
CN101616165B - Method for inquiring and authenticating issue of novel X509 digital certificate white list - Google Patents

Info

Publication number
CN101616165B
Authority
CN
China
Prior art keywords
certificate
white list
trusted
unique identification
list
Prior art date
Legal status
Active
Application number
CN 200910181545
Other languages
Chinese (zh)
Other versions
CN101616165A (en)
Inventor
庄昱垚
赵统一
陈力芳
Current Assignee
JIANGSU XIAN'AN TECHNOLOGY Co Ltd
Original Assignee
JIANGSU XIAN'AN TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by JIANGSU XIAN'AN TECHNOLOGY Co Ltd
Priority to CN 200910181545
Publication of CN101616165A
Application granted
Publication of CN101616165B
Legal status: Active
Anticipated expiration

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for issuing, querying and authenticating an X509 digital certificate white list. The method comprises the following steps: a certificate white list comprising a certificate part, a signature algorithm and a signature value is established, where the certificate part comprises the current update time, the next update time, the signer, the white list certificate unique identifiers (such as serial numbers) and the like; a trusted certificate authority signs and issues the certificate white list for users to query; a user obtains the white list data and verifies the whole certificate white list at one time with the CA certificate of the trusted certificate authority, thereby obtaining the certificate list of the white list (the list of certificate unique identifiers); and the user can judge whether a user certificate is in the white list by its certificate unique identifier. Security and reliability come from the trusted certificate authority signing the data: the user obtains the CA certificate of the trusted certificate authority and verifies the signature of the certificate white list with the public key of that certificate, thereby confirming whether the white list can be trusted.

Description

Method for inquiring and authenticating issue of novel X509 digital certificate white list
Technical field
The present invention belongs to the field of Public Key Infrastructure (PKI) and provides a lightweight, secure and efficient way to query a digital certificate white list.
Background technology
X.509 is an international standard recommended by ITU-T. It defines a widely accepted basis for PKI, comprising the data format of digital certificates issued by a certificate authority and the process of distributing public keys through those certificates.
An X509 digital certificate is the data produced when a trusted certificate issuing organization signs a particular public key together with its identity information.
X509 certificate white list: a set of certificates issued by a trusted certificate issuing organization or a certificate-using provider and asserted to be still valid.
X509 certificate blacklist: the set of certificates revoked by a trusted certificate issuing organization; the public and private keys of a blacklisted certificate are no longer valid.
CRL (certificate revocation list): stores the certificate blacklist in a defined format; the list can be updated, and it can be verified that the data was issued by the trusted certificate issuing organization.
OCSP (online certificate status protocol): a protocol for checking certificate status in real time; it is initiated by the client, which can query the status of a certificate at any time.
LDAP (lightweight directory access protocol) is a protocol for accessing directory services over a TCP/IP network. A directory is a special kind of database, optimized for reading, retrieval and browsing.
The X500 directory is a data organization structure that can be used in LDAP. It is a tree structure in which every node except the root has one parent node and any number of child nodes. It is commonly used to store certificate black and white lists and CRLs.
At present, X509 digital certificate white lists are published, queried and verified in LDAP using the X500 directory, and the LDAP data is issued by the trusted certificate authority organization.
Summary of the invention
To address the problems in the prior art, the present invention proposes a lightweight, low-cost, low-network-consumption, fast-responding, secure and verifiable method of publishing a certificate white list.
To achieve these goals, the technical scheme of the present invention is a method for issuing, querying and authenticating an X509 digital certificate white list, the method comprising at least:
A certificate white list consisting of a single string is established; it comprises a certificate part, a signature algorithm and a signature value, and the certificate list part comprises this update time, the next update time, the signer, the white list certificate unique identifiers (for example serial numbers) and so on. The trusted certificate authority organization signs and issues the certificate white list for users to query. The user obtains the white list data from the white list address published by the trusted certificate authority organization, verifies all white list certificate unique identifiers (for example serial numbers) at one time with the CA certificate of the trusted certificate authority organization, and thereby obtains the corresponding white list certificate unique identifiers.
Compared with the original white list delivery system (for example publication via LDAP), the white list delivery system of the present invention mainly differs as follows:
1. The present invention is a lightweight way of publishing an X509 certificate white list. Originally the certificate white list published detailed certificate information, organizational structure and the certificate itself, so a single white list entry often had thousands of bytes. In this method the white list publishes only the unique identifier of each certificate (for example the serial number) and the associated operation time, so a single white list entry is a few dozen bytes, which greatly reduces storage space.
2. In the original white list verification mode, each certificate in the white list had to be verified separately for trustworthiness, and all certificates in the white list could not be verified at once. In the present invention the CA certificate of the trusted certificate authority organization verifies all certificate serial numbers at one time, achieving batch signature verification, which greatly improves verification efficiency and saves verification time.
3. In the traditional white list verification mode (for example a white list published via LDAP), the user application must stay connected to the white list publishing server (for example LDAP), and every certificate verification requires a query to an LDAP server. With the white list verification of this invention, the white list can be downloaded offline and all certificates in it verified at once, which greatly reduces network resource consumption and greatly improves verification speed, so certificates in the white list are verified quickly and securely.
4. The white list can be published over widely used network communication protocols such as HTTP and FTP; no specific protocol is needed.
Description of drawings
Fig. 1 is the white list signature verification flow chart of the embodiment of the invention.
Fig. 2 is a schematic diagram of the white list issuing process of the embodiment of the invention.
Embodiment
The present invention is described in more detail below in conjunction with the drawings and specific embodiments.
The present invention proposes a lightweight but more efficient, concise, secure and verifiable method of publishing a certificate white list.
Publication and verification of the white list are mainly realized with the following content.
One, the published white list data format
CertificateList ::= SEQUENCE {
    tbsCertList         TBSCertList,
    signatureAlgorithm  AlgorithmIdentifier,
    signatureValue      BIT STRING
}
TBSCertList ::= SEQUENCE {
    version             Version OPTIONAL,
    signature           AlgorithmIdentifier,
    issuer              Name,
    thisUpdate          Time,
    nextUpdate          Time OPTIONAL,
    trustedCertificates SEQUENCE OF SEQUENCE {
        userCertificate     UniqueIdentifier (example: CertificateSerialNumber),
        revocationDate      Time }
}
The certificate white list consists of one ASN1 string comprising the certificate list part, the signature algorithm and the signature value. The certificate list part comprises version information, the signature algorithm, the signer, this update time, the next update time, and the set of certificate unique identifiers (for example certificate serial numbers).
Two, issuing the white list
When the white list reaches its next update time, the trusted certificate issuing organization can, according to application demand, adjust the certificate unique identifiers (for example serial numbers) in the certificate list of the white list: the unique identifiers (for example serial numbers) of certificates to be newly added are added to the list, and the unique identifiers (for example serial numbers) of certificates to be deleted are removed from the list. Finally a new white list is signed and issued according to the coding format above and published on LDAP, HTTP or the like for users to query.
Three, obtaining the white list
The user obtains the white list data via LDAP, HTTP or the like from the white list address published by the trusted certificate authority organization.
Four, verifying the white list
The trustworthiness and non-repudiation of the white list are achieved by the trusted certificate issuing organization signing the data with the private key corresponding to its CA certificate. To confirm whether the white list can be trusted, the user must verify it, that is, verify whether the signature was made with the private key corresponding to the CA certificate of the trusted certificate issuing organization.
The concrete steps are:
After obtaining the white list content, the user can verify the signature of the white list using the CA certificate issued by the trusted certificate authority organization. The verification process confirms with the public key the data that was signed with the private key.
Five, querying the white list
The user compares the unique identifier (for example serial number) of the certificate to be checked with the certificate unique identifiers (for example serial numbers) in the white list; if it is present, the certificate belongs to this white list, and if it is absent, the certificate does not belong to this white list.
This example describes an enterprise using digital certificates within the same CA system, that is, under the same trust domain. Premises of the example: CA_O is a trusted certificate authority organization; CA_CACERT is the CA certificate of this organization and is used to sign and issue the white list; O_A is an enterprise that uses certificates from CA_O; CERT_A and CERT_B are two certificates issued by CA_O to O_A, with serial numbers SERIAL_A and SERIAL_B respectively. The steps are:
White list issuance:
One. CA_O issues the certificates CERT_A and CERT_B to O_A, parses out the serial numbers of these two certificates, adds them to the organization's existing white list according to the algorithm of the present invention, and generates the final white list;
Two. The generated white list is published on the HTTP server of CA_O or in the LDAP server of CA_O.
White list use:
One. Enterprise O_A obtains the white list data from the URL or LDAP location at which the CA_O organization publishes the white list;
Two. O_A obtains CA_CACERT from the CA_O organization;
Three. Enterprise O_A verifies the signature of the white list with CA_CACERT;
Four. If signature verification succeeds, the certificate serial numbers contained in the white list are extracted from it;
Five. The OA system of enterprise O_A, having obtained the certificate serial numbers, carries out OA office work.
Although the present invention is disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone familiar with the art can make various changes or modifications without departing from the spirit and scope of the invention, so the protection scope of the present invention shall be defined by the claims of this application.
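The format in section One and the issue/verify/query steps above, as an added Go example that is not the patent's or the assignee's code: the CertificateList/TBSCertList structure is mapped onto encoding/asn1 structs, signed once by the CA key as in step Two, verified once against the CA public key as in step Four, and then queried by serial number as in step Five. ECDSA P-256 with SHA-256 as the signature algorithm, the generated CA key standing in for CA_CACERT, and the issuer name CA_O from the example are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} // assumed; the page leaves the algorithm open
type AlgorithmIdentifier struct{ Algorithm asn1.ObjectIdentifier }
// TrustedEntry is one white-listed certificate: its serial number (the unique identifier) plus a date.
type TrustedEntry struct {
	UserCertificate *big.Int
	Date            time.Time
}
// TBSCertList is the signed part of the page's format; Raw keeps the exact DER bytes the signature covers.
type TBSCertList struct {
	Raw                 asn1.RawContent
	Version             int
	Signature           AlgorithmIdentifier
	Issuer              string `asn1:"utf8"`
	ThisUpdate          time.Time
	NextUpdate          time.Time
	TrustedCertificates []TrustedEntry
}
type CertificateList struct {
	TBSCertList        TBSCertList
	SignatureAlgorithm AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// NewCAKey stands in for the key pair behind the trusted CA certificate (CA_CACERT in the page's example).
func NewCAKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// IssueWhiteList encodes the serial list and signs it with the CA private key (page step "Two").
func IssueWhiteList(ca *ecdsa.PrivateKey, issuer string, serials []*big.Int, now time.Time, valid time.Duration) ([]byte, error) {
	tbs := TBSCertList{Version: 1, Signature: AlgorithmIdentifier{oidECDSAWithSHA256}, Issuer: issuer, ThisUpdate: now.UTC(), NextUpdate: now.Add(valid).UTC()}
	for _, s := range serials {
		tbs.TrustedCertificates = append(tbs.TrustedCertificates, TrustedEntry{s, now.UTC()})
	}
	tbsDER, err := asn1.Marshal(tbs)
	if err != nil { return nil, err }
	digest := sha256.Sum256(tbsDER) // the signature covers the whole DER-encoded TBSCertList
	sig, err := ecdsa.SignASN1(rand.Reader, ca, digest[:])
	if err != nil { return nil, err }
	tbs.Raw = tbsDER // the outer encoding reuses exactly the bytes that were signed
	return asn1.Marshal(CertificateList{tbs, AlgorithmIdentifier{oidECDSAWithSHA256}, asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}})
}

// VerifyWhiteList is the one-time check of page step "Four": one signature verification under the CA public
// key covers every serial; the set (page step "Five" is a lookup in it) is returned only if the list is current.
func VerifyWhiteList(der []byte, caPub *ecdsa.PublicKey, now time.Time) (map[string]bool, error) {
	var wl CertificateList
	if rest, err := asn1.Unmarshal(der, &wl); err != nil || len(rest) != 0 {
		return nil, errors.New("white list is not a single well-formed CertificateList")
	}
	if !wl.SignatureAlgorithm.Algorithm.Equal(oidECDSAWithSHA256) {
		return nil, errors.New("unexpected signature algorithm")
	}
	digest := sha256.Sum256(wl.TBSCertList.Raw)
	if !ecdsa.VerifyASN1(caPub, digest[:], wl.SignatureValue.RightAlign()) {
		return nil, errors.New("signature does not verify under the CA certificate key")
	}
	if now.Before(wl.TBSCertList.ThisUpdate) || now.After(wl.TBSCertList.NextUpdate) {
		return nil, errors.New("white list is outside its update window")
	}
	trusted := make(map[string]bool, len(wl.TBSCertList.TrustedCertificates))
	for _, e := range wl.TBSCertList.TrustedCertificates {
		trusted[e.UserCertificate.String()] = true
	}
	return trusted, nil
}
```

A list whose signed part has been altered, a list signed by a different key, or a list past its nextUpdate time is rejected before any serial is looked up.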

Claims (1)

1. the method for an X509 digital certificate white list inquiring and authenticating issue is characterized in that the method comprises:
The certificate white list is comprised of an ASN1 string, comprises the certificate part, signature algorithm, signature value; The certificate part comprises version information, signature authentication, the person of signing and issuing, this update time, next update time, white list certificate unique identification; The trusted certificate authority tissue uses the corresponding private key grant a certificate of CA certificate white list for users inquire; The data of the white list address acquisition white list that the user issues according to the trusted certificate authority tissue, and the CA certificate by the trusted certificate authority tissue carries out disposable checking to all white lists and obtains corresponding white list certificate unique identification table data;
Described issue refers to that certificate issuance trusty is organized in white list and arrives next update after the time, can be according to application demand, adjust the unique identification of certificate in the white list list of cert, the unique identification that needs the new certificate that adds is added tabulation, the certificate unique identification of needs deletion is deleted out tabulation, at last sign and issue the white list that makes new advances according to coded format, and be published on LDAP or the HTTP, for user's inquiry;
Described checking refers to after the user obtains the white list content, according to the CA certificate PKI sign test that the trusted certificate authority tissue is issued, verifies whether the signature of white list is signed and issued by trusted certificate authority mechanism CA certificate;
When the user need to do credible wilfulness and judges user certificate, at first obtain the uniqueness sign of certificate, then obtain and verify white list, obtain all certificate unique identification tabulations in the white list, do contrast with the user certificate unique identification, thus the authentication of users certificate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910181545 CN101616165B (en) 2009-07-28 2009-07-28 Method for inquiring and authenticating issue of novel X509 digital certificate white list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910181545 CN101616165B (en) 2009-07-28 2009-07-28 Method for inquiring and authenticating issue of novel X509 digital certificate white list

Publications (2)

Publication Number Publication Date
CN101616165A CN101616165A (en) 2009-12-30
CN101616165B true CN101616165B (en) 2013-03-13

Family

ID=41495569

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910181545 Active CN101616165B (en) 2009-07-28 2009-07-28 Method for inquiring and authenticating issue of novel X509 digital certificate white list

Country Status (1)

Country Link
CN (1) CN101616165B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10250588B1 (en) * 2017-03-07 2019-04-02 Symantec Corporation Systems and methods for determining reputations of digital certificate signers

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011130713A1 (en) * 2010-04-15 2011-10-20 General Instrument Corporation Online secure device provisioning with updated offline identity data generation and offline device binding
WO2011148744A1 (en) * 2010-05-24 2011-12-01 ルネサスエレクトロニクス株式会社 Communication system, vehicle-mounted terminal, roadside device
US9264237B2 (en) 2011-06-15 2016-02-16 Microsoft Technology Licensing, Llc Verifying requests for access to a service provider using an authentication component
CN102664874B (en) * 2012-03-29 2016-08-03 北京奇虎科技有限公司 A kind of method and system for secure logging in
CN102811218B (en) * 2012-07-24 2013-07-31 江苏省电子商务服务中心有限责任公司 Precision authentication method and device for digital certificate, and cloud authentication service system
SG11201503553YA (en) * 2012-11-09 2015-06-29 Ent Technologies Inc Entity network translation (ent)
CN103281307B (en) * 2013-05-06 2017-02-22 四川长虹电器股份有限公司 On-line certificate state query method for dynamic packet scheduling algorithm on the basis of limited priority level
CN103346916B (en) * 2013-07-05 2018-07-31 上海斐讯数据通信技术有限公司 A kind of management method of network equipment digital certificate
CN103825741B (en) * 2014-01-24 2017-03-15 安徽云盾信息技术有限公司 The solution of certificate of the injection with signature in a kind of encryption device production process
DE102014203813A1 (en) * 2014-02-28 2015-09-03 Siemens Aktiengesellschaft Use of certificates by means of a positive list
CN104394166B (en) * 2014-12-04 2017-07-07 东北大学 The certificate false proof Verification System and method of facing moving terminal under a kind of cloud environment
CN104580172B (en) * 2014-12-24 2017-12-12 北京奇虎科技有限公司 A kind of data communications method and device based on https agreements
CN106936768B (en) * 2015-12-29 2020-04-10 大唐高鸿信安(浙江)信息科技有限公司 White list network control system and method based on trusted chip
CN106060087A (en) * 2016-07-26 2016-10-26 中国南方电网有限责任公司信息中心 Multi-factor host security access control system and method
EP3337119B1 (en) * 2016-12-13 2019-09-11 Nxp B.V. Updating and distributing secret keys in a distributed network
CN106972931B (en) * 2017-02-22 2020-05-15 中国科学院数据与通信保护研究教育中心 Method for transparentizing certificate in PKI
CN107277794A (en) * 2017-06-09 2017-10-20 中国联合网络通信集团有限公司 Set up the method, device and mobile terminal of communication connection
CN109120397B (en) * 2018-07-18 2020-12-11 郑州信大捷安信息技术股份有限公司 Document authentication method and system based on identification password
CN113395160B (en) * 2020-03-11 2022-11-01 大唐移动通信设备有限公司 Certificate management method and device, issuing entity, management entity and vehicle networking equipment
TWI802040B (en) * 2021-10-08 2023-05-11 精品科技股份有限公司 Method of application control based on file attributes
CN114818012B (en) * 2022-06-29 2022-10-21 麒麟软件有限公司 Linux file integrity measuring method based on white list
CN115378737B (en) * 2022-10-24 2023-01-10 中汽数据(天津)有限公司 Cross-domain device communication trust method, device, equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035135A (en) * 2007-04-27 2007-09-12 清华大学 Digital certificate system applicable to the no/weak local storage client system
CN101471867A (en) * 2007-12-27 2009-07-01 深圳华为通信技术有限公司 Method and system for controlling network access authority, access terminal and operation support system

Also Published As

Publication number Publication date
CN101616165A (en) 2009-12-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant