CN120128365A - System and method for secure communication between web application and local digital certificate application - Google Patents
- Publication number: CN120128365A (also listed as CN202510231421.3A)
- Authority: CN (China)
- Prior art keywords: digital certificate, client, web application, authentication, key
- Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
Classifications (CPC, all under H04L, transmission of digital information)
- H04L63/0823: network security, authentication of entities using certificates
- H04L63/0807: network security, authentication of entities using tickets, e.g. Kerberos
- H04L67/02: protocols supporting network services or applications, based on web technology, e.g. HTTP
- H04L9/085: key distribution or management; secret sharing or secret splitting, e.g. threshold schemes
- H04L9/0861: key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/3247: verifying the identity or authority of a user, or message authentication, involving digital signatures
- H04L9/3263: verifying the identity or authority of a user, or message authentication, involving certificates (public key certificate [PKC] or attribute certificate [AC]); public key infrastructure [PKI] arrangements
- H04L9/40: network security protocols
Abstract
The application discloses a system and method for secure communication between a Web application and a local digital certificate application. The design removes the local application's dependence on an SSL/TLS server certificate and avoids the incompatibility between per-browser extensions that the conventional browser-extension approach suffers from. The system comprises a digital certificate application server, a Web application and a digital certificate application client. The server responds to a login request by authenticating the digital certificate application client and, once authentication passes, sends it a session key; it also responds to an access request by authenticating the Web application and, once that passes, sends the same session key to the Web application. The Web application then sends an authentication request to the client through a cross-origin resource access mechanism (CORS), and the client checks the request header of that request against a preset whitelist and, if the check passes, establishes a secure communication channel.
Description
Technical Field
The application relates to the field of communication technology, and in particular to a system and method for secure communication between a Web application and a local digital certificate application.
Background
With the widespread adoption of Web applications and the growing importance of digital certificates in network security, secure communication between Web applications and local digital certificate applications has become a critical issue. Common solutions in the related art are the browser-extension approach and the WebSocket approach. In the browser-extension approach, the user installs a specific extension in the browser, and the extension communicates with the local application through an API provided by the browser. In the WebSocket approach, the Web application connects to the local application over the WebSocket protocol; the local application usually runs on the user's machine and listens on a particular port, and once the connection is established the two sides exchange data in real time over the WebSocket channel, with SSL/TLS (wss://) layered on to protect the communication.
In the course of this work, the applicant found that the related art has at least the following problems:
Browser extensions are not portable across browser vendors, so multiple extensions must be developed and maintained for different browsers. Current Web applications are mostly served over SSL/TLS, and the WebSocket approach does not support cross-protocol integration, so an SSL server certificate has to be applied for, installed and maintained over the long term for the local digital certificate application, which raises integration and maintenance costs.
Disclosure of Invention
In view of this, the present application provides a system and method for secure communication between a Web application and a local digital certificate application. Its main aim is to solve the problems described above: browser extensions are not portable across vendors, so multiple extensions must be developed and maintained for different browsers; current Web applications are mostly served over SSL/TLS, the WebSocket approach does not support cross-protocol integration, and an SSL server certificate has to be applied for, installed and maintained over the long term for the local digital certificate application, which raises integration and maintenance costs.
According to a first aspect of the present application, there is provided a system for secure communication between a Web application and a local digital certificate application, the system comprising:
a digital certificate application server, a Web application and a digital certificate application client;
the digital certificate application server is configured to respond to a login request initiated by the digital certificate application client by obtaining the first authentication data carried in the login request and using it to authenticate the client, and, once authentication passes, to generate an encryption result carrying a client session key and send it to the client; and to respond to an access request initiated by the Web application by obtaining the identity information carried in the access request and using it to authenticate the Web application, and, once authentication passes, to generate an encrypted token carrying the same client session key and send it to the Web application;
the Web application is configured to send an authentication request to the digital certificate application client through a cross-origin resource access mechanism (CORS), the authentication request comprising the encrypted token and second authentication data, the second authentication data being encrypted under the client session key;
the digital certificate application client is configured to check the request header of the authentication request against a preset whitelist, to establish a secure communication channel on the basis of the encrypted token and the second authentication data once the check passes, and to carry out bidirectional secure communication with the Web application using the client session key.
Optionally, the digital certificate application client is configured to: randomly select a local service port and start a local service on it; call a random-number interface provided by the digital certificate application server to obtain a login random number; derive a first key from the hash of the secret shared with the server; encrypt specified information with the first key to produce the first authentication data; and send a login request carrying the first authentication data to the server. The specified information includes, without limitation, an authentication identifier, the login random number, the local service port and a timestamp.
Optionally, the digital certificate application server is configured to: derive a second key, with a key derivation function, from the hash of the secret shared with the digital certificate application client (so that the second key equals the first); decrypt the first authentication data with the second key; treat successful recovery of the specified information as a passed authentication; encrypt a randomly generated client session key, a timestamp and an authenticating-end identifier with the second key to obtain the encryption result; and send the encryption result together with specified data to the client, which decrypts the encryption result with the first key and obtains and stores the client session key. The specified data includes, without limitation, an authentication state and a random number, the random number being a parameter of the login response.
Optionally, the Web application comprises a Web application front end and a Web application server;
the Web application front end is configured to log in to the Web application server, generate a Web application session key, and send the access request to the Web application server;
the Web application server is configured to sign the service information and organisation information in the access request with the digital certificate private key configured for the service, package the signature result and the access request into signature data, and send the signature data to the digital certificate application server; and to encrypt the plaintext recovered from the digital envelope with the Web application session key and transmit the resulting ciphertext to the Web application front end, the plaintext including, without limitation, the encrypted token, the client session key and the service port;
the digital certificate application server is configured to look up the public key certificate by the organisation information, verify the signature data against that certificate, and treat a successful verification as a passed authentication; to derive a third key, with a key derivation function, from the hash of the secret shared with the digital certificate application client; to encrypt the client session key and a timestamp with the third key to produce the encrypted token; and to build a digital envelope with the public key certificate of the Web application server and send it to the Web application server, which decrypts the envelope with its digital certificate private key to recover the plaintext.
Optionally, the Web application front end is configured to call the browser's XMLHttpRequest interface (or, in legacy Internet Explorer, XDomainRequest) to send the authentication request to the digital certificate application client, the request data including, without limitation, the encrypted token and the second authentication data, where the second authentication data is encrypted under the client session key and its plaintext includes, without limitation, an application name, a service flow and an authentication identifier.
Optionally, the digital certificate application client reads the address and port of the Web application server from the Origin field of the request header and checks whether that address and port appear in the preset whitelist; if so, it decrypts the encrypted token to obtain the client session key carried in it, and decrypts the second authentication data with that client session key; when the second authentication data decrypts successfully, the client sends the Web application a prompt indicating that authentication succeeded and establishes a secure communication channel with it, after which the Web application and the client exchange data encrypted under the client session key.
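As an added example (not code from the patent or its applicant), the following Node.js functions show how the local service described in the claim above can evaluate the Origin request header against its whitelist, including the cases the claim does not spell out: a missing or opaque ("null") Origin, case and default-port normalisation, suffix look-alikes such as portal.example.evil.net, and the CORS response headers the browser must see before it exposes the reply to the page. The sample whitelist entries are constructed; the Private Network Access header is Chrome-specific and assumed relevant; and the example matches the full origin (scheme, host and port) rather than only address and port, a stricter reading of the claim.

```javascript
// Constructed sample whitelist: full origins, exactly as a browser serialises them
// (lower-case scheme and host, default port omitted).
const ALLOWED_ORIGINS = new Set(['https://portal.example', 'https://portal.example:8443']);

// Normalise a raw Origin header value to browser form, or return null if it is not a
// usable origin. "null" is the opaque origin (sandboxed iframe, file://, data:) and is
// rejected; so is anything carrying a path, query, fragment or credentials.
function normalizeOrigin(raw) {
  if (typeof raw !== 'string' || raw === 'null') return null;
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return u.origin;   // URL.origin lower-cases the host and drops :443 / :80 for us
}

// Evaluate one request to the local 127.0.0.1 service. `headers` uses Node's
// lower-cased header names. Returns the decision plus the CORS headers to send.
// Matching is by exact origin in a Set, so no substring or suffix trick matches.
function evaluateCors(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(headers.origin);
  if (origin === null || !allowed.has(origin)) {
    // No CORS headers at all: the browser refuses to expose the response to the page,
    // and the caller must not go on to process the token.
    return { allowed: false, status: 403, headers: {} };
  }
  const h = {
    'Access-Control-Allow-Origin': origin,   // echo the matched origin, never '*'
    'Vary': 'Origin',                        // the answer depends on the Origin header
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': '600',
  };
  // Chrome's Private Network Access preflight for a public page calling loopback
  // (assumption: the deployment targets browsers that send this header).
  if (headers['access-control-request-private-network'] === 'true') {
    h['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { allowed: true, status: method === 'OPTIONS' ? 204 : 200, headers: h };
}
```

The Origin header is attached by the browser and cannot be altered by page script, so this check does stop other sites from driving the local service through a victim's browser. It does nothing against a non-browser process on the same machine, which can send any Origin it likes; that is why the claim follows the whitelist check with the encrypted token and the second authentication data.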
According to a second aspect of the present application, there is provided a method for secure communication between a Web application and a local digital certificate application, the method comprising:
the digital certificate application server responds to a login request initiated by the digital certificate application client, obtains the first authentication data carried in the login request and uses it to authenticate the client, and, once authentication passes, generates an encryption result carrying a client session key and sends it to the client;
the digital certificate application server responds to an access request initiated by the Web application, obtains the identity information carried in the access request and uses it to authenticate the Web application, and, once authentication passes, generates an encrypted token carrying the same client session key and sends it to the Web application;
the Web application sends an authentication request to the digital certificate application client through a cross-origin resource access mechanism (CORS), the authentication request comprising the encrypted token and second authentication data encrypted under the client session key;
the digital certificate application client checks the request header of the authentication request against a preset whitelist, establishes a secure communication channel on the basis of the encrypted token and the second authentication data once the check passes, and carries out bidirectional secure communication with the Web application using the client session key.
Optionally, the method further comprises:
the digital certificate application client randomly selects a local service port, starts a local service on it, and calls the random-number interface provided by the digital certificate application server to obtain a login random number;
the digital certificate application client derives a first key from the hash of the secret shared with the digital certificate application server;
the digital certificate application client encrypts specified information with the first key to produce the first authentication data, and sends a login request carrying the first authentication data to the digital certificate application server, the specified information including, without limitation, an authentication identifier, the login random number, the local service port and a timestamp.
Optionally, obtaining the first authentication data carried in the login request to authenticate the digital certificate application client, generating an encryption result carrying the client session key once authentication passes, and sending the encryption result to the client, comprises:
the digital certificate application server derives a second key, with a key derivation function, from the hash of the secret shared with the digital certificate application client, and decrypts the first authentication data with the second key;
if the specified information is recovered successfully, the digital certificate application server determines that authentication has passed, encrypts a randomly generated client session key, a timestamp and an authenticating-end identifier with the second key to obtain the encryption result, and sends the encryption result together with specified data to the digital certificate application client, which decrypts the encryption result with the first key and obtains and stores the client session key; the specified data includes, without limitation, an authentication state and a random number, the random number being a parameter of the login response.
Optionally, obtaining the identity information carried in the access request to authenticate the Web application, generating an encrypted token carrying the client session key once authentication passes, and sending the encrypted token to the Web application, comprises:
the Web application front end logs in to the Web application server, generates a Web application session key, and sends the access request to the Web application server, the Web application comprising the Web application front end and the Web application server;
the Web application server signs the service information and organisation information in the access request with the digital certificate private key configured for the service, packages the signature result and the access request into signature data, and sends the signature data to the digital certificate application server, which looks up the public key certificate by the organisation information and verifies the signature data against it;
if the signature data verifies, the digital certificate application server determines that authentication has passed, derives a third key, with a key derivation function, from the hash of the secret shared with the digital certificate application client, and encrypts the client session key and a timestamp with the third key to produce the encrypted token;
the digital certificate application server builds a digital envelope with the public key certificate of the Web application server and sends it to the Web application server, which decrypts the envelope with its digital certificate private key to recover the plaintext, the plaintext including, without limitation, the encrypted token, the client session key and the service port;
the Web application server encrypts the recovered plaintext with the Web application session key and transmits the resulting ciphertext to the Web application front end.
Optionally, the Web application sending an authentication request to the digital certificate application client through a cross-origin resource access mechanism comprises:
the Web application front end calls the browser's XMLHttpRequest interface (or, in legacy Internet Explorer, XDomainRequest) to send the authentication request to the digital certificate application client, the request data including, without limitation, the encrypted token and the second authentication data;
the second authentication data is encrypted under the client session key, and its plaintext includes, without limitation, an application name, a service flow and an authentication identifier.
Optionally, the digital certificate application client checking the request header of the authentication request against a preset whitelist, establishing a secure communication channel on the basis of the encrypted token and the second authentication data once the check passes, and carrying out bidirectional secure communication with the Web application using the client session key, comprises:
the digital certificate application client reads the address and port of the Web application server from the Origin field of the request header and checks whether they appear in the preset whitelist;
if so, the digital certificate application client decrypts the encrypted token, obtains the client session key carried in it, and decrypts the second authentication data with that client session key;
when the second authentication data decrypts successfully, the digital certificate application client sends the Web application a prompt indicating that authentication succeeded and establishes a secure communication channel with it, after which the Web application and the client exchange data encrypted under the client session key.
By means of the above technical solution, the present application provides a system and method for secure communication between a Web application and a local digital certificate application in which: the digital certificate application server responds to a login request initiated by the digital certificate application client, obtains the first authentication data carried in the login request and uses it to authenticate the client, and, once authentication passes, generates an encryption result carrying a client session key and sends it to the client; the server also responds to an access request initiated by the Web application, obtains the identity information carried in the access request and uses it to authenticate the Web application, and, once authentication passes, generates an encrypted token carrying the same client session key and sends it to the Web application; the Web application sends an authentication request, comprising the encrypted token and second authentication data encrypted under the client session key, to the client through a cross-origin resource access mechanism (CORS); and the client checks the request header of the authentication request against a preset whitelist, establishes a secure communication channel on the basis of the encrypted token and the second authentication data once the check passes, and carries out bidirectional secure communication with the Web application using the client session key.
In the embodiments of the application, distribution of the session key between the Web application and the local digital certificate application client is completed through a trusted server, and bidirectional secure communication is achieved by combining the encrypted token with second authentication data encrypted under the client session key, so that unauthorised access, data tampering and man-in-the-middle attacks are prevented and communication security is improved; the dependence on an SSL server certificate is removed, and the cost of applying for, installing and maintaining a local SSL certificate is avoided. In addition, because a cross-origin resource access mechanism is used, the local client needs to be installed only once and works across the mainstream browsers, which resolves the incompatibility between per-browser extensions in the conventional extension approach. Two points a practitioner should verify when implementing this scheme: the strength of the login step is bounded by the entropy of the secret shared between client and server, so when that secret is a PIN or password the key derivation function should impose a work factor and the server's random-number interface should be rate-limited; and whether a browser allows an https:// page to call a plain http://127.0.0.1 service depends on that browser's treatment of loopback as a potentially trustworthy origin, which should be confirmed on every browser the deployment targets.
The foregoing is only an overview of the technical solution of the present application. So that the technical means of the application can be understood more clearly and implemented according to the content of this specification, and so that the above and other objects, features and advantages of the application can be more readily apparent, specific embodiments of the application are described in detail below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting the application. Like reference numerals designate like parts throughout the figures. In the drawings:
Fig. 1 is a schematic structural diagram of a system for secure communication between a Web application and a local digital certificate application according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a further system for secure communication between a Web application and a local digital certificate application according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of a method for secure communication between a Web application and a local digital certificate application according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the application to those skilled in the art.
The embodiment of the application provides a system for secure communication between a Web application and a local digital certificate application, which, as shown in Fig. 1, comprises a digital certificate application server 11, a Web application 12 and a digital certificate application client 13.
The digital certificate application server 11 is configured to respond to a login request initiated by the digital certificate application client 13 by obtaining the first authentication data carried in the login request and using it to authenticate the client 13, and, once authentication passes, to generate an encryption result carrying a client session key and send it to the client 13; and to respond to an access request initiated by the Web application 12 by obtaining the identity information carried in the access request and using it to authenticate the Web application 12, and, once authentication passes, to generate an encrypted token carrying the same client session key and send it to the Web application 12. The Web application 12 is configured to send an authentication request to the client 13 through a cross-origin resource access mechanism (CORS), the authentication request comprising the encrypted token and second authentication data encrypted under the client session key. The client 13 is configured to check the request header of the authentication request against a preset whitelist, to establish a secure communication channel on the basis of the encrypted token and the second authentication data once the check passes, and to carry out bidirectional secure communication with the Web application 12 using the client session key.
Further, as a refinement and extension of the foregoing embodiment, and to describe its implementation completely, a system for secure communication between a Web application and a local digital certificate application is provided as shown in Fig. 2, in which the Web application 12 comprises a Web application front end 121 and a Web application server 122.
In the embodiment of the present application, the digital certificate application client 13 is configured to randomly select a local service port and start a local service on 127.0.0.1, then call a random number interface provided by the digital certificate application server to obtain a login random number random. Next, the digital certificate application client 13 generates a first key c_auth_key by performing key derivation using a hash value of secret information (such as a PIN code or password) shared with the digital certificate application server 11. Subsequently, the first authentication data auth_data1 is generated by encrypting the specified information, that is, the authentication identifier, the login random number, the local service port, the timestamp, and the like, using the first key c_auth_key. This information may be symmetrically encrypted using the national cryptographic algorithm SM4 or the like, or a non-national algorithm such as AES. Finally, the login request carrying the first authentication data auth_data1 is sent to the digital certificate application server 11.
In the embodiment of the present application, the digital certificate application server 11 is configured to generate the second key s_auth_key by key derivation, through a key derivation function, from the hash value of the secret information shared with the digital certificate application client 13. Next, the first authentication data is decrypted using the second key s_auth_key; if the decryption succeeds, the digital certificate application server 11 determines that the identity authentication of the digital certificate application client 13 passes, and encrypts the randomly generated client session key c_sessionkey, the timestamp, and the authentication end identifier using the second key s_auth_key. It should be noted that the national cryptographic algorithm SM4 or the like, or a non-national algorithm such as AES, may be used to encrypt the c_sessionkey, the timestamp and the authentication end identifier to obtain the encryption result. The encryption result and the specified data are then sent to the digital certificate application client 13, so that the digital certificate application client 13 decrypts the encryption result with the first key c_auth_key, and obtains and stores the client session key c_sessionkey from the decryption result. The above specified data includes, but is not limited to, an authentication state and a random number, where the random number is only a parameter of the response to the login request.
In the embodiment of the present application, the web application front end 121 is configured to log in to the web application server 122, generate a web application session key, and send an access request to the web application server 122. The request information mainly includes appid (identification certificate application), u_name (user name of digital certificate service to be accessed), s_name (service name to be accessed), and the like.
The web application server 122 is configured to sign the service information and organization information in the access request with a digital certificate private key configured in the service (asymmetric algorithms such as RSA and SM2 are supported), package the signature result and the access request into signature data, and send the signature data to the digital certificate application server 11. After receiving and decrypting the digital envelope returned by the digital certificate application server 11, the web application server 122 encrypts the plaintext of the digital envelope with the web application session key and sends the resulting ciphertext to the web application front end 121, where the plaintext of the digital envelope includes information such as the encryption token, the client session key c_sessionkey, and the service port.
The digital certificate application server 11 is configured to query the public key certificate through the organization information and verify the signature data with the public key certificate; if the signature data passes verification, it determines that the Web application 12 passes identity authentication, derives a third key s_auth_key from the hash value of the secret information (such as a PIN or password) shared with the digital certificate application client 13 using a key derivation function, encrypts the client session key c_sessionkey and a timestamp with the third key s_auth_key to generate the encrypted token, generates a digital envelope with the public key certificate of the Web application server 122, and sends the digital envelope to the Web application server 122, so that the Web application server 122 decrypts the digital envelope with its digital certificate private key to obtain the plaintext of the digital envelope, i.e. information such as the encrypted token, the client session key c_sessionkey and the service port.
In the embodiment of the present application, the Web application front end 121 is configured to invoke interfaces such as XMLHttpRequest or XDomainRequest in the browser to send an authentication request to the digital certificate application client 13, where the request data in the authentication request includes, but is not limited to, the encrypted token and second authentication data auth_data3. The second authentication data auth_data3 is generated by encryption with the client session key c_sessionkey, and its plaintext includes, but is not limited to, information such as an application name, a service flow, and an authentication identifier.
In the embodiment of the present application, the digital certificate application client 13 reads the address and port of the Web application server indicated by the Origin field in the HTTP request header, and determines whether the address and port are present in the preset whitelist. If so, the digital certificate application client decrypts the encrypted token, acquires the client session key c_sessionkey carried in it, and decrypts the second authentication data auth_data3 using the client session key c_sessionkey; when the second authentication data auth_data3 is successfully decrypted, the digital certificate application client sends prompt information indicating authentication success to the Web application 12 and establishes a secure communication channel with it, so that the Web application 12 and the digital certificate application client 13 perform encrypted data interaction using the client session key c_sessionkey. Otherwise, the digital certificate application client returns an exception error message.
It should be noted that whenever the digital certificate application client 13 receives any service logic request sent by the Web application 12, it first checks the address and port of the Web application server indicated by the Origin field in the HTTP request header. If they are in the whitelist of the digital certificate application client, the subsequent service logic of the request continues; otherwise, the digital certificate application client 13 returns a request exception error message and terminates further processing.
The application provides a system for secure communication between a Web application and a local digital certificate application, in which a digital certificate application server responds to a login request initiated by a digital certificate application client, acquires the first authentication data carried in the login request, authenticates the digital certificate application client, generates an encryption result carrying a client session key after the identity authentication passes, and sends the encryption result to the digital certificate application client. The digital certificate application server responds to an access request initiated by the web application, acquires the identity information carried in the access request to authenticate the web application, generates an encryption token carrying the client session key after the identity authentication passes, and sends the encryption token to the web application. The web application sends an authentication request to the digital certificate application client through a cross-domain resource access mechanism, the authentication request including the encryption token and second authentication data, the second authentication data generated by encryption under the client session key. The digital certificate application client verifies the request header of the authentication request according to a preset whitelist, establishes a secure communication channel based on the encryption token and the second authentication data after the verification passes, and uses the client session key to carry out bidirectional secure communication with the web application.
According to the embodiment of the application, the distribution of the session key between the Web application and the local digital certificate application client is completed through the trusted server, and bidirectional secure communication is achieved by combining the encryption token with the second authentication data encrypted under the client session key, so that illegal access, data tampering and man-in-the-middle attacks are effectively prevented, communication security is improved, the dependence on SSL server certificates is removed, and the application, installation and maintenance costs of local SSL certificates are reduced. In addition, a cross-domain resource access mechanism is adopted, so that a single installation works across multiple mainstream browsers, solving the incompatibility between browser extensions in the traditional browser extension approach.
The embodiment of the application provides a method for secure communication between a Web application and a local digital certificate application, as shown in fig. 3, comprising the following steps:
301. The digital certificate application server responds to a login request initiated by the digital certificate application client, acquires first authentication data carried in the login request, performs identity authentication on the digital certificate application client, generates an encryption result carrying a client session key after the identity authentication is passed, and sends the encryption result to the digital certificate application client.
In the embodiment of the application, the digital certificate application client first randomly selects an available local service port and starts a local service on 127.0.0.1 on that port; this avoids the situation in which a fixed, non-random service port is already occupied and the local service therefore cannot start normally. The service port is the port on which the local digital certificate application client provides service to the Web application front end, i.e. the server-side port of the two communicating ends; it remains fixed once the local service has started, and is reselected the next time the service starts. The local service is the main logic of the digital certificate client program and mainly provides the local digital certificate service to the Web application front end. Next, the digital certificate application client invokes the random number interface of the digital certificate application server to acquire a login random number random. It should be noted that the login random number random is an unpredictable value dynamically generated during the authentication process. In the embodiment of the application, the main purposes of the digital certificate application client obtaining the login random number are to enhance security, ensure the uniqueness of a session, assist timestamp verification and simplify key management. By introducing dynamic random numbers, the security and reliability of authentication can be effectively improved, and various potential security threats are prevented.
Next, the digital certificate application client performs key derivation using a hash value of the secret information shared with the digital certificate application server, and generates a first key c_auth_key. In digital certificate applications, the secret information typically refers to a PIN code, password, or other authentication information set by the user. The hash value of this information is used for key derivation to ensure the security and reliability of the authentication process; using the hash value, keys for authentication and encryption can be generated without exposing the sensitive information itself. Key derivation generates a key suitable for use by the encryption algorithm from the original key material. It increases the security of the system by increasing the randomness and complexity of the keys, and can generate a plurality of different keys for different encryption operations.
Further, the digital certificate application client encrypts the specified information using the first key c_auth_key, generates the first authentication data auth_data1, and sends a login request carrying the first authentication data auth_data1 to the digital certificate application server. The specified information includes, but is not limited to, an authentication identifier, the login random number, the local service port, and a timestamp. The digital certificate application client may use the first key c_auth_key with the national cryptographic algorithm SM4 or the like, or a non-national algorithm such as AES, to symmetrically encrypt the authentication identifier, the login random number, the local service port, the timestamp and the like.
Subsequently, the digital certificate application server performs key derivation, through the key derivation function, using the hash value of the secret information shared with the digital certificate application client, generates a second key s_auth_key, and decrypts the first authentication data auth_data1 using the second key s_auth_key. If the specified information is successfully decrypted, the digital certificate application server determines that the identity authentication of the digital certificate application client passes; at this point a client session key c_sessionkey is randomly generated, and the randomly generated client session key c_sessionkey, the timestamp and the authentication end identifier are encrypted with the second key s_auth_key. The client session key c_sessionkey, the timestamp and the authentication end identifier may be symmetrically encrypted using the national cryptographic algorithm SM4 or the like, or a non-national algorithm such as AES. Finally, the encryption result and the specified data are transmitted together to the digital certificate application client, so that the digital certificate application client obtains the client session key c_sessionkey by decrypting the encryption result with the first key c_auth_key, and stores it locally in encrypted form. The client session key c_sessionkey is used for secure communication with the Web application front end. The specified data includes, but is not limited to, an authentication state and a random number that is only a parameter of the login request response.
In the embodiment of the application, the key derivation is performed using the login random number and the hash value of the shared secret information, and the generated first key c_auth_key and second key s_auth_key have high randomness and complexity, so the risk of the keys being guessed or brute-forced is effectively prevented. Meanwhile, a different random number is used in each login request, further enhancing system security and preventing replay attacks. Through the combination of information such as the timestamp and the local service port, the data packet of each login request is unique, preventing session hijacking and man-in-the-middle attacks. Further, the digital certificate application server not only authenticates the client, but also generates a session key after the authentication passes and sends it to the client in encrypted form; the client decrypts and stores the session key, so that both the authentication of the client by the server and the authentication of the server by the client are realized, strengthening the bidirectional authentication mechanism of the system.
302. The digital certificate application server responds to an access request initiated by the web application, acquires identity information carried in the access request to carry out identity authentication on the web application, generates an encryption token carrying a client session key after the identity authentication is passed, and sends the encryption token to the web application.
In the embodiment of the application, the web application can be divided into two main parts, namely the web application front end and the web application server. The web application front end is mainly responsible for displaying the user interface and interacting directly with the user, covering web page design, user interaction logic, the implementation of front-end technology and the like. The web application server handles the back-end logic, including server programming, database management, and the development and maintenance of API interfaces, to ensure that requests sent by the front end are properly responded to and processed.
In actual operation, a user logs in to the Web application server through the Web application front end (usually a browser), and when the login to the Web application server is completed, the system generates a Web application session key. The Web application session key is a piece of random, unique data generated by the server after the user successfully logs in to the Web application, for managing and identifying the user's session. This data is typically used for data exchange in encrypted sessions, ensuring the security and integrity of the data against illegal access or tampering by third parties. Further, the Web application front end sends an access request for acquiring the digital certificate service Token to the Web application server. The request information mainly includes appid (identification of the certificate application), u_name (user name of the digital certificate service to be accessed), s_name (service name to be accessed), and the like. appid is a unique identifier that helps the web application server determine the source of the request; through appid, the web application server can verify that the application has the right to access the digital certificate service. u_name is the unique identifier of the user and helps the server determine the identity of the requesting user; u_name is typically generated by the web application server and assigned to the user at registration or login. The web application server verifies whether the user name exists and whether it has been authenticated, ensuring that only legitimate users can acquire the Token. s_name is typically a predefined service name, and the server checks whether the user has permission to access the service based on s_name.
Further, the web application server signs the service information and organization information in the access request with the digital certificate private key configured in the service, and packages the signature result together with the original data to form the signature data. The signature data is then sent to the digital certificate application server, which queries the public key certificate through the organization information and verifies the signature data with that public key certificate. The digital certificate private key supports asymmetric algorithms such as RSA and SM2. If the signature data passes verification, the digital certificate application server determines that the identity authentication of the Web application passes, and then uses a key derivation function to derive a key from the hash value of the secret information shared with the digital certificate application client, generating a third key s_auth_key. The client session key c_sessionkey and the timestamp are encrypted using the third key s_auth_key, generating the encrypted Token. The generation process and the value of the third key are the same as those of the second key s_auth_key. The client session key c_sessionkey, the timestamp and the like may be symmetrically encrypted using the national cryptographic algorithm SM4 or the like, or a non-national algorithm such as AES. The digital certificate application server then generates a digital envelope using the public key certificate of the Web application server and sends it to the Web application server, which decrypts the digital envelope with its digital certificate private key to obtain the encrypted Token, the client session key c_sessionkey and the service port.
Further, the web application server encrypts the plaintext of the digital envelope thus obtained with the web application session key and transfers the resulting ciphertext to the web application front end. The plaintext of the digital envelope includes, but is not limited to, the encrypted Token, the client session key c_sessionkey and the service port; in actual operation, the digital envelope may also include information such as a timestamp and a key validity period. Finally, the web application front end decrypts the ciphertext with the web application session key to obtain the plaintext of the digital envelope, namely the token, the plaintext c_sessionkey, the service port and other information.
In the embodiment of the application, the service information and the organization information in the access request are signed with the digital certificate private key, and the signature data is verified with the public key certificate, so that the integrity and authenticity of the request are ensured. In addition, a symmetric encryption algorithm such as the national cryptographic algorithm SM4 or the non-national algorithm AES is used to encrypt the client session key and the timestamp, further improving the security of the communication process. These encryption measures effectively prevent the session key from being stolen or misused in transit, and ensure the security and reliability of data transmission.
303. The web application sends an authentication request to the digital certificate application client through a cross-domain resource access mechanism, the authentication request including an encryption token and second authentication data, the second authentication data generated based on client session key encryption.
In the embodiment of the application, the front end of the Web application initiates a request to the local service by calling interfaces such as XMLHttpRequest or XDomainRequest provided in the browser, so that interaction with the local service is achieved while compatibility and convenience of communication are ensured. Specifically, the front end code initiates a request to the local address 127.0.0.1:port, where port is the port number on which the local service listens. In this request, the Web application front end sends an authentication request to the digital certificate application client whose request data mainly comprises the encrypted Token and the second authentication data auth_data3. The encrypted Token is a security mechanism for verifying the validity of the request, and it contains the client session key c_sessionkey; verifying the request through the encrypted Token, with the client session key c_sessionkey embedded in it, enhances the security of the communication. The second authentication data auth_data3 is generated by encryption under the client session key c_sessionkey, and its plaintext contains key authentication information, namely the application name, service serial number, authentication identifier and the like, further ensuring the confidentiality and integrity of the data. The embodiment of the application not only effectively prevents illegal requests and data tampering, but also accurately identifies and processes legitimate service requests, thereby improving the security and reliability of the system and providing users with a secure and trustworthy Web application interaction experience.
304. The digital certificate application client verifies the request header of the authentication request according to a preset whitelist, establishes a secure communication channel based on the encryption token and the second authentication data after the verification passes, and uses the client session key to carry out bidirectional secure communication with the web application.
In the embodiment of the application, after receiving the authentication request sent by the front end of the Web application, the digital certificate application client first needs to verify the HTTP request header information. Specifically, it reads the Origin field in the request header, which contains the source address and port number of the request, and compares the address and port read with a preset whitelist. The whitelist stores in advance the addresses and ports that are allowed to communicate; if a matching address and port are found in the whitelist, the digital certificate application client performs the next operation, namely decrypting the encrypted Token. The encrypted Token contains the client session key c_sessionkey, and once c_sessionkey is successfully decrypted, the digital certificate application client continues to decrypt the second authentication data auth_data3 using the client session key c_sessionkey. After the second authentication data auth_data3 is successfully decrypted, an explicit prompt is sent to the Web application indicating that the authentication process has completed successfully. The client establishes a secure communication channel with the Web application, so that the Web application and the digital certificate application client can encrypt the data interaction between them using the client session key c_sessionkey, ensuring the security of data transmission.
If any problem occurs in the verification process, such as the address and port not being in the whitelist or an error during decryption, the digital certificate application client will not proceed to establish the secure communication channel, but will return an exception error message to the Web application, notifying it that the authentication has failed.
According to the method provided by the embodiment of the application, the digital certificate application server responds to the login request initiated by the digital certificate application client, acquires the first authentication data carried in the login request to authenticate the digital certificate application client, generates an encryption result carrying a client session key after the identity authentication passes, and sends the encryption result to the digital certificate application client. The digital certificate application server responds to an access request initiated by the web application, acquires the identity information carried in the access request to authenticate the web application, generates an encryption token carrying the client session key after the identity authentication passes, and sends the encryption token to the web application. The web application sends an authentication request to the digital certificate application client through a cross-domain resource access mechanism, the authentication request including the encryption token and second authentication data, the second authentication data generated by encryption under the client session key. The digital certificate application client verifies the request header of the authentication request according to a preset whitelist, establishes a secure communication channel based on the encryption token and the second authentication data after the verification passes, and uses the client session key to carry out bidirectional secure communication with the web application.
According to the embodiment of the application, the distribution of the session key between the Web application and the local digital certificate application client is completed through the trusted server, and bidirectional secure communication is achieved by combining the encryption token with the second authentication data encrypted under the client session key, so that illegal access, data tampering and man-in-the-middle attacks are effectively prevented, communication security is improved, the dependence on SSL server certificates is removed, and the application, installation and maintenance costs of local SSL certificates are reduced. In addition, a cross-domain resource access mechanism is adopted, so that a single installation works across multiple mainstream browsers, solving the incompatibility between browser extensions in the traditional browser extension approach.
From the above description of the embodiments, it will be clear to those skilled in the art that the present application may be implemented in hardware, or may be implemented by means of software plus necessary general hardware platforms. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective implementation scenario of the present application.
Those skilled in the art will appreciate that the drawing is merely a schematic illustration of a preferred implementation scenario and that the modules or flows in the drawing are not necessarily required to practice the application.
Those skilled in the art will appreciate that modules in an apparatus in an implementation scenario may be distributed in an apparatus in an implementation scenario according to an implementation scenario description, or that corresponding changes may be located in one or more apparatuses different from the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above-mentioned inventive sequence numbers are merely for description and do not represent advantages or disadvantages of the implementation scenario.
The foregoing disclosure is merely illustrative of some embodiments of the application, and the application is not limited thereto, as modifications may be made by those skilled in the art without departing from the scope of the application.
Claims (12)
1. A system for secure communication between a Web application and a local digital certificate application, the system comprising a digital certificate application server, a Web application, and a digital certificate application client;
the digital certificate application server is used for responding to a login request initiated by a digital certificate application client, acquiring first authentication data carried in the login request to carry out identity authentication on the digital certificate application client, generating an encryption result carrying a client session key after the identity authentication is passed, sending the encryption result to the digital certificate application client, responding to an access request initiated by a web application, acquiring identity information carried in the access request to carry out identity authentication on the web application, generating an encryption token carrying the client session key after the identity authentication is passed, and sending the encryption token to the web application;
the web application is used for sending an authentication request to the digital certificate application client through a cross-domain resource access mechanism, wherein the authentication request comprises an encryption token and second authentication data, and the second authentication data is generated based on client session key encryption;
the digital certificate application client is used for verifying the request header of the authentication request against a preset whitelist, establishing a secure communication channel based on the encryption token and the second authentication data after verification is passed, and carrying out bidirectional secure communication with the web application using the client session key.
2. The system of claim 1, wherein the digital certificate application client is configured to randomly select a local service port to start a local service, invoke a random number interface provided by the digital certificate application server, obtain the login random number, derive a key using a hash value of secret information shared with the digital certificate application server, generate a first key, encrypt specified information using the first key, generate the first authentication data, and send a login request carrying the first authentication data to the digital certificate application server, where the specified information includes, but is not limited to, an authentication identifier, the login random number, the local service port, and a timestamp.
3. The system of claim 1, wherein the digital certificate application server is configured to derive a second key from a hash value of secret information shared with the digital certificate application client through a key derivation function, decrypt the first authentication data using the second key, and if the specified information is obtained by successful decryption, determine that the identity authentication passes, encrypt the randomly generated client session key, the timestamp and the authentication end identifier using the second key to obtain an encryption result, and send the encryption result and the specified data to the digital certificate application client, so that the digital certificate application client decrypts the encryption result based on the first key and obtains and stores the client session key, where the specified data includes, but is not limited to, an authentication state and a random number, and the random number is a parameter of the response to the login request.
4. The system of claim 1, wherein the web application comprises a web application front end and a web application server;
the web application front end is used for logging in to the web application server, generating a web application session key and sending the access request to the web application server;
the web application server is used for signing service information and organization information in the access request with a digital certificate private key configured in the service, packaging the signature result and the access request into signature data, sending the signature data to the digital certificate application server, encrypting the plaintext data obtained from the digital envelope with the web application session key, and transmitting the resulting ciphertext to the web application front end, wherein the plaintext data includes but is not limited to an encryption token, a client session key and a service port;
the digital certificate application server is used for looking up a public key certificate by the organization information, verifying the signature data against the public key certificate, and if the signature data passes verification, determining that the identity authentication passes, deriving a third key from a hash value of secret information shared with the digital certificate application client using a key derivation function, encrypting a client session key and a timestamp with the third key to generate the encryption token, generating a digital envelope using the public key certificate of the Web application server, and sending the digital envelope to the Web application server, so that the Web application server decrypts the digital envelope with the digital certificate private key to obtain the plaintext data of the digital envelope.
5. The system of claim 4, wherein the Web application front end is configured to invoke an XMLHttpRequest or XDomainRequest interface in a browser to send an authentication request to the digital certificate application client, wherein the request data in the authentication request includes, but is not limited to, an encrypted token and second authentication data, wherein the second authentication data is generated by client session key encryption, and wherein the originals of the second authentication data include, but are not limited to, an application name, a service flow, and an authentication identifier.
6. The system of claim 1, wherein the digital certificate application client reads an address and a port of a Web application server indicated by an Origin field in the request header, determines whether the address and the port exist in the preset whitelist, if so, decrypts the encrypted token, obtains a client session key carried in the encrypted token, decrypts the second authentication data using the client session key, and when the digital certificate application client successfully decrypts the second authentication data, sends prompt information indicating authentication success to the Web application, and establishes a secure communication channel with the Web application, so that the Web application and the digital certificate application client perform encrypted data interaction using the client session key.
7. A method for secure communication between a Web application and a local digital certificate application, comprising:
a digital certificate application server responds to a login request initiated by a digital certificate application client, obtains first authentication data carried in the login request to carry out identity authentication on the digital certificate application client, generates an encryption result carrying a client session key after the identity authentication is passed, and sends the encryption result to the digital certificate application client;
the digital certificate application server responds to an access request initiated by a web application, acquires identity information carried in the access request to carry out identity authentication on the web application, generates an encryption token carrying a client session key after the identity authentication is passed, and sends the encryption token to the web application;
the web application sends an authentication request to the digital certificate application client through a cross-domain resource access mechanism, wherein the authentication request comprises an encryption token and second authentication data, and the second authentication data is generated based on client session key encryption;
and the digital certificate application client verifies the request header of the authentication request against a preset whitelist, establishes a secure communication channel based on the encryption token and the second authentication data after the verification is passed, and uses the client session key to carry out bidirectional secure communication with the web application.
8. The method of claim 7, wherein the method further comprises:
The digital certificate application client randomly selects a local service port to start local service, and calls a random number interface provided by the digital certificate application server to acquire the login random number;
The digital certificate application client adopts a hash value of secret information shared with the digital certificate application server to conduct key derivation, and a first key is generated;
the digital certificate application client encrypts specified information by using the first key, generates the first authentication data, and sends a login request carrying the first authentication data to the digital certificate application server, wherein the specified information comprises, but is not limited to, an authentication identifier, the login random number, the local service port and a time stamp.
9. The method of claim 8, wherein obtaining the first authentication data carried in the login request to authenticate the digital certificate application client, generating an encryption result carrying a client session key after the identity authentication is passed, and sending the encryption result to the digital certificate application client comprises:
The digital certificate application server uses a hash value of secret information shared with the digital certificate application client to conduct key derivation through a key derivation function, generates a second key, and decrypts the first authentication data by adopting the second key;
if the specified information is successfully decrypted, the digital certificate application server determines that the identity authentication passes, encrypts the randomly generated client session key, the timestamp and the authentication end identifier using the second key to obtain an encryption result, and sends the encryption result and specified data to the digital certificate application client so that the digital certificate application client decrypts the encryption result based on the first key to acquire and store the client session key, wherein the specified data comprises but is not limited to an authentication state and a random number, and the random number is a parameter of the response to the login request.
10. The method of claim 7, wherein obtaining the identity information carried in the access request to authenticate the web application, generating an encryption token carrying a client session key after the identity authentication is passed, and sending the encryption token to the web application comprises:
The web application front end logs in a web application server, generates a web application session key and sends the access request to the web application server, wherein the web application comprises a web application front end and a web application server;
the web application server signs service information and organization information in the access request with a digital certificate private key configured in the service, packages the signature result and the access request into signature data, and sends the signature data to the digital certificate application server, so that the digital certificate application server looks up the public key certificate by the organization information and verifies the signature data against the public key certificate;
if the signature data passes verification, the digital certificate application server determines that identity authentication passes, uses a key derivation function to derive a third key from a hash value of secret information shared with the digital certificate application client, and encrypts a client session key and a timestamp with the third key to generate the encryption token;
the digital certificate application server generates a digital envelope using the public key certificate of the Web application server and sends the digital envelope to the Web application server, so that the Web application server decrypts the digital envelope with the digital certificate private key to obtain the plaintext data of the digital envelope, wherein the plaintext data comprises but is not limited to the encryption token, the client session key and the service port;
the web application server encrypts the plaintext data obtained from the digital envelope with the web application session key and transmits the resulting ciphertext to the web application front end.
11. The method of claim 7, wherein the web application sending an authentication request to the digital certificate application client via a cross-domain resource access mechanism comprises:
The Web application front end calls an XMLHttpRequest or XDomainRequest interface in a browser to send an authentication request to the digital certificate application client, wherein request data in the authentication request comprises but is not limited to an encryption token and second authentication data;
the second authentication data is generated through client session key encryption, and the original text of the second authentication data comprises, but is not limited to, an application name, service flow and an authentication identifier.
12. The method of claim 7, wherein the digital certificate application client verifying the request header of the authentication request against a preset whitelist, establishing a secure communication channel based on the encryption token and the second authentication data after the verification is passed, and performing bidirectional secure communication with the web application using the client session key comprises:
the digital certificate application client reads the address and the port of the Web application server indicated by the Origin field in the request header and determines whether the address and the port exist in the preset whitelist;
if so, the digital certificate application client decrypts the encryption token, acquires the client session key carried in the encryption token, and decrypts the second authentication data using the client session key;
and when the digital certificate application client successfully decrypts the second authentication data, it sends prompt information indicating authentication success to the Web application and establishes a secure communication channel with the Web application, so that the Web application and the digital certificate application client use the client session key for encrypted data interaction.
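The login handshake of claims 8 and 9 and the token, whitelist and channel establishment of claims 10 to 12, as an added Python walk-through that is not the patent's code: the HMAC-based KDF, the cipher (an HMAC keystream plus tag stand-in, since the claims name none), the JSON message layout, the `scheme://host:port` whitelist format and the nonce check in `server_login` are assumptions, and the signature and digital envelope exchanged between the Web application server and the digital certificate application server are omitted.

```python
import hashlib, hmac, json, os, time

def kdf(shared_secret: bytes, label: bytes) -> bytes:
    """Claims 2-4: derive a key from the hash of the shared secret (HMAC-based KDF is an assumption)."""
    return hmac.new(hashlib.sha256(shared_secret).digest(), label, hashlib.sha256).digest()

def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))

def seal(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = kdf(key, b"enc"), kdf(key, b"mac")   # stand-in AEAD (HMAC keystream + HMAC tag); the patent names no cipher
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails: wrong key, tampering, or a truncated message."""
    ek, mk = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

def client_login(shared: bytes, login_nonce: str, port: int) -> bytes:
    """Claim 8: the specified information encrypted with the first key is the first authentication data."""
    info = {"auth_id": "cert-client", "nonce": login_nonce, "port": port, "ts": int(time.time())}
    return seal(kdf(shared, b"login"), json.dumps(info).encode())

def server_login(shared: bytes, first_auth: bytes, issued_nonce: str):
    """Claim 9: derive the second key, decrypt, check the nonce it issued, return (session_key, encryption_result)."""
    k2 = kdf(shared, b"login")                       # equals the client's first key: same secret, same derivation
    pt = unseal(k2, first_auth)
    if pt is None or json.loads(pt)["nonce"] != issued_nonce:
        return None                                  # wrong secret, tampering, or replayed login random number
    csk = os.urandom(32)                             # randomly generated client session key
    enc = seal(k2, json.dumps({"csk": csk.hex(), "ts": int(time.time()), "end": "server"}).encode())
    return csk, enc

def server_issue_token(shared: bytes, csk: bytes) -> bytes:
    """Claim 10: the third key encrypts (client session key, timestamp) into the encryption token."""
    return seal(kdf(shared, b"token"), json.dumps({"csk": csk.hex(), "ts": int(time.time())}).encode())

def web_auth_request(origin: str, token: bytes, csk: bytes) -> dict:
    """Claim 11: second authentication data encrypted under the session key (constructed field values)."""
    second = seal(csk, json.dumps({"app": "demo-app", "flow": "sign", "auth_id": "cert-client"}).encode())
    return {"Origin": origin, "token": token.hex(), "second": second.hex()}

def client_handle_auth(shared: bytes, whitelist: set, req: dict):
    """Claim 12: Origin whitelist first, then decrypt the token, then the second data; session key or None."""
    if req["Origin"] not in whitelist:
        return None                                  # untrusted Web application server: refuse before any decryption
    tk = unseal(kdf(shared, b"token"), bytes.fromhex(req["token"]))
    if tk is None:
        return None                                  # token forged, tampered with, or issued under another secret
    csk = bytes.fromhex(json.loads(tk)["csk"])
    return csk if unseal(csk, bytes.fromhex(req["second"])) is not None else None

def run_protocol(shared: bytes = b"constructed-shared-secret", origin: str = "https://app.example.test:443") -> bool:
    """Whole exchange; True when the client ends up with the session key the server issued."""
    whitelist = {"https://app.example.test:443"}     # assumed whitelist of Origin address:port values
    nonce = os.urandom(8).hex()                      # stands in for the server's random number interface
    csk, _enc = server_login(shared, client_login(shared, nonce, 8443), nonce)
    token = server_issue_token(shared, csk)          # reaches the Web application server in a digital envelope (omitted)
    return client_handle_auth(shared, whitelist, web_auth_request(origin, token, csk)) == csk
```

The order in `client_handle_auth` matters: an Origin outside the whitelist is rejected before any ciphertext is touched, so a page on an untrusted site cannot even exercise the token decryption path.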
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510231421.3A CN120128365A (en) | 2025-02-28 | 2025-02-28 | System and method for secure communication between web application and local digital certificate application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510231421.3A CN120128365A (en) | 2025-02-28 | 2025-02-28 | System and method for secure communication between web application and local digital certificate application |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120128365A true CN120128365A (en) | 2025-06-10 |
Family
ID=95916845
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510231421.3A Pending CN120128365A (en) | 2025-02-28 | 2025-02-28 | System and method for secure communication between web application and local digital certificate application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120128365A (en) |
- 2025-02-28 CN CN202510231421.3A patent/CN120128365A/en active Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |