CN113347148A - Electronic authentication method and system - Google Patents
- Publication number
- CN113347148A CN202110426704.5A
- Authority
- CN
- China
- Prior art keywords
- electronic authentication
- server
- authentication server
- gateway
- electronic
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L41/0663—Performing the actions predefined by failover planning, e.g. switching to standby network elements
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
Disclosed are an electronic authentication method and system. In the method, a digital certificate registration center server obtains an operation request and sends it to an electronic authentication gateway. When the first electronic authentication server is normal, the electronic authentication gateway sends the operation request to the first electronic authentication server; the first electronic authentication server responds to the operation request, acquires a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, which sends the key pair to the digital certificate registration center server. When the first electronic authentication server fails, the electronic authentication gateway sends the operation request to a second electronic authentication server; the second electronic authentication server responds to the operation request, obtains a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, which sends the key pair to the digital certificate registration center server.
Description
Technical Field
The present disclosure relates to the field of electronic authentication technologies, and in particular, to an electronic authentication method and system.
Background
In a Public Key Infrastructure (PKI) system, a Certificate Authority (CA) is the authority that issues digital certificates. It is responsible for issuing and managing digital certificates, serves as a trusted third party in e-commerce transactions, and bears the responsibility for verifying the validity of public keys in a public key system.
In the prior art, system-wide PKI faults occur frequently, so that services cannot be performed, causing economic loss and increased cost.
Disclosure of Invention
An object of the embodiments of the present disclosure is to provide an electronic authentication method and system, so as to at least solve the problem of frequent failures in the existing PKI system.
The technical scheme of the disclosure is as follows:
according to a first aspect of the embodiments of the present disclosure, there is provided an electronic authentication method, which is applied to a public key infrastructure system, where the public key infrastructure system includes a digital certificate registry server, an electronic authentication gateway, heterogeneous electronic authentication servers, and a key management server, which are sequentially arranged, where the heterogeneous electronic authentication servers include a first electronic authentication server and a second electronic authentication server that are arranged in parallel, and the electronic authentication method includes:
the digital certificate registration center server acquires an operation request and sends the operation request to the electronic authentication gateway;
when the first electronic authentication server is normal, the electronic authentication gateway sends an operation request to the first electronic authentication server, the first electronic authentication server responds to the operation request, acquires a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server;
when the first electronic authentication server fails, the electronic authentication gateway sends the operation request to a second electronic authentication server, the second electronic authentication server responds to the operation request, a key pair protected by a user signature public key is obtained from the key management server, the key pair is sent to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server.
Further, the method further comprises:
when the first electronic authentication server recovers from the fault and returns to normal, the electronic authentication gateway reissues the operation request to the first electronic authentication server.
Further, when the first electronic authentication server is normal, the method further comprises:
the second electronic authentication server registers the information of the encrypted certificate and disconnects the connection with the key management server.
Further, the operation request is one of, or a combination of, the following: a certificate issuance request, a certificate update request, a certificate revocation/freezing/unfreezing request, an encrypted certificate recovery request, and a certificate query request.
Further, the method further comprises:
the electronic authentication gateway records the complete interaction data.
According to a second aspect of embodiments of the present disclosure, there is provided an electronic authentication system including: a digital certificate registration center server, an electronic authentication gateway, a heterogeneous electronic authentication server and a key management server, which are connected to one another by long (persistent) connections;
the heterogeneous electronic authentication server comprises a first electronic authentication server and a second electronic authentication server which are arranged in parallel.
Further, the first electronic authentication server and the second electronic authentication server are configured identically;
the key management server is used for processing the encrypted certificate sent by the first electronic authentication server and/or the second electronic authentication server.
Further, the electronic authentication gateways are multiple;
a plurality of electronic authentication gateways and a digital certificate registration center server adopt an HA deployment mode;
the electronic authentication system further includes: a switch;
the switch is arranged between the electronic authentication gateway and the digital certificate registration center server.
Further, the switch is used for carrying out load balancing on the plurality of electronic authentication gateways and carrying out data synchronization on the plurality of electronic authentication gateways.
Furthermore, the electronic authentication gateway is provided with a database, and the database is used for recording complete interaction data.
The technical scheme provided by the embodiment of the disclosure at least brings the following beneficial effects:
In the method of the embodiment of the present disclosure, a digital certificate registry server obtains an operation request and sends the operation request to an electronic authentication gateway. When the first electronic authentication server is normal, the electronic authentication gateway sends the operation request to the first electronic authentication server; the first electronic authentication server responds to the operation request, acquires a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, which sends the key pair to the digital certificate registration center server. When the first electronic authentication server fails, the electronic authentication gateway sends the operation request to a second electronic authentication server; the second electronic authentication server responds to the operation request, obtains a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, which sends the key pair to the digital certificate registration center server. By switching seamlessly between the first electronic authentication server and the second electronic authentication server, the method prevents a failure of an electronic authentication server from bringing down the whole system so that services cannot be performed, and it reduces the heavy pressure placed on the database under high concurrency and the resulting impact on overall performance.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure and are not to be construed as limiting the disclosure.
Fig. 1 is a schematic flow chart of an electronic authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of an electronic authentication system according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a first electronic authentication server according to an embodiment of the present invention in a normal state;
Fig. 4 is a schematic flow chart of a first electronic authentication server according to an embodiment of the present invention in a failure state;
Fig. 5 is a schematic flowchart of the synchronous operation information of the electronic authentication gateway according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart of load balancing performed by the switch according to the embodiment of the present invention;
Fig. 7 is a schematic flow chart of a switch performing data synchronization according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present disclosure better understood by those of ordinary skill in the art, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The inventor found that PKI system failures frequently make business operations fail, often through a failure of the certificate issuing organization: when the certificate issuing organization fails, the whole system often fails with it, so that business cannot be performed, causing economic loss and increased cost. Based on this finding, the present disclosure provides an electronic authentication method and an electronic authentication system to solve the above-described problems.
As shown in fig. 1, in a first aspect of the embodiments of the present disclosure, there is provided an electronic authentication method, which is applied to a public key infrastructure system, where the public key infrastructure system includes a digital certificate registry server, an electronic authentication gateway, heterogeneous electronic authentication servers, and a key management server, which are sequentially arranged, where the heterogeneous electronic authentication servers include a first electronic authentication server and a second electronic authentication server that are arranged in parallel, and the electronic authentication method includes:
step 100: the digital certificate registration center server acquires an operation request and sends the operation request to the electronic authentication gateway;
step 210: when the first electronic authentication server is normal, the electronic authentication gateway sends an operation request to the first electronic authentication server, the first electronic authentication server responds to the operation request, acquires a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server;
step 220: when the first electronic authentication server fails, the electronic authentication gateway sends the operation request to a second electronic authentication server, the second electronic authentication server responds to the operation request, a key pair protected by a user signature public key is obtained from the key management server, the key pair is sent to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server.
In the method of this embodiment, seamless switching between the first electronic authentication server and the second electronic authentication server solves the problem that a CA failure brings down the whole system so that services cannot be performed, and it reduces the heavy pressure placed on the database under high concurrency and the resulting impact on overall performance.
In some optional embodiments of the disclosure, the method further comprises:
step 211: when the first electronic authentication server recovers from the fault and returns to normal, the electronic authentication gateway reissues the operation request to the first electronic authentication server. Since the second electronic authentication server has already processed the operation requests made during the error period of the first electronic authentication server, after the first electronic authentication server recovers the electronic authentication gateway sends it only the operation requests and the processing data of that period, which ensures data consistency between the first electronic authentication server and the second electronic authentication server.
In some optional embodiments of the disclosure, when the first electronic authentication server is normal, the method further comprises:
step 230: the second electronic authentication server registers the information of the encrypted certificate and disconnects the connection with the key management server.
In some optional embodiments of the disclosure, the operation request is one of, or a combination of, the following: a certificate issuance request, a certificate update request, a certificate revocation/freezing/unfreezing request, an encrypted certificate recovery request, and a certificate query request.
It should be noted that the type of the operation request is not limited to the above examples; other types of requests may be added as required, and they are not described here.
1. Issuing certificates
(1) Description and priority: issue a certificate
(2) Input/response sequence
Input: certificate issuance request sent by the digital certificate registration center server
Normal response: PKIMessage
Abnormal response: PKIMessage for error
(3) Functional requirement: process the certificate issuance request sent by the digital certificate registration center server.
2. Updating certificates
(1) Description and priority: update a certificate (the signature certificate and the encryption certificate are updated at the same time)
(2) Input/response sequence
Input: certificate update request sent by the digital certificate registry server
Normal response: PKIMessage
Abnormal response: PKIMessage for error
(3) Functional requirement: process the certificate update request sent by the digital certificate registration center server.
3. Revoking/freezing/unfreezing certificates
(1) Description and priority: revoke/freeze/unfreeze a certificate
(2) Input/response sequence
Input: certificate revocation/freezing/unfreezing request sent by the digital certificate registry server
Normal response: PKIMessage
Abnormal response: PKIMessage for error
(3) Functional requirement: process the certificate revocation/freezing/unfreezing request sent by the digital certificate registry server.
4. Recovering encrypted certificates
After a user's certificate device is lost and damaged, the original encrypted certificate still needs to be available.
(1) Description and priority: recover an encrypted certificate
(2) Input/response sequence
Input: encrypted certificate recovery request sent by the digital certificate registration center server
Normal response: PKIMessage
Abnormal response: PKIMessage for error
(3) Functional requirement: process the encrypted certificate recovery request sent by the digital certificate registry server.
5. Querying certificates
(1) Description and priority: certificate query
(2) Input/response sequence
Input: OCSPRequest
Normal response: OCSPResponse
Abnormal response: OCSPResponse for error
(3) Functional requirement: query the certificate information named in the request and return a response.
In some optional embodiments of the disclosure, the method further comprises: the electronic authentication gateway records the complete interaction data. The electronic authentication gateway can provide comprehensive service data statistics, record the complete data interaction, and trace a service operation flow back from the data records.
As shown in fig. 2, in a second aspect of an embodiment of the present disclosure, there is provided an electronic authentication system including: a digital certificate registration center server, an electronic authentication gateway, a heterogeneous electronic authentication server and a key management server, which are connected to one another by long (persistent) connections;
the heterogeneous electronic authentication server comprises a first electronic authentication server and a second electronic authentication server which are arranged in parallel.
Specifically, the functions of the electronic authentication gateway include: receiving requests from the digital certificate registration center server, storing those requests, forwarding those requests, recording the ID of the heterogeneous electronic authentication server that processes each request, recording the response of the heterogeneous electronic authentication server, storing the certificate and the certificate information, sending the response of the heterogeneous electronic authentication server to the digital certificate registration center server, and intelligently synchronizing requests between the main and the second electronic authentication servers. The electronic authentication gateway is deployed as a web service. Its operating system support covers mainstream Linux systems such as RedHat, CentOS and SUSE, and it supports deployment modes such as an enterprise private cloud. The electronic authentication gateway supports mainstream databases such as Oracle and DB2, as well as open source databases such as MariaDB.
The electronic authentication gateway needs to ensure the security of the channel between the digital certificate registration center server and the heterogeneous electronic authentication server; the national cryptographic standard ("guomi") SSL protocol is recommended. Communication messages need to use a uniform message protocol to maximize the generality and extensibility of the system. In the present embodiment, the communication protocol specified in GB/T 19714 is employed.
The electronic authentication gateway receives and stores an operation request from the digital certificate registration center server, and sequentially sends the operation request to the first electronic authentication server and the second electronic authentication server, the first electronic authentication server responds to the operation request, a key pair protected by a client signature public key sent by the digital certificate registration center server is obtained from the key management server, and the key pair is returned to the electronic authentication gateway. When the first electronic authentication server is normal, the second electronic authentication server registers only the information of the encrypted certificate, and does not establish connection with the key management server. In one embodiment of the invention, the information of the encrypted certificate includes information of the subject of the certificate, the issuer, the validity period, the serial number, and the like.
The following describes, with reference to fig. 3, the flow when the first electronic authentication server is in a normal state, taking as an example an operation request that applies to download a certificate.
The terminal user applies for downloading the certificate to the digital certificate registration center server, and the digital certificate registration center server further sends an operation request for applying for downloading the certificate to the electronic authentication gateway. The electronic authentication gateway sends the operation request to a first electronic authentication server, the first electronic authentication server applies for a key pair to a key management server, receives the key pair returned by the key management server and returns a double certificate to the electronic authentication gateway, and the electronic authentication gateway further sends the double certificate to a digital certificate registration center server which transmits the double certificate to a terminal user. Meanwhile, the electronic authentication gateway synchronizes the registration certificate downloading information to a second electronic authentication server for storage.
It should be noted that the processes of updating the certificate and revoking the certificate are similar to those of the certificate application, and are not described herein again.
When the first electronic authentication server fails, the electronic authentication gateway automatically switches the latest operation request to the second electronic authentication server, so that the switchover is seamless. The second electronic authentication server responds to the operation request, acquires from the key management server a key pair protected by the client signature public key sent by the digital certificate registry server, and returns the key pair to the electronic authentication gateway. When the first electronic authentication server recovers, the electronic authentication gateway resends to it the operation requests received during its failure period, as shown in fig. 4. Similarly, when the second electronic authentication server is switched from the failure state to the recovery normal state, the electronic authentication gateway supplements the operation request during the error period of the second electronic authentication server to the first electronic authentication server. Because the second electronic authentication server has already processed the operation requests received during the failure period of the first electronic authentication server, after the first electronic authentication server recovers the electronic authentication gateway only sends it the operation requests and the processing data of that period, which keeps the data of the main electronic authentication server and the second electronic authentication server consistent.
The following describes the flow in the failure state of the first electronic authentication server with reference to fig. 4, taking an application to download a certificate as the example operation request.
As shown in fig. 4, the end user applies to the digital certificate registry server to download a certificate, and the digital certificate registry server sends the corresponding operation request to the electronic authentication gateway. The electronic authentication gateway forwards the operation request to the second electronic authentication server. The second electronic authentication server requests a key pair from the key management server, receives the key pair returned by the key management server, and returns a double certificate to the electronic authentication gateway. The electronic authentication gateway sends the double certificate to the digital certificate registration center server, which transmits it to the terminal user. Meanwhile, the electronic authentication gateway synchronizes the registration certificate download information to the second electronic authentication server for storage, and stores the operation requests received during the failure of the first electronic authentication server. When the first electronic authentication server recovers, the electronic authentication gateway resends to it the operation requests received during its failure period, as shown in fig. 5.
For each operation request that it forwards to the first electronic authentication server or the second electronic authentication server, the electronic authentication gateway records the ID of the CA that processed the request and the CA response data, and stores the encryption certificate and the information of the encryption certificate. The electronic authentication gateway supports a continuous failure-free operation time of more than 10,000 hours for the system.
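The failover, synchronization and backfill behaviour described above can be modelled in a few lines. The following is an added example, not code from the patent; the names `CA`, `Gateway`, `handle`, `on_recovered`, `records`, `journal` and `backlog` are hypothetical, and the requests are constructed sample data.

```python
from dataclasses import dataclass, field

class CAUnavailable(Exception): pass  # raised by a CA that has failed

@dataclass
class CA:
    ca_id: str
    up: bool = True
    records: dict = field(default_factory=dict)  # req_id -> response data

    def process(self, req_id, operation):
        """Handle a request as the active CA and produce response data."""
        if not self.up:
            raise CAUnavailable(self.ca_id)
        response = {"operation": operation, "issued_by": self.ca_id}
        self.records[req_id] = response
        return response

    def register(self, req_id, response):
        """Store data produced by the other CA; nothing is issued again."""
        if not self.up:
            raise CAUnavailable(self.ca_id)
        self.records.setdefault(req_id, response)

@dataclass
class Gateway:
    first: CA
    second: CA
    journal: list = field(default_factory=list)  # (req_id, ca_id, response)
    backlog: dict = field(default_factory=dict)  # ca_id -> missed entries

    def handle(self, req_id, operation):
        """Try the first CA, fall back to the second, then sync the other."""
        for active, other in ((self.first, self.second), (self.second, self.first)):
            try:
                response = active.process(req_id, operation)
            except CAUnavailable:
                continue
            self.journal.append((req_id, active.ca_id, response))
            try:
                other.register(req_id, response)
            except CAUnavailable:  # hold request + processing data until recovery
                self.backlog.setdefault(other.ca_id, []).append((req_id, response))
            return response
        raise CAUnavailable("no electronic authentication server available")

    def on_recovered(self, ca):
        """Backfill a recovered CA with what it missed; return the count."""
        ca.up = True
        missed = self.backlog.pop(ca.ca_id, [])
        for req_id, response in missed:
            ca.register(req_id, response)
        return len(missed)

def demo():
    """Constructed scenario: CA-1 fails after r1 and recovers after r3."""
    first, second = CA("CA-1"), CA("CA-2")
    gw = Gateway(first, second)
    gw.handle("r1", "download-cert")   # served by CA-1, synced to CA-2
    first.up = False                   # first CA fails
    gw.handle("r2", "download-cert")   # served by CA-2, held for CA-1
    gw.handle("r3", "revoke-cert")
    sent = gw.on_recovered(first)      # CA-1 receives r2 and r3
    return sent, first.records == second.records, [c for _, c, _ in gw.journal]
```

The recovered CA only registers the data the other CA already produced, so a request handled during the outage is never issued a second time and both stores end up identical.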
In the embodiment of the disclosure, the electronic authentication gateway is connected with the digital certificate registry server, the first electronic authentication server and the second electronic authentication server in a long connection mode, so that performance loss caused by repeated handshaking is avoided.
The database is the part of the electronic authentication gateway system that is most prone to failure; a high-performance database server is needed to ensure data access performance, and the database uses a connection pool.
In some optional embodiments of the present disclosure, the first electronic authentication server and the second electronic authentication server are configured identically; the key management server is used for processing the encrypted certificate sent by the first electronic authentication server and/or the second electronic authentication server. In this embodiment, in order to ensure that the revocation lists issued by the two CAs are the same, the same CDP calculation policy is applied to the master CA and the slave CA, and this policy cannot be completely random. The key management server therefore identifies the first electronic authentication server and the second electronic authentication server as the same CA, which ensures that the encrypted certificates sent by either server can be processed.
In some optional embodiments of the present disclosure, there are a plurality of electronic authentication gateways; the plurality of electronic authentication gateways and the digital certificate registration center server adopt an HA deployment mode; the electronic authentication system further includes a switch, which is arranged between the electronic authentication gateway and the digital certificate registration center server. When the performance of a single electronic authentication gateway cannot meet the service requirement, the electronic authentication gateways can be deployed as a cluster. In a cluster deployment, data needs to be synchronized among the electronic authentication gateways. Because the electronic authentication gateway is deployed in series within the whole system, performance guarantees and HA are required to keep it from becoming a bottleneck or a single point of failure, which ensures the robustness of the whole system.
In some optional embodiments of the present disclosure, the switch is configured to load balance the plurality of electronic authentication gateways and synchronize data of the plurality of electronic authentication gateways. Specifically, as shown in fig. 6 and 7, when two or more electronic authentication gateways are provided, the electronic authentication gateways and the digital certificate registration center server adopt an HA deployment mode, and a switch is deployed between the digital certificate registration center server and the electronic authentication gateways, so that a single point of failure is avoided and availability is improved. The switch load balances the electronic authentication gateways, and data is synchronized among the electronic authentication gateways.
In some optional embodiments of the present disclosure, the electronic authentication gateway is provided with a database for recording complete interaction data. In this embodiment, the electronic authentication gateway has an independent database, which avoids heavy pressure on the database under high concurrency and ensures that overall performance is not affected. The electronic authentication gateway can record all incoming and outgoing business data, so the occupied space grows quickly and sufficient disk space must be ensured. The electronic authentication gateway has a high concurrent processing capability, and its performance depends on the sum of the processing capabilities of the connected CAs. In the invention, in order to meet the service requirement, the supported TPS is 100 times/second. In terms of response time, the electronic authentication gateway response time under 100 VUser is not more than 200 milliseconds. The electronic authentication gateway feeds the received CA response data back to the digital certificate registration center server. The electronic authentication gateway needs to provide complete service data statistics and record complete data interaction, so that a service operation flow can be traced back from the data records.
According to the method of the embodiment of the disclosure, hot standby is realized by adding the electronic authentication gateway in front of the CA: when the first electronic authentication server is normal, the first electronic authentication server completes the operation request; when the first electronic authentication server fails, the second electronic authentication server completes the operation request; and the data of the first electronic authentication server and the second electronic authentication server is kept synchronized. The electronic authentication gateway feeds the received certificate back to the digital certificate registration center server, and the digital certificate registration center server forwards the certificate to the terminal user. Seamless switching between the main electronic authentication server and the second electronic authentication server is thereby realized. An independent database is adopted for the electronic authentication gateway, which avoids heavy pressure on the database under high concurrency and ensures that overall performance is not affected. When the traffic is large, the invention supports a plurality of electronic authentication gateways deployed as a cluster, which work together through load balancing; with performance guarantees and HA in place, the gateway does not become a bottleneck or a single point of failure, and the robustness of the whole system is ensured.
It will be apparent to those skilled in the art that various changes and modifications can be made in the present disclosure without departing from the spirit and scope of the disclosure. Thus, if such modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include such modifications and variations as well.
Claims (10)
1. An electronic authentication method is applied to a public key infrastructure system, wherein the public key infrastructure system comprises a digital certificate registry server, an electronic authentication gateway, a heterogeneous electronic authentication server and a key management server which are sequentially arranged, wherein the heterogeneous electronic authentication server comprises a first electronic authentication server and a second electronic authentication server which are arranged in parallel, and the electronic authentication method comprises the following steps:
the digital certificate registration center server acquires an operation request and sends the operation request to the electronic authentication gateway;
when the first electronic authentication server is normal, the electronic authentication gateway sends the operation request to the first electronic authentication server, the first electronic authentication server responds to the operation request, a key pair protected by a user signature public key is obtained from the key management server, the key pair is sent to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server;
when the first electronic authentication server fails, the electronic authentication gateway sends the operation request to the second electronic authentication server, the second electronic authentication server responds to the operation request, obtains a key pair protected by a user signature public key from the key management server, and sends the key pair to the electronic authentication gateway, and the electronic authentication gateway sends the key pair to the digital certificate registration center server.
2. The method of claim 1, further comprising:
and when the first electronic authentication server recovers from the fault to normal, the electronic authentication gateway reissues the operation request to the first electronic authentication server.
3. The method according to claim 1, wherein when the first electronic authentication server is normal, the method further comprises:
the second electronic authentication server registers information of the encrypted certificate, and disconnects the connection with the key management server.
4. The method of claim 1, wherein the operation request is: one or more combinations of issuing a certificate request, updating a certificate request, revoking/freezing/unfreezing a certificate request, recovering an encrypted certificate request, and querying a certificate request.
5. The method of claim 1, further comprising:
and the electronic authentication gateway records the complete interactive data.
6. An electronic authentication system, comprising: the system comprises a digital certificate registration center server, an electronic authentication gateway, a heterogeneous electronic authentication server and a key management server which are arranged in a long connection mode;
the heterogeneous electronic authentication server comprises a first electronic authentication server and a second electronic authentication server which are arranged in parallel.
7. The system according to claim 6, wherein the first electronic authentication server and the second electronic authentication server are configured identically;
the key management server is used for processing the encrypted certificate sent by the first electronic authentication server and/or the second electronic authentication server.
8. The system according to claim 6, wherein the electronic authentication gateway is plural;
a plurality of electronic authentication gateways and the digital certificate registration center server adopt an HA deployment mode;
the electronic authentication system further includes: a switch;
the switch is arranged between the electronic authentication gateway and the digital certificate registry server.
9. The system of claim 8, wherein the switch is configured to load balance the plurality of electronic authentication gateways and synchronize data of the plurality of electronic authentication gateways.
10. The system according to claim 6, characterized in that the electronic authentication gateway is provided with a database for recording complete interaction data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110426704.5A CN113347148A (en) | 2021-04-20 | 2021-04-20 | Electronic authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113347148A true CN113347148A (en) | 2021-09-03 |
Family
ID=77468206
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110426704.5A Pending CN113347148A (en) | 2021-04-20 | 2021-04-20 | Electronic authentication method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113347148A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050055552A1 (en) * | 2003-09-10 | 2005-03-10 | Canon Kabushiki Kaisha | Assurance system and assurance method |
US20070079115A1 (en) * | 2005-10-04 | 2007-04-05 | Roman Kresina | Secure gateway with redundent servers |
US20110078304A1 (en) * | 2009-09-30 | 2011-03-31 | Ade Lee | Automatic Server Administration of Serial Numbers in a Replicated Certificate Authority Topology |
EP2837162A1 (en) * | 2012-04-11 | 2015-02-18 | Nokia Solutions and Networks Oy | Apparatus, method, system and computer program product for server failure handling |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110569309B (en) | Apparatus, method, system, and medium for implementing blockchain | |
CN109688012B (en) | Method for hot standby switching of alliance link nodes | |
US20180337892A1 (en) | Scalable proxy clusters | |
CN112686668B (en) | Alliance chain crossing system and method | |
CN112199726B (en) | A blockchain-based alliance trust distributed identity authentication method and system | |
CN102148850B (en) | Cluster system and service processing method thereof | |
CN100369413C (en) | Proxy-response device and method for proxy-response device | |
US20080222296A1 (en) | Distributed server architecture | |
CN113824563A (en) | Cross-domain identity authentication method based on block chain certificate | |
US20130173747A1 (en) | System, method and apparatus providing address invisibility to content provider/subscriber | |
CN111460029B (en) | Data synchronization method and device | |
CN111314060B (en) | A key updating method, device and storage medium | |
CN116389105B (en) | Remote access management platform and management method | |
CN110035081A (en) | A kind of publish/subscribe architectural framework based on block chain | |
CN110730081B (en) | Block chain network-based certificate revocation method, related equipment and medium | |
WO2016177231A1 (en) | Dual-control-based active-backup switching method and device | |
CN112152981A (en) | A communication method, node and communication system | |
CN105933379A (en) | Business processing method, device and system | |
KR101342258B1 (en) | Deistributed data management system and method thereof | |
US9706440B2 (en) | Mobile communication system, call processing node, and communication control method | |
CN110290163B (en) | Data processing method and device | |
CN111193720A (en) | Trust service adaptation method based on security agent | |
CN112202801B (en) | Cloud key system | |
CN113347148A (en) | Electronic authentication method and system | |
JP7480434B2 (en) | Distributed management system and method for smart card management device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20210903 |