WO2018121249A1 - Method and device for access control based on an SSL protocol - Google Patents


Info

Publication number
WO2018121249A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access request
authentication
certificate
server
Prior art date
Application number
PCT/CN2017/115713
Other languages
English (en)
Chinese (zh)
Inventor
王琪
Original Assignee
中国银联股份有限公司
Priority date
Filing date
Publication date
Application filed by 中国银联股份有限公司 (China UnionPay Co., Ltd.)
Publication of WO2018121249A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to an access control method and apparatus based on an SSL protocol.
  • SSL Secure Sockets Layer
  • TCP Transmission Control Protocol
  • SSL Handshake Protocol: built on top of the SSL record protocol; it authenticates identities, negotiates encryption algorithms, and exchanges encryption keys before the actual data transmission begins.
  • the SSL protocol is divided into one-way authentication and two-way authentication.
  • One-way authentication requires the server to provide a digital certificate to the client, and the client authenticates the server.
  • Two-way authentication requires both the client and the server to provide a digital certificate to each other and verify the digital certificate of the other party.
  • in the prior art, one server (unique IP address and port) provides external SSL services using mostly a single authentication method, either one-way authentication or two-way authentication;
  • the authentication system therefore needs to be set up separately for each authentication method, and resource utilization efficiency is low.
  • the embodiment of the invention provides an SSL protocol-based access control method and device, which solve the prior-art problem that the authentication system must be set up separately for different authentication modes and that resource utilization efficiency is low.
  • the SSL protocol-based access control method includes: an ingress server (also referred to below as the portal server) receiving an access request sent by a terminal; the ingress server determining the secure socket layer (SSL) authentication mode corresponding to the access request; and, if that mode is two-way authentication, the ingress server performing two-way authentication with the terminal and, after it passes, adding the identifier information of the terminal to the access request and sending the request to the background server, where the background server is configured to determine the access rights of the terminal according to whether the access request carries the identifier information of the terminal.
  • the ingress server performing two-way authentication with the terminal includes: the ingress server sending its own certificate to the terminal and receiving the terminal's authentication result for the ingress server; the ingress server sending a certificate acquisition request to the terminal; the ingress server receiving the terminal certificate sent by the terminal, which includes the identifier information of the terminal; and the ingress server completing authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained by: the terminal generating a certificate signing request (CSR) file according to the identifier information of the terminal; the terminal sending the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receiving the terminal certificate sent by the certificate authority.
  • the ingress server determining the SSL authentication mode corresponding to the access request includes: the ingress server receiving the access request sent by the terminal, where the access request includes a port number; and the ingress server determining, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the portal server receiving the access request sent by the terminal includes the ingress server receiving an https request sent by the terminal; and the portal server adding the identifier information of the terminal to the access request and sending it to the background server includes: the portal server converting the https request into an http request and inserting the identification information of the terminal in the header of the http request; and the portal server sending the http request carrying the identification information to the background server.
  • the embodiment of the present invention further provides an access control method based on SSL authentication, which includes: a background server receiving an access request sent by an ingress server; the background server determining the SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal; the background server verifying the terminal according to the SSL authentication mode corresponding to the access request; and the background server processing the access request after the terminal passes verification and sending the processing result to the portal server.
  • the background server verifying the terminal according to the SSL authentication mode corresponding to the access request includes: if the SSL authentication mode is one-way authentication, the access request includes the login account and password of the terminal, and the background server verifies whether the login account and password match; if the SSL authentication mode is two-way authentication, the packet header of the access request includes the identification information of the terminal, and the background server verifies whether that identification information is already registered.
  • an embodiment of the present invention provides an access control device based on the SSL protocol, including: an ingress transceiver module, configured to receive an access request sent by a terminal; an ingress authentication module, configured to determine the SSL authentication mode corresponding to the access request; and an ingress processing module, configured to add the identification information of the terminal to the access request after two-way authentication is passed; the ingress transceiver module is further configured to send the request carrying the identification information to the background server, and the background server is configured to determine the access authority of the terminal according to whether the access request carries the identification information of the terminal.
  • the ingress transceiver module is configured to: send the certificate of the ingress server to the terminal and receive the terminal's authentication result for the ingress server; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, which includes the identifier information of the terminal; the ingress processing module is specifically configured to complete authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained by: the terminal generating a certificate signing request (CSR) file according to the identifier information of the terminal; the terminal sending the CSR to a certificate authority, which generates the terminal certificate according to the CSR; and the terminal receiving the terminal certificate sent by the certificate authority.
  • the access request includes a port number, and the ingress authentication module is configured to determine, according to the port number, whether the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the ingress transceiver module is configured to receive an https request sent by the terminal; the ingress processing module is specifically configured to convert the https request into an http request and insert the identifier information of the terminal in the header of the http request; and the ingress transceiver module is configured to send the http request carrying the identifier information to the background server.
  • an embodiment of the present invention provides an access control apparatus based on SSL authentication, including:
  • a background transceiver module configured to receive an access request sent by the portal server;
  • a background authentication module configured to determine the SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal;
  • a background processing module configured to verify the terminal according to the SSL authentication mode corresponding to the access request;
  • the background processing module is further configured to process the access request after verifying the pass of the terminal;
  • the background transceiver module is further configured to send a processing result to the portal server.
  • the background processing module is further configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, verify whether the login account and the password match; if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identifier information of the terminal, verify whether the identifier information of the terminal is already registered.
  • an embodiment of the present application provides an electronic device, including a transceiver, a processor, a memory, and a communication interface, wherein the transceiver, the processor, the memory, and the communication interface are connected through a bus;
  • the transceiver is configured to receive an access request sent by the terminal and to send the access request to a background server, where the background server is configured to determine the access rights of the terminal according to whether the access request carries the identifier information of the terminal;
  • the processor is configured to read a program in the memory and perform the following method:
  • the memory is configured to store one or more executable programs, and may store data used by the processor when performing operations.
  • an embodiment of the present application provides an electronic device, including a transceiver, a processor, a memory, and a communication interface, wherein the transceiver, the processor, the memory, and the communication interface are connected through a bus;
  • the transceiver is configured to receive an access request sent by an ingress server and to send a processing result to the ingress server;
  • the processor is configured to read a program in the memory, and execute the following method:
  • the memory is configured to store one or more executable programs, and may store data used by the processor when performing operations.
  • the embodiment of the present application provides a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of the first aspect or of any possible implementation of the first aspect, or for causing the computer to perform the method of the second aspect or of any possible implementation of the second aspect.
  • an embodiment of the present application provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect.
  • the ingress server receives the access request sent by the terminal and determines, according to the access request, whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the ingress server and the terminal perform mutual authentication; after it passes, the ingress server adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the background server. Since two-way authentication provides a stronger security guarantee for terminal access and one-way authentication is less secure than two-way authentication, the permissions of the corresponding access requests differ by authentication method.
  • the background server may determine the SSL authentication mode between the terminal and the portal server according to whether the access request carries the identifier information of the terminal, and thereby determine the access authority of the terminal.
  • the SSL mutual authentication system and the SSL one-way authentication system can thus be set up on the same backend server (unique IP address and port), which improves the flexibility of the background server in processing access requests, saves server resources, and solves the problem described above.
  • FIG. 1 is a schematic diagram of a system architecture to which an embodiment of the present invention is applied.
  • FIG. 2 is a flowchart of an access control method based on the SSL protocol according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of an SSL-based access control method in which the SSL authentication mode is one-way authentication, according to Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of an SSL-based access control method in which the SSL authentication mode is two-way authentication, according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic structural diagram of an access control apparatus based on the SSL protocol according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another access control apparatus based on the SSL protocol according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • a system architecture applicable to an embodiment of the present invention includes a terminal 101, an ingress server 102, and a background server 103.
  • the terminal 101 may be an electronic device with a wireless communication function, such as a mobile phone, a tablet computer, or a dedicated handheld device, or may be a device connected to the Internet by a wired access method such as a personal computer (PC), a notebook computer, or a server.
  • the ingress server 102 can be a network device such as a computer.
  • the portal server 102 is an F5 server that provides the Internet access portals and load balancing across those portals.
  • the different SSL authentication modes may be handled by different portal servers 102, that is, one portal server 102 handles one-way authentication and another portal server 102 handles mutual authentication; or they may be handled by different ports of the same portal server 102, that is, one port on the ingress server 102 handles one-way authentication and another port on the same ingress server 102 handles two-way authentication.
  • the background server 103 can be a stand-alone device or a server cluster formed by multiple servers, and processes the access request sent by the terminal. If the background server 103 consists of multiple servers, the application system deployed on each background server is identical, that is, each background server can process both the access requests corresponding to two-way authentication and those corresponding to one-way authentication.
  • the portal server 102 and the background server 103 can employ cloud computing technology for information processing.
  • the terminal 101 can communicate with the server 102 through the Internet, or through a mobile communication system such as the Global System for Mobile Communications (GSM) or a Long Term Evolution (LTE) system.
  • GSM Global System for Mobile Communications
  • LTE Long Term Evolution
  • FIG. 2 is a schematic flowchart diagram of an access control method based on the SSL protocol provided by an embodiment of the present invention.
  • the access control method provided by an embodiment of the present invention includes the following steps:
  • Step 201 The ingress server receives an access request sent by the terminal.
  • Step 202 The ingress server determines a secure socket layer SSL authentication mode corresponding to the access request.
  • Step 203 If the SSL authentication mode is two-way authentication, the portal server performs two-way authentication with the terminal and, after it passes, adds the identification information of the terminal to the access request and sends the request to the background server, which determines the access right of the terminal according to whether the request carries the identification information of the terminal.
  • when a user browses or manages network resources, the browser on the terminal sends an access request to the server, and the server replies to the terminal with the requested information based on the access request.
  • the information transmitted between the browser of the terminal and the server may be based on HTTP (Hypertext Transfer Protocol).
  • HTTP Hypertext Transfer Protocol
  • the SSL protocol is added to HTTP, that is, HTTP becomes HTTPS (Hypertext Transfer Protocol over Secure Socket Layer).
  • the portal server receives the access request sent by the terminal, including:
  • the portal server receives an https request sent by the terminal.
  • HTTP is a standard for requesting and responding between a client and a server.
  • the client is installed on the terminal, and the server can be a website.
  • the client initiates an HTTP request to the specified port on the server.
  • Resources are stored on the server, such as HTML (HyperText Markup Language) files and images.
  • a request is initiated by the client to establish a TCP connection to the server's designated port.
  • the HTTP server listens on the port for requests sent by the client. After processing the received request, the server replies with a response message to the client, and the content of the response message may be a file requested by the client, an error message, or some other information.
  • HTTP sends messages in clear text and provides no means of data encryption, so its security is very low: if an attacker intercepts a message transmitted between the browser and the server, the information can be read directly.
  • HTTPS Hypertext Transfer Protocol over Secure Sockets Layer
  • SSL relies on digital certificates to verify the identity of the server or client and encrypt the communication between the client and the server.
  • after the portal server receives the access request sent by the terminal, since the access request is based on HTTPS, the portal server needs to determine from the access request how the digital certificate is to be authenticated.
  • digital certificate authentication is divided into two modes, two-way authentication and one-way authentication, and digital certificates for both two-way authentication and one-way authentication are required on the ingress server.
  • the two-way authenticated digital certificate and the one-way authenticated digital certificate can be configured in different entry servers, such that one ingress server only processes the access request corresponding to the two-way authentication, and the other ingress server only processes the access request corresponding to the one-way authentication.
  • access requests of different authentication modes are sent to the corresponding ingress server according to different IP addresses or different network domain names, that is, the access request corresponding to mutual authentication is sent, according to the IP address of the ingress server that processes mutual authentication, to that ingress server; and the access request corresponding to one-way authentication is sent, according to the IP address of the ingress server that processes one-way authentication, to that ingress server.
  • alternatively, the digital certificates for two-way authentication and one-way authentication are both configured on a single ingress server, and the authentication mode corresponding to the access request is distinguished by different ports.
  • the ingress server determines the SSL authentication mode corresponding to the access request, including:
  • the ingress server receives the access request sent by the terminal, where the access request includes a port number;
  • the ingress server determines, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the server or port corresponding to two-way authentication differs from the server or port corresponding to one-way authentication. That is, if the authentication mode corresponding to the client is two-way authentication, the access request initiated by the client is sent directly to the server or port corresponding to mutual authentication; if the authentication mode corresponding to the client is one-way authentication, the access request initiated by the client is sent to the server or port corresponding to one-way authentication. Therefore, when the same ingress server receives an access request sent by the terminal, it can determine the SSL authentication mode corresponding to the access request according to the port number carried in the access request.
  • after the SSL authentication mode has been determined to be two-way authentication or one-way authentication, the ingress server performs SSL authentication with the client.
  • the ingress server performs mutual authentication with the terminal, including:
  • the portal server sends the certificate of the portal server to the terminal and receives an authentication result of the terminal to the portal server;
  • the portal server sends a certificate acquisition request to the terminal and receives the terminal certificate sent by the terminal, which includes the identifier information of the terminal;
  • the portal server completes authentication of the terminal according to the terminal certificate.
  • the ingress server determines that the authentication mode corresponding to the access request sent by the terminal is two-way authentication and sends the certificate of the ingress server to the terminal; the terminal authenticates the certificate of the ingress server. Because the mode is two-way authentication, the ingress server then sends the terminal a request to obtain the terminal certificate. After receiving the certificate of the terminal, the portal server verifies it, thereby completing SSL mutual authentication between the ingress server and the terminal.
  • for one-way authentication, the ingress server only needs to send its digital certificate to the terminal so that the client verifies the certificate of the ingress server; the terminal does not need to send its certificate to the ingress server.
  • the difference between the two SSL authentication methods is that in two-way authentication the terminal sends its certificate to the server, whereas in one-way authentication it does not. Therefore, in the embodiment of the present invention, in two-way authentication the terminal sends the ingress server its certificate, which carries the identifier information of the terminal; the ingress server adds the identification information obtained from it to the access request and sends the request to the background server, so that the background server can obtain the identification information of the terminal from an access request corresponding to mutual authentication.
  • in one-way authentication, the ingress server sends its certificate to the terminal and the terminal does not need to send its certificate to the ingress server, so the ingress server does not obtain the identification information of the terminal; therefore, in the case of one-way authentication, the access request sent by the portal server to the background server does not carry the identification information of the terminal.
  • the background server can determine whether the authentication method corresponding to the access request is two-way authentication or one-way authentication according to whether the access request carries the identifier information of the terminal, thereby determining the authority corresponding to the access request.
  • the terminal generates a certificate signing request (CSR) file according to the identification information of the terminal and sends it to the certificate authority;
  • the terminal receives the terminal certificate sent by the certificate authority.
  • the terminal generates a private key file and a CSR (Certificate Signing Request) file using a unique identifier of the terminal, such as its MAC (Media Access Control) address or its serial number, and sends the CSR file to the certificate authority.
  • the certificate authority signs the CSR file with the private key of the certificate authority and generates the certificate (public key) file, that is, the certificate issued to the user terminal, and sends this terminal certificate back to the terminal; the terminal certificate can then be used to authenticate the terminal.
  • the terminal certificate carries the identification information of the terminal, and the terminal sends the terminal certificate to the portal server, and the portal server can obtain the identifier information of the terminal from the terminal certificate and add it to the access request.
  • the portal server adds the identification information of the terminal to the access request and sends the information to the background server, including:
  • the ingress server converts the https request into an http request, and inserts the identification information of the terminal in a packet header of the http request;
  • the portal server sends the http request carrying the identification information to the background server.
  • HTTPS is a more secure communication protocol than HTTP
  • HTTPS requires the background server to process the certificate sent by the other party, which increases its workload. Since the connection between the ingress server and the backend server is an intranet connection, its security is already high and the communication does not need to be encrypted; therefore the ingress server converts the https request into an http request and sends it to the background server. At the same time, if the authentication mode corresponding to the access request is two-way authentication, the ingress server adds the identification information of the terminal to the http request, so that the background server can determine from that identification information that the authentication mode corresponding to the access request is mutual authentication.
  • after receiving the access request, the background server processes the access request according to the authentication mode corresponding to the access request, which specifically includes:
  • the background server receives the access request sent by the portal server;
  • the background server verifies the terminal according to the SSL authentication mode corresponding to the access request;
  • after the terminal passes verification, the background server processes the access request and sends the processing result to the portal server.
  • the SSL authentication mode is either two-way authentication or one-way authentication.
  • the background server verifies the terminal differently depending on the authentication mode of the access request.
  • if the SSL authentication mode is one-way authentication, the access request includes a login account and a password of the terminal, and the background server verifies whether the login account and the password match.
  • the background server verifies whether the login account and password carried in the access request are correct and match each other, and returns the processing result to the terminal according to the source address.
  • if the SSL authentication mode is two-way authentication, the packet header of the access request includes the identifier information of the terminal, and the background server verifies whether the identifier information of the terminal is already registered.
  • the background server registers the identification information of the terminal in advance. When the terminal later sends an access request, the background server checks whether the identification information of the terminal carried in the access request is stored in the background server; if so, the access request passes verification, otherwise it does not.
  • the SSL authentication mode in the first embodiment is one-way authentication.
  • the specific steps are as shown in FIG. 3, including:
  • Step 301 The terminal sends an https request to the portal server, where the https request includes a login account, a password and an access address, that is, a port number.
  • the login account, password and port number are obtained from the portal server when the terminal is registered.
  • Step 302 The portal server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is one-way authentication.
  • Step 303 The portal server sends the certificate of the portal server to the terminal.
  • Step 304 After receiving the verification pass message fed back by the terminal, the portal server converts the https request into an http request.
  • Step 305 The portal server sends the http request to the background server.
  • Step 306 The background server determines that the authentication mode corresponding to the http request is one-way authentication, because the http request does not include the identifier information of the terminal.
  • Step 307 The background server processes the http request.
  • Step 308 The background server sends the processing result to the portal server.
  • Step 309 The portal server sends the processing result to the terminal.
  • the SSL authentication mode in the second embodiment is two-way authentication. The specific steps are as shown in Figure 4.
  • Step 401 The terminal sends an https request to the portal server, where the https request includes an access address, that is, a port number.
  • Step 402 The portal server determines, according to the port number in the https request, that the SSL authentication mode corresponding to the https request is two-way authentication.
  • Step 403 The portal server sends the certificate of the portal server to the terminal.
  • Step 404 The terminal verifies the certificate of the portal server, and feeds back the verification result to the portal server.
  • Step 405 After receiving the verification pass message fed back by the terminal, the portal server sends a certificate request to the terminal.
  • Step 406 The terminal sends the terminal certificate to the portal server, where the terminal certificate includes the identifier information of the terminal.
  • Step 407 After the portal server verifies the terminal certificate, the https request is converted into an http request, and the identifier information of the terminal is added to the http request.
  • Step 408 The portal server sends the http request to the background server.
  • Step 409 The background server determines, according to the identifier information of the terminal in the http request, that the authentication mode corresponding to the http request is two-way authentication.
  • Step 410 The background server processes the http request.
  • Step 411 The background server sends the processing result to the portal server.
  • Step 412 The portal server sends the processing result to the terminal.
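The request flow of both embodiments above, reduced to the decisions the portal server and the background server make, as an added Go example that is not part of the patent: the SSL mode is chosen from the receiving port (steps 302/402), the https request becomes an http request that carries the terminal identifier only after a successful two-way authentication (steps 304/407), and the background server infers the mode from the presence of that header and verifies the terminal accordingly (steps 306-307/409-410). The header name X-Terminal-Id, the ports 8443 and 9443, and the sample account and terminal identifier are constructed assumptions; the portal's check of the terminal certificate is represented by the CertVerified flag rather than a real TLS handshake.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Assumed header name carrying the terminal identifier from the portal server
// to the background server; the text only says "a packet header".
const terminalIDHeader = "X-Terminal-Id"

// Assumed port layout: the portal server listens on one port per SSL mode.
const (
	portOneWay = 8443
	portTwoWay = 9443
)

// TerminalRequest is what the portal server sees after TLS termination.
// CertVerified and TerminalID stand in for the terminal certificate presented
// during two-way authentication and the portal's own check of it.
type TerminalRequest struct {
	Port         int
	CertVerified bool
	TerminalID   string
	Header       http.Header
}

// twoWayPort maps the receiving port to the SSL authentication mode
// (steps 302 and 402): true for two-way, false for one-way.
func twoWayPort(port int) (bool, error) {
	switch port {
	case portOneWay:
		return false, nil
	case portTwoWay:
		return true, nil
	}
	return false, fmt.Errorf("no SSL authentication mode for port %d", port)
}

// ingressToBackend builds the http headers forwarded to the background server
// (steps 304 and 407). Any terminal-supplied copy of the identifier header is
// dropped first, so the header is present only when the portal server itself
// inserted it after a successful two-way authentication.
func ingressToBackend(req TerminalRequest) (http.Header, error) {
	twoWay, err := twoWayPort(req.Port)
	if err != nil {
		return nil, err
	}
	out := req.Header.Clone()
	if out == nil {
		out = http.Header{}
	}
	out.Del(terminalIDHeader)
	if twoWay {
		if !req.CertVerified || req.TerminalID == "" {
			return nil, errors.New("two-way port but no verified terminal certificate")
		}
		out.Set(terminalIDHeader, req.TerminalID)
	}
	return out, nil
}

// Backend holds the background server's state: terminal identifiers
// registered in advance (two-way) and account passwords (one-way).
type Backend struct {
	Registered map[string]bool
	Accounts   map[string]string
}

// handle infers the mode from the presence of the identifier header
// (steps 306 and 409) and verifies the terminal accordingly: registration
// of the identifier for two-way, account/password match for one-way.
func (b Backend) handle(hdr http.Header, body url.Values) (string, error) {
	if id := hdr.Get(terminalIDHeader); id != "" {
		if !b.Registered[id] {
			return "", fmt.Errorf("two-way: terminal %q is not registered", id)
		}
		return "two-way ok: " + id, nil
	}
	acct, pw := body.Get("account"), body.Get("password")
	want, known := b.Accounts[acct]
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(pw)) != 1 {
		return "", errors.New("one-way: login account and password do not match")
	}
	return "one-way ok: " + acct, nil
}

func main() {
	// Constructed sample data: one registered terminal and one account.
	b := Backend{Registered: map[string]bool{"POS-0001": true}, Accounts: map[string]string{"alice": "s3cret"}}
	hdr, err := ingressToBackend(TerminalRequest{Port: portTwoWay, CertVerified: true, TerminalID: "POS-0001"})
	if err != nil {
		panic(err)
	}
	fmt.Println(b.handle(hdr, nil))
}
```

Because the background server treats the presence of the identifier header as proof that two-way authentication succeeded, the portal server in this example removes any copy of that header arriving from the terminal before deciding whether to insert its own; that step is an assumption of the example rather than something the text spells out, and it is what keeps the header meaningful on the one-way port as well.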
  • the embodiment of the present invention further provides an apparatus for access control based on the SSL protocol. As shown in FIG. 5, the apparatus includes:
  • the ingress transceiver module 501 is configured to receive an access request sent by the terminal.
  • the ingress authentication module 502 is configured to determine an SSL authentication mode corresponding to the access request.
  • the ingress processing module 503 is configured to, if the SSL authentication mode is two-way authentication, add the identifier information of the terminal to the access request after mutual authentication with the terminal succeeds.
  • the ingress transceiver module 501 is further configured to send the access request to the background server, where the background server is configured to determine the access authority of the terminal according to whether the access request carries the identification information of the terminal.
  • the ingress transceiver module 501 is specifically configured to: send the certificate of the portal server to the terminal and receive the result of the terminal's verification of that certificate; send a certificate request to the terminal; and receive the terminal certificate sent by the terminal, where the terminal certificate includes the identifier information of the terminal;
  • the ingress processing module 503 is specifically configured to complete authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained by:
  • the terminal generates a certificate request CSR file according to the identification information of the terminal and sends the CSR to a certificate authority, which generates the terminal certificate according to the CSR;
  • the terminal receives the terminal certificate sent by the certificate authority.
  • the access request includes a port number
  • the ingress authentication module 502 is configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the ingress transceiver module 501 is configured to receive an https request sent by the terminal.
  • the ingress processing module 503 is configured to: convert the https request into an http request, and insert the identifier information of the terminal in a packet header of the http request;
  • the ingress transceiver module 501 is configured to send the http request that adds the identifier information to the background server.
  • Another access control device based on SSL authentication includes:
  • the background transceiver module 601 is configured to receive an access request sent by the portal server;
  • the background authentication module 602 is configured to determine an SSL authentication mode corresponding to the access request according to whether the access request includes the identifier information of the terminal.
  • the background processing module 603 is configured to perform verification on the terminal according to the SSL authentication mode corresponding to the access request.
  • the background processing module 603 is further configured to process the access request after the terminal passes verification;
  • the background transceiver module 601 is further configured to send a processing result to the portal server.
  • the background processing module 603 is further configured to:
  • if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, and verify whether the login account and the password match;
  • if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identifier information of the terminal, and verify whether the identifier information of the terminal is already registered.
  • FIG. 7 is a schematic structural diagram of an electronic device provided by the present application.
  • the electronic device 700 includes a transceiver 701, a processor 702, a memory 703, and a communication interface 704; wherein the transceiver 701, the processor 702, the memory 703, and the communication interface 704 are connected to one another via a bus 705.
  • the memory 703 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 703 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a flash memory, hard disk drive (HDD) or solid-state drive (SSD); it can also be any combination of one or more of the above-described volatile and non-volatile memories.
  • the memory 703 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
  • Operation instructions: include various operation instructions for implementing various operations.
  • Operating system: includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
  • the bus 705 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 7, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 704 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 702 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It can also be a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL) or any combination thereof.
  • the transceiver 701 is configured to receive an access request sent by the terminal, and send the access request to the background server, where the background server is configured to determine the access authority of the terminal according to whether the access request carries the identification information of the terminal;
  • the processor 702 is configured to read a program in the memory 703 and perform the following methods:
  • the memory 703 is configured to store one or more executable programs, and may store data used by the processor 702 when performing operations.
  • the transceiver 701 is specifically configured to: send a certificate of the electronic device to the terminal and receive the result of the terminal's verification of the electronic device; send a certificate acquisition request to the terminal; and receive the terminal certificate sent by the terminal, where the terminal certificate includes the identification information of the terminal; and the processor 702 is specifically configured to complete the authentication of the terminal according to the terminal certificate.
  • the terminal certificate is obtained by: the terminal generating a certificate request CSR file according to the identifier information of the terminal; the terminal sending the CSR to a certificate authority, so that the certificate authority generates the terminal certificate according to the CSR; and the terminal receiving the terminal certificate sent by the certificate authority.
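The certificate issuance described at several points above (the terminal generates a CSR carrying its identifier, the certificate authority signs it with its private key, and the portal server authenticates the terminal from the resulting certificate and reads the identifier out of it), as an added Go example built on the standard crypto/x509 package; it is not code from the patent. It assumes ECDSA P-256 keys, a single self-signed CA that the portal trusts, and the identifier placed in the subject Common Name, none of which the text specifies; the sample identifier POS-0001 is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demonstration on plumbing errors (key generation, DER encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA key and certificate for the demonstration.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Terminal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// terminalCSR is the terminal side: a new key pair and a CSR whose subject CN carries the identifier (placement assumed).
func terminalCSR(terminalID string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: terminalID}}, key)
	must(err)
	return csr
}

// caSign is the certificate authority side: check the CSR's self-signature
// (proof of key possession), then issue a client-authentication certificate.
func caSign(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject, // identifier copied from the CSR
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// portalTerminalID is the portal server side: accept the certificate only if it
// chains to the trusted CA and is valid for client auth, then return its identifier.
func portalTerminalID(caCert *x509.Certificate, leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// issueAndExtract runs the whole flow for one terminal identifier.
func issueAndExtract(terminalID string) (string, error) {
	caKey, caCert := newCA()
	leaf, err := caSign(caKey, caCert, terminalCSR(terminalID))
	if err != nil {
		return "", err
	}
	return portalTerminalID(caCert, leaf)
}

func main() {
	fmt.Println(issueAndExtract("POS-0001"))
}
```

caSign verifies the CSR's own signature before issuing, and portalTerminalID accepts only certificates that chain to the trusted CA and carry the client-authentication extended key usage, so an identifier is returned only from a certificate that CA actually issued. A production portal would additionally reject an empty identifier and consult revocation information, both of which this example leaves out.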
  • the access request includes a port number
  • the processor 702 is configured to determine, according to the port number, that the SSL authentication mode corresponding to the access request is two-way authentication or one-way authentication.
  • the transceiver 701 is configured to receive an https request sent by the terminal and to send the http request carrying the identifier information to the background server, where the processor 702 is specifically configured to convert the https request into an http request and insert the identification information of the terminal in the header of the http request.
  • the electronic device receives the access request sent by the terminal and determines, according to the access request, whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the electronic device and the terminal perform mutual authentication. After the two-way authentication is passed, the electronic device adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the background server. Since two-way authentication provides a stronger security guarantee for terminal access than one-way authentication, the permissions of the corresponding access request differ between the two authentication methods.
  • the background server may determine the SSL authentication mode between the terminal and the electronic device according to whether the access request carries the identification information of the terminal, and thereby determine the access authority of the terminal.
  • the SSL two-way authentication system and the SSL one-way authentication system can be set on the same background server (a single IP address and port), which improves the flexibility of the background server in processing access requests, saves server resources, and solves the problem of low resource utilization caused by setting up separate authentication systems for different authentication methods in the prior art.
  • FIG. 8 is a schematic structural diagram of an electronic device provided by the present application.
  • the electronic device 800 includes a transceiver 801, a processor 802, a memory 803, and a communication interface 804; wherein the transceiver 801, the processor 802, the memory 803, and the communication interface 804 are connected to one another via a bus 805.
  • the memory 803 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 803 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a flash memory, hard disk drive (HDD) or solid-state drive (SSD); it can also be any combination of one or more of the above-described volatile and non-volatile memories.
  • the memory 803 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
  • Operation instructions: include various operation instructions for implementing various operations.
  • Operating system: includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
  • the bus 805 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 8, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 804 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 802 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It can also be a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL) or any combination.
  • the transceiver 801 is configured to receive an access request sent by the portal server, and to send a processing result to the portal server.
  • the processor 802 is configured to read a program in the memory 803 and perform the following methods:
  • the memory 803 is configured to store one or more executable programs, and may store data used by the processor 802 when performing operations.
  • the processor 802 is further configured to: if the SSL authentication mode corresponding to the access request is one-way authentication, the access request includes a login account and a password of the terminal, and verify whether the login account and the password match; if the SSL authentication mode corresponding to the access request is two-way authentication, the packet header of the access request includes the identifier information of the terminal, and verify whether the identifier information of the terminal is already registered.
  • the portal server receives the access request sent by the terminal and determines, according to the access request, whether the corresponding SSL authentication mode is two-way authentication or one-way authentication. If the SSL authentication mode of the access request is two-way authentication, the portal server and the terminal perform mutual authentication. After the two-way authentication is passed, the portal server adds the identification information of the terminal to the access request and sends the access request carrying the identification information to the electronic device. Since two-way authentication provides a stronger security guarantee for terminal access than one-way authentication, the permissions of the corresponding access request differ between the two authentication methods.
  • the electronic device may determine the SSL authentication mode between the terminal and the portal server according to whether the access request carries the identifier information of the terminal, and thereby determine the access authority of the terminal.
  • the SSL two-way authentication system and the SSL one-way authentication system can be set on the same electronic device (a single IP address and port), which improves the flexibility of the electronic device in processing access requests, saves server resources, and solves the problem of low resource utilization caused by setting up separate authentication systems for different authentication methods in the prior art.
  • embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.


Abstract

The invention relates to the field of telecommunications, and in particular to an access control method and device based on the Secure Sockets Layer (SSL) protocol. The method comprises the following steps: a portal server receives an access request from a terminal; the portal server determines an SSL authentication method corresponding to the access request; if two-way authentication is determined, after two-way authentication has been completed successfully between the portal server and the terminal, the portal server adds identifier information of the terminal to the access request and sends it to a background server; and the background server determines, according to whether or not the access request contains the identifier information of the terminal, an access permission of the terminal. The invention is used to solve a problem of low resource utilization efficiency caused by the establishment of separate authentication systems for different authentication methods in the prior art.
PCT/CN2017/115713 2016-12-30 2017-12-12 Procédé et dispositif de contrôle d'accès basés sur un protocole ssl WO2018121249A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611264199.4 2016-12-30
CN201611264199.4A CN106790194B (zh) 2016-12-30 2016-12-30 一种基于ssl协议的访问控制方法及装置

Publications (1)

Publication Number Publication Date
WO2018121249A1 true WO2018121249A1 (fr) 2018-07-05

Family

ID=58951407

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/115713 WO2018121249A1 (fr) 2016-12-30 2017-12-12 Procédé et dispositif de contrôle d'accès basés sur un protocole ssl

Country Status (2)

Country Link
CN (1) CN106790194B (fr)
WO (1) WO2018121249A1 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111222121A (zh) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 一种嵌入式设备授权管理方法
CN112019339A (zh) * 2019-05-31 2020-12-01 西安理邦科学仪器有限公司 一种数字证书自动分发方法及装置
CN112511550A (zh) * 2020-12-02 2021-03-16 迈普通信技术股份有限公司 通信方法、装置、电子设备及存储介质
CN112770317A (zh) * 2020-12-31 2021-05-07 上海遨有信息技术有限公司 一种用于泛在电力物联网的感知层安全接入鉴权方法
CN113179323A (zh) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 用于负载均衡设备的https请求处理方法、装置及系统
CN113364795A (zh) * 2021-06-18 2021-09-07 北京天空卫士网络安全技术有限公司 一种数据传输方法和代理服务器
CN114513362A (zh) * 2022-02-22 2022-05-17 中国银行股份有限公司 基于tls协议的长连接通讯处理方法及装置
CN114531467A (zh) * 2020-11-04 2022-05-24 中移(苏州)软件技术有限公司 一种信息处理方法、设备和系统
CN114785611A (zh) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 一种用于智能监控终端的通讯协议配置方法、设备及介质
EP4161012A4 (fr) * 2020-05-27 2023-11-08 Hangzhou Hikvision Digital Technology Co., Ltd. Procédé et appareil d'authentification, dispositif électronique, serveur, programme et support de stockage

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790194B (zh) * 2016-12-30 2020-06-19 中国银联股份有限公司 一种基于ssl协议的访问控制方法及装置
CN107241428B (zh) * 2017-06-30 2019-11-26 北京百度网讯科技有限公司 一种在基于容器的共享虚拟主机中实现https的方法和装置
CN109587097A (zh) * 2017-09-29 2019-04-05 阿里巴巴集团控股有限公司 一种实现安全访问内部网络的系统、方法和装置
CN107911398B (zh) * 2018-01-04 2020-12-15 世纪龙信息网络有限责任公司 身份信息的认证方法、装置以及系统
CN108989290A (zh) * 2018-06-21 2018-12-11 上海二三四五网络科技有限公司 一种在外网中实现服务器网络访问限制的控制方法及控制装置
CN110399713B (zh) * 2018-07-27 2024-06-25 腾讯科技(北京)有限公司 一种信息认证的方法及相关装置
CN111343126A (zh) * 2018-12-18 2020-06-26 武汉信安珞珈科技有限公司 一种处理数字证书申请的方法和系统
CN111491296A (zh) * 2019-01-28 2020-08-04 上海擎感智能科技有限公司 基于Marathon LB的访问认证方法及系统、服务器、车机客户端
CN111491298A (zh) * 2019-01-28 2020-08-04 上海擎感智能科技有限公司 基于emqtt服务器访问的认证方法及系统、服务器、客户端
CN110012016B (zh) * 2019-04-10 2021-04-27 山东师创云服务有限公司 混合云环境中资源访问控制的方法及系统
CN112118206B (zh) * 2019-06-19 2022-04-12 贵州白山云科技股份有限公司 一种解密方法、装置、系统、介质及设备
CN112312389B (zh) * 2019-07-29 2022-05-06 中国移动通信集团广东有限公司 通信信息传输方法、装置及存储介质、电子设备
CN111818100B (zh) * 2020-09-04 2021-02-02 腾讯科技(深圳)有限公司 一种跨网配置通道的方法、相关设备及存储介质
CN112468969A (zh) * 2020-12-11 2021-03-09 北京中交国通智能交通系统技术有限公司 基于位置信息的etc安全认证设备授权方法、装置及系统
CN112512040B (zh) * 2020-12-11 2024-08-13 北京中交国通智能交通系统技术有限公司 高适应性的etc安全认证设备授权方法、装置及系统
CN114531303B (zh) * 2022-04-24 2022-07-12 北京天维信通科技有限公司 一种服务器端口隐藏方法及系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883106A (zh) * 2010-06-30 2010-11-10 赛尔网络有限公司 基于数字证书的网络接入认证方法和网络接入认证服务器
EP2341724A2 (fr) * 2010-01-04 2011-07-06 Tata Consultancy Services Limited Système et procédé de transaction sécurisée de données entre un dispositif de communication sans fil et un serveur
CN103179565A (zh) * 2011-12-23 2013-06-26 中国银联股份有限公司 基于瘦终端模式的安全性信息交互系统、终端、服务器及方法
CN103685187A (zh) * 2012-09-14 2014-03-26 华耀(中国)科技有限公司 一种按需转换ssl认证方式以实现资源访问控制的方法
CN104735058A (zh) * 2015-03-04 2015-06-24 深信服网络科技(深圳)有限公司 一种基于安全协议ssl的加密方法及系统
CN106790194A (zh) * 2016-12-30 2017-05-31 中国银联股份有限公司 一种基于ssl协议的访问控制方法及装置

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150406B (zh) * 2006-09-18 2011-06-08 华为技术有限公司 基于802.1x协议的网络设备认证方法及系统及相关装置
CN101800639A (zh) * 2009-02-09 2010-08-11 华为终端有限公司 一种实现网银业务的方法、系统和设备
CN103684768A (zh) * 2012-09-10 2014-03-26 中国银联股份有限公司 一种pos系统以及在pos系统内进行双向认证的方法
CN104700261B (zh) * 2013-12-10 2018-11-27 中国银联股份有限公司 Pos终端的安全入网初始化方法及其系统
CN104954123A (zh) * 2014-03-28 2015-09-30 中国银联股份有限公司 智能pos终端主密钥更新系统及更新方法
CN104639534B (zh) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 网站安全信息的加载方法和浏览器装置

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2341724A2 (fr) * 2010-01-04 2011-07-06 Tata Consultancy Services Limited Système et procédé de transaction sécurisée de données entre un dispositif de communication sans fil et un serveur
CN101883106A (zh) * 2010-06-30 2010-11-10 赛尔网络有限公司 基于数字证书的网络接入认证方法和网络接入认证服务器
CN103179565A (zh) * 2011-12-23 2013-06-26 中国银联股份有限公司 基于瘦终端模式的安全性信息交互系统、终端、服务器及方法
CN103685187A (zh) * 2012-09-14 2014-03-26 华耀(中国)科技有限公司 一种按需转换ssl认证方式以实现资源访问控制的方法
CN104735058A (zh) * 2015-03-04 2015-06-24 深信服网络科技(深圳)有限公司 一种基于安全协议ssl的加密方法及系统
CN106790194A (zh) * 2016-12-30 2017-05-31 中国银联股份有限公司 一种基于ssl协议的访问控制方法及装置

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019339A (zh) * 2019-05-31 2020-12-01 西安理邦科学仪器有限公司 一种数字证书自动分发方法及装置
CN112019339B (zh) * 2019-05-31 2024-02-27 西安理邦科学仪器有限公司 一种数字证书自动分发方法及装置
CN111222121A (zh) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 一种嵌入式设备授权管理方法
EP4161012A4 (fr) * 2020-05-27 2023-11-08 Hangzhou Hikvision Digital Technology Co., Ltd. Procédé et appareil d'authentification, dispositif électronique, serveur, programme et support de stockage
CN114531467B (zh) * 2020-11-04 2023-04-14 中移(苏州)软件技术有限公司 一种信息处理方法、设备和系统
US11928449B2 (en) 2020-11-04 2024-03-12 China Mobile (Suzhou) Software Technology Co., Ltd. Information processing method, device, apparatus and system, medium, andprogram
CN114531467A (zh) * 2020-11-04 2022-05-24 中移(苏州)软件技术有限公司 一种信息处理方法、设备和系统
CN112511550A (zh) * 2020-12-02 2021-03-16 迈普通信技术股份有限公司 通信方法、装置、电子设备及存储介质
CN112511550B (zh) * 2020-12-02 2022-02-22 迈普通信技术股份有限公司 通信方法、装置、电子设备及存储介质
CN112770317A (zh) * 2020-12-31 2021-05-07 上海遨有信息技术有限公司 一种用于泛在电力物联网的感知层安全接入鉴权方法
CN113179323A (zh) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 用于负载均衡设备的https请求处理方法、装置及系统
CN113179323B (zh) * 2021-04-29 2023-07-04 杭州迪普科技股份有限公司 用于负载均衡设备的https请求处理方法、装置及系统
CN113364795B (zh) * 2021-06-18 2023-03-24 北京天空卫士网络安全技术有限公司 一种数据传输方法和代理服务器
CN113364795A (zh) * 2021-06-18 2021-09-07 北京天空卫士网络安全技术有限公司 一种数据传输方法和代理服务器
CN114513362A (zh) * 2022-02-22 2022-05-17 中国银行股份有限公司 基于tls协议的长连接通讯处理方法及装置
CN114785611A (zh) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 一种用于智能监控终端的通讯协议配置方法、设备及介质
CN114785611B (zh) * 2022-05-10 2024-05-07 山东高速信息集团有限公司 一种用于智能监控终端的通讯协议配置方法、设备及介质

Also Published As

Publication number Publication date
CN106790194B (zh) 2020-06-19
CN106790194A (zh) 2017-05-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17887585; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17887585; Country of ref document: EP; Kind code of ref document: A1)