Dynamic permission verification system and method based on trust certificates
Technical field
The present invention relates to the field of computer application technology, and specifically to a dynamic permission verification system and method based on trust certificates.
Background art
HTTP (Hypertext Transfer Protocol) is used to transmit information between a web browser and a website server. HTTP transmits content in plaintext and provides no form of data encryption, so if an attacker intercepts the messages passing between the web browser and the website server, the information in them can be read directly. HTTP is therefore unsuitable for transmitting sensitive information such as credit card numbers and passwords.
To address this defect of HTTP, another protocol is needed: Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). To secure data transmission, HTTPS adds the SSL protocol on top of HTTP; SSL authenticates the identity of the server by means of a certificate and encrypts the communication between the browser and the server.
The main differences between HTTPS and HTTP are the following:
First, HTTPS requires applying to a CA for a certificate.
Second, HTTP is the Hypertext Transfer Protocol, in which information is transmitted in plaintext, whereas HTTPS is a transport protocol encrypted with SSL, which provides security.
Third, an HTTP connection is very simple and stateless. HTTPS is a network protocol built from SSL plus HTTP that performs encrypted transmission and identity authentication, and is more secure than HTTP.
In recent years, with the rapid development of computer networks, the security of permission verification in key business systems has received increasing attention. Permission verification based on trust certificates is an important class of such schemes, and on this basis the present invention provides a technique for dynamic permission verification based on trust certificates.
Summary of the invention
The technical task of the present invention is to address the above shortcomings by providing a dynamic permission verification system and method based on trust certificates.
A dynamic permission verification system based on trust certificates comprises:
a client;
a server; and
a trust store, which stores the information of all trusted certificates in list form and is used for certificate verification during encrypted communication between the client and the server.
The trust store is used by the server to verify whether a received client certificate is trusted. This verification is implemented by a dynamic verification class, whose verification process is as follows:
The dynamic verification class first determines whether the trust store has been modified. If the trust store has been modified, its contents are reloaded, and after the reload is complete the class determines whether the current client certificate is in the trusted certificate list;
If the trust store has not been modified, the class directly determines whether the current client certificate is in the trusted certificate list.
The dynamic verification class uses a globally accessible attribute as the flag by which it determines whether the trust store has been modified; the attribute may be a global variable, a file on disk or a record in a database.
A dynamic permission verification method based on trust certificates, based on the above system, is implemented by the following steps:
Step 1. First verify whether the certificate version information of the client and of the server is legal;
Step 2. After that verification passes, the server determines by means of the trust store whether the client certificate is legal;
Step 3. The server selects an encryption scheme, encrypts it with the received public key and sends it to the client;
Step 4. The client decrypts it with its private key, generates a new symmetric encryption key, encrypts that key and sends it to the server;
Step 5. The server decrypts with its private key and obtains the symmetric encryption key;
Step 6. The client and the server communicate with symmetric encryption, ensuring communication security.
The process of step 1 is:
The client sends its certificate version information to the server;
The server returns its certificate version, random number information and the server public key to the client;
The client verifies whether the server certificate is legal; if it is legal, the client continues, otherwise it raises an alert.
In step 2, after the verification passes, the client sends its own certificate and public key to the server. The server verifies the client certificate and, once verification finishes, obtains the client public key. The client then sends the symmetric encryption schemes it supports to the server for the server to choose from.
The process by which the server verifies the client certificate is:
First configure a flag that represents whether the trust store has been modified;
Check the above flag. If the trust store has been modified, reload the trust store; after the reload is complete, reset the global flag to the unmodified state, then determine whether the current client certificate is in the trusted certificate list;
If the trust store has not been modified, directly determine whether the current client certificate is in the trusted certificate list.
The flag is a globally accessible attribute, which may be a global variable, a file on disk or a record in a database, and represents whether the trust store has been modified.
The process of step 3 is:
The server selects a cipher mode according to the symmetric encryption schemes sent by the client;
The server encrypts the chosen encryption scheme with the client public key and sends it to the client.
The process of step 4 is:
After the client receives the cipher mode, it decrypts it with its private key and generates a random value to serve as the symmetric encryption key. It encrypts this key with the server public key and sends it to the server; the server then decrypts the ciphertext with its private key and obtains the symmetric encryption key.
Compared with the prior art, the dynamic permission verification system and method based on trust certificates of the present invention has the following beneficial effects:
The dynamic permission verification system and method based on trust certificates of the present invention has the advantages of encrypted transmission and no risk of password disclosure, and supports dynamic modification of the trusted certificate list: newly added or removed trusted certificates take effect immediately, so that system access permissions are controlled effectively and in time. It is practical and widely applicable, and has good value for promotion and application.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Figure 1 is a flow chart of the implementation of the method of the present invention.
Figure 2 is a flow chart of certificate verification based on the trust store in the present invention.
Figure 3 is a diagram of the web container connector configuration of the present invention.
Embodiments
In order that those skilled in the art may better understand the solution of the present invention, the invention is described in further detail below with reference to the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
A dynamic permission verification system based on trust certificates comprises:
a client;
a server; and
a trust store, which stores the information of all trusted certificates in list form and is used for certificate verification during encrypted communication between the client and the server.
The trust store is used by the server to verify whether a received client certificate is trusted. This verification is implemented by a dynamic verification class, whose verification process is as follows:
The dynamic verification class first determines whether the trust store has been modified. If the trust store has been modified, its contents are reloaded, and after the reload is complete the class determines whether the current client certificate is in the trusted certificate list;
If the trust store has not been modified, the class directly determines whether the current client certificate is in the trusted certificate list.
The dynamic verification class uses a globally accessible attribute as the flag by which it determines whether the trust store has been modified; the attribute may be a global variable, a file on disk or a record in a database.
Taking Tomcat as the example of the server-side container:
As in Figure 3, configure the Connector of the web container (Tomcat in this example) and specify the class name of the trust manager.
Implement a custom dynamic trust store verification class: DynamicTrustManager.
As in Figure 2, the class implemented in the previous step first checks the global flag; if the trust store has been modified, it reloads the trust store. After loading is complete, it determines whether the current client certificate is in the trusted certificate list.
If the trust store has not been modified, it directly determines whether the current client certificate is in the trusted certificate list, as in step 5 of Figure 1.
Proceed according to the result of the previous step: if verification passes, obtain the client public key and continue the subsequent communication, as in the steps following step 5 in Figure 1.
If verification does not pass, communication is terminated and the connection is closed.
Whenever the trust store is modified, including additions and deletions, update the global flag to the modified state.
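The DynamicTrustManager of Figure 2, written out as an added Java example; this is illustrative code, not the patent's own implementation. It assumes the trust store is a keystore file named by two hypothetical system properties and that the global flag is a static AtomicBoolean which any code that adds or removes certificates sets to true; the class keeps a zero-argument constructor because that is what a container instantiating it by class name (Tomcat's trustManagerClassName setting) requires.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Added example of the dynamic trust-store verification class described above; not the patent's own code.
// Assumed (hypothetical) system properties dynamic.truststore.path / dynamic.truststore.password name a
// JKS or PKCS12 file; the "modified" flag is the static AtomicBoolean that store-editing code sets to true.
public class DynamicTrustManager implements X509TrustManager {
    // Globally accessible flag (the patent also allows a file on disk or a database record).
    public static final AtomicBoolean TRUST_STORE_MODIFIED = new AtomicBoolean(false);
    private volatile X509TrustManager delegate;  // JDK trust manager over the currently loaded store
    public DynamicTrustManager() throws Exception {  // zero-argument constructor, as a container expects
        delegate = load();
    }
    // Figure 2, "reload trust store": rebuild the delegate from the file on disk.
    private static X509TrustManager load() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(System.getProperty("dynamic.truststore.path"))) {
            ks.load(in, System.getProperty("dynamic.truststore.password", "").toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    // Check the flag; if set, reload once and reset it, then verify against the current list.
    private X509TrustManager current() throws CertificateException {
        if (TRUST_STORE_MODIFIED.compareAndSet(true, false)) {
            try {
                delegate = load();
            } catch (Exception e) {
                TRUST_STORE_MODIFIED.set(true);  // leave the flag set so the next handshake retries
                throw new CertificateException("trust store reload failed", e);
            }
        }
        return delegate;
    }
    // A CertificateException thrown here fails the handshake, so the connection is closed (Figure 1).
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkServerTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Because the check runs on every client handshake, a certificate removed from the store is rejected on the next connection attempt, which is the "takes effect immediately" property claimed above; connections that are already established are not affected.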
As shown in Figures 1 and 2, a dynamic permission verification method based on trust certificates, based on the above system, is implemented by the following steps:
Step 1. First verify whether the certificate version information of the client and of the server is legal;
Step 2. After that verification passes, the server determines by means of the trust store whether the client certificate is legal;
Step 3. The server selects an encryption scheme, encrypts it with the received public key and sends it to the client;
Step 4. The client decrypts it with its private key, generates a new symmetric encryption key, encrypts that key and sends it to the server;
Step 5. The server decrypts with its private key and obtains the symmetric encryption key;
Step 6. The client and the server communicate with symmetric encryption, ensuring communication security.
The process of step 1 is:
The client sends its certificate version information to the server;
The server returns its certificate version, random number information and the server public key to the client;
The client verifies whether the server certificate is legal; if it is legal, the client continues, otherwise it raises an alert.
In step 2, after the verification passes, the client sends its own certificate and public key to the server. The server verifies the client certificate and, once verification finishes, obtains the client public key. The client then sends the symmetric encryption schemes it supports to the server for the server to choose from.
The process by which the server verifies the client certificate is:
First configure a flag that represents whether the trust store has been modified;
Check the above flag. If the trust store has been modified, reload the trust store; after the reload is complete, reset the global flag to the unmodified state, then determine whether the current client certificate is in the trusted certificate list;
If the trust store has not been modified, directly determine whether the current client certificate is in the trusted certificate list.
The flag is a globally accessible attribute, which may be a global variable, a file on disk or a record in a database, and represents whether the trust store has been modified.
The process of step 3 is:
The server selects a cipher mode according to the symmetric encryption schemes sent by the client;
The server encrypts the chosen encryption scheme with the client public key and sends it to the client.
The process of step 4 is:
After the client receives the cipher mode, it decrypts it with its private key and generates a random value to serve as the symmetric encryption key. It encrypts this key with the server public key and sends it to the server; the server then decrypts the ciphertext with its private key and obtains the symmetric encryption key.
The present invention is applicable to permission verification systems based on the HTTPS protocol and trust certificates.
The certificates involved are required to use the X.509 certificate format.
Entries in the trust store that the system uses to check certificate validity can be added and deleted dynamically.
This patent applies to HTTPS mutual authentication.
Through the above embodiments, those skilled in the art can readily implement the present invention. It should be understood, however, that the present invention is not limited to the above embodiments. On the basis of the disclosed embodiments, those skilled in the art may combine different technical features to realize different technical solutions.
Technical features not described in the specification are known technology to those skilled in the art.