CN111641615A - Distributed identity authentication method and system based on certificate - Google Patents

Abstract

The invention discloses a distributed identity authentication method and a distributed identity authentication system based on certificates, wherein the method comprises the following steps: when a certificate needs to be applied, the client generates a password pair comprising a public key and a private key, and sends the public key and user information to the verification server; after receiving the public key and the user information sent by the client, the verification server verifies the user information; if the verification is successful, a certificate of the client is issued and returned to the client; when the client receives the certificate returned by the verification server, the certificate and the private key are merged and stored in the client; after the client obtains the current certificate, the certificate can be used for initiating connection of signing the certificate, modifying verification information and changing certificate functions to the verification server, and service request connection can also be initiated to the service server. Even if the communication is completely intercepted, other operations can not be carried out through the intercepted information, the number of servers needing to access the user information is reduced, and the performance overhead is saved.

Description

Distributed identity authentication method and system based on certificate

Technical Field

The invention relates to the technical field of communication, in particular to a distributed identity authentication method and a distributed identity authentication system based on certificates.

Background

In the program model in which the client and the server are separated, the server needs to verify the client and confirm the identity of the user. In a common scenario, for example, a login interface, a client needs to enter own identity information in the interface, and after the server confirms that the information is correct, the client can be allowed to perform subsequent operations with the identity. After the information is verified, there are generally two problems to be solved: firstly, how the two parties store the trust relationship means that the user name and the password of the user need not to be filled in each step of operation of the client; secondly, how to control the transmission range of the trust relationship, namely, the client can simulate the identity of the client to communicate with the server without intercepting the request of the client; it is also undesirable that each server need to independently verify identity when the number of servers is large. There are three common authentication methods:

1. the client stores the own user information including authentication information (such as a password) in an encrypted form, and submits the information to the server every time the server is accessed. This information is generated and stored by the client. This approach is typically only applicable to client applications and does not adapt well to web browsers.

2. The client places its own user information, including authentication information, in some encrypted form in a cookie (the cookie is a "cookie" of the type used by some websites to identify the user's identity, and is data (usually encrypted) stored on the user's local terminal for Session tracking, and temporarily or permanently stored by the user's client computer) of the HTTP request. This cookie information is typically set by the server web program after the user's identity is verified. After setup, the client attaches this cookie information each time it accesses the server.

3. After the client verifies the user's identity at the server's web page, the server saves the user information (Session) and sends an encrypted serial number (which may be saved in a cookie) to the client. The client saves this sequence number and attaches it at each commit.

However, if the communication is intercepted, the interceptor can intercept the authentication information and operate by taking the authentication information as the user identity; each time a user logs in, the server needs to authenticate the user, which brings inconvenience and additional performance overhead. Also, once the algorithm is revealed, the interceptor can fool the server into authentication by making a false cookie. Therefore, to avoid this, the server usually records some other information about the user, such as the IP of the visitor. But if the user changes his own IP, it will cause authentication failure and re-authentication.

Disclosure of Invention

The invention aims to provide a distributed identity authentication method and a distributed identity authentication system based on certificates, and aims to solve the problems that in the prior art, an interceptor after communication is intercepted performs operation by using intercepted information, so that a user suffers loss, and the user needs to perform authentication to a server for multiple times during operation, so that extra performance overhead is caused.

The embodiment of the invention provides a distributed identity authentication method based on a certificate, which comprises the following steps:

when a certificate needs to be applied, a client generates a password pair comprising a public key and a private key, and sends the public key and user information to a verification server; after receiving a public key and user information sent by a client, the verification server verifies the user information; if the verification is successful, a certificate of the client is issued and returned to the client; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client;

when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server signs a new certificate according to the regenerated public key and returns the new certificate to the client;

when a service request needs to be initiated, the client initiates connection to a service server by using a current certificate and submits data required by a service function; and the service server verifies the validity of the current certificate, reads the identity information and the additional information in the certificate if the current certificate passes the verification, verifies whether the certificate has the authority to access the service function, executes the corresponding service function under the authority condition, and returns a result to the client.

Preferably, the method further comprises the following steps:

configuring a certificate of a certificate authority and a corresponding private key or a certificate signed by an upper certificate authority and a corresponding private key to the verification server;

configuring the certificate configured on the authentication server on the service server and the client so that the service server and the client trust the certificate as a trusted certificate authority; and configuring the verification information in the certificate to the service server so as to verify the certificate authority.

Preferably, the method further comprises the following steps:

the client side initiates a high-security limited service connection request to a service server by using a current certificate;

the service server verifies the validity of the current certificate;

and if the verification is passed, the service server generates a random value, records the random value and the current certificate in a local memory of the service server in an associated manner, and returns the random value to the client.

Preferably, the method further comprises the following steps:

the client initiates connection to the verification server by using a current certificate, and submits the random value to the verification server as a data block to be signed;

and after verifying the validity of the current certificate, the verification server verifies whether the data block meets the requirement of signature, if so, the private key of the certificate of the verification server is used for signing the data block, and the data block is sent back to the client.

Preferably, the method further comprises the following steps:

the client initiates connection to the service server by using the current certificate and sends the signed data blocks to the service server together;

after verifying the validity of the current certificate, the service server extracts the signed data block and checks whether the signature of the data block is the signature of a private key corresponding to the certificate of the certificate issuing authority on the data block; and if so, adding the identification information in the current certificate into a special credit granting list.

Preferably, the method further comprises the following steps:

the client initiates a high-security limited service connection to the service server by using the current certificate;

after verifying the validity of the current certificate, the service server reads the information in the current certificate and checks whether the identification information of the current certificate is in the special credit granting list;

and if the identification information of the current certificate is in the special credit granting list, executing the function of the corresponding high-safety limited service.

Preferably, when the certificate needs to be renewed, the verification information of the certificate needs to be modified, or the function of the certificate needs to be changed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server issues a new certificate according to the regenerated public key and returns the new certificate to the client, and the method comprises the following steps:

when the certificate needs to be renewed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server reissues a new certificate with the same function at the current time point according to the regenerated public key and returns the new certificate to the client;

if the verification information of the certificate needs to be modified, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server guides the user to modify verification information through the functional interface, re-issues a new certificate with the same function at the current time point according to the newly generated public key, and returns the new certificate to the client;

if the function of the certificate is changed, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; and after verifying the validity of the current certificate, the verification server guides the user to provide new certificate function information and verify the authority through the function interface, re-issues a new certificate with changed functions at the current time point according to the newly generated public key after the authority verification is passed, and returns the new certificate to the client.

The embodiment of the invention provides a distributed identity authentication system based on a certificate, which comprises a client, an authentication server and a service server:

the client is used for generating a password pair comprising a public key and a private key when a certificate is required to be applied, and sending the public key and user information to the verification server; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client;

the client is also used for regenerating a password pair comprising a public key and a private key when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, initiating connection to the verification server by using the current certificate, and submitting the regenerated public key;

the client is also used for initiating connection to the service server by using the current certificate and submitting data required by the service function when a service request needs to be initiated;

the verification server is used for verifying the user information after receiving the public key and the user information sent by the client; if the verification is successful, a certificate of the client is issued and returned to the client;

the verification server is also used for signing and issuing a new certificate according to the regenerated public key and returning the new certificate to the client after verifying the validity of the current certificate;

the business server is used for verifying the validity of the current certificate, reading the identity information and the additional information in the certificate if the current certificate passes the verification, verifying whether the certificate has the authority of accessing the business function, executing the corresponding business function under the authority condition, and returning the result to the client.

Preferably, the client is further configured to initiate a high security restricted service connection request to the service server using the current certificate;

the service server is also used for verifying the validity of the current certificate; and if the verification is passed, generating a random value, recording the random value and the current certificate in a local memory of the service server in an associated manner, and returning the random value to the client.

Preferably, the client is further configured to initiate a connection to the authentication server using the current certificate, and submit the random value to the authentication server as a data block to be signed;

and the verification server is also used for verifying whether the data block meets the requirement of signature after verifying the validity of the current certificate, and if so, the private key of the certificate of the verification server is used for signing the data block and sending the data block back to the client.

The embodiment of the invention provides a distributed identity authentication method and a distributed identity authentication system based on a certificate, wherein the method comprises the following steps: when a certificate needs to be applied, a client generates a password pair comprising a public key and a private key, and sends the public key and user information to a verification server; after receiving a public key and user information sent by a client, the verification server verifies the user information; if the verification is successful, a certificate of the client is issued and returned to the client; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client; when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server signs a new certificate according to the regenerated public key and returns the new certificate to the client; when a service request needs to be initiated, the client initiates connection to a service server by using a current certificate and submits data required by a service function; and the service server verifies the validity of the current certificate, reads the identity information and the additional information in the certificate if the current certificate passes the verification, verifies whether the certificate has the authority to access the service function, executes the corresponding service function under the authority condition, and returns a result to the client. By the invention, the following can be realized: 1. even if the communication is completely intercepted, the interceptor can not simulate the client side through the intercepted information to perform other operations; 2. no other servers than the particular authentication server need access to the user information data, nor need to be connected to the authentication server. Thus, servers can be deployed in a distributed fashion, with some servers even deployed in an isolated network (accessible only to specific clients and neither to other servers).

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic flowchart of a distributed certificate-based identity authentication method according to an embodiment of the present invention;

fig. 2 is a schematic block diagram of a certificate-based distributed authentication system according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It is to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.

Referring to fig. 1, fig. 1 is a schematic flowchart of a distributed authentication method based on a certificate according to an embodiment of the present invention, where the method includes steps S101 to S103:

s101, when a certificate needs to be applied, a client generates a password pair comprising a public key and a private key, and sends the public key and user information to a verification server; after receiving a public key and user information sent by a client, the verification server verifies the user information; if the verification is successful, a certificate of the client is issued and returned to the client; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client;

in this step, the client needs to apply for a certificate, specifically, the client generates a password pair including a public key and a private key, and then sends the public key and user information to the verification server, the verification server uses its functional interface to verify the user information, if the verification is successful, the client certificate is issued and returned to the client, if the verification is unsuccessful, an error state is returned, and after receiving the returned certificate, the client merges and stores the certificate and the private key, so as to perform subsequent other operations.

Specifically, the client may generate the password pair through an RSA algorithm (in subsequent steps, the password pair may be generated by using the RSA algorithm), which is an unpaired encryption algorithm. Asymmetric encryption keys, two per group, are generated at the time of generation, and because it is difficult to deduce the other key by knowing only one of the keys due to mathematical properties, data encrypted using one of the keys can only be decrypted by the other key. In use, one of the generated keys is advertised (called a public key) and the other is kept in place (called a private key). Anyone can use the public key to encrypt data and send it to the owner of the private key. Since only the private key owner can decrypt the data, it is also possible to prevent others from lying on their own as the private key owner to obtain the plaintext information. Also, data encrypted using a private key can be decrypted by anyone using the corresponding public key. This operation can be used to ensure that the person issuing the information is necessarily the owner of the private key. In use, the owner of the private key typically performs a digest algorithm (hash) on the plaintext information to be transmitted, and encrypts the digest result using the private key, which is called signature. The receiver uses the same algorithm to calculate the abstract information of the plaintext, and compares the abstract information with the signature decrypted by the public key, so that whether the original sender is the corresponding private key owner can be known.

The certificate type applied by the client may be an x.509 certificate, where x.509 is a format standard of a public key certificate in cryptography. The x.509 certificate refers to a certificate (hereinafter, referred to as a certificate) conforming to the x.509 standard, which is issued by an issuing authority granted with trust and is an electronic certificate for certifying the identity of an owner. In practical use, the owner provides the communication party with the own certificate to show the identity information of the owner, the certificate contains the public key, the communication party can encrypt the information by using the public key and sends the certificate encrypted by the public key back to the other party, and because only the private key can decrypt the information encrypted by the public key and the private key does not leave the equipment of the owner, the process can identify whether the sender of the certificate is the real owner of the certificate instead of a thief. The certificate will typically contain the following information: subject (Subject), public key information of the Subject, validity period (start and end time) of the certificate, issuer, extension information, signature of the issuer. A fingerprint is an attribute of a certificate and is the result of a hash of the certificate itself.

The client refers to a terminal device (a holder has an account and authentication information (such as a password)) held by a user and used for accessing a specific function of the service server, and particularly refers to an application (app, a desktop program and the like) in the terminal device. The authentication server is a server for providing the identity authentication of the user at the client, and the number of the authentication servers can be multiple.

Specifically, the client generates a password pair including a public key and a private key, sends the public key and user information (user name or other information used as the function of the user name, such as a mobile phone number) to the authentication server, enables the authentication server to execute a function of applying for a certificate, guides and inputs other information (such as a password used as authentication information) according to a functional interface of the authentication server, obtains a certificate signed by the authentication server, and properly stores the certificate and the private key in a local place so as to perform subsequent other operations.

The specific process of the authentication server executing the function of applying for the certificate is as follows: the authentication server verifies the identity of the user (e.g., checking a password) using a functional interface (which may be a web page or other functional interface); if the verification is successful, the client certificate is issued and returned to the client; an error status is returned if the verification fails. The issued certificate contains user information provided by the client, a public key, a label using function, an effective date (the effective date is usually earlier than the current date, for example, 1 day before, in case of system time deviation), and an end time (usually, it is not suitable to be too late, for example, it may be set to be 7 days after the current date). The certificate may also contain other additional information for information verification of the specific service server, which may include, for example, department, identity, etc. of the user.

S102, when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server signs a new certificate according to the regenerated public key and returns the new certificate to the client;

in this step, when the certificate needs to be renewed, the verification information is modified, or the certificate is changed, because the existing public key is configured in the current certificate, the client regenerates a password pair including the public key and the private key for reapplication of the certificate; the client initiates connection to the verification server by using the current certificate and submits a newly generated public key to the verification server, the verification server verifies the validity of the current certificate of the client, and after the verification is passed, a new certificate is signed and returned to the client according to the new public key.

In one embodiment, the step S102 includes:

s201, when the certificate needs to be renewed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server reissues a new certificate with the same function at the current time point according to the regenerated public key and returns the new certificate to the client;

s202, if the verification information of the certificate needs to be modified, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server guides the user to modify verification information through the functional interface, re-issues a new certificate with the same function at the current time point according to the newly generated public key, and returns the new certificate to the client;

s203, if the function of the certificate is changed, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; and after verifying the validity of the current certificate, the verification server guides the user to provide new certificate function information and verify the authority through the function interface, re-issues a new certificate with changed functions at the current time point according to the newly generated public key after the authority verification is passed, and returns the new certificate to the client.

Specifically, in this embodiment, when the remaining time of the validity period of the certificate is less than a predetermined time (for example, 2 days), if the client needs to continue to use the certificate, a password pair including a public key and a private key needs to be generated again, the current certificate is connected to the authentication server, so that the authentication server performs a "certificate renewal" function, and after a new certificate issued by the authentication server is obtained, the obtained new certificate and the new private key are properly stored locally, so as to replace the existing old certificate information.

The specific process of executing the function of 'renewing certificate' by the verification server is as follows: the authentication server verifies the validity of the current certificate of the client, and the specific content of the validity verification is to verify whether the current certificate is issued by the authentication server and to check the owner of the current certificate, such as whether the client has a corresponding private key, time check, function check, and verification that the 'password modification time' of the user information data of the corresponding user cannot be later than the issuing time of the certificate, and the like, wherein the issuing time of the certificate can be calculated by combining the effective date of the certificate with an offset value set in the 'certificate application' function. After the check is passed, the verification server reissues the certificate with the same function at the current time point according to the new public key provided by the client, and returns the certificate to the client.

When the client needs to modify the verification information (such as a password) in the certificate, the client regenerates a password pair comprising a public key and a private key, connects to the verification server by using the current certificate, enables the verification server to execute a function of 'modifying the verification information', and guides to input related information (such as an old password and a new password) according to a function interface of the verification server. After obtaining the new certificate issued by the verification server, the obtained new certificate and the new private key are properly stored locally to replace the existing old certificate information.

The specific process of executing the function of 'modifying the verification information' by the verification server is as follows: the authentication server verifies the validity of the current certificate of the client (see the process of 'renewing the certificate' for details). After the verification is passed, the verification server uses a webpage or other functional interfaces to enable the user to modify the verification information. And after the modification is successful, reissuing a new certificate (see the process of 'renewing the certificate') and returning the new certificate to the client, and recording the current time in a 'password modification time' field of the user information data.

When the client needs to change the function of the certificate, the client regenerates a password pair containing a public key and a private key, uses the current certificate to connect to a verification server, so that the verification server executes the function of changing the certificate, and guides to input related information according to a functional interface of the verification server. After obtaining the new certificate issued by the verification server, the obtained new certificate and the new private key are properly stored locally to replace the existing old certificate information.

The specific process of the authentication server executing the function of changing the certificate is as follows: the authentication server verifies the validity of the current certificate of the client (the specific process can refer to the same processing mode of the 'renewing certificate' process). After the verification is passed, the server guides the user to provide new certificate function information and verify the authority by using a webpage or other function interfaces. And after the change is successful, reissuing a new certificate (specifically referring to the same processing mode of 'renewing certificate'), and returning the new certificate to the client. This function is used to modify additional information in the certificate to coordinate information authentication for a particular service server.

S103, when a service request needs to be initiated, the client initiates connection to a service server by using a current certificate and submits data required by a service function; and the service server verifies the validity of the current certificate, reads the identity information and the additional information in the certificate if the current certificate passes the verification, verifies whether the certificate has the authority to access the service function, executes the corresponding service function under the authority condition, and returns a result to the client.

In this step, the client may initiate a service request to the service server after obtaining the current certificate, and specifically, the client provides current certificate information to the service server and submits data required by a service function, and the service server verifies the validity of the current certificate of the client (the verification process is similar to that of the verification server and is not described again). And when the verification is passed, reading the identity information and the additional information in the current certificate, verifying whether the current certificate has the authority of accessing the service function, executing the corresponding service function under the authority condition, and returning the result to the client.

In an embodiment, the certificate-based distributed authentication method further includes:

configuring a certificate of a certificate authority and a corresponding private key or a certificate signed by an upper certificate authority and a corresponding private key to the verification server;

configuring the certificate configured on the authentication server on the service server and the client so that the service server and the client trust the certificate as a trusted certificate authority; and configuring the verification information in the certificate to the service server so as to verify the certificate authority.

In this embodiment, a certificate and a private key of a certificate authority of the certificate authority trusted by the service server and the client are provided for the authentication server (for convenience of distinction, the certificate may be referred to as a trusted certificate, the private key may be referred to as a trusted private key, the private key generated by the client may be referred to as a client private key, the public key generated by the client may be referred to as a client public key, and the certificate obtained by the client may be referred to as a client certificate), so that a certificate (client certificate) may be provided for the client in subsequent operations. Since the certificate authority is trusted by the client and the service server, the certificate (client certificate) signed by the authentication server through the certificate authority private key (trusted private key) is also trusted by the client and the service server.

The certificate authority, abbreviated CA. The certificate authority generates a certificate by self-signing, i.e. signs the self-generated certificate with its own private key. This certificate will be used as the certificate of the CA itself (trust certificate) and corresponding certificate information (without private key) will be sent to other users. If other users trust the authority, the certificate (trust certificate) is added to their trusted authority list, which trusts all certificates issued by the CA.

The following certificate issuance process (except self-signature) is explained below: the certificate applicant generates a set of passwords, keeps its private key well, and issues the public key, the intention to apply for the certificate (e.g., subject matter), extension information, etc. to a certain certificate authority. The latter will make some examination of the applicant to confirm that its true identity is the same as described. After examination, the certificate issuing authority signs the information of the issuer, the validity period of the certificate and the like according to the application intention, and the information is made into a certificate together with the signature and sent to the applicant. In this process, the applicant's private key does not leave the applicant's device. That is, if the certificate issued by the certificate authority is intercepted by others, the certificate cannot be normally used because the corresponding private key is not stored therein.

When the certificate is used, the certificate owner submits the own certificate to the opposite party of communication. The other party firstly analyzes the certificate, checks whether the certificate is authentic (the certificate itself is trusted or an issuing organization of the certificate is trusted and the certificate passes the signature check of a public key corresponding to the certificate of the organization), whether the certificate is in a valid period, whether the application of the certificate is met, and the like. After the check is passed, the communication party encrypts the subsequent information by the public key of the certificate and sends the subsequent information to the owner of the certificate. If it is the owner of the certificate as it is generated, it can decrypt the information using the corresponding private key.

In an embodiment, the certificate-based distributed authentication method further includes:

the client side initiates a high-security limited service connection request to a service server by using a current certificate;

the service server verifies the validity of the current certificate;

and if the verification is passed, the service server generates a random value, records the random value and the current certificate in a local memory of the service server in an associated manner, and returns the random value to the client.

In this embodiment, the client initiates a request for high security restricted service connection to a service server, and before the service server executes a high security restricted service function, the current certificate sent by the client needs to be added to a special credit granting list, so that the service server needs to perform a signature application on the current certificate sent by the client, and the service server generates a random value and returns the random value to the client.

Specifically, the client connects to the service server where the target function is located using the current certificate, executes the "signature application" function, and stores the random value returned from the service server. The specific process of executing the signature application by the service server is as follows: the service server verifies the validity of the client certificate (in particular, the same procedure as the foregoing procedure). And when the verification is passed, the business server generates a random value, records the random value in a local memory in association with the applicant certificate information, and returns the random value to the client.

In an embodiment, the certificate-based distributed authentication method further includes:

the client initiates connection to the verification server by using a current certificate, and submits the random value to the verification server as a data block to be signed;

and after verifying the validity of the current certificate, the verification server verifies whether the data block meets the requirement of signature, if so, the private key of the certificate of the verification server is used for signing the data block, and the data block is sent back to the client.

In an embodiment, the verification server signs the data block sent by the client, and returns the signed data block to the client. Specifically, a client uses a current certificate to connect to a verification server, so that the verification server executes a data signature function, the client submits an obtained random value as a data block to the verification server, and the verification server performs signature and returns the signature to the client to obtain a signature result.

The specific steps of the authentication server for executing the data signature are as follows: the authentication server verifies the validity of the current certificate of the client (in particular, the same procedure as the previous one). The client submits the obtained random value as a data block to the verification server, and the verification server signs the data block by using a private key (trust private key) of a certificate of the verification server and sends the data block back to the client.

It should be noted that, in order to prevent the above functions from being used for issuing any file, strict requirements are usually made on the format and length of the data block to be signed. The data generated by the service server's "signature application" must meet these requirements. For example, it may be required that the data must start with a particular content and be limited in length.

In an embodiment, the certificate-based distributed authentication method further includes:

the client initiates connection to the service server by using the current certificate and sends the signed data blocks to the service server together;

after verifying the validity of the current certificate, the service server extracts the signed data block and checks whether the signature of the data block is the signature of a private key corresponding to the certificate of the certificate issuing authority on the data block; and if so, adding the identification information in the current certificate into a special credit granting list.

In this embodiment, the client sends the signed data block to the service server, the service server verifies the signature of the data block after verifying the validity of the current certificate, and if the signature is signed by a private key (trusted private key) of a certificate authority trusted by the service server, the client adds the identification information in the current certificate of the client to a special trust list.

The method specifically comprises the following steps: the client initiates a connection using its own current credentials. The service server verifies the validity of the current certificate of the client (which must be issued by the verification server, owner check-check whether the client has a corresponding private key, time check, function check, etc., the process is the same as the foregoing embodiment). And the client sends the signed data block to a service server. The service server obtains the random value corresponding to the certificate, and verifies whether the signature is the signature of the random value by the private key (trust private key) of the CA certificate. If the certificate passes, the identification information of the current certificate is added into a special credit list.

In an embodiment, the certificate-based distributed authentication method further includes:

the client initiates a high-security limited service connection to the service server by using the current certificate;

after verifying the validity of the current certificate, the service server reads the information in the current certificate and checks whether the identification information of the current certificate is in the special credit granting list;

and if the identification information of the current certificate is in the special credit granting list, executing the function of the corresponding high-safety limited service.

In this embodiment, a client connects to a service server using a current certificate to execute a corresponding function of high security restriction, the service server checks the current certificate of the client, if identification information in the current certificate is listed in the special credit granting list, executes the function of the corresponding service of high security restriction, and if the service server returns no authority, executes an authorization process and then retries the operation.

The method specifically comprises the following steps: the client initiates a connection to the service server using the current certificate. The service server verifies the validity of the current certificate of the client (the process is the same as the foregoing embodiment). At the same time, the identification information in the current certificate is read again, and whether the identification information is in the special credit granting list is checked. And if the verification is passed, the identity information and the additional information in the current certificate are considered to be read, and whether the current certificate has the authority of accessing the function is verified. Only certificates located in a special trust list can access highly security-defined functions. The client can temporarily add the current certificate into a special trust list through the functions of signature application and signature verification, the validity period after the addition can be set to be several minutes to several hours generally, the certificate can be moved out after exceeding the validity period after the addition, and the certificate can be repeatedly applied and added after being moved out.

Referring to fig. 2, fig. 2 is a schematic block diagram of a distributed certificate-based authentication system according to an embodiment of the present invention, where the distributed certificate-based authentication system includes:

the system comprises aclient 201, averification server 202 and a verification server, wherein theclient 201 is used for generating a password pair comprising a public key and a private key when a certificate needs to be applied, and sending the public key and user information to theverification server 202; when theclient 201 receives the certificate returned by theauthentication server 202, the certificate and the private key are merged and stored in theclient 201;

theclient 201 is further configured to regenerate a password pair including a public key and a private key when the certificate needs to be renewed, the verification information of the certificate needs to be modified, or the function of the certificate needs to be changed, initiate connection to theverification server 202 using the current certificate, and submit the regenerated public key;

theclient 201 is further configured to initiate a connection to theservice server 203 using the current certificate and submit data required by the service function when a service request needs to be initiated;

theauthentication server 202, theauthentication server 202 is configured to authenticate the user information after receiving the public key and the user information sent by theclient 201; if the verification is successful, a certificate of the client is issued and returned to theclient 201;

theverification server 202 is further configured to, after verifying the validity of the current certificate, issue a new certificate according to the regenerated public key and return the new certificate to theclient 201;

and theservice server 203 is used for verifying the validity of the current certificate, reading the identity information and the additional information in the certificate if the current certificate passes the verification, verifying whether the certificate has the authority to access the service function, executing the corresponding service function under the authorized condition, and returning the result to theclient 201.

In an embodiment, theclient 201 is further configured to initiate a high security qualified service connection request to theservice server 203 using the current certificate;

theservice server 203 is further configured to verify the validity of the current certificate; if the verification is passed, a random value is generated, the random value and the current certificate are recorded in the local memory of theservice server 203 in an associated manner, and the random value is returned to theclient 201.

In an embodiment, theclient 201 is further configured to initiate a connection to theverification server 202 using the current certificate, and submit the random value to theverification server 202 as a data block to be signed;

theverification server 202 is further configured to verify whether the data block meets the requirement of signature after verifying the validity of the current certificate, and if so, sign the data block using a private key of the certificate of theverification server 202 and send the data block back to theclient 201.

The technical details of the above system embodiment correspond to the contents of the foregoing method embodiment, and thus are not described herein again.

The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A distributed authentication method based on certificates is characterized by comprising the following steps:

when a certificate needs to be applied, a client generates a password pair comprising a public key and a private key, and sends the public key and user information to a verification server; after receiving a public key and user information sent by a client, the verification server verifies the user information; if the verification is successful, a certificate of the client is issued and returned to the client; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client;

when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server signs a new certificate according to the regenerated public key and returns the new certificate to the client;

when a service request needs to be initiated, the client initiates connection to a service server by using a current certificate and submits data required by a service function; and the service server verifies the validity of the current certificate, reads the identity information and the additional information in the certificate if the current certificate passes the verification, verifies whether the certificate has the authority to access the service function, executes the corresponding service function under the authority condition, and returns a result to the client.

2. The certificate-based distributed authentication method according to claim 1, further comprising:

configuring a certificate of a certificate authority and a corresponding private key or a certificate signed by an upper certificate authority and a corresponding private key to the verification server;

configuring the certificate configured on the authentication server on the service server and the client so that the service server and the client trust the certificate as a trusted certificate authority; and configuring the verification information in the certificate to the service server so as to verify the certificate authority.

3. The certificate-based distributed authentication method according to claim 1, further comprising:

the client side initiates a high-security limited service connection request to a service server by using a current certificate;

the service server verifies the validity of the current certificate;

and if the verification is passed, the service server generates a random value, records the random value and the current certificate in a local memory of the service server in an associated manner, and returns the random value to the client.

4. The certificate-based distributed authentication method according to claim 3, further comprising:

the client initiates connection to the verification server by using a current certificate, and submits the random value to the verification server as a data block to be signed;

and after verifying the validity of the current certificate, the verification server verifies whether the data block meets the requirement of signature, if so, the private key of the certificate of the verification server is used for signing the data block, and the data block is sent back to the client.

5. The certificate-based distributed authentication method according to claim 4, further comprising:

the client initiates connection to the service server by using the current certificate and sends the signed data blocks to the service server together;

after verifying the validity of the current certificate, the service server extracts the signed data block and checks whether the signature of the data block is the signature of a private key corresponding to the certificate of the certificate issuing authority on the data block; and if so, adding the identification information in the current certificate into a special credit granting list.

6. The certificate-based distributed authentication method according to claim 5, further comprising:

the client initiates a high-security limited service connection to the service server by using the current certificate;

after verifying the validity of the current certificate, the service server reads the information in the current certificate and checks whether the identification information of the current certificate is in the special credit granting list;

and if the identification information of the current certificate is in the special credit granting list, executing the function of the corresponding high-safety limited service.

7. The certificate-based distributed identity authentication method of claim 1, wherein when the certificate needs to be renewed, the authentication information of the certificate is modified, or the function of the certificate is changed, the client regenerates a password pair including a public key and a private key, initiates a connection to the authentication server using the current certificate, and submits the regenerated public key; after verifying the validity of the current certificate, the verification server issues a new certificate according to the regenerated public key and returns the new certificate to the client, and the method comprises the following steps:

when the certificate needs to be renewed, the client regenerates a password pair containing a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server reissues a new certificate with the same function at the current time point according to the regenerated public key and returns the new certificate to the client;

if the verification information of the certificate needs to be modified, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; after verifying the validity of the current certificate, the verification server guides the user to modify verification information through the functional interface, re-issues a new certificate with the same function at the current time point according to the newly generated public key, and returns the new certificate to the client;

if the function of the certificate is changed, the client regenerates a password pair comprising a public key and a private key, initiates connection to the verification server by using the current certificate, and submits the regenerated public key to the verification server; and after verifying the validity of the current certificate, the verification server guides the user to provide new certificate function information and verify the authority through the function interface, re-issues a new certificate with changed functions at the current time point according to the newly generated public key after the authority verification is passed, and returns the new certificate to the client.

8. A distributed identity authentication system based on certificates is characterized by comprising a client, an authentication server and a service server:

the client is used for generating a password pair comprising a public key and a private key when a certificate is required to be applied, and sending the public key and user information to the verification server; when the client receives a certificate returned by the verification server, the certificate and the private key are merged and stored in the client;

the client is also used for regenerating a password pair comprising a public key and a private key when the certificate needs to be renewed, the verification information of the certificate needs to be modified or the function of the certificate needs to be changed, initiating connection to the verification server by using the current certificate, and submitting the regenerated public key;

the client is also used for initiating connection to the service server by using the current certificate and submitting data required by the service function when a service request needs to be initiated;

the verification server is used for verifying the user information after receiving the public key and the user information sent by the client; if the verification is successful, a certificate of the client is issued and returned to the client;

the verification server is also used for signing and issuing a new certificate according to the regenerated public key and returning the new certificate to the client after verifying the validity of the current certificate;

the business server is used for verifying the validity of the current certificate, reading the identity information and the additional information in the certificate if the current certificate passes the verification, verifying whether the certificate has the authority of accessing the business function, executing the corresponding business function under the authority condition, and returning the result to the client.

9. The certificate-based distributed authentication system according to claim 8,

the client is also used for initiating a high-safety limited service connection request to the service server by using the current certificate;

the service server is also used for verifying the validity of the current certificate; and if the verification is passed, generating a random value, recording the random value and the current certificate in a local memory of the service server in an associated manner, and returning the random value to the client.

10. The certificate-based distributed authentication system according to claim 9,

the client is also used for initiating connection to the verification server by using the current certificate and submitting the random value to the verification server as a data block to be signed;

and the verification server is also used for verifying whether the data block meets the requirement of signature after verifying the validity of the current certificate, and if so, the private key of the certificate of the verification server is used for signing the data block and sending the data block back to the client.

Images