WO2018219009A1 - Certificate obtaining method and device - Google Patents


Info

Publication number: WO2018219009A1
Application number: PCT/CN2018/078824
Authority: WO (WIPO (PCT))
Prior art keywords: certificate, server, request, obtaining, terminal
Other languages: French (fr), Chinese (zh)
Inventor: 薛晶
Original assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2018219009A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • The present disclosure relates to the field of communications, and in particular to a certificate acquisition method and apparatus.
  • Most terminal projects involve data interaction with the central (operator-side) server.
  • Terminal applications that depend on this include mobile terminal over-the-air update (FOTA) and traffic tracking and data-traffic status display (DataUsage).
  • FOTA: mobile terminal over-the-air update
  • DataUsage: traffic tracking and data-traffic status display
  • SSL: Secure Sockets Layer
  • TLS: Transport Layer Security
  • In some projects the server needs to update its server certificate for security reasons: continuous advances in encryption technology, together with in-depth study by professionals and hackers in related fields, have caused many algorithms to be broken, so that some certificates have been tampered with and forged into untrusted certificates.
  • Terminals such as UFI devices, mobile phones and other wireless Internet products generally pre-install the certificates they require. For security reasons, a terminal's pre-installed certificates do not change unless the version is upgraded. A personal computer (PC) behaves similarly: by default the "Turn off automatic root certificate update" function is not enabled, and if the PC is not to update certificates automatically, that function has to be enabled manually. This is the common practice for terminals. If the server certificate that the server has updated is not in the previously negotiated certificate list, certificate authentication fails because the terminal has no pre-installed copy of the new server certificate. The terminal then cannot connect to the server properly, and if DataUsage and FOTA do not work properly the user experience is seriously affected.
  • PC: Personal Computer
  • Alternatively, the terminal can download the certificate from a pre-designated server over the Internet, in the way a PC that has not enabled the "Turn off automatic root certificate update" function does, but the security of that server and of the server address is yet to be confirmed.
  • Some browsers used by terminals even proceed to the next step when authentication has not passed. Obviously, this is very unsafe.
  • A certificate obtaining method includes the steps of: authenticating a root certificate or certificate chain of a server; in case the authentication fails, sending a certificate obtaining request to the server, where the certificate obtaining request is used to request the changed root certificate in the server and the root certificate is used to form a complete certificate chain; and obtaining the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
  • Another certificate obtaining method includes the steps of: receiving a certificate obtaining request sent by a terminal, where the certificate obtaining request is used to request the changed root certificate and the root certificate is used to form a complete certificate chain; and sending, according to the certificate obtaining request, response information for acquiring the changed root certificate to the terminal.
  • A certificate obtaining apparatus includes: a detecting module configured to authenticate a root certificate or certificate chain of a server; a sending module configured to send a certificate obtaining request to the server in case the authentication fails, where the certificate obtaining request is used to request the changed root certificate in the server and the root certificate is used to form a complete certificate chain; and an obtaining module configured to obtain the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
  • Another certificate obtaining apparatus includes: a receiving module configured to receive a certificate obtaining request sent by a terminal, where the certificate obtaining request is used to request the changed root certificate; and a sending module configured to send, according to the certificate obtaining request, response information for acquiring the changed root certificate to the terminal.
  • A storage medium includes a stored program which, when run, executes any of the above certificate obtaining methods.
  • A processor is configured to run a program which, when run, executes any of the above certificate obtaining methods.
  • FIG. 1 is a schematic diagram of the location of SSL/TLS in the Internet model.
  • FIG. 2 is a schematic diagram of the SSL/TLS handshake process.
  • FIG. 3 is a block diagram of the hardware configuration of a mobile terminal that executes a certificate acquisition method of an embodiment of the present disclosure.
  • FIG. 4 is a flowchart of a certificate acquisition method running on the terminal side according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of a wireless terminal configuring a digital certificate according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of the procedure in which a User Equipment (UE) requests a Public Data Network (PDN) connection.
  • UE: User Equipment
  • PDN: Public Data Network
  • FIG. 7 is a preferred flowchart of a certificate acquisition method according to an embodiment of the present disclosure.
  • FIG. 8 is a flowchart of a certificate acquisition method running on the server side according to an embodiment of the present disclosure.
  • FIG. 9 is a diagram showing an example of the interaction for network-side digital certificate synchronization according to an embodiment of the present disclosure.
  • FIG. 10 is a structural block diagram of a certificate obtaining apparatus according to an embodiment of the present disclosure.
  • FIG. 11 is a structural block diagram of another certificate obtaining apparatus according to an embodiment of the present disclosure.
  • The Secure Sockets Layer (SSL) protocol and its successor Transport Layer Security (TLS) are built on the Transmission Control Protocol/Internet Protocol (TCP/IP).
  • SSL/TLS provides client/server applications with security measures such as client and server authentication, data integrity and information confidentiality. It is a protocol designed to secure the information of both parties, and it relies on the reliable TCP transport layer to send and receive data.
  • FIG. 1 is a schematic diagram of the location of SSL/TLS in the Internet model.
  • The SSL/TLS protocol is characterized by being independent of the application layer protocols above it (such as the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the remote terminal protocol TELNET, etc.); these applications are protected by data encryption.
  • These application layer protocols can use the SSL/TLS protocol transparently.
  • The SSL/TLS protocol can negotiate a symmetric encryption algorithm and session key and, at the same time, authenticate the validity of the server before communication begins. All application layer data is then encrypted for transmission.
  • The SSL/TLS protocol consists of two important independent processes: the SSL handshake process (which includes authentication) and the SSL record process (which includes encryption of the data stream).
  • SSL/TLS works well and is secure.
  • The identity authentication process, however, is relatively weak, and the focus of this disclosure is the identity authentication problem encountered in the project. A brief introduction to the identity authentication process is given here.
  • A certificate, also called a "digital certificate" or "public key certificate", is used to prove that something is indeed what it claims to be.
  • A certificate is like an official seal: through the official seal it can be proved that a letter of introduction was indeed issued by the corresponding company. In theory, anyone can find a certificate tool and make a certificate of their own, but whether this official seal is credible remains to be confirmed.
  • The contents of a certificate include the information of the electronic certification authority, the public key owner's information, the public key, the signature of the authority and the validity period.
  • The format and certification methods of certificates generally follow the X.509 international standard.
  • Server certificates generally take the form of a certificate chain, that is, the trust relationships between certificates can be nested. For example, C trusts A1, A1 trusts A2, A2 trusts A3, and so on; this is called the certificate trust chain. As long as the first certificate on the chain of trust (also called the root certificate) is trusted, the subsequent certificates can be trusted. Correspondingly, if the certificate chain contains no trusted certificate, the authentication fails.
  • The trust process for the entire certificate chain mainly consists of finding, starting from a trusted root certificate, a public key capable of verifying the certificate chain, and then performing a series of verification operations.
  • FIG. 2 is a schematic diagram of the SSL/TLS handshake process. As shown in FIG. 2 (especially the comment box), identity authentication is performed after the SSL/TLS handshake process starts. Identity authentication is divided into: 1) client-side authentication only; 2) server-side authentication; 3) authentication of both server and client.
  • FIG. 3 is a hardware block diagram of a mobile terminal that executes a certificate obtaining method of an embodiment of the present disclosure.
  • The mobile terminal 30 may include one or more processors 302 (only one is shown; the processor 302 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA).
  • FIG. 3 is merely illustrative and does not limit the structure of the mobile terminal.
  • The mobile terminal 30 may include more or fewer components than shown in FIG. 3, or may have a configuration different from that shown in FIG. 3.
  • The memory 304 can be used to store the software programs and modules of application software, such as the program instructions/modules corresponding to the certificate acquisition method of the embodiment of the present disclosure; the processor 302 performs the various functional applications and data processing by running the software programs and modules stored in the memory 304, that is, it implements the above certificate acquisition method.
  • The memory 304 can include high-speed random access memory and can also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory.
  • The memory 304 can further include memory located remotely from the processor 302 and connected to the mobile terminal 30 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
  • The transmission device 306 is used to receive or transmit data via a network.
  • A specific example of the above network is the wireless network provided by the communication provider of the mobile terminal 30.
  • In one example, the transmission device 306 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station so as to communicate with the Internet.
  • NIC: Network Interface Controller
  • In one example, the transmission device 306 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • RF: Radio Frequency
  • FIG. 4 is a flowchart of a method for obtaining a certificate according to an embodiment of the present disclosure.
  • The method for obtaining a certificate includes the following steps. Step S402: authenticate the root certificate or certificate chain of the server. Step S404: if the authentication fails, send a certificate obtaining request to the server, where the certificate obtaining request is used to request the changed root certificate in the server and the root certificate is used to form a complete certificate chain. Step S406: obtain the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
  • Through the above steps, the terminal can obtain the changed root certificate in the server in time and update the locally saved certificates. This solves the problem that authentication fails and the terminal cannot connect to the server properly because the pre-installed certificate list saved locally by the terminal does not include the server's root certificate, and normal interaction between the terminal and the server is achieved.
  • Authenticating the root certificate or certificate chain of the server comprises: initiating a handshake request to the server; receiving the certificate returned by the server in response to the handshake request; and detecting whether there is a local certificate matching the certificate returned by the server. This is one manner of authenticating the root certificate or certificate chain of the server.
  • Sending the certificate obtaining request to the server comprises sending the certificate obtaining request to the server by first predetermined signaling.
  • FIG. 5 is a schematic diagram of a wireless terminal configuring a digital certificate according to an embodiment of the present disclosure. As shown in FIG. 5, the configuration process includes the following steps 1 and 2.
  • Step 1: The terminal configures two sets of APN profile parameters, A and B.
  • APN profile A does not carry the certificate acquisition request field, i.e. it is the APN profile used by an ordinary project, and is used for normal dialling.
  • APN profile B carries the certificate acquisition request field and is used to request information related to the certificate.
  • The specific content of APN profile B can be as follows:
  • Container_id 13 (0xd) (DNS Server IPv4 Address Request)
  • Container_id 3 (0x3) (DNS Server IPv6 Address Request)
  • Container_id 65280 (0xff00) (unknown)
  • Container_contents[1] 1 (0x1)
  • Container_contents[2] 132 (0x84)
  • Container_id 3 (0x3) (DNS Server IPv6 Address)
  • Container_id 3 (0x3) (DNS Server IPv6 Address)
  • Container_id 65280 (0xff00) (unknown)
  • Container_contents[1] 1 (0x1)
  • Container_contents[2] 132 (0x84)
  • Container_contents[3] 0 (0x0)
  • This request information needs to be sent to the network, and the network is required to reply with the related content.
  • The content of the specific reply needs to be negotiated with the network side in advance.
  • The digital certificate acquisition request field includes, but is not limited to: 1) a request field, agreed with the network, in a PCO signaling message that identifies the type of digital certificate request, i.e. the container_id in the signaling; 2) any additional information about the certificate request that the network side requires the terminal to provide, which can be placed in the container_contents field.
  • Step 2: Provision the two configured APN profile parameter sets A and B in the terminal, so that the terminal can make different choices in different situations.
  • When the terminal is successfully connected to the network and a request to connect to the server occurs, the terminal detects that the local root certificate cannot be found and that certificate chain verification fails because the server has updated its certificate.
  • The terminal then re-initiates the attach procedure using the APN profile that carries the certificate acquisition request field, requesting the relevant parameters of the certificate.
  • After receiving the request, the core network gives a corresponding response.
  • The terminal parses the received response message and obtains the trusted root certificate through parsing and subsequent operations.
  • Acquiring the changed root certificate in the server includes: receiving, by second predetermined signaling, the response information returned by the server in response to the certificate obtaining request, where the response information carries parameters for acquiring the changed root certificate; parsing the response information to obtain the parameters; and obtaining the changed root certificate according to the parameters.
  • The first predetermined signaling includes Protocol Configuration Options (PCO) signaling.
  • The second predetermined signaling includes Protocol Configuration Options (PCO) signaling.
  • The PCO is used to provide additional option information for the destination network (the destination network to which the terminal is connected).
  • Besides the terminal's IP address, the network distributes PCO signaling, and this signaling includes the default gateway IP address, the Domain Name System (DNS) server address, and so on.
  • PCO signaling carries a lot of additional information, and PCO signaling is sent and received during the attach procedure.
  • 3GPP TS 23.401 also contains the following description:
  • The UE initiates the UE requested PDN connectivity procedure by sending a PDN Connectivity Request message (access point name APN, PDN, PCO, header compression configuration), and the PCO is used to transfer parameters between the UE and the network.
  • PDN Connectivity Request message: access point name APN, PDN, PCO, header compression configuration
  • The PCO is generally used to transfer parameters between the terminal and the network.
  • In the related art, PCO signaling is often used to transmit IP addresses and APN types, but PCO signaling is not used to transmit information about server certificates.
  • In embodiments of the present disclosure, PCO signaling is applied to the transmission of server certificates.
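  • The APN profile B container list and the PCO description above describe a TLV structure. The following Go program is an example added here; it is not code from the patent or from the assignee. It encodes the APN profile B containers in the layout of the PCO information element in 3GPP TS 24.008 §10.5.6.3 (one configuration-protocol octet, then per container a 2-byte id, a 1-byte length and the contents), decodes a constructed network response, and rejects truncated input. The ids 0x000d and 0x0003 are the DNS address request ids named on the page; 0xff00 lies in the operator-specific range, and its contents (0x01, 0x84) are copied from the page with their meaning left opaque, since the page says the reply content is negotiated with the network side in advance. The IPv6 addresses in the sample response are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// Container ids used by APN profile B on the page. 0x000d and 0x0003 are the
// DNS Server IPv4/IPv6 Address Request ids of 3GPP TS 24.008 (MS-to-network
// direction); 0xff00 is in the operator-specific range 0xff00..0xffff and the
// page treats it as the certificate acquisition request field.
const (
	ContainerDNSv6Request uint16 = 0x0003
	ContainerDNSv4Request uint16 = 0x000d
	ContainerCertRequest  uint16 = 0xff00
)

// configProtoPPP is the configuration protocol octet: extension bit set,
// spare bits zero, configuration protocol 000 (PPP for use with IP PDP type).
const configProtoPPP = 0x80

// Container is one TLV element of the PCO information element.
type Container struct {
	ID       uint16
	Contents []byte
}

// CertificateRequestProfile returns the containers the page lists for APN
// profile B: two empty DNS address requests and the 0xff00 request with
// contents 0x01, 0x84 (values copied from the page; meaning operator-defined).
func CertificateRequestProfile() []Container {
	return []Container{
		{ID: ContainerDNSv4Request},
		{ID: ContainerDNSv6Request},
		{ID: ContainerCertRequest, Contents: []byte{0x01, 0x84}},
	}
}

// EncodePCO serialises containers as: config-proto octet, then for each
// container a 2-byte big-endian id, a 1-byte length and the contents.
// The length field is a single octet, so contents over 255 bytes are refused;
// this is why a whole DER root certificate cannot ride in one container.
func EncodePCO(cs []Container) ([]byte, error) {
	out := []byte{configProtoPPP}
	for _, c := range cs {
		if len(c.Contents) > 255 {
			return nil, fmt.Errorf("container 0x%04x: %d bytes exceeds one-octet length", c.ID, len(c.Contents))
		}
		out = append(out, byte(c.ID>>8), byte(c.ID), byte(len(c.Contents)))
		out = append(out, c.Contents...)
	}
	return out, nil
}

// DecodePCO parses a PCO body. Every length is bounds-checked against the
// remaining buffer, so a container whose declared length overruns the
// message is reported as an error instead of being read past the end.
func DecodePCO(b []byte) ([]Container, error) {
	if len(b) < 1 || b[0]&0x80 == 0 {
		return nil, errors.New("pco: missing configuration protocol octet")
	}
	var cs []Container
	for pos := 1; pos < len(b); {
		if len(b)-pos < 3 {
			return nil, fmt.Errorf("pco: truncated container header at offset %d", pos)
		}
		id := uint16(b[pos])<<8 | uint16(b[pos+1])
		n := int(b[pos+2])
		pos += 3
		if n > len(b)-pos {
			return nil, fmt.Errorf("pco: container 0x%04x declares %d bytes, only %d remain", id, n, len(b)-pos)
		}
		cs = append(cs, Container{ID: id, Contents: append([]byte(nil), b[pos:pos+n]...)})
		pos += n
	}
	return cs, nil
}

// FindContainer returns the contents of the first container with the given id
// (the terminal's parsing step), or false if the network omitted it.
func FindContainer(cs []Container, id uint16) ([]byte, bool) {
	for _, c := range cs {
		if c.ID == id {
			return c.Contents, true
		}
	}
	return nil, false
}

// SampleNetworkResponse is a constructed response body in the shape the page
// lists under APN profile B (two DNS Server IPv6 Address containers and a
// 0xff00 container with 0x01, 0x84, 0x00); the IPv6 addresses are made up.
func SampleNetworkResponse() []byte {
	resp, _ := EncodePCO([]Container{
		{ID: 0x0003, Contents: []byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53}},
		{ID: 0x0003, Contents: []byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x54}},
		{ID: ContainerCertRequest, Contents: []byte{0x01, 0x84, 0x00}},
	})
	return resp
}

func main() {
	req, _ := EncodePCO(CertificateRequestProfile())
	fmt.Printf("APN profile B PCO: % x\n", req)
	cs, err := DecodePCO(SampleNetworkResponse())
	if err != nil {
		panic(err)
	}
	if v, ok := FindContainer(cs, ContainerCertRequest); ok {
		fmt.Printf("certificate-request container contents: % x\n", v)
	}
}
```

  • The one-octet container length is the practical reason the page offers two response forms: a DER-encoded root certificate is normally several hundred bytes and will not fit in a single TS 24.008 container, whereas a certificate acquisition server address and password (the page's second option) fit easily. A terminal-side decoder should also treat the network's PCO as untrusted input and bounds-check every length, as DecodePCO does, since the attach response is processed before any TLS protection exists.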
  • FIG. 7 is a preferred flowchart of a certificate obtaining method according to an embodiment of the present disclosure. As shown in FIG. 7, the certificate obtaining method includes the following steps S702 to S722; the steps performed on the terminal side are mainly described.
  • Step S702: The terminal initiates an attach request to the network side using the APN profile parameters that do not carry the certificate acquisition request field (i.e. APN profile A).
  • APN profile A: the APN profile parameters that do not carry the certificate acquisition request field.
  • Step S704: The attach response is completed and the terminal is successfully connected to the network.
  • Successful networking is a prerequisite for normal communication between the terminal and the central server.
  • Step S706: The terminal initiates an SSL/TLS handshake request to the server according to the project requirements.
  • Step S708: After receiving the terminal's handshake request, the network side sends the corresponding response to the terminal, and the terminal receives the server's certificate chain.
  • Step S710: The terminal verifies the server certificate chain. If the verification succeeds, the process goes to step S712; if the verification fails, the process proceeds to step S714.
  • Step S712: The subsequent normal handshake and communication with the server proceed.
  • Step S714: The terminal determines the cause of the verification failure locally and decides, according to the failure reason, whether the certificate needs to be updated. There are many reasons for certificate verification failure, such as certificate signature failure, root certificate not found, certificate expiry and so on; the specific rules for when an update is required are defined by the product design requirements. If the certificate needs to be updated, go to step S716; otherwise go to step S722.
  • Step S716: The terminal actively initiates a detach request and then re-initiates the attach request using APN profile B, which carries the certificate acquisition request field.
  • Step S718: The network side responds to the received request message, and the terminal successfully receives the response message.
  • The network side's response message to the terminal includes, but is not limited to: 1) the network side directly sends the root certificate itself to the terminal through PCO signaling; 2) the network side sends the terminal, through PCO signaling, the key data needed to obtain the root certificate, such as a certificate acquisition password, a certificate acquisition server address, and so on.
  • Step S720: The terminal locally parses the received message and, through parsing and subsequent operations, successfully obtains the root certificate of the reliable server certificate chain. This ensures the normal use of the related functions.
  • The terminal performs the corresponding operations according to the parsed information, for example: 1) if the terminal receives the certificate itself, delivered by the network side through PCO signaling, the terminal saves the parsed root certificate locally for subsequent use; 2) if the terminal parses out the server address and password for obtaining the root certificate from the PCO signaling, the terminal performs the subsequent operations to complete the certificate acquisition.
  • Step S722: The exception handling flow is entered.
  • When the terminal confirms that certificate chain verification has failed because of a certificate change or the like, the terminal sends a trusted certificate acquisition request message to the network side through protocol configuration options (PCO) signaling.
  • PCO: protocol configuration options
  • The request asks the network side to send the trusted root certificate, or content related to the root certificate of the certificate chain deployed on the central office server, to the terminal through the corresponding signaling message. The terminal then parses the received information to obtain the trusted root certificate.
  • The method of the present disclosure, which transmits the key certificate information by signaling, greatly improves the reliability of certificate transmission and ensures the normal use of the related functions.
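  • Steps S710 and S714 above turn a chain-verification failure into a decision: request the changed root (S716) or enter exception handling (S722). The following Go program is an example added here; it is not code from the patent or from the assignee. It builds a throw-away trust store and certificates with crypto/x509, classifies the verification error into the categories the page enumerates (root not found, expired, other), and shows that once the delivered root is saved locally (S720, option 1) the server's new chain verifies. The mapping of each failure class to an action is an assumed product rule of the kind the page says product design must define; the page itself does not fix it. All names, keys and certificates are generated at run time and stand for nothing real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the terminal's decision after verifying the server chain (S710/S714).
type Verdict int

const (
	VerdictOK          Verdict = iota // S712: continue the handshake
	VerdictRootMissing                // S716: request the changed root through the network
	VerdictExpired                    // S722: exception flow (assumed product rule)
	VerdictOther                      // S722: exception flow, e.g. signature failure
)

func (v Verdict) String() string { return [...]string{"ok", "root-missing", "expired", "other"}[v] }

// ClassifyChain verifies leaf (plus any intermediates) against the terminal's
// locally saved roots and maps the failure to the page's categories. Only an
// unknown-authority failure triggers a certificate update; the other cases are
// treated as exceptions. That split is the assumed product rule, not the page's.
func ClassifyChain(leaf *x509.Certificate, inters, roots *x509.CertPool, now time.Time) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err == nil {
		return VerdictOK
	}
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &unknown):
		return VerdictRootMissing
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return VerdictExpired
	}
	return VerdictOther
}

// Scenario is a constructed test world: the terminal trusts only the old root,
// but the server has moved to a chain anchored at NewRoot.
type Scenario struct {
	TrustStore                    *x509.CertPool // the terminal's pre-installed certificate list
	NewRoot                       *x509.Certificate
	LeafOld, LeafNew, LeafExpired *x509.Certificate
}

// NewScenario generates throw-away P-256 keys and self-signed roots.
func NewScenario(now time.Time) *Scenario {
	oldRootKey, oldRoot := selfSigned("Old Terminal Root", now)
	newRootKey, newRoot := selfSigned("New Server Root", now)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pool := x509.NewCertPool()
	pool.AddCert(oldRoot)
	return &Scenario{
		TrustStore:  pool,
		NewRoot:     newRoot,
		LeafOld:     leaf("server.example", now, now.AddDate(1, 0, 0), oldRoot, oldRootKey, leafKey),
		LeafNew:     leaf("server.example", now, now.AddDate(1, 0, 0), newRoot, newRootKey, leafKey),
		LeafExpired: leaf("server.example", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), oldRoot, oldRootKey, leafKey),
	}
}

// UpdateTrustStore models S720 option 1: the root delivered through PCO
// signaling is saved locally for subsequent use.
func (s *Scenario) UpdateTrustStore(root *x509.Certificate) { s.TrustStore.AddCert(root) }

func selfSigned(cn string, now time.Time) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return key, mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

func leaf(cn string, nb, na time.Time, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	now := time.Now()
	s := NewScenario(now)
	fmt.Println("old chain:", ClassifyChain(s.LeafOld, nil, s.TrustStore, now))
	fmt.Println("new chain:", ClassifyChain(s.LeafNew, nil, s.TrustStore, now))
	fmt.Println("expired:  ", ClassifyChain(s.LeafExpired, nil, s.TrustStore, now))
	s.UpdateTrustStore(s.NewRoot) // root delivered via PCO and saved locally (S720)
	fmt.Println("new chain after update:", ClassifyChain(s.LeafNew, nil, s.TrustStore, now))
}
```

  • Distinguishing "root not found" from "signature failure" matters for the defender: the first is the benign case the page is designed for (the operator rotated its root), while a chain that names a known root but fails its signature check is not cured by fetching more roots and belongs in the exception flow. The example keeps the update path tied to the unknown-authority case only, and the new root is added to the local store solely after it arrives through the network-side response the page describes.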
  • FIG. 8 is a flowchart of a certificate acquisition method running on the server side according to an embodiment of the present disclosure.
  • The obtaining method includes the following steps. Step S802: receive a certificate obtaining request sent by the terminal, where the certificate obtaining request is used to request the changed root certificate and the root certificate is used to form a complete certificate chain. Step S804: send, according to the certificate obtaining request, response information for acquiring the changed root certificate to the terminal.
  • Receiving the certificate obtaining request sent by the terminal comprises receiving the certificate obtaining request sent by the terminal by first predetermined signaling.
  • Sending the response information for acquiring the changed root certificate to the terminal according to the certificate obtaining request includes: determining, according to the certificate obtaining request, the response information for acquiring the changed root certificate, where the response information carries parameters for acquiring the changed root certificate; and sending the response information to the terminal by second predetermined signaling.
  • The first predetermined signaling includes protocol configuration options (PCO) signaling, and the second predetermined signaling includes protocol configuration options (PCO) signaling.
  • PCO: protocol configuration options
  • The certificate obtaining method further includes: after sending the response information for acquiring the changed root certificate to the terminal according to the certificate obtaining request, notifying the core network to perform the certificate update, for example by sending notification information to the core network.
  • The notification information carries the valid information of the certificate. It should be noted that the core network synchronizes the trusted certificates used by the central server in time, and the synchronization method is not limited.
  • FIG. 9 is a diagram showing an example of the interaction for network-side digital certificate synchronization according to an embodiment of the present disclosure.
  • Network-side digital certificate synchronization includes the following two schemes. Scheme 1: when a certificate used by the authority server changes, the core network is notified in time to update the certificate. Scheme 2: the central server and the core network are synchronized periodically according to certain rules.
  • When the terminal's certificate does not match the certificate used between the terminal and the server, the terminal is configured to send a trusted certificate acquisition request to the network using protocol configuration options (PCO).
  • PCO: protocol configuration options
  • The request asks the network side to deliver the certificate, or certificate-related content, used by the server to the terminal through the corresponding response message; the terminal then parses and acts on the received response message. This effectively ensures secure and reliable synchronization of the certificate between the terminal and the server and ultimately ensures normal communication between the terminal and the central server.
  • The parts of the technical solution of the present disclosure that contribute substantially, or that contribute to the related art, may be embodied in the form of a computer software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disc, etc.) and including a number of instructions for causing a terminal device (such as a mobile phone, computer, server or network device, etc.) to perform the methods described in the various embodiments of the present disclosure.
  • Terminal device: a mobile phone, computer, server, network device, etc.
  • The embodiment of the present disclosure further provides a certificate obtaining apparatus for implementing the certificate obtaining method of the above embodiments; what has already been described above is not repeated here.
  • The term "module" refers to a combination of software and/or hardware that can perform a predetermined function.
  • The certificate obtaining apparatus described below is preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and conceivable.
  • FIG. 10 is a structural block diagram of a certificate obtaining apparatus (for a terminal side) according to an embodiment of the present disclosure.
  • the certificate obtaining apparatus includes: a detecting module 102 for a root certificate or certificate to a server The chain is authenticated; the sending module 104 is connected to the detecting module 102, and is configured to send a certificate obtaining request to the server in the case that the authentication fails, and the certificate obtaining request is used to request to obtain the changed root certificate in the server, where the root certificate is The obtaining module 106 is connected to the sending module 104, and configured to obtain the changed root certificate in the server according to the response information of the server in response to the certificate obtaining request.
  • the sending module 104 is configured to send a certificate acquisition request to the server by using the first predetermined signaling.
  • the obtaining module 106 is configured to receive, by using the second predetermined signaling, the response information returned by the server in response to the certificate obtaining request, where the response information carries a parameter for acquiring the changed root certificate; the obtaining module 106 is further configured to parse the response information to get the parameter, and then obtain the changed root certificate according to the parameter.
  • FIG. 11 is a structural block diagram of another certificate obtaining apparatus (for a server side) according to an embodiment of the present disclosure.
  • the certificate obtaining apparatus includes: a receiving module 112, configured to receive a certificate obtaining request sent by a terminal, the certificate obtaining request being used to request the changed root certificate, where the root certificate is used to form a complete certificate chain; and a sending module 114, connected to the receiving module 112 and configured to send, to the terminal according to the certificate obtaining request, response information for obtaining the changed root certificate.
  • each of the foregoing modules may be implemented by software or hardware.
  • each of the foregoing modules may be located in the same processor, or the foregoing modules, in any combination, may be located in different processors; the implementation is not limited to this.
  • Embodiments of the present disclosure also provide a storage medium including a stored program that executes the steps in the certificate acquisition method of the embodiment of the present disclosure described above when the stored program runs.
  • the above storage medium may be configured to store program code (for the terminal side) for performing the following steps: S1, authenticating the root certificate or certificate chain of the server; S2, in case of authentication failure, sending a certificate obtaining request to the server, the certificate obtaining request being used to request the changed root certificate in the server, where the root certificate is used to form a complete certificate chain; and S3, obtaining the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
  • authenticating the root certificate or certificate chain of the server in step S1 comprises: initiating a handshake request to the server; receiving the certificate returned by the server according to the handshake request; and authenticating the server's root certificate or certificate chain by detecting whether a certificate matching the certificate returned by the server is present locally.
  • the sending the certificate acquisition request to the server in step S2 comprises: sending a certificate acquisition request to the server by using the first predetermined signaling.
  • obtaining the changed root certificate according to the response information returned by the server in step S3 includes: receiving, by using the second predetermined signaling, the response information returned by the server in response to the certificate obtaining request, where the response information carries a parameter for obtaining the changed root certificate; parsing the response information to get the parameter; and obtaining the changed root certificate according to the parameter.
  • the first predetermined signaling includes Protocol Configuration Option (PCO) signaling.
  • the second predetermined signaling includes Protocol Configuration Option (PCO) signaling.
  • the above storage medium may be configured to store program code (for the server side) for performing the following steps: S1', receiving a certificate obtaining request sent by the terminal, the certificate obtaining request being used to request the changed root certificate, where the root certificate is used to form a complete certificate chain; and S2', sending, to the terminal according to the certificate obtaining request, response information for obtaining the changed root certificate.
  • receiving the certificate obtaining request sent by the terminal in step S1' includes: receiving the certificate obtaining request sent by the terminal by using the first predetermined signaling.
  • sending, to the terminal according to the certificate obtaining request, the response information for obtaining the changed root certificate in step S2' includes: determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, where the response information carries the parameter for obtaining the changed root certificate; and sending the response information to the terminal by using the second predetermined signaling.
  • the storage medium is further configured to store program code for performing the following step: after sending the response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request, notifying the core network to perform the certificate update.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or other media that can store program code.
  • Embodiments of the present disclosure also provide a processor configured to execute a program that, when executed, performs the steps in the certificate acquisition method of the embodiments of the present disclosure described above.
  • the processor runs a program for performing the following steps (for the terminal side): S1, authenticating the server's root certificate or certificate chain; S2, if the authentication fails, sending a certificate obtaining request to the server, the certificate obtaining request being used to obtain the changed root certificate in the server, where the root certificate is used to form a complete certificate chain; and S3, obtaining the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
  • authenticating the root certificate or certificate chain of the server in step S1 comprises: initiating a handshake request to the server; receiving the certificate returned by the server according to the handshake request; and authenticating the server's root certificate or certificate chain by detecting whether a certificate matching the one returned by the server is present locally.
  • the sending the certificate acquisition request to the server in step S2 comprises: sending a certificate acquisition request to the server by using the first predetermined signaling.
  • obtaining the changed root certificate according to the response information returned by the server in step S3 includes: receiving, by using the second predetermined signaling, the response information returned by the server in response to the certificate obtaining request, where the response information carries a parameter for obtaining the changed root certificate; parsing the response information to get the parameter; and obtaining the changed root certificate according to the parameter.
  • the first predetermined signaling includes Protocol Configuration Option (PCO) signaling.
  • the second predetermined signaling includes Protocol Configuration Option (PCO) signaling.
  • the program run by the processor is configured to perform the following steps (for the server side): S1', receiving a certificate obtaining request sent by the terminal, the certificate obtaining request being used to request the changed root certificate, where the root certificate is used to form a complete certificate chain; and S2', sending, to the terminal according to the certificate obtaining request, response information for obtaining the changed root certificate.
  • receiving the certificate obtaining request sent by the terminal in step S1' includes: receiving the certificate obtaining request sent by the terminal by using the first predetermined signaling.
  • sending, to the terminal according to the certificate obtaining request, the response information for obtaining the changed root certificate in step S2' includes: determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, where the response information carries the parameter for obtaining the changed root certificate; and sending the response information to the terminal by using the second predetermined signaling.
  • modules or steps of the present disclosure may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • the various modules or steps of the present disclosure may be implemented by program code executable by a computing device, such that the program code may be stored in a storage device and executed by the computing device; in some cases the steps may be performed in an order different from that shown or described here, or the various modules or steps may be separately fabricated into individual integrated circuit modules, or several of the modules or steps may be fabricated into a single integrated circuit module. As such, implementations of the present disclosure are not limited to any particular combination of hardware and software.

Abstract

The present disclosure provides a certificate obtaining method, a certificate obtaining device, a storage medium, and a processor. The certificate obtaining method comprises: authenticating a root certificate or a certificate chain of a server; in the case of an authentication failure, sending a certificate obtaining request to the server, the certificate obtaining request being used for requesting the obtaining of a changed root certificate in the server, and the changed root certificate being used for forming a complete certificate chain; and obtaining the changed root certificate in the server according to response information of the server in response to the certificate obtaining request.

Description

Certificate acquisition method and device
Technical field
The present disclosure relates to the field of communications, and in particular to a certificate acquisition method and apparatus.
Background
At present, most terminal projects involve data exchange with an operator-side server. Terminal applications of this kind include Firmware Over-The-Air (FOTA) software upgrades for mobile terminals and data-usage tracking and display (DataUsage). All of these exchanges raise security concerns, because the content on the operator's server is not open to the public and is to some extent confidential. The method such projects commonly use to address these concerns is the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS).
In some projects the security of the server certificate is undermined by the continuing advance of cryptographic technology and by in-depth study of the field by professionals and hackers, which causes many algorithms to be broken over time, so that some certificates are tampered with or forged and become untrusted. The operator's server therefore needs to update its server certificate.
Terminals (for example, wireless Internet products such as UFI devices and mobile phones) are generally provisioned with the relevant certificates as required, and for security reasons the preinstalled certificates do not change unless the firmware version is upgraded. For example, a personal computer (PC) does not enable the "Turn off Automatic Root Certificates Update" option by default; if the PC should not update certificates automatically, that option must be enabled manually. This is common practice for terminals. If the server certificate updated by the operator's server is not in the previously negotiated certificate list, certificate authentication fails because the new server certificates are not preinstalled in the terminal; as a result the terminal cannot connect to the server normally, DataUsage and FOTA stop working, and the user experience is seriously affected.
After authentication fails, the terminal can download a certificate over the Internet from a pre-designated server, as a PC does when "Turn off Automatic Root Certificates Update" is not enabled. However, the security of that server and of its address remains to be confirmed. In addition, some browsers used on terminals allow the user to proceed to the next step even when authentication does not pass, which is obviously very unsafe.
Therefore, in the related art, after the root certificate in the server has changed, certificate authentication fails and the terminal cannot connect to the server normally, because the preinstalled certificate list in the terminal does not contain the server's changed root certificate.
Summary of the disclosure
According to one embodiment of the present disclosure, a certificate obtaining method is provided, including the steps of: authenticating a root certificate or certificate chain of a server; in the case of authentication failure, sending a certificate obtaining request to the server, the certificate obtaining request being used to request the changed root certificate in the server, where the root certificate is used to form a complete certificate chain; and obtaining the changed root certificate in the server according to response information returned by the server in response to the certificate obtaining request.
According to another embodiment of the present disclosure, a certificate obtaining method is provided, including the steps of: receiving a certificate obtaining request sent by a terminal, the certificate obtaining request being used to request the changed root certificate, where the root certificate is used to form a complete certificate chain; and sending, to the terminal according to the certificate obtaining request, response information for obtaining the changed root certificate.
According to yet another embodiment of the present disclosure, a certificate obtaining apparatus is provided, including: a detecting module, configured to authenticate a root certificate or certificate chain of a server; a sending module, configured to send a certificate obtaining request to the server in the case of authentication failure, the obtaining request being used to request the changed root certificate in the server, where the root certificate is used to form a complete certificate chain; and an obtaining module, configured to obtain the changed root certificate in the server according to response information returned by the server in response to the certificate obtaining request.
According to yet another embodiment of the present disclosure, a certificate obtaining apparatus is provided, including: a receiving module, configured to receive a certificate obtaining request sent by a terminal, the certificate obtaining request being used to request the changed root certificate; and a sending module, configured to send, to the terminal according to the certificate obtaining request, response information for obtaining the changed root certificate.
According to yet another embodiment of the present disclosure, a storage medium is also provided, the storage medium including a stored program which, when run, executes any of the above certificate obtaining methods.
According to yet another embodiment of the present disclosure, a processor is also provided, the processor being configured to run a program which, when run, executes any of the above certificate obtaining methods.
Brief description of the drawings
The drawings described here provide a further understanding of the present disclosure and form a part of it; the illustrative embodiments of the present disclosure and their description serve to explain the present disclosure and do not unduly limit it. In the drawings:
Figure 1 is a schematic diagram of the position of SSL/TLS in the Internet model;
Figure 2 is a schematic diagram of the SSL/TLS handshake process;
Figure 3 is a block diagram of the hardware structure of a mobile terminal that executes the certificate obtaining method of an embodiment of the present disclosure;
Figure 4 is a flowchart of a certificate obtaining method running on the terminal side according to an embodiment of the present disclosure;
Figure 5 is a schematic diagram of a wireless terminal configuring a digital certificate according to an embodiment of the present disclosure;
Figure 6 is a schematic diagram of the process by which a user equipment (UE) requests a public data network (PDN) connection;
Figure 7 is a preferred flowchart of a certificate obtaining method according to an embodiment of the present disclosure;
Figure 8 is a flowchart of a certificate obtaining method running on the server side according to an embodiment of the present disclosure;
Figure 9 is an example interaction diagram of network-side digital certificate synchronization according to an embodiment of the present disclosure;
Figure 10 is a structural block diagram of a certificate obtaining apparatus according to an embodiment of the present disclosure;
Figure 11 is a structural block diagram of another certificate obtaining apparatus according to an embodiment of the present disclosure.
Detailed description
The present disclosure is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments of the present disclosure and the features in the embodiments may be combined with each other.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present disclosure are used to distinguish similar objects and are not used to describe a specific order or sequence.
For ease of understanding, the concepts relevant to the authentication process are briefly explained below.
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), provide client-server applications based on the Transmission Control Protocol/Internet Protocol (TCP/IP) with security measures such as client and server authentication, data integrity and confidentiality. It is a protocol designed to ensure the security of the information exchanged by the two communicating parties, and it relies on the reliable TCP transport layer to send and receive data.
Figure 1 shows the position of SSL/TLS in the Internet model. As shown in Figure 1, the SSL/TLS protocol is independent of the upper-layer application protocols (such as the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP and the remote terminal protocol TELNET) and encrypts their data; these application-layer protocols can use SSL/TLS transparently. SSL/TLS can negotiate a symmetric encryption algorithm and a session key, and can authenticate the legitimacy of the server before communication begins. All application-layer data is encrypted before transmission.
The SSL/TLS protocol consists of two important independent processes: the SSL handshake process (which includes identity authentication) and the SSL record process (which includes encryption of the data stream). In a high-risk network environment it is very important to protect packets with strong encryption so that they reach their intended destination intact. SSL/TLS can do this and keep the connection secure. Within the whole process, identity authentication is the relatively weak part. The present disclosure focuses on the identity authentication problem encountered in projects, so the identity authentication process is briefly introduced here.
A "certificate", also called a "digital certificate" or "public key certificate", is something used to prove that a certain thing really is that thing. In plain terms, a certificate is like an official seal: through the seal one can prove that a letter of introduction was indeed issued by the corresponding company. In theory anyone can find a certificate tool and make a certificate themselves, but whether that seal is trustworthy remains to be confirmed. The contents of a certificate include information about the issuing authority, information about the owner of the public key, the public key itself, the signature of the authority, the validity period, and so on. Currently, the format of certificates and the method of verifying them generally follow the X.509 international standard.
Currently, server certificates generally take the form of a certificate chain, that is, the trust relationships between certificates can be nested. For example, C trusts A1, A1 trusts A2, A2 trusts A3, and so on; this is called the certificate trust chain. As long as the first certificate in the trust chain (also called the root certificate) is trusted, the subsequent certificates can be trusted. Correspondingly, if there is no trusted certificate in the certificate chain, the authentication fails. The trust process for the whole certificate chain mainly consists of finding, starting from the trusted root certificate, the public key capable of decoding the certificate chain, and so performing a series of verification steps.
The SSL/TLS handshake process is briefly discussed below. Figure 2 is a schematic diagram of the SSL/TLS handshake process. As shown in Figure 2 (particularly the annotated box), identity authentication takes place after the SSL/TLS handshake starts, and it comes in three forms: 1) client authentication only; 2) server authentication only; 3) authentication of both server and client.
In client-side authentication, that is, when the terminal receives the server's certificate chain, it verifies the certificates. If the certificate is untrusted, the subsequent interaction stops; conversely, if the certificate is trusted, the subsequent services can proceed.
The certificate obtaining method provided by the embodiments of the present disclosure may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking execution on a mobile terminal as an example, Figure 3 is a block diagram of the hardware structure of a mobile terminal that executes the certificate obtaining method of an embodiment of the present disclosure. As shown in Figure 3, the mobile terminal 30 may include one or more processors 302 (only one is shown; the processor 302 may include, but is not limited to, a processing device such as a microcontroller (MCU) or a programmable logic device (FPGA)), a memory 304 for storing data, and a transmission device 306 for communication. A person of ordinary skill in the art will understand that the structure shown in Figure 3 is merely illustrative and does not limit the structure of the mobile terminal. For example, the mobile terminal 30 may include more or fewer components than shown in Figure 3, or may have a configuration different from that shown in Figure 3.
The memory 304 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the certificate obtaining method in the embodiments of the present disclosure; by running the software programs and modules stored in the memory 304, the processor 302 executes various functional applications and data processing, that is, implements the above certificate obtaining method. The memory 304 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 304 may further include memory located remotely from the processor 302, which may be connected to the mobile terminal 30 over a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations of these.
The transmission device 306 is used to receive or send data via a network. Specific examples of the network include a wireless network provided by the communication operator of the mobile terminal 30. In one example, the transmission device 306 includes a Network Interface Controller (NIC), which can be connected to other network devices through a base station and thereby communicate with the Internet. In another example, the transmission device 306 may be a Radio Frequency (RF) module used to communicate wirelessly with the Internet.
This embodiment provides a certificate obtaining method running on the above mobile terminal. Figure 4 is a flowchart of the certificate obtaining method according to an embodiment of the present disclosure. As shown in Figure 4, the method includes the following steps: step S402, authenticating the root certificate or certificate chain of the server; step S404, if the authentication fails, sending a certificate obtaining request to the server, the certificate obtaining request being used to request the changed root certificate in the server, where the root certificate is used to form a complete certificate chain; and step S406, obtaining the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request.
Through the above steps, after authentication of the server's root certificate or certificate chain fails, the terminal can promptly obtain the changed root certificate from the server and update the certificates it stores locally. This solves the problem that authentication fails and the terminal cannot connect to the server normally because the preinstalled certificate list stored on the terminal does not contain the server's changed root certificate, and so guarantees normal interaction between the terminal and the server.
In some implementations, authenticating the root certificate or certificate chain of the server includes: initiating a handshake request to the server; receiving the certificate returned by the server according to the handshake request; and authenticating the server's root certificate or certificate chain by detecting whether a certificate matching the one returned by the server is present locally.
In some implementations, sending the certificate obtaining request to the server includes sending the certificate obtaining request to the server by means of first predetermined signaling.
For example, the terminal may prepare locally two different sets of access point name (APN) profile parameters, one for the normal dial-up attach procedure and the other for obtaining the certificate-related parameters. Figure 5 is a schematic diagram of a wireless terminal configuring a digital certificate according to an embodiment of the present disclosure. As shown in Figure 5, the configuration process includes the following step 1 and step 2.
Step 1: the terminal configures two sets of APN profile parameters, A and B.
APN profile A does not carry the certificate-obtaining request field; it is the APN profile used by ordinary projects and is used for normal dialing.
APN profile B carries the certificate-obtaining request field, used to request the certificate-related information. The specific content of APN profile B may be as follows:
2015 May 22 04:05:23.927[31]0xB0ED LTE NAS EMM Plain OTA Outgoing Message--Attach request Msg
............
num_recs2=8(0x8)
sm_container[0]
container_id=13(0xd)(DNS Server IPv4 Address Requestt)
container_len=0(0x0)
sm_container[1]
container_id=3(0x3)(DNS Server IPv6 Address Request)
container_len=0(0x0)
sm_container[2]
container_id=65280(0xff00)(unknown)
container_len=3(0x3)
container_contents[0]=19(0x13)
container_contents[1]=1(0x1)
container_contents[2]=132(0x84)
............
2015 May 22 04:05:24.382[36]0xB0EC LTE NAS EMM Plain OTA Incoming Message--Attach accept Msg
............
sm_container[0]
container_id=3(0x3)(DNS Server IPv6 Address)
container_len=16(0x10)
address=0x200148880010ff000132000d00000000(2001:4888:10:ff00:132:d:0:0)
sm_container[1]
container_id=3(0x3)(DNS Server IPv6 Address)
container_len=16(0x10)
address=0x200148880011ff000137000d00000000(2001:4888:11:ff00:137:d:0:0)
............
address=0x200148880005fe0000e00104000000a4(2001:4888:5:fe00:e0:104:0:a4)
sm_container[5]
container_id=65280(0xff00)(unknown)
container_len=4(0x4)
container_contents[0]=19(0x13)
container_contents[1]=1(0x1)
container_contents[2]=132(0x84)
container_contents[3]=0(0x0)
............
Referring to the attached content above, when the terminal needs to obtain a digital certificate through Protocol Configuration Options (PCO), it needs to send the request information to the network and require the network to reply with the relevant content. The specific content of the reply needs to be agreed with the network side in advance.
The digital certificate obtaining request field includes, but is not limited to: 1) a PCO signaling message, recognized by the network, that represents the request field from which the type of digital certificate being requested can be determined, i.e., the container_id in the signaling; 2) if the network side also requires the terminal to provide other additional information about the certificate request, that information may be placed in the container_contents field.
Here, what the terminal has to do is code configuration, to ensure that the terminal carries the certificate obtaining request field, i.e., the sm_container field, when it sends the "Attach request Msg".
Step 2: both configured APN profile parameter sets A and B are pre-installed in the terminal, so that the terminal can make different choices in different situations.
It should be noted that, after the terminal has successfully connected to the network and a request to connect to the server occurs, once the terminal detects that no trusted root certificate can be found locally, or that certificate chain verification fails for other reasons caused by the operator's server updating its certificate, the terminal re-initiates the attach procedure requesting the certificate-related parameters, using the APN profile that carries the certificate obtaining request field. After receiving the request, the core network gives a corresponding response. The terminal parses the received response message, and obtains the trusted root certificate through parsing and subsequent operations.
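As an added illustration (not code from the patent or from its applicant), the following Python encodes the attach-request PCO of APN profile B with the container values shown in the trace above, and parses an attach-accept PCO constructed to mirror the accept message. The container layout (after the PCO header octet: 2-octet container ID, 1-octet length, contents) is the 3GPP TS 24.008 format, and 0xFF00 lies in the range that specification reserves for operator-specific use, which is why the trace's decoder labels it "unknown". The function and constant names and the constructed accept message are assumptions made for this example.

```python
import struct
import ipaddress

# Container identifiers that appear in the trace. The DNS IDs are the standard
# TS 24.008 values (the same ID is a "request" from the terminal and an "answer"
# from the network); 0xFF00 is operator-specific and carries the page's
# certificate obtaining request field.
DNS_IPV6 = 0x0003
DNS_IPV4 = 0x000D
CERT_REQUEST = 0xFF00

PCO_HEADER = 0x80  # octet 3 of the IE: ext bit set, configuration protocol = PPP (0)


def encode_pco(containers):
    """Serialise [(container_id, contents_bytes)] into PCO contents octets."""
    out = bytearray([PCO_HEADER])
    for cid, body in containers:
        if not 0 <= cid <= 0xFFFF:
            raise ValueError("container id must fit in 16 bits")
        if len(body) > 255:
            raise ValueError("container contents are limited to 255 octets")
        out += struct.pack("!HB", cid, len(body)) + bytes(body)
    return bytes(out)


def decode_pco(data):
    """Parse PCO contents octets into [(container_id, contents_bytes)].

    Truncated input is rejected rather than silently accepted as a short
    container, which is the usual defect in hand-written TLV parsers.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("missing PCO header octet")
    containers, pos = [], 1
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated container header")
        cid, length = struct.unpack_from("!HB", data, pos)
        pos += 3
        if len(data) - pos < length:
            raise ValueError("container length exceeds remaining data")
        containers.append((cid, data[pos:pos + length]))
        pos += length
    return containers


def is_well_formed(data):
    """True when decode_pco accepts the octets, False on any framing error."""
    try:
        decode_pco(data)
        return True
    except ValueError:
        return False


def build_profile_a_pco():
    """APN profile A: plain attach, no certificate obtaining request field."""
    return encode_pco([(DNS_IPV4, b""), (DNS_IPV6, b"")])


def build_profile_b_pco():
    """APN profile B: the attach-request containers shown in the trace."""
    return encode_pco([(DNS_IPV4, b""), (DNS_IPV6, b""),
                       (CERT_REQUEST, bytes([0x13, 0x01, 0x84]))])


def carries_cert_request(pco):
    """Whether an encoded attach-request PCO contains the 0xFF00 request field."""
    return any(cid == CERT_REQUEST for cid, _ in decode_pco(pco))


# Constructed attach-accept PCO with the same containers as the trace's accept message.
ATTACH_ACCEPT_PCO = encode_pco([
    (DNS_IPV6, ipaddress.IPv6Address("2001:4888:10:ff00:132:d:0:0").packed),
    (DNS_IPV6, ipaddress.IPv6Address("2001:4888:11:ff00:137:d:0:0").packed),
    (CERT_REQUEST, bytes([0x13, 0x01, 0x84, 0x00])),
])


def parse_attach_accept(pco):
    """Return (list of 16-octet DNS IPv6 addresses, 0xFF00 container contents or None)."""
    dns, cert = [], None
    for cid, body in decode_pco(pco):
        if cid == DNS_IPV6 and len(body) == 16:
            dns.append(body)
        elif cid == CERT_REQUEST:
            cert = body
    return dns, cert


if __name__ == "__main__":
    print(build_profile_b_pco().hex())
    print(parse_attach_accept(ATTACH_ACCEPT_PCO))
```

The terminal-side change the page describes is only the third container of profile B; everything else in the request is what profile A already sends, which is why the two profiles can share one encoder.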
In some embodiments, obtaining the changed root certificate in the server according to the response information of the server to the certificate obtaining request includes: receiving response information sent by the server through second predetermined signaling in response to the certificate obtaining request, where the response information carries parameters for obtaining the changed root certificate; parsing the response information to obtain the parameters; and obtaining the changed root certificate according to the parameters. Through the above steps, the content related to the trusted certificate (root certificate) is transmitted by signaling rather than over IP, so that the certificate-related information is not intercepted or tampered with during transmission, ensuring the reliability of the root certificate received by the terminal.
In some embodiments, the first predetermined signaling includes Protocol Configuration Options (PCO) signaling, and the second predetermined signaling includes PCO signaling. PCO is used to provide additional selection information about the destination network (the destination network to which the terminal connects). When the terminal connects to the Internet, in addition to assigning an IP address to the terminal, the network also delivers PCO signaling, which includes the default gateway IP address, the Domain Name System (DNS) server address, and so on; that is, the PCO signaling carries a great deal of additional information. PCO signaling is sent and received during the attach procedure. FIG. 6 is a schematic diagram of the procedure in which a UE requests a Public Data Network (PDN) connection, taken from 3GPP 23.401 "Figure 5.10.2-1: UE requested PDN connectivity". 3GPP 23.401 also describes the following: the terminal initiates the UE-requested PDN connectivity procedure by transmitting the PDN connectivity request information (access point APN, PDN, PCO, header compression configuration), and the PCO is used to transfer parameters between the terminal and the network. From the above, PCO is generally used to transfer parameters between the terminal and the network; for example, PCO signaling is often used to transfer IP addresses and APN types, but PCO signaling has not been used to transfer information related to the operator's server certificate. The embodiments of the present disclosure apply PCO signaling to the transfer of the server certificate.
To facilitate understanding of the above embodiments, a detailed description follows. FIG. 7 is a preferred flowchart of a certificate obtaining method according to an embodiment of the present disclosure. As shown in FIG. 7, the certificate obtaining method includes the following steps S702 to S722; the steps performed on the terminal side are mainly described here.
Step S702: the terminal initiates an attach request to the network side using the APN profile parameters that do not carry the certificate obtaining request field (i.e., APN profile A). The main reason for using this APN profile is that, although the operator's server updates its certificate from time to time, if the server has not updated its certificate there is no need to obtain a certificate.
Step S704: the attach response completes and the terminal is successfully connected to the network. Here, a successful network connection is the precondition for normal communication between the terminal and the operator's server.
Step S706: the terminal initiates an SSL/TLS handshake request to the server according to project requirements.
Step S708: after receiving the terminal's handshake request, the network side sends a corresponding response to the terminal, and the terminal receives the certificate chain of the operator's server.
Step S710: the terminal verifies the server certificate chain; if verification succeeds, go to step S712; if verification fails, go to step S714.
Step S712: continue with the subsequent normal handshake and communication with the server.
Step S714: the terminal determines the cause of the verification failure locally, and decides according to the cause whether the certificate needs to be updated. There are many causes of certificate failure, such as certificate signature failure, root certificate not found, certificate expired, and so on. The specific rules for whether an update is needed are defined by the product design requirements. If the certificate needs to be updated, go to step S716; otherwise go to step S722.
Step S716: the terminal actively initiates a detach request, and then re-initiates the attach request using APN profile B, which carries the certificate obtaining request field.
Step S718: the network side responds to the received request message, and the terminal successfully receives the response message.
Here, the response message from the network side to the terminal includes, but is not limited to: 1) the network side directly delivers the root certificate itself to the terminal through PCO signaling; 2) the network side delivers to the terminal, through PCO signaling, key data from which the root certificate can be obtained, such as a certificate obtaining password, a certificate obtaining server address, and so on.
Step S720: the terminal parses the received message locally and, through parsing and subsequent operations, successfully obtains the reliable root certificate of the server certificate chain, thereby ensuring the normal use of the related functions.
Here, the terminal performs the corresponding operation according to the parsed information, for example: 1) if the terminal receives the certificate itself, delivered by the network side through PCO signaling, the terminal saves the parsed root certificate locally for subsequent use; 2) if the terminal parses out of the PCO signaling information such as the address of the server from which the root certificate is obtained and a password, the terminal performs subsequent operations to complete obtaining the certificate.
Step S722: enter the exception handling flow.
Through the above embodiment, when the terminal confirms that certificate chain verification fails because of a certificate change or similar cause, it sends a trusted certificate obtaining request message to the network side through Protocol Configuration Options (PCO) signaling, requesting the network side to deliver, through the corresponding signaling message, the trusted root certificate of the certificate chain deployed on the operator's server, or content related to the root certificate. The terminal then parses the received information accordingly to obtain the trusted root certificate. The method of the present disclosure, which transfers the key information of the certificate by signaling, greatly improves the reliability of certificate transfer and ensures the normal use of the related functions.
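The decision and response handling of steps S714 to S720 above, written out as added example code (not the patent's own implementation): which failure causes lead to S716 rather than S722, and how the two response forms of step S718 are handled once the 0xFF00 container has been extracted from the attach accept. The kind-octet layout of that container, the failure-cause names, the function names and the placeholder certificate bytes are assumptions; the page leaves the container contents to prior agreement between the terminal and the network side.

```python
import hashlib

# S714: which verification failures justify re-attaching with APN profile B is a
# product rule the page leaves open; this mapping is an assumption for the example.
REFETCH_REASONS = {"root_not_found", "unknown_issuer"}
ABORT_REASONS = {"certificate_expired", "hostname_mismatch", "signature_invalid"}


def next_step_after_failure(reason):
    """S714: 'S716' means detach and re-attach with profile B, 'S722' the exception flow."""
    if reason in REFETCH_REASONS:
        return "S716"
    if reason in ABORT_REASONS:
        return "S722"
    raise ValueError(f"unknown verification failure reason: {reason!r}")


# Assumed layout of the 0xFF00 response container: one kind octet, then the payload.
KIND_ROOT_CERT = 0x01     # response form 1: payload is the DER root certificate itself
KIND_FETCH_PARAMS = 0x02  # response form 2: payload is b"<server address>\x00<password>"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def handle_cert_container(contents, presented_chain, trust_store):
    """S720: act on the parsed 0xFF00 container.

    presented_chain: DER certificates received in S708, leaf first, root last
    (assumes the server includes its root in the chain it sends).
    trust_store: dict SHA-256 fingerprint -> DER of locally trusted roots;
    mutated when a root is installed.
    """
    if not contents:
        raise ValueError("empty certificate container")
    kind, payload = contents[0], bytes(contents[1:])
    if kind == KIND_ROOT_CERT:
        fp = sha256_hex(payload)
        if fp in trust_store:
            return ("already_trusted", fp)
        # Install only a root that the presented chain actually terminates in: any
        # other root could not cure the S710 failure, and refusing it keeps a stray
        # or stale container from widening the trust store.
        if not presented_chain or sha256_hex(presented_chain[-1]) != fp:
            return ("rejected", fp)
        trust_store[fp] = payload
        return ("installed", fp)
    if kind == KIND_FETCH_PARAMS:
        address, sep, password = payload.partition(b"\x00")
        if not (sep and address and password):
            raise ValueError("malformed fetch parameters")
        # The page leaves the follow-up fetch to "subsequent operations"; return
        # the parameters so the caller can perform it.
        return ("fetch", address.decode("ascii"), password)
    raise ValueError(f"unknown container kind 0x{kind:02x}")


def run_flow(failure_reason, response_contents, presented_chain, trust_store):
    """S714 -> S716/S722 -> S720 for one failed handshake; network I/O is elided."""
    step = next_step_after_failure(failure_reason)
    if step == "S722":
        return ("S722", None)
    return ("S720", handle_cert_container(response_contents, presented_chain, trust_store))


# Constructed sample data: placeholder byte strings, not real certificates.
OLD_ROOT_DER = b"\x30\x82constructed-old-root"
NEW_ROOT_DER = b"\x30\x82constructed-new-root"
LEAF_DER = b"\x30\x82constructed-leaf"

if __name__ == "__main__":
    store = {sha256_hex(OLD_ROOT_DER): OLD_ROOT_DER}
    print(run_flow("root_not_found", bytes([KIND_ROOT_CERT]) + NEW_ROOT_DER,
                   [LEAF_DER, NEW_ROOT_DER], store))
    print(sorted(store))
```

The fingerprint comparison ties the delivered root to the specific chain that failed in S710; before resuming at S712 a real terminal would also re-run the full chain verification under the newly installed root, which the page folds into "subsequent operations".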
This embodiment also provides a certificate obtaining method running on the server side. FIG. 8 is a flowchart of a certificate obtaining method running on the server side according to an embodiment of the present disclosure. As shown in FIG. 8, the certificate obtaining method includes the following steps: step S802, receiving a certificate obtaining request sent by the terminal, where the certificate obtaining request is used to request the changed root certificate, and the root certificate is used to form a complete certificate chain; step S804, sending response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request.
In some embodiments, receiving the certificate obtaining request sent by the terminal includes: receiving the certificate obtaining request sent by the terminal through first predetermined signaling.
In some embodiments, sending response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request includes: determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, where the response information carries parameters for obtaining the changed root certificate; and sending the response information to the terminal through second predetermined signaling.
In some embodiments, the first predetermined signaling includes Protocol Configuration Options (PCO) signaling, and the second predetermined signaling includes PCO signaling.
In some embodiments, the certificate obtaining method further includes: after sending the response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request, notifying the core network to update the certificate, for example by sending notification information to the core network, where the notification information carries the valid information of the certificate. It should be noted that the core network synchronizes the trusted certificate used by the operator's server in a timely manner, and the synchronization method is not limited.
It should be noted that, since the operator's server and the core network are responsible for different functions, synchronization between the two is involved; however, since both belong to the operator's internal network, the synchronization work is relatively easy. FIG. 9 is an interaction example of network-side digital certificate synchronization according to an embodiment of the present disclosure. As shown in FIG. 9, the network-side digital certificate synchronization includes the following two schemes: scheme 1, when the certificate used by the operator's server changes, the core network is notified in time to update the certificate; scheme 2, the operator's server and the core network synchronize periodically according to certain rules.
In the present disclosure, when some functions of the terminal cannot be used normally because the certificates of the terminal and the operator's server do not match, the terminal configures Protocol Configuration Options (PCO) and sends a trusted certificate obtaining request to the network side, requesting the network side to deliver, through the corresponding response message, the certificate used by the server or certificate-related content to the terminal; the terminal then parses the received response message and performs the corresponding operations. This effectively ensures secure and reliable synchronization of certificates between the terminal and the server, and ultimately ensures normal communication between the terminal and the operator's server.
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software together with the necessary general-purpose hardware platform, and of course may also be implemented by hardware alone, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present disclosure, in essence or in the part that contributes to the related art, may be embodied in the form of a computer software product stored on a storage medium (such as ROM/RAM, a magnetic disk, an optical disc, etc.), including several instructions for causing a terminal device (such as a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present disclosure.
Embodiments of the present disclosure also provide a certificate obtaining apparatus, which is used to implement the certificate obtaining method of the above embodiments and implementations; what has already been described above is not repeated here. As used below, the term "module" is a combination of software and/or hardware that can implement a predetermined function. Although the certificate obtaining apparatus described below is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and conceivable.
FIG. 10 is a structural block diagram of a certificate obtaining apparatus (for the terminal side) according to an embodiment of the present disclosure. As shown in FIG. 10, the certificate obtaining apparatus includes: a detecting module 102, configured to authenticate the root certificate or certificate chain of the server; a sending module 104, connected to the detecting module 102 and configured to send a certificate obtaining request to the server when authentication fails, where the certificate obtaining request is used to request the changed root certificate in the server, and the root certificate is used to form a complete certificate chain; and an obtaining module 106, connected to the sending module 104 and configured to obtain the changed root certificate in the server according to the response information of the server to the certificate obtaining request.
In some embodiments, the sending module 104 is configured to send the certificate obtaining request to the server through first predetermined signaling.
In some embodiments, the obtaining module 106 is configured to receive response information sent by the server through second predetermined signaling in response to the certificate obtaining request, where the response information carries parameters for obtaining the changed root certificate; the obtaining module 106 is further configured to parse the response information to obtain the parameters, and then obtain the changed root certificate according to the parameters.
FIG. 11 is a structural block diagram of another certificate obtaining apparatus (for the server side) according to an embodiment of the present disclosure. As shown in FIG. 11, the certificate obtaining apparatus includes: a receiving module 112, configured to receive a certificate obtaining request sent by the terminal, where the certificate obtaining request is used to request the changed root certificate, and the root certificate is used to form a complete certificate chain; and a sending module 114, connected to the receiving module 112 and configured to send response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request.
It should be noted that each of the above modules may be implemented by software or hardware. When implemented by hardware, the above modules may all be located in the same processor, or the above modules may be located in different processors in any combination; however, the implementation is not limited to this.
Embodiments of the present disclosure also provide a storage medium, which includes a stored program; when run, the stored program performs the steps of the certificate obtaining method of the above embodiments of the present disclosure.
In some embodiments, the above storage medium may be configured to store program code for performing the following steps (for the terminal side): S1, authenticating the root certificate or certificate chain of the server; S2, when authentication fails, sending a certificate obtaining request to the server, where the certificate obtaining request is used to request the changed root certificate in the server, and the root certificate is used to form a complete certificate chain; S3, obtaining the changed root certificate in the server according to the response information of the server to the certificate obtaining request.
In some embodiments, authenticating the root certificate or certificate chain of the server in step S1 includes: initiating a handshake request to the server; receiving the certificate returned by the server in response to the handshake request; and authenticating the root certificate or certificate chain of the server by checking whether a certificate matching the one returned by the server in response to the handshake request exists locally.
In some embodiments, sending the certificate obtaining request to the server in step S2 includes: sending the certificate obtaining request to the server through first predetermined signaling.
In some embodiments, obtaining the changed root certificate in the server according to the response information of the server to the certificate obtaining request in step S3 includes: receiving response information sent by the server through second predetermined signaling in response to the certificate obtaining request, where the response information carries parameters for obtaining the changed root certificate; parsing the response information to obtain the parameters; and obtaining the changed root certificate according to the parameters.
In some embodiments, the first predetermined signaling includes Protocol Configuration Options (PCO) signaling.
In some embodiments, the second predetermined signaling includes Protocol Configuration Options (PCO) signaling.
In some embodiments, the above storage medium may be configured to store program code for performing the following steps (for the server side): S1', receiving a certificate obtaining request sent by the terminal, where the certificate obtaining request is used to request the changed root certificate, and the root certificate is used to form a complete certificate chain; S2', sending response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request.
In some embodiments, receiving the obtaining request sent by the terminal in step S1' includes: receiving the certificate obtaining request sent by the terminal through first predetermined signaling.
In some embodiments, sending response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request in step S2' includes: determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, where the response information carries parameters for obtaining the changed root certificate; and sending the response information to the terminal through second predetermined signaling.
In some embodiments, the above storage medium is further configured to store program code for performing the following step: after sending the response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request, notifying the core network to update the certificate.
In some embodiments, the above storage medium may include, but is not limited to, various media that can store program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disc.
本公开的实施例还提供了一种处理器,该处理器用配置为运行程序,该程序运行时执行上述本公开的实施例的证书获取方法中的步骤。Embodiments of the present disclosure also provide a processor configured to execute a program that, when executed, performs the steps in the certificate acquisition method of the embodiments of the present disclosure described above.
In some embodiments, the program run by the processor performs the following steps (terminal side): S1, authenticating the server's root certificate or certificate chain; S2, if the authentication fails, sending a certificate obtaining request to the server, where the certificate obtaining request is used to request the changed root certificate held by the server, and the root certificate is used to form a complete certificate chain; S3, obtaining the changed root certificate from the server according to the response information the server returns in response to the certificate obtaining request.
In some embodiments, authenticating the server's root certificate or certificate chain in step S1 comprises: initiating a handshake request to the server; receiving the certificate returned by the server according to the handshake request; and authenticating the server's root certificate or certificate chain by detecting whether a certificate matching the one returned by the server exists locally, so as to detect whether the server's root certificate has changed.
In some embodiments, sending the certificate obtaining request to the server in step S2 comprises: sending the certificate obtaining request to the server by first predetermined signaling.
In some embodiments, obtaining the changed root certificate from the server according to the response information in step S3 comprises: receiving the response information that the server returns to the certificate obtaining request by second predetermined signaling, where the response information carries a parameter for obtaining the changed root certificate; and parsing the response information to obtain the parameter, then obtaining the changed root certificate according to the parameter.
In some embodiments, the first predetermined signaling includes Protocol Configuration Options (PCO) signaling.
In some embodiments, the second predetermined signaling includes Protocol Configuration Options (PCO) signaling.
In some embodiments, the program run by the processor performs the following steps (server side): S1', receiving a certificate obtaining request sent by the terminal, where the certificate obtaining request is used to request the changed root certificate, and the root certificate is used to form a complete certificate chain; S2', sending response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request.
In some embodiments, receiving the certificate obtaining request sent by the terminal in step S1' comprises: receiving the certificate obtaining request sent by the terminal by first predetermined signaling.
In some embodiments, sending the response information for obtaining the changed root certificate to the terminal according to the certificate obtaining request in step S2' comprises: determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, where the response information carries a parameter for obtaining the changed root certificate; and sending the response information to the terminal by second predetermined signaling.
For specific examples of each step, reference may be made to the examples described above; they are not repeated here.
Obviously, those skilled in the art should understand that the modules or steps of the present disclosure described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. In some embodiments, the modules or steps of the present disclosure may be implemented by program code executable by a computing device, so that the program code may be stored in a storage device and executed by the computing device. In certain cases, the steps of the present disclosure may be performed in an order different from that shown or described herein; alternatively, the modules or steps of the present disclosure may each be fabricated as separate integrated circuit modules, or multiple modules or steps may be fabricated as a single integrated circuit module. As such, implementations of the present disclosure are not limited to any particular combination of hardware and software.
The above description covers only exemplary embodiments of the present disclosure and is not intended to limit it; those skilled in the art may make various modifications and changes to the present disclosure. Any modification, equivalent substitution, improvement or the like made within the principles of the present disclosure shall be included within the scope of protection of the present disclosure.
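The terminal-side steps S1 to S3 and the server-side steps S1' and S2' as one simulated exchange. This is an added example, not code from the patent or its applicant: constructed byte strings stand in for DER certificates, SHA-256 stands in for a fingerprint, the PCO-style container layout and container ids are assumed placeholders, and the response parameter is assumed to be a fingerprint plus a locator, since the patent leaves the parameter format open.

```python
import hashlib
import struct

# Added example, not the patent's code. Constructed byte strings stand in for
# DER certificates, and SHA-256 over the bytes stands in for a fingerprint.
OLD_ROOT, NEW_ROOT, LEAF = b"constructed-root-v1", b"constructed-root-v2", b"constructed-leaf"
# Assumed PCO-style container: 2-byte id, 1-byte length, contents. The ids are
# placeholders; the patent fixes neither the ids nor the parameter format.
CID_CERT_REQUEST, CID_CERT_RESPONSE, FP_LEN = 0xFF01, 0xFF02, 32

def fingerprint(cert: bytes) -> bytes:
    return hashlib.sha256(cert).digest()

def encode_container(cid: int, payload: bytes) -> bytes:
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    return struct.pack(">HB", cid, len(payload)) + payload

def decode_container(data: bytes, expected_cid: int) -> bytes:
    if len(data) < 3:
        raise ValueError("container header truncated")
    cid, length = struct.unpack(">HB", data[:3])
    if cid != expected_cid or len(data) != 3 + length:
        raise ValueError("unexpected container id or length")
    return data[3:]

class Terminal:
    def __init__(self, trusted_roots):
        self.trusted = {fingerprint(r): r for r in trusted_roots}
    def authenticate(self, chain) -> bool:
        # S1: accept the handshake chain only if its root is already stored locally.
        return fingerprint(chain[-1]) in self.trusted
    def build_request(self, chain) -> bytes:
        # S2: name the unrecognised root by fingerprint so the server knows what changed.
        return encode_container(CID_CERT_REQUEST, fingerprint(chain[-1]))

    def handle_response(self, msg: bytes, fetch) -> bytes:
        # S3: parse the parameters, fetch the root, install it only if it matches the fingerprint.
        payload = decode_container(msg, CID_CERT_RESPONSE)
        expected_fp, locator = payload[:FP_LEN], payload[FP_LEN:].decode("ascii")
        root = fetch(locator)
        if fingerprint(root) != expected_fp:
            raise ValueError("fetched root does not match the signalled fingerprint")
        self.trusted[expected_fp] = root
        return root

def server_handle_request(msg: bytes, root: bytes, locator: str) -> bytes:
    # S1'/S2': validate the request container, then answer with parameters for the new root.
    decode_container(msg, CID_CERT_REQUEST)
    return encode_container(CID_CERT_RESPONSE, fingerprint(root) + locator.encode("ascii"))

def run_exchange(fetched_root: bytes = NEW_ROOT):
    # Constructed scenario: the server rotated to NEW_ROOT while the terminal trusts only OLD_ROOT;
    # fetched_root lets a caller simulate a download that does not match the signalled fingerprint.
    terminal, chain = Terminal([OLD_ROOT]), [LEAF, NEW_ROOT]
    before = terminal.authenticate(chain)
    if not before:
        resp = server_handle_request(terminal.build_request(chain), NEW_ROOT, "root-v2.der")
        terminal.handle_response(resp, fetch=lambda locator: fetched_root)
    return before, terminal.authenticate(chain)
```

`run_exchange()` returns `(False, True)`: the chain is rejected against the old local root, the request/response round trip installs the new root, and the same chain then authenticates; a fetched root that does not match the signalled fingerprint is refused instead of installed.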

Claims (18)

  1. A method for obtaining a certificate, comprising the steps of:
    authenticating a root certificate or a certificate chain of a server;
    if the authentication fails, sending a certificate obtaining request to the server, wherein the certificate obtaining request is used to request the changed root certificate in the server, and the root certificate is used to form a complete certificate chain; and
    obtaining the changed root certificate in the server according to response information returned by the server in response to the certificate obtaining request.
  2. The method according to claim 1, wherein the step of authenticating the root certificate or the certificate chain of the server comprises:
    initiating a handshake request to the server;
    receiving a certificate returned by the server according to the handshake request; and
    authenticating the root certificate or the certificate chain of the server by detecting whether a certificate matching the certificate returned by the server according to the handshake request exists locally.
  3. The method according to claim 1, wherein the step of sending the certificate obtaining request to the server comprises:
    sending the certificate obtaining request to the server by first predetermined signaling.
  4. The method according to claim 1, wherein the step of obtaining the changed root certificate in the server according to the response information returned by the server in response to the certificate obtaining request comprises:
    receiving response information that the server returns to the certificate obtaining request by second predetermined signaling, wherein the response information carries a parameter for obtaining the changed root certificate; and
    parsing the response information to obtain the parameter, and obtaining the changed root certificate according to the parameter.
  5. The method according to claim 3, wherein the first predetermined signaling comprises protocol configuration options signaling.
  6. The method according to claim 4, wherein the second predetermined signaling comprises protocol configuration options signaling.
  7. A method for obtaining a certificate, comprising the steps of:
    receiving a certificate obtaining request sent by a terminal, wherein the certificate obtaining request is used to request a changed root certificate, and the root certificate is used to form a complete certificate chain; and
    sending, according to the certificate obtaining request, response information for obtaining the changed root certificate to the terminal.
  8. The method according to claim 7, wherein the step of receiving the certificate obtaining request sent by the terminal comprises:
    receiving the certificate obtaining request sent by the terminal by first predetermined signaling.
  9. The method according to claim 7, wherein the step of sending, according to the certificate obtaining request, the response information for obtaining the changed root certificate to the terminal comprises:
    determining, according to the certificate obtaining request, the response information for obtaining the changed root certificate, wherein the response information carries a parameter for obtaining the changed root certificate; and
    sending the response information to the terminal by second predetermined signaling.
  10. The method according to claim 7, further comprising the step of:
    after sending, according to the certificate obtaining request, the response information for obtaining the changed root certificate to the terminal, notifying a core network to perform a certificate update.
  11. A certificate obtaining device, comprising:
    a detection module, configured to authenticate a root certificate or a certificate chain of a server;
    a sending module, configured to send a certificate obtaining request to the server if the authentication fails, wherein the certificate obtaining request is used to request the changed root certificate in the server, and the root certificate is used to form a complete certificate chain; and
    an obtaining module, configured to obtain the changed root certificate in the server according to response information returned by the server in response to the certificate obtaining request.
  12. The device according to claim 11, wherein the sending module is further configured to send the certificate obtaining request to the server by first predetermined signaling.
  13. The device according to claim 11, wherein the obtaining module is further configured to:
    receive response information that the server returns to the certificate obtaining request by second predetermined signaling, wherein the response information carries a parameter for obtaining the changed root certificate; and
    parse the response information to obtain the parameter, and obtain the changed root certificate according to the parameter.
  14. A certificate obtaining device, comprising:
    a receiving module, configured to receive a certificate obtaining request sent by a terminal, wherein the certificate obtaining request is used to request a changed root certificate, and the root certificate is used to form a complete certificate chain; and
    a sending module, configured to send, according to the certificate obtaining request, response information for obtaining the changed root certificate to the terminal.
  15. A storage medium comprising a stored program which, when run, performs the method according to any one of claims 1 to 6.
  16. A processor configured to run a program which, when run, performs the method according to any one of claims 1 to 6.
  17. A storage medium comprising a stored program which, when run, performs the method according to any one of claims 7 to 10.
  18. A processor configured to run a program which, when run, performs the method according to any one of claims 7 to 10.
PCT/CN2018/078824 2017-05-31 2018-03-13 Certificate obtaining method and device WO2018219009A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710400108.3A CN108989039A (en) 2017-05-31 2017-05-31 Certificate acquisition method and device
CN201710400108.3 2017-05-31

Publications (1)

Publication Number Publication Date
WO2018219009A1 true WO2018219009A1 (en) 2018-12-06

Also Published As

Publication number Publication date
CN108989039A (en) 2018-12-11

Legal Events

Code Title / Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 18809562; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 18809562; country of ref document: EP; kind code of ref document: A1)