | 2006-09-13 |
Similar Documents
Publication | Title |
---|---|
CN1302407C (en) | Equipment identifying system |
CN1252598C (en) | Method and system for providing information related to status and preventing attacks from middleman |
CN1212716C (en) | Method of sharing subscriber confirming information in different application systems of internet |
CN1191703C (en) | Safe inserting method of wide-band wireless IP system mobile terminal |
CN1631001A (en) | System and method for creating a secure network using identity credentials of batches of devices |
CN100347986C (en) | Method and system for certification |
CN1274105C (en) | Dynamic password authentication method based on digital certificate implement |
CN1756148A (en) | Mobile authentication for network access |
CN1805341A (en) | Network authentication and key allocation method across secure domains |
CN1756155A (en) | Mobile authentication for network access |
CN1815482A (en) | Method for obtaining and verifying credentials |
US20100138907A1 (en) | Method and system for generating digital certificates and certificate signing requests |
CN1859096A (en) | Safety verifying system and method |
CN1881879A (en) | Public key framework and method for checking user |
JP2008511232A (en) | Personal token and method for control authentication |
CN1731723A (en) | Electron/handset token dynamic password identification system |
CN1855810A (en) | Dynamic code verificating system, method and use |
CN1787513A (en) | System and method for safety remote access |
CN1960255A (en) | Distributed access control method in multistage securities |
CN1855814A (en) | Safety uniform certificate verification design |
MX2008015958A (en) | Biometric credential verification framework. |
CN1547343A (en) | A Single Sign On method based on digital certificate |
CN1874226A (en) | Terminal access method and system |
CN1420659A (en) | Method and apparatus for authenticating and veritying user and computer over network |
CN1640092A (en) | System and method for providing key management protocol with client verification of authorization |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20060913; Termination date: 20191230 |