WO2012031821A1 - Method for certificate-based authentication (Verfahren zur zertifikats-basierten authentisierung) - Google Patents
Method for certificate-based authentication
- Publication number
- WO2012031821A1 (PCT/EP2011/062644)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- certificate
- subscriber
- participant
- authentication
- requirements
- Prior art date
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Definitions
- The invention relates to a method for certificate-based authentication, in which a first subscriber authenticates itself to a second subscriber with the aid of a digital certificate assigned to the first subscriber.
- Digital certificates are known per se from the prior art. They contain the identity of an entity, in the form of a person, institution or machine, for which the certificate is issued. Here and below, the term "subscriber" is used for any entity to which a certificate can be assigned.
- A subscriber can be a computer or a machine for which the certificate is issued.
- A subscriber can also be a computer or machine that manages the certificate of a person or institution; the responsibility for managing the certificate assigns the certificate to that computer or machine.
- A certificate contains a public key of the corresponding entity, and the owner of the certificate can be confirmed by means of a digital signature in the certificate.
- The digital signature is calculated by a certificate issuing authority.
- The signature can be verified as valid via a root certificate of this issuing authority or via a certificate chain to the root certificate. Additional information in a digital certificate is encoded in the form of so-called attributes, by which authorizations for the user of the certificate or usage restrictions of the certificate are set. Certificates generally have a limited validity period, which is specified as information in the certificate. After the end of the validity period, the certificate automatically becomes invalid.
- With certificates it must be ensured that a certificate which is to remain usable beyond its validity period is replaced in good time by a corresponding certificate with a new validity period. In practice this involves a high administrative effort. It is particularly difficult to implement when issuing certificates for automation devices, which are used over a long period of time and are not subject to strict computer administration. Although it is possible to issue certificates with a very long or unlimited validity period, this increases the risk of misuse.
- SAML stands for Security Assertion Markup Language.
- A possible claim is, for example, an authentication by means of a certificate, by password, and the like.
- Access is granted or denied accordingly.
- The object of the invention is to provide a certificate-based authentication in which the validity of the certificate used for this purpose can be controlled simply and flexibly.
- An authentication is carried out in which a first subscriber authenticates itself to a second subscriber with the aid of a digital certificate assigned to the first subscriber.
- The certificate specifies one or more requirements, wherein the fulfillment of a requirement is assured by a third subscriber when the third subscriber issues the requirement.
- The term "specification of requirements in the certificate" is to be understood broadly. The specified requirements can be stored directly in the certificate or specified by an identifier or name. Likewise, one or more requirements may be specified via a reference that refers to them, such as a URI or a URL.
- The term "issuing a requirement" is likewise to be understood broadly in the sense of the invention. For example, a requirement may be considered issued if it is deposited with the corresponding third subscriber or can be retrieved from that subscriber.
- A validity condition is checked by the second subscriber, and the certificate of the first subscriber is classified as valid by the second subscriber if the validity condition is met.
- The validity condition depends on the issuance and/or the non-issuance, by the third subscriber, of one or more of the requirements specified in the certificate. If the specified validity condition is not met, the certificate is regarded as invalid and the corresponding authentication is aborted. In particular, the second subscriber can assess, as the validity condition, whether the specified requirements are fulfilled by an issuance of those requirements by the third subscriber at the time the certificate of the first subscriber is verified.
- The requirements may represent the SAML assertions mentioned at the outset or corresponding claims from the Claims-based Authorization Model.
- The first subscriber asks the third subscriber for information as to whether one or more of the requirements specified in the certificate have been issued by the third subscriber.
- The first subscriber then makes the queried information available to the second subscriber, for example by transmitting the issued requirements to the second subscriber. The second subscriber then checks the validity condition on the basis of this information.
- Alternatively, the second subscriber can request the information as to whether one or more of the requirements specified in the certificate have been issued directly from the third subscriber, and then check the validity condition on the basis of the requested information.
- In order to avoid misuse by unauthorized querying of requirements from the third subscriber, in a particularly preferred embodiment the first subscriber must
- A requirement can be specified in terms of the validity of the certificate, i.e. the temporal validity of the certificate is linked to the issuance of a corresponding requirement without taking other criteria into account.
- A requirement may relate to the communication environment in which the first subscriber is operated. This communication environment can be determined, for example, by special properties or a corresponding address of the communication network. A requirement may also relate to one or more characteristics of the first and/or second and/or third subscriber. For example, it may be specified that only certain first, second or third subscribers may be used within the framework of the certificate-based authentication. In particular, it can also be determined from which subscriber the issued certificates must originate.
- A requirement may specify the trustworthiness of the authentication of the first subscriber to the second subscriber. Only if the trustworthiness specified in the requirement is given, for example in the form of a trust value, is the certificate considered valid. In this way it can be taken into account that the trustworthiness of an authentication may change over time, for example when an attack on a particular subscriber becomes known.
- The validity condition is a logical link chain comprising one or more AND and/or NAND and/or OR and/or XOR and/or NOR links, wherein the link chain is preferably encoded in the certificate. In this way, for example, blocking requirements can be processed very well: in the presence of a blocking requirement, the certificate is considered invalid. The validity of the certificate can therefore be linked to the absence of a blocking requirement by means of a NAND link.
- In addition to the above validation of the certificate, a verification of the certificate also takes place. This verification can be done in a conventional manner by checking the signature of the certificate.
- In the method according to the invention, a cryptographically secured communication is established between the first and second subscriber with the aid of a public key contained in the certificate of the first subscriber and the private key associated with this public key.
- The corresponding requirements for checking the validity condition can also be transmitted over this connection. If it turns out that the validity condition is not fulfilled, the encrypted connection, and thus the authentication, is aborted.
- While an encrypted connection is established, the validity condition is repeatedly re-verified, for example periodically every 5 minutes or every hour. If the validity condition is no longer met, in a variant of the invention the connection is terminated.
- The authentication performed by the method according to the invention can be based on known protocols, such as the SSL/TLS protocol and/or the IKE/IPsec protocol and/or the IKEv2/IPsec protocol, in addition to which the verification of the validity condition according to the invention takes place on the basis of corresponding requirements.
- The certificate used in the present invention may be based on a certificate known per se.
- The certificate may represent an extended X.509 certificate which specifies one or more requirements in addition to the known entries.
- The method according to the invention can also be used for mutual authentication between the first and second subscribers. That is, with the method, the first subscriber authenticates itself to the second subscriber and, with the roles of the first and second subscriber exchanged, the second subscriber analogously authenticates itself to the first subscriber.
- The method according to the invention can be used for any first, second or third subscribers in the form of computers or machines.
- The subscribers are, for example, components of an automation system, such as corresponding control devices, sensors, actuators and the like.
- The invention further relates to a communication network with a first, second and third subscriber, wherein, in operation of the communication network, a certificate-based authentication according to the method described above or one or more of its variants can be carried out.
- FIG. 1 shows a schematic representation of a communication network in which an embodiment of the certificate-based authentication is carried out.
- FIG. 2 shows a schematic representation of a message exchange between two nodes in a communication network which authenticate each other on the basis of an embodiment of the method according to the invention.
- FIG. 1 shows a schematic representation of a communication network N with a plurality of computers, wherein the computers participating in the certificate-based authentication described below are designated R1, R2 and R3.
- The computer R1 corresponds to a first subscriber in the sense of claim 1, the computer R2 to a second subscriber and the computer R3 to a third subscriber.
- The subscribers need not necessarily be computers; subscribers can also be any other communicating units, such as automation units or machines.
- The automation units can be corresponding components of an automation system which performs an automated manufacturing or production process.
- The individual automation units may represent, for example, a programmable logic controller, a sensor, an electric car, a charging station for an electric car, a power meter, an energy automation device, a computer tomograph, an X-ray device and the like. All automation units are characterized by the fact that they are equipped with a communication interface for communication with other units.
- The communication interface can be, for example, an Ethernet interface, an IP interface, a WLAN interface, a Bluetooth interface or a ZigBee interface.
- The computer R1 authenticates itself to the computer R2 using an extended X.509 certificate.
- This certificate contains, in a known manner, among other information a public key of the subscriber R1, which can be used in the context of the authentication for the encrypted exchange of a secret and for generating a session key for cryptographically secured communication between the computers R1 and R2.
- The certificate is signed by a trusted certification authority. For verification, the certificate is transmitted to the computer R2, which then verifies the signature in a conventional manner on the basis of a root certificate issued by the certification authority or a certificate chain to the root certificate.
- Table 1 below shows the essential information of a conventional X.509 certificate. Such a certificate is used, for example, in the known SSL/TLS authentication or IKE/IPsec authentication.
- The term "certificateID" denotes an identity of the certificate, specified by the serial number "SerialNumber".
- The expression "issuedTo" indicates for which subscriber the certificate is issued, with "issuedTo" followed by the name of the subscriber.
- The term "issuer" refers to the issuer of the certificate, specified by a suitable name of the issuer.
- The terms "validFrom" and "validTo" specify the validity period of the certificate: "validFrom" specifies a time "Time" at which the validity of the certificate begins, and "validTo" specifies a time "Time" at which the certificate expires.
- The certificate then contains the public key "Public Key" of the subscriber.
- Attributes may be present in the certificate; they are defined in the "Attributes" section of the certificate.
- By way of example, an attribute AttributeA and an attribute AttributeB are specified.
- Attributes can specify, for example, permissions that determine which actions the subscriber who owns the certificate may perform.
- Attributes may also specify usage restrictions of the certificate; for example, it may be specified that the certificate is suitable only for digital signature and authentication, but cannot be used for encryption.
- The certificate also includes the signature already described above, labeled "Signature", which allows the verification of the certificate on the basis of a root certificate or a certificate chain to the root certificate.
- The structure of the certificate of Table 2 corresponds as far as possible to the certificate of Table 1, so that the same standard terms are not explained again.
- The extended X.509 certificate now includes a further attribute, called "requiredClaims".
- A so-called claim classifier is specified here, which specifies one or more so-called claims that must be fulfilled for the certificate to be considered valid.
- The syntax of the claims is based on the so-called "Claims-based Authorization Model", which was defined by Microsoft as part of the Geneva Framework in 2008 (see also http://msdn.microsoft.com/en-us/magazine/dd278426.aspx).
- The claim classifier may be encoded directly in the certificate, but the certificate may also contain a reference to a claim classifier (e.g. a URL or URI) through which the claim classifier can be accessed.
- SAML assertions are based on the well-known XML-based SAML language and specify a statement.
- An example of the syntax with which SAML assertions may be encoded in a certificate according to the invention, instead of a claim classifier, reads as follows:
- `<roleClaimType value="urn:remoteServcetApp/2010/04/Claims/permission" /></samlSecurityTokenRequirement>`
- The computer R3 serves as the issuer of the corresponding claims or assertions. Only if this computer has issued one or more of the assertions or claims specified in the corresponding certificate is the certificate considered valid.
- The certificate of the computer R1 is indicated by the reference symbol C and the claims contained therein by the reference symbol CL.
- It can additionally be specified in the certificate by which issuing computer the corresponding claims or SAML assertions must be issued for the certificate to be valid. If appropriate, this information can again be coded in the certificate in the form of a corresponding claim or a corresponding SAML assertion.
- In step S1, the computer R1, which wishes to authenticate itself to the computer R2, first requests the corresponding claims from the computer R3 on the basis of the claim classifier in its certificate. If the computer R3 issues a corresponding claim, it thereby also assures that the requirement according to the claim is fulfilled. On the basis of the claims requested in step S1, the computer R3 determines which of the claims it has actually issued. This information is then transferred by the computer R3 to the computer R1 in step S2. In the embodiment described here, the claims themselves are transmitted to the computer R1.
- Subsequently, the actual certificate-based authentication takes place, indicated by step S3.
- In step S3, the certificate C of the computer R1 and all or a subset of the claims transmitted in step S2 are transmitted to the computer R2.
- The computer R2 then verifies the certificate in a manner known per se and furthermore checks whether it classifies the certificate as valid. This is the case in particular when the claims specified in the certificate match the claims submitted with it. If the certificate C is not classified as valid, the authentication is aborted.
- The authentication can be based on known protocols, such as SSL/TLS or IKE/IPsec or IKEv2/IPsec, whereby the presence of the claims is additionally checked in the context of these protocols.
- Once the authentication of step S3 described above is finished, a session key can subsequently be negotiated via the corresponding public key in the certificate, and cryptographically secured communication between the computers R1 and R2 can take place. This is indicated in FIG. 1 by step S4.
- In step S101, the computer R2 requests from the computer R1 its certificate C with the claims CL contained therein.
- In step S102 this certificate is transmitted, and the verification of the certificate takes place in step S103. As part of this step, it is also checked whether the claims contained in the certificate C were actually issued by the computer R3.
- In step S104, the computer R2 likewise transmits its certificate C with the claims CL' contained therein to the computer R1.
- In step S105, the certificate C is checked analogously to step S103 to see whether the claims CL' have actually been issued by the computer R3. If the checks carried out in steps S103 and S105 are both positive, both certificates are considered valid by the respective computers, and a corresponding authentication can take place, in the course of which a session key SK is set up between the two computers R1 and R2. Using this key, confidentiality-protected communication can subsequently take place.
- The corresponding requirements of the certificate are checked during the protocol run.
- This check can also be performed outside the protocol, separately between the authenticating communication partners, e.g. using the HTTP protocol over an SSL/TLS connection after that connection has been established.
- The requirements can be linked to any criteria. For example, a certificate for a subscriber can be issued which is only valid as long as the device is operated in its current communication environment, where the communication environment is, for example, specified by a corresponding network address.
- The requirements can also be issued depending on the subscriber that wants to authenticate itself or, if appropriate, on the subscriber to which the authentication takes place.
- The requirement can be defined in such a way that a subscriber can authenticate itself to one subscriber, for example, whereas an authentication to another subscriber is not possible.
- A trust value can be specified in a requirement that specifies the trustworthiness of the authentication performed.
- In this way it can be taken into account that the quality of an authentication may change over the lifetime of a subscriber, for example when attacks become known or a particular subscriber has been hacked, or if the subscriber could possibly have been manipulated, e.g. by an untrustworthy previous owner.
- The requirements specified in the certificate can also be suitably concatenated. This makes it possible, for example, to restrict the circle of subscribers that may use a specific resource present in the network.
- A requirement associated with a subscriber certificate may require a further requirement from the subscriber describing how it has authenticated itself.
- The corresponding requirements can, for example, be issued by the device manufacturer of the corresponding subscriber. This device manufacturer usually also issues the certificate for the subscriber.
- The concatenation of requirements described above can be done with the known logical operators AND, NAND, OR, XOR and NOR.
- The corresponding logical concatenation is preferably encoded in the certificate.
- By means of such a concatenation it is possible, for example, to issue blocking requirements for corresponding certificates. These blocking requirements can be used to invalidate the certificates of a large number of subscribers. If a blocking requirement is linked to other requirements with a NAND link, the absence of the blocking requirement is a necessary criterion for the certificate to be valid.
- Certificates for corresponding subscribers can be issued with virtually unlimited validity. This can be done, for example, with an X.509 certificate by setting the relevant entries "validFrom" and "validTo" to an unlimited validity period. In order nevertheless to revoke the certificate, it is sufficient that a requirement which must be present for the validity of the certificate is no longer provided by the issuer of the requirements. It is also possible for the corresponding requirements for controlling the validity of the certificate to be issued in a local communication network, for example in the communication network of an automation system, by a local subscriber in that system. In particular, the manufacturer of an automation system can issue corresponding certificates with requirements specified therein for the individual components, while the issuance of the requirements is regulated locally by the operator of the automation system.
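The following Python simulation is an added example and not code from the patent or its applicant. It models the scheme described above end to end: an extended certificate that carries a "requiredClaims" classifier and a logical link chain, a third subscriber R3 that issues and withdraws claims (steps S1/S2), and a second subscriber R2 that checks the conventional signature and then the validity condition (step S3), including the NAND-linked blocking claim and the revocation of a certificate with unlimited validity by simply withdrawing a claim. The certificate fields, claim names, the issuer name and the HMAC that stands in for the certification authority's signature are all assumptions chosen for illustration; R2 re-confirms presented claims with R3 directly (the variant in which the second subscriber queries the third subscriber itself), so a claim a subscriber asserts on its own is not counted.

```python
"""Claim-gated certificate validity (constructed example; not the patent's code)."""
from dataclasses import dataclass
import hashlib
import hmac
import json

CA_KEY = b"constructed-demo-ca-key"  # placeholder for the certification authority's key


@dataclass
class Certificate:
    """Extended X.509-style certificate: conventional fields plus requiredClaims."""
    certificate_id: int
    issued_to: str
    issuer: str
    valid_from: str
    valid_to: str
    public_key: str
    required_claims: tuple     # claim classifier: names of the claims referred to
    validity_condition: tuple  # logical link chain over those names, in the certificate
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        body = {k: v for k, v in self.__dict__.items() if k != "signature"}
        return json.dumps(body, sort_keys=True).encode()


def sign(cert: Certificate, ca_key: bytes) -> None:
    """HMAC stands in for the CA's public-key signature (assumption for the demo)."""
    cert.signature = hmac.new(ca_key, cert.to_be_signed(), hashlib.sha256).digest()


def signature_ok(cert: Certificate, ca_key: bytes) -> bool:
    expected = hmac.new(ca_key, cert.to_be_signed(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def evaluate(condition, issued: set) -> bool:
    """Evaluate the link chain against the claims R3 has actually issued.

    A leaf is a claim name, true iff issued. A node is (OP, operand, ...) with OP
    in AND/OR/NAND/NOR/XOR; a one-operand NAND is negation (a blocking claim).
    """
    if isinstance(condition, str):
        return condition in issued
    op, *operands = condition
    values = [evaluate(o, issued) for o in operands]
    if op == "AND":
        return all(values)
    if op == "OR":
        return any(values)
    if op == "NAND":
        return not all(values)
    if op == "NOR":
        return not any(values)
    if op == "XOR":
        return sum(values) % 2 == 1
    raise ValueError(f"unknown operator {op!r}")


class ClaimIssuer:
    """Third subscriber (R3): publishes and withdraws claims."""

    def __init__(self, name: str):
        self.name = name
        self.published: set = set()

    def issued(self, requested) -> set:
        """Steps S1/S2: report which of the requested claims are currently issued."""
        return {c for c in requested if c in self.published}


def verify(cert: Certificate, presented: set, issuer: ClaimIssuer, ca_key: bytes):
    """Second subscriber (R2), step S3: signature check, then the validity condition."""
    if not signature_ok(cert, ca_key):
        return False, "signature invalid"
    # Only claims the certificate names matter, and the presenter's list is not
    # trusted: each claim is re-confirmed with R3 before the chain is evaluated.
    confirmed = issuer.issued(set(presented) & set(cert.required_claims))
    if evaluate(cert.validity_condition, confirmed):
        return True, "valid"
    return False, "validity condition not met"


def demo() -> dict:
    """Walk one certificate through its lifecycle; returns the verdict per stage."""
    r3 = ClaimIssuer("R3")
    cert = Certificate(
        certificate_id=4711, issued_to="R1", issuer="Demo-CA",
        valid_from="2010-01-01", valid_to="9999-12-31",  # practically unlimited
        public_key="constructed-public-key-of-R1",
        required_claims=("in-plant-network", "trust-high", "blocked"),
        # valid iff in the plant network AND trusted AND NOT blocked
        validity_condition=("AND", "in-plant-network", "trust-high", ("NAND", "blocked")),
    )
    sign(cert, CA_KEY)
    out = {}
    r3.published.add("in-plant-network")  # R1 asserts "trust-high" without R3 issuing it
    out["self_asserted_claim"] = verify(cert, {"in-plant-network", "trust-high"}, r3, CA_KEY)[0]
    r3.published.add("trust-high")        # R1 fetches its claims (S1/S2), presents them (S3)
    out["initial"] = verify(cert, r3.issued(cert.required_claims), r3, CA_KEY)[0]
    r3.published.add("blocked")           # blocking claim published: next periodic check fails
    out["after_blocking_claim"] = verify(cert, r3.issued(cert.required_claims), r3, CA_KEY)[0]
    r3.published.discard("blocked")
    r3.published.discard("in-plant-network")  # device left the plant network
    out["after_environment_change"] = verify(cert, r3.issued(cert.required_claims), r3, CA_KEY)[0]
    cert.validity_condition = ("AND", "trust-high")  # dropping the NAND breaks the signature
    out["tampered"] = verify(cert, r3.issued(cert.required_claims), r3, CA_KEY)[0]
    return out


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage:>25}: {'valid' if verdict else 'invalid'}")
```

Note that the certificate's "validTo" never changes across the stages: validity is steered entirely by what R3 currently issues, which is the point of combining an unlimited lifetime with claim-gated validity. Because the link chain is inside the signed body, a subscriber cannot weaken its own condition without invalidating the CA signature.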
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201180043126.1A CN103109508B (zh) | 2010-09-07 | 2011-07-22 | Certificate-based authentication method and communication network |
EP11741165.2A EP2594047A1 (de) | 2010-09-07 | 2011-07-22 | Method for certificate-based authentication |
US13/820,811 US9432198B2 (en) | 2010-09-07 | 2011-07-22 | Method for certificate-based authentication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102010044517A DE102010044517A1 (de) | 2010-09-07 | 2010-09-07 | Method for certificate-based authentication |
DE102010044517.7 | 2010-09-07 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012031821A1 (de) | 2012-03-15 |
Family
ID=44509274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2011/062644 WO2012031821A1 (de) | 2010-09-07 | 2011-07-22 | Method for certificate-based authentication |
Country Status (5)
Country | Link |
---|---|
US (1) | US9432198B2 (de) |
EP (1) | EP2594047A1 (de) |
CN (1) | CN103109508B (de) |
DE (1) | DE102010044517A1 (de) |
WO (1) | WO2012031821A1 (de) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9432198B2 (en) | 2010-09-07 | 2016-08-30 | Siemens Aktiengesellschaft | Method for certificate-based authentication |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103716794A (zh) * | 2013-12-25 | 2014-04-09 | 北京握奇数据系统有限公司 | Portable-device-based mutual security authentication method and system |
DE102014000168A1 (de) | 2014-01-02 | 2015-07-02 | Benedikt Burchard | Method for billing an internet service |
CA2966664C (en) | 2014-01-31 | 2018-11-27 | Goldcorp Inc. | Process for separation of at least one metal sulfide from a mixed sulfide ore or concentrate |
EP2958265B1 (de) * | 2014-06-16 | 2017-01-11 | Vodafone GmbH | Revocation of a root certificate stored in a device |
DE102015200209A1 (de) | 2015-01-09 | 2016-07-14 | Wobben Properties Gmbh | Method for authorizing control access to wind turbines, and interface between wind turbines and a certification authority |
US10193699B2 (en) * | 2015-05-15 | 2019-01-29 | Microsoft Technology Licensing, Llc | Probabilistic classifiers for certificates |
EP3208674A1 (de) * | 2016-02-19 | 2017-08-23 | Siemens Aktiengesellschaft | Network system and method for data transmission in a network system |
US10419226B2 (en) | 2016-09-12 | 2019-09-17 | InfoSci, LLC | Systems and methods for device authentication |
US9722803B1 (en) | 2016-09-12 | 2017-08-01 | InfoSci, LLC | Systems and methods for device authentication |
CN106603519B (zh) * | 2016-12-07 | 2019-12-10 | 中国科学院信息工程研究所 | SSL/TLS-encrypted malicious service discovery method based on certificate feature generalization and server transition behavior |
US11463439B2 (en) | 2017-04-21 | 2022-10-04 | Qwerx Inc. | Systems and methods for device authentication and protection of communication on a system on chip |
WO2019045914A1 (en) * | 2017-09-01 | 2019-03-07 | InfoSci, LLC | DEVICE AUTHENTICATION SYSTEMS AND METHODS |
US11729160B2 (en) * | 2019-10-16 | 2023-08-15 | Nutanix, Inc. | System and method for selecting authentication methods for secure transport layer communication |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5995625A (en) * | 1997-03-24 | 1999-11-30 | Certco, Llc | Electronic cryptographic packing |
US6058484A (en) * | 1997-10-09 | 2000-05-02 | International Business Machines Corporation | Systems, methods and computer program products for selection of date limited information |
US7581011B2 (en) * | 2000-12-22 | 2009-08-25 | Oracle International Corporation | Template based workflow definition |
US20070204078A1 (en) * | 2006-02-09 | 2007-08-30 | Intertrust Technologies Corporation | Digital rights management engine systems and methods |
EP2053531B1 (de) * | 2007-10-25 | 2014-07-30 | BlackBerry Limited | Management of authentication certificates for access to a wireless communication device |
US9973491B2 (en) * | 2008-05-16 | 2018-05-15 | Oracle International Corporation | Determining an identity of a third-party user in an SAML implementation of a web-service |
DE102009031817A1 (de) * | 2009-07-03 | 2011-01-05 | Charismathics Gmbh | Method for issuing, verifying and distributing digital certificates for use in public key infrastructures |
US8522335B2 (en) * | 2009-12-01 | 2013-08-27 | International Business Machines Corporation | Token mediation service in a data management system |
DE102010044517A1 (de) | 2010-09-07 | 2012-03-08 | Siemens Aktiengesellschaft | Method for certificate-based authentication |
2010
- 2010-09-07 DE DE102010044517A patent/DE102010044517A1/de not_active Withdrawn
2011
- 2011-07-22 CN CN201180043126.1A patent/CN103109508B/zh active Active
- 2011-07-22 EP EP11741165.2A patent/EP2594047A1/de not_active Ceased
- 2011-07-22 US US13/820,811 patent/US9432198B2/en active Active
- 2011-07-22 WO PCT/EP2011/062644 patent/WO2012031821A1/de active Application Filing
Non-Patent Citations (3)
Title |
---|
ANONYMOUS: "SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0", 10 August 2010 (2010-08-10), pages 1 - 24, XP055016600, Retrieved from the Internet <URL:http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.pdf> [retrieved on 20120116] * |
CANTOR, SCOTT ET AL: "An X.509 Binding for SAML", 17 January 2007 (2007-01-17), pages 1 - 2, XP002667165, Retrieved from the Internet <URL:https://spaces.internet2.edu/display/GS/X509BindingSAML> [retrieved on 20120116] * |
S. FARRELL (Trinity College Dublin), R. HOUSLEY (Vigil Security), S. TURNER (IECA): "An Internet Attribute Certificate Profile for Authorization", RFC 5755, Internet Engineering Task Force (IETF), Internet Society (ISOC), Geneva, Switzerland, 25 January 2010 (2010-01-25), pages 1 - 50, XP015068164 * |
Also Published As
Publication number | Publication date |
---|---|
EP2594047A1 (de) | 2013-05-22 |
US9432198B2 (en) | 2016-08-30 |
US20130173914A1 (en) | 2013-07-04 |
DE102010044517A1 (de) | 2012-03-08 |
CN103109508A (zh) | 2013-05-15 |
CN103109508B (zh) | 2016-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2012031821A1 (de) | | Method for certificate-based authentication |
EP3125492B1 (de) | | Method and system for generating a secure communication channel for terminal devices |
AT513016B1 (de) | | Method and device for controlling a locking mechanism with a mobile terminal |
DE60214632T2 (de) | | Multi-domain authorization and authentication |
EP3287925B1 (de) | | Computer device for transferring a certificate to a device in a plant |
EP2593897B1 (de) | | Method for certificate-based authentication |
DE102011081804B4 (de) | | Method and system for providing device-specific operator data, bound to an authentication credential, for an automation device of an automation plant |
DE60119857T2 (de) | | Method and device for executing secured transactions |
DE102015220228B4 (de) | | Method and system for securing the initial contact of a mobile device with a device |
WO2008022606A1 (de) | | Method for authentication in an automation system |
EP3935808B1 (de) | | Cryptographically protected provisioning of a digital certificate |
EP1468520B1 (de) | | Method for securing data traffic in a mobile network environment |
DE60219915T2 (de) | | Method for securing communications in a computer system |
EP3288215A1 (de) | | Method and device for issuing authenticity certificates, and a security module |
EP3881486B1 (de) | | Method for providing a proof of origin for a digital key pair |
EP4115584B1 (de) | | Secured and documented key access by an application |
EP3906653B1 (de) | | Method for issuing a cryptographically protected authenticity certificate for a user |
DE102017220493A1 (de) | | Method and device for handling authenticity certificates for entities, in particular person-related, service-related and/or object-related digital certificates |
WO2023194051A1 (de) | | Establishing a cryptographically protected connection |
EP4216489A1 (de) | | Method for changing a current access key in a field device of automation technology |
DE102020202879A1 (de) | | Method and device for certifying an application-specific key and for requesting such a certification |
EP4179758A1 (de) | | Authentication of a communication partner at a device |
EP3809661A1 (de) | | Method for authenticating a client device when accessing an application server |
EP4030321A1 (de) | | Authentication of at least one first device at at least one second device |
WO2023217645A1 (de) | | Secured access system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 201180043126.1; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11741165; Country of ref document: EP; Kind code of ref document: A1 |
| REEP | Request for entry into the european phase | Ref document number: 2011741165; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2011741165; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 13820811; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2013115292; Country of ref document: RU; Kind code of ref document: A |