CN1581144A - Digital certificate local identification method and system

Info

Publication number: CN1581144A
Authority: CN (China)
Application number: CN 03141990
Priority date / filing date: 2003-07-31
Publication date: 2005-02-16
Prior art keywords: certificate, system, server, blacklist, authentication
Other languages: Chinese (zh)
Inventors: 张伟鹏, 何国锋, 陈荦祺, 冯晔, 马骁骁
Original assignee: 上海市电子商务安全证书管理中心有限公司

Abstract

The present invention provides a method of local authentication of digital certificates. It is characterized in that an application system imports the certificates of the root CAs it wishes to trust into a local authentication module and configures the module according to its requirements (for example the download time and address of the blacklist), so that whenever the application needs to judge whether a certificate is valid it only calls the corresponding certificate authentication API function and obtains the result, regardless of which CA signed and issued the certificate, provided that CA is trusted in the local module. The invention can greatly raise the security of a local area network, reduce the network traffic between the local area network and the Internet, and raise network performance and the response speed of the certificate authentication service.

Description

Method and system for local authentication of digital certificates

Technical field

The invention belongs to the field of IT information security. It relates to a method and system for digital certificate authentication, and in particular to a digital certificate authentication method and system that perform the authentication locally.

Background technology

A digital certificate authentication system is built in order to issue certificates; at a deeper level, however, a CA exists to serve applications. Embedding certificates seamlessly into application systems, and using certificate-based security techniques to meet the security requirements of each application, can be regarded as the decisive measure of whether a CA system matters at all, and it is the main task of CAs at present.

CA systems are built to guarantee the security of networked application systems, mainly by integrating with practical applications such as operational information systems, secure e-mail systems, office automation (OA) systems, file-sharing and transfer systems, and desktop PC security applications.

At present, however, an application system often needs to support more than one certificate, and those certificates may come from different CAs. How to ensure that the certificates of several CAs can be used within every application system has therefore become a key issue.

An application system can usually trust only one root; trusting several certificates requires two preconditions:

1. Cross-certification must be carried out between the multiple root CAs (certification authorities).

2. Support for user certificates issued by different CAs must be planned for during development of the application system.

If either condition is not met, the application system cannot use user certificates issued by several CAs at the same time. In practice, cross-certification between root CAs is subject to many constraints and is hard to achieve. Likewise, deciding during development how many CAs to support, and redeveloping the application whenever a CA is added, is unrealistic.

In existing PKI systems, the validity of a certificate can be verified only against the directory server designated in the certificate. For LANs with strict security and confidentiality requirements, such as government internal networks and public-security networks, ordinary office PCs are not allowed to connect to the Internet, which makes deploying a PKI system in such LANs difficult. A client application system can perform local verification of certificates by changing the blacklist download address used during certificate validation; every blacklist it needs is then downloaded, on a schedule or in real time, by the local verification system from the directory server on which the CA publishes its blacklist on the Internet. Likewise, customer certificates can also be obtained from the digital certificate local authentication system. For an ordinary LAN, if certificate verification and retrieval of customer certificates were done with existing systems, every client application would have to fetch certificates and blacklists from the Internet, which greatly increases traffic between the LAN and the Internet, degrades network performance, slows application response and also places a heavier service load on the CA's directory publishing server.

Summary of the invention

The technical problem solved by the invention is to provide a digital certificate local authentication method and system that can be deployed inside a LAN and complete certificate validation and certificate update there, thereby localizing the certificate validation process.

When an application system confirms whether a user certificate is valid, it usually performs the following three operations:

1. Confirm that the user's certificate is within its validity period.

2. Confirm that the user's certificate was issued by a trusted root.

3. Confirm that the user's certificate is not in the CRL (blacklist) published by the certification authority.

Of these three steps, only the third requires contact with the CA, and CRL publication is not real-time but periodic. The certificate validation process can therefore be localized completely. Accordingly, the main job of the digital certificate local authentication system is precisely to complete these three steps.

In practical application development, the application system imports the certificates of the root CAs it wishes to trust into the local authentication module and configures it according to its requirements (such as the time and address for downloading the blacklist). When it needs to judge whether a certificate is valid, it simply calls the corresponding certificate validation API function and obtains the result. The application need not care which CA issued the certificate; it suffices that the CA is trusted in the local module.

After a user's certificate is renewed, the local authentication system automatically downloads the user's latest certificate from the corresponding CA, so that even if the application does not know the user has renewed the certificate, verification still succeeds. If required, the local authentication system can also obtain a user's latest certificate starting from any certificate of that user. The application can thus hand the most complex parts of certificate validation, together with the problem of certificate renewal, to the local authentication system, which greatly simplifies application design and development.

At the same time, the local authentication system is fully transparent to application developers: the development process is identical whether or not the local authentication system is used. That is, however many CAs are added, or if after some period of use the local authentication module is dropped, the application system need not be redeveloped.

Owing to the technical scheme above, the invention has the following advantages:

1) Local verification of certificates issued by several CAs is supported without cross-certification or a bridge CA, giving good extensibility.

2) Automatic renewal of local certificates is supported, keeping an object's certificate consistent with the CA's.

3) Intelligent blacklist download: blacklists are downloaded from each different CA automatically as required, and after a certificate is renewed the blacklist download for the new certificate is completed automatically.

4) Customer certificates can be verified in an environment detached from the CA's directory publishing server, which increases the security of the internal PKI network and reduces external network traffic.

5) JAVA technology is used, so the system is cross-platform and applicable to operating system platforms such as Linux, AIX, Solaris, HP and Windows.

6) The system is built on a three-tier B/S (browser/server) architecture in thin-client mode, making it very easy to install and operate.

7) The following standards are fully supported: X509v1, X509v2, X509v3, CRL, TimeStamp, PKCS7, ASN1, MIME, SSL, SMIME, LDAP, etc.

8) High integration: the whole system can run on a single server, significantly reducing construction cost.

In summary, because certificate verification is performed locally, end users of enterprises or government agencies inside a LAN can verify certificates issued by several different CAs on the Internet. This greatly improves LAN security, reduces network traffic between the LAN and the Internet, and improves network performance and the response speed of the certificate validation service; local certificate validation uses encryption and authentication techniques based on PKI standards, guaranteeing the security of the validation process. The digital certificate local authentication system manages certificates through a WEB interface, offers flexible certificate import modes (local import, online import, batch import) and blacklist update modes (manual real-time update, scheduled update), which greatly eases the certificate administrator's work and reduces system management cost; and because it supports local verification of certificates issued by several CAs, it adapts to a wide range of systems.

Description of drawings

Fig. 1 is a schematic diagram of the network architecture of the digital certificate local authentication system.

Fig. 2 is a diagram of the functional module framework of the digital certificate local authentication system.

Fig. 3 is a schematic diagram of the overall design of the digital certificate local authentication system.

Fig. 4 is a schematic diagram of the logical structure of the digital certificate local authentication system.

Embodiment

As shown in Fig. 1, the digital certificate local authentication server 1 can be deployed in a LAN made up of external application systems such as application server 3, workstation 4 and PC 5, and has bidirectional connections to several CA servers 2. The digital certificate local authentication system 1 can be connected to the Internet, while application server 3, workstation 4 and PC 5 are not connected to the Internet directly.

As shown in Figs. 2 and 3, the structure and functions of digital certificate local authentication system 1 are as follows:

The first layer consists of the service modules connected to external systems: the system data scheduled update service unit 11, the WEB customer service unit 12 and the client application service interface 13.

The system data scheduled update service unit 11 performs intelligent download and renewal of blacklists at the configured time and interval, and automatically verifies and downloads renewed certificates; it is connected to the directory publishing servers of the external CAs.

The WEB customer service unit 12 mainly provides, via WEB, the interactive management and operation interface for the administrators and operators of the digital certificate local authentication server within the LAN, and also lets ordinary users query some public data.

The client application service interface 13 provides services to client application systems, including checking for renewed certificates within a specified time and an import interface for new certificates.

The second layer mainly serves the first layer and comprises: certificate publishing unit 14, WEB application implementation unit 15, codec unit 16 and encryption/decryption unit 17.

The certificate publishing unit publishes certificates, blacklists, certificate chains and the like to the directory server.

The WEB application implementation unit implements the WEB application logic.

The codec unit encodes and decodes certificates, blacklists, certificate chains and the like.

The encryption/decryption unit uses the underlying encryption/decryption device to encrypt and decrypt data, and provides implementation interfaces for random number generation, HASH, symmetric encryption/decryption and RSA (asymmetric) operations.

The third layer mainly provides data storage and the underlying encryption/decryption: directory publishing server 18, database server 19 and encryption/decryption device 20.

Directory publishing server 18 provides a standard directory publishing service.

Database server 19 stores system management information, configuration information, user certificates, blacklists and similar data.

The encryption/decryption device performs data encryption and decryption with an encryption/decryption device approved by the state cryptography commission.

The fourth layer is operating system 21, the basis on which all modules run.

For example, an enterprise has several PKI-based client or server applications that use certificates issued by several different CAs at the same time. Taking the signature verification process shown in Fig. 4 as an example, the system works as follows:

The certificate administrator of digital certificate local authentication server 1 first downloads the enterprise's employee, client or server certificates from several CA servers 2 according to the enterprise's certificate issuance situation, or the enterprise's employees, clients or the corresponding server administrators import their own certificates into digital certificate local authentication server 1; the administrator also configures on server 1 the download address for blacklist queries, so that the server can download blacklists on a schedule or manually and provide the certificate validation service.

After a client or server application receives the other party's signature packet, it first downloads the user certificate and the corresponding root certificate from digital certificate authentication server 1, using information such as the other party's name, e-mail address or unique user number, and can then authenticate the certificate; it then downloads the corresponding blacklist from digital certificate authentication server 1 according to the certificate and verifies against the blacklist, completing the whole certificate validation process.

Digital certificate local authentication server 1 has the following functions:

1) Online conditional certificate import

Specify the CA directory server from which certificates are to be imported; certificates can be imported in batch or one at a time, by conditions such as name, e-mail address or unique user number.

2) Offline certificate import

Certificates can be imported from a specified single-certificate medium or from a batch certificate file.

3) CRL import and update

CRLs can be imported from each CA's CRL directory service on a schedule or manually in real time, and the import interval can be configured.

4) Certificate chain import

Certificate chains can be imported from the corresponding CA server according to specified conditions, or imported offline.

5) Certificate information management

Imported certificates can be queried, deleted and otherwise managed.

6) Automatic certificate renewal

For certificates entering the renewal critical period, the latest renewed certificate is searched for automatically. An interface is provided to obtain the latest certificate starting from any certificate of the user.

7) Certificate import service interface

A certificate import service interface following a given interface standard accepts certificate import requests made to the digital certificate local authentication system by external CA systems.

8) System management

Functions for administering and maintaining the digital certificate local authentication system are provided.

Combined with prior art, the digital certificate local authentication system of the invention can also have the following features:

1) Full satisfaction of or support for the relevant international standards, including:

X509v1, X509v2, X509v3, CRL, OCSP, TimeStamp, PKCS1, PKCS8, PKCS7, PKCS10, ASN1, MIME, SSL, SMIME, LDAP.

2) Compatibility with multiple common application software packages and operating systems

The product can work together with the following software:

A. Client applications: Netscape Navigator, Netscape Communication, Microsoft Internet Explorer, UniTrust SafeEngine, UniTrust certificate manager

B. Various WEB servers: Microsoft IIS WebServer, Netscape Enterprise, Apache, Java WebServer, Domino, etc.

C. All PKI applications that comply with X.509 and PKCS.

3) Unified administration interface

All operational management of local certificate validation is based on WEB pages, which effectively reduces maintenance cost.

4) Support for multiple high-strength algorithms

SSF33, RSA, SHA1, MD5, MD2

All algorithms are implemented in hardware modules approved by the state cryptography commission.

5) Strict rights management

The digital certificate local authentication system divides users into four levels: system administrator, system operator, system user and anonymous. The system administrator is responsible for operating the system but cannot access any user data, and more than half of the system administrators must be present at the same time before the system can enter system management mode. Operators can only operate on users and certificates and cannot affect the operation of the system. Users can only operate on their own data and cannot modify other people's data. Anonymous users receive public services, such as downloading other people's certificates, root certificates and blacklists. All authentication is performed by digital authentication, guaranteeing system security.

6) Clear, fine-grained operator permissions

Besides supporting roles of different levels, the digital certificate local authentication system subdivides the permissions of system operators in detail: different operators, according to their permissions, may perform different operations such as certificate import, deletion and query.
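The following is an added illustration of the rights model in features 5) and 6), written in Python; it is not code from the patent or its assignee. It encodes the four user levels, the rule that more than half of the system administrators must be present before management mode opens, the restriction of users to their own data, and per-operator permission subsets. Role names, permission strings and the RightsManager class are assumptions made for the example.

```python
"""Added example (not from the patent): the four-level rights model of features 5) and 6),
with the rule that more than half of the registered system administrators must be present
before management mode opens, and per-operator permission subsets. Role names,
permission strings and the RightsManager class are assumptions."""
from dataclasses import dataclass

# Ceiling of permissions per role (assumed names). Administrators run the system but never
# touch user or certificate data; each operator is granted a subset of the operator ceiling.
ROLE_PERMISSIONS = {
    "administrator": {"system.operate", "system.management_mode", "log.query"},
    "operator": {"cert.import", "cert.delete", "cert.query", "user.manage", "log.query"},
    "user": {"self.query", "log.query_own"},
    "anonymous": {"public.download_cert", "public.download_root", "public.download_crl"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    authenticated: bool = False   # True only after certificate-based (digital) authentication


class RightsManager:
    def __init__(self, administrators):
        self.administrators = set(administrators)   # everyone holding the administrator role
        self.present = set()                        # administrators authenticated right now
        self.operator_grants = {}                   # operator name -> granted permission subset
        self.management_mode = False

    def grant_operator(self, operator_name, permissions):
        """Delineate one operator's rights; anything outside the operator ceiling is refused."""
        unknown = set(permissions) - ROLE_PERMISSIONS["operator"]
        if unknown:
            raise ValueError("not an operator permission: %s" % sorted(unknown))
        self.operator_grants[operator_name] = set(permissions)

    def _recompute_mode(self):
        # management mode needs more than half of all administrators present
        self.management_mode = 2 * len(self.present) > len(self.administrators)
        return self.management_mode

    def admin_arrives(self, principal):
        if (principal.role == "administrator" and principal.authenticated
                and principal.name in self.administrators):
            self.present.add(principal.name)
        return self._recompute_mode()

    def admin_leaves(self, name):
        self.present.discard(name)
        return self._recompute_mode()

    def allowed(self, principal, permission, owner=None):
        """Decide one access request; `owner` is whose data the request touches."""
        if principal.role != "anonymous" and not principal.authenticated:
            return False                                   # every non-public action needs digital auth
        if principal.role == "administrator":
            if permission == "system.management_mode":
                return self.management_mode                # gated by the quorum above
            return permission in ROLE_PERMISSIONS["administrator"]
        if principal.role == "operator":
            return permission in self.operator_grants.get(principal.name, set())
        if principal.role == "user":
            # users may act only on their own records, never another person's data
            return permission in ROLE_PERMISSIONS["user"] and owner == principal.name
        return permission in ROLE_PERMISSIONS["anonymous"]
```

The quorum is recomputed on every arrival and departure, so management mode closes again as soon as the count of authenticated administrators drops to half or below; an operator with no explicit grant can do nothing, which is the safe default for a newly created account.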

7) Support for multiple media

The system supports multiple certificate storage media, such as floppy disks, IC cards, USB tokens and servers; as long as the media driver is installed, the system recognises the medium automatically.

8) Data backup

The digital certificate local authentication system provides import and export of root certificates and also supports backup and restore of all data, safeguarding data security.

9) Log information

The digital certificate local authentication system provides detailed logging, comprising system logs and user logs. The system log mainly records all operations on system information or certificate information by system administrators, system operators and users. Administrators can learn the state of the system through log queries, operators can obtain the history of certificate and user-profile operations, and users can query their own operation records; powerful query conditions are provided.

10) Operation audit

A powerful operation audit function is provided: all user operations on the system are recorded for statistics and analysis.

11) Product upgrade

To keep pace with continually improving technology and new requirements, the digital certificate local authentication system is continually enhanced in performance and functionality; the user need only have the system administrator put the system into maintenance mode and run the software upgrade package supplied by SHECA to upgrade the product.

The following describes a concrete example. Suppose unit A has 50 people, 10 of whom use certificates from CA1 and the other 40 certificates from CA2. Everyone in unit A uses the internal OA system, which wishes to use signing certificates for identity authentication and wants the certificates of both CAs to be usable in the OA system.

First, users apply for certificates through the corresponding certificate application system; for example, they may apply for a CA1 certificate or for a CA2 certificate.

Second, when developing the internal application system, unit A should use the API (application programming interface) functions provided by Shanghai CA.

Finally, the internal application system should not judge certificate validity itself but should call the corresponding certificate verification API to do so. Once the root certificates of CA1 and CA2 are both configured as trusted in the local authentication module, certificates issued by both CAs can be used in the internal OA system.
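As an added illustration, not code from the patent or from its assignee, the following Python module performs the three checks listed in the summary (validity period, issuance by a trusted root, absence from that root's CRL) for unit A's two trusted roots, CA1 and CA2, and reproduces the signature-verification flow of Fig. 4: the application calls one verify function and does not care which CA issued the certificate, while the module keeps a per-CA blacklist cache that it refreshes at a configured interval. Keys, certificates and CRLs are generated in memory with the `cryptography` library (assumed to be installed); the blacklist "download" is a constructed in-memory callback standing in for the configured download address, and LocalValidator, import_root, crl_fetch and build_fixture are names chosen for this example.

```python
"""Added example (not code from the patent or its assignee): a local validation module that
performs the three checks above -- validity period, trusted root, not on that root's CRL --
for unit A's two roots, CA1 and CA2. Keys, certificates and CRLs are generated in memory with
the `cryptography` library; the blacklist "download" is a constructed in-memory callback."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # fixed clock, so results are deterministic
USER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # shared by all leaf certs

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_root(cn):
    """Self-signed root CA certificate, as the CA itself would publish it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_user_cert(ca_key, ca_cert, cn, start=NOW - dt.timedelta(days=1), days=365):
    """End-entity certificate issued by one of the roots."""
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(USER_KEY.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """The CA's blacklist (CRL), signed with the CA key."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - dt.timedelta(hours=1)).next_update(NOW + dt.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

class LocalValidator:
    def __init__(self, crl_fetch, refresh=dt.timedelta(hours=12)):
        self.roots = {}              # issuer name -> imported root certificate
        self.crl_cache = {}          # issuer name -> (crl, time it was downloaded)
        self.crl_fetch = crl_fetch   # stands in for the configured blacklist download address
        self.refresh = refresh       # configured download interval

    def import_root(self, root_cert):
        self.roots[root_cert.subject] = root_cert

    def _crl_for(self, issuer, now):
        cached = self.crl_cache.get(issuer)
        if cached is None or now - cached[1] >= self.refresh:
            crl = self.crl_fetch(issuer)
            # a downloaded blacklist is usable only if the trusted root actually signed it
            if crl.issuer != issuer or not crl.is_signature_valid(self.roots[issuer].public_key()):
                raise ValueError("CRL not signed by trusted root " + issuer.rfc4514_string())
            cached = self.crl_cache[issuer] = (crl, now)
        return cached[0]

    def verify(self, cert, now=NOW):
        """Return 'valid' or the reason the certificate is rejected."""
        # cryptography >= 42 has timezone-aware *_utc properties; older releases only naive UTC ones
        not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
        not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
        if not not_before <= now <= not_after:                      # step 1: validity period
            return "expired"
        root = self.roots.get(cert.issuer)
        if root is None:                                             # step 2: issued by a trusted root ...
            return "untrusted issuer"
        try:                                                         # ... whose signature actually verifies
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return "bad signature"
        crl = self._crl_for(cert.issuer, now)                        # step 3: not on the issuer's blacklist
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "valid"

def build_fixture():
    """Unit A (constructed): two trusted CAs plus a third CA whose root was never imported."""
    ca1_key, ca1 = make_root("CA1")
    ca2_key, ca2 = make_root("CA2")
    ca3_key, ca3 = make_root("CA3")
    certs = {"alice": make_user_cert(ca1_key, ca1, "alice"), "bob": make_user_cert(ca2_key, ca2, "bob"),
             "carol": make_user_cert(ca2_key, ca2, "carol"),                          # revoked by CA2
             "dave": make_user_cert(ca1_key, ca1, "dave", start=NOW - dt.timedelta(days=60), days=30),
             "eve": make_user_cert(ca3_key, ca3, "eve")}                              # root not trusted
    crls = {ca1.subject: make_crl(ca1_key, ca1, []), ca2.subject: make_crl(ca2_key, ca2, [certs["carol"].serial_number])}
    fetch_log = []
    def fetch(issuer):                     # constructed "download" from the CA's directory server
        fetch_log.append(issuer.rfc4514_string())
        return crls[issuer]
    validator = LocalValidator(crl_fetch=fetch)
    for root in (ca1, ca2):
        validator.import_root(root)
    return validator, certs, fetch_log
```

Calling `build_fixture()` and then `validator.verify(cert)` for each constructed certificate returns `valid` for the CA1 and CA2 users, `revoked` for the user on CA2's blacklist, `expired` for the lapsed certificate and `untrusted issuer` for the CA3 user; the fetch log shows one blacklist download per CA until the refresh interval elapses, which is the traffic reduction the text describes. A production module would additionally refuse a cached CRL once its nextUpdate has passed and would check the end-entity certificate's extensions (for example that a CA certificate is not being used as an end-entity one).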

Claims (6)

1. A method of local authentication of digital certificates, characterized by comprising the steps of:
1) a certificate administrator first downloads the enterprise's employee, client or server certificates from several CA servers (2) according to the enterprise's certificate issuance situation, or the enterprise's employees, clients or the corresponding server administrators import their own certificates into the digital certificate local authentication server (1);
2) the download address for blacklist queries is configured on the digital certificate local authentication server (1), so that the server can download blacklists on a schedule or manually and provide the certificate validation service;
3) after a client or server application receives the other party's signature packet, it first downloads the user certificate and the corresponding root certificate from the digital certificate authentication server (1) according to information such as the other party's name, e-mail address or unique user number and can then authenticate the certificate; it then downloads the corresponding blacklist from the digital certificate authentication server (1) according to the certificate and verifies against the blacklist, completing the whole certificate validation process.
2. The method of local authentication of digital certificates according to claim 1, characterized in that users are divided into four levels: system administrator, system operator, system user and anonymous.
3. The method of local authentication of digital certificates according to claim 1, characterized in that said certificate import can be divided into online import and offline import.
4. A digital certificate local authentication system according to claim 1, which can be deployed in a LAN made up of external client application systems and has bidirectional connections to several CA servers (2), comprising:
a directory publishing server (18) for publishing information such as certificate chains, user certificates and blacklists;
a database (19) for storing information such as system management information, configuration information, user certificates and blacklists;
a system data scheduled update service unit (11) for updating data such as certificate chains, certificates and blacklists, which is connected to the directory publishing servers of the external CA servers (2), the system's own directory server (18) and the system database (19);
a WEB customer service unit (12) which provides, via WEB, an interactive management and operation interface and also lets ordinary users query some public data, and which is connected to the system database (19) and to external WEB browsers;
a client application service interface (13) which provides service and import interfaces to client application systems, and which is connected to the directory publishing server (18), the system database (19) and external client application systems.
5. The digital certificate local authentication system according to claim 4, characterized in that it further comprises:
a certificate publishing unit (14) for publishing certificates, blacklists, certificate chains and the like to the directory publishing server;
a WEB application implementation unit (15) for implementing the WEB application logic;
a codec unit (16) for encoding and decoding certificates, blacklists, certificate chains and the like.
6. The digital certificate local authentication system according to claim 5, characterized in that it further comprises an encryption/decryption device (20).
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03141990 CN1581144A (en) 2003-07-31 2003-07-31 Digital certificate local identification method and system

Publications (1)

Publication Number Publication Date
CN1581144A true CN1581144A (en) 2005-02-16

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101853353B (en) * 2005-02-14 2012-07-18 松下电器产业株式会社 Application executing device and method
CN101490689B (en) * 2006-07-07 2012-05-16 桑迪士克股份有限公司 Content control system and method using certificate chains
CN101681264B (en) * 2007-04-23 2014-01-08 汤姆森许可贸易公司 Method and apparatus for software downloads in a network
CN101802805B (en) * 2007-08-02 2012-07-18 普兰蒂网络有限公司 Method for verifying application programs and controlling the execution thereof
CN101924634A (en) * 2009-06-10 2010-12-22 任少华 Verification portal
CN106462673A (en) * 2014-06-27 2017-02-22 英特尔公司 Technologies for secure offline activation of hardware features
CN106462673B (en) * 2014-06-27 2019-09-03 英特尔公司 For hardware characteristics to be carried out with the equipment and device of secure off-line activation

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
WD01 Invention patent application deemed withdrawn after publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)