CN115296863A - A method, device and storage medium for ensuring user safety - Google Patents
- Publication number
- CN115296863A CN202210835077.5A
- Authority
- CN
- China
- Prior art keywords
- certificate
- target user
- target
- client certificate
- request message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The present disclosure relates to the technical field of network security and discloses a method, device and storage medium for ensuring user security. The method is as follows: based on an HTTPS request message initiated by a target user terminal, determine the target client certificate and the target user credential corresponding to the target user terminal; based on the target user credential and a pre-established binding relationship between certificates and credentials, determine the bound client certificate that is bound to the target user credential, where the binding relationship is determined from the HTTPS connection establishment request message sent by the target user terminal; and respond to the HTTPS request message based on the target client certificate and the bound client certificate. That is, the binding relationship is used to determine whether the target client certificate of the target user terminal is consistent with the bound client certificate, and thereby to judge whether there is a security risk. This effectively screens out the fraudulent use of other users' identities and ensures user security.
Description
Technical field
The present disclosure relates to the technical field of network security, and provides a method, device and storage medium for ensuring user security.
Background
At present, after a user terminal successfully logs in to a system, it obtains a credential such as a SessionId or AccessToken. Subsequent access by the user terminal to the system must carry this credential to establish the user terminal's identity, permissions and so on.
However, such credentials are generally in the form of a random string or a Java Web Service (JWS). Once the credential is leaked, an attacker (that is, another user) can use it to access the user terminal's data in the system. In other words, the existing approach of using HTTPS two-way authentication can only determine that the user terminal is a trusted user terminal; it cannot determine whether the user terminal is fraudulently using the identity of another user terminal.
Summary of the invention
Embodiments of the present disclosure provide a method, device and storage medium for ensuring user security, which are used to screen out the fraudulent use of other users' identities and thereby ensure user security.
The specific technical solutions provided by the present disclosure are as follows:
In a first aspect, an embodiment of the present disclosure provides a method for ensuring user security, including:
determining, based on a Hypertext Transfer Protocol Secure (HTTPS) request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to the target user terminal;
determining, based on the target user credential and a pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, where the binding relationship between certificates and credentials is determined from the HTTPS connection establishment request message sent by the target user terminal;
responding to the HTTPS request message based on the target client certificate and the bound client certificate.
Optionally, the binding relationship between certificates and credentials is determined as follows:
when the HTTPS connection establishment request message sent by the target user terminal is received, parsing the client certificate out of the HTTPS connection establishment request message;
generating a certificate digest from the client certificate, and generating a user credential from the certificate digest;
generating the binding relationship between certificates and credentials from the client certificate and the user credential.
Optionally, determining the target client certificate and the target user credential corresponding to the target user terminal based on the HTTPS request message initiated by the target user terminal includes:
when the HTTPS request message sent by the target user terminal is received, parsing the target client certificate out of the HTTPS request message;
generating a target certificate digest from the target client certificate, generating a target user credential from the target certificate digest, and taking the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, determining the bound client certificate that is bound to the target user credential, based on the target user credential and the pre-established binding relationship between certificates and credentials, includes:
searching the pre-established binding relationship between certificates and credentials for the client certificate bound to the target user credential;
taking the bound client certificate that is found as the bound client certificate.
Optionally, responding to the HTTPS request message based on the target client certificate and the bound client certificate includes:
if the target client certificate and the bound client certificate are the same, allowing the HTTPS request message to access;
if the target client certificate and the bound client certificate are different, intercepting the HTTPS request message.
In a second aspect, an embodiment of the present disclosure further provides a device for ensuring user security, including:
a determining unit, configured to determine, based on a Hypertext Transfer Protocol Secure (HTTPS) request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to the target user terminal;
a binding unit, configured to determine, based on the target user credential and a pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, where the binding relationship between certificates and credentials is determined from the HTTPS connection establishment request message sent by the target user terminal;
a response unit, configured to respond to the HTTPS request message based on the target client certificate and the bound client certificate.
Optionally, the binding relationship between certificates and credentials is determined as follows:
when the HTTPS connection establishment request message sent by the target user terminal is received, parsing the client certificate out of the HTTPS connection establishment request message;
generating a certificate digest from the client certificate, and generating a user credential from the certificate digest;
generating the binding relationship between certificates and credentials from the client certificate and the user credential.
Optionally, to determine the target client certificate and the target user credential corresponding to the target user terminal based on the HTTPS request message initiated by the target user terminal, the determining unit is configured to:
when the HTTPS request message sent by the target user terminal is received, parse the target client certificate out of the HTTPS request message;
generate a target certificate digest from the target client certificate, generate a target user credential from the target certificate digest, and take the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, to determine the bound client certificate that is bound to the target user credential, based on the target user credential and the pre-established binding relationship between certificates and credentials, the binding unit is configured to:
search the pre-established binding relationship between certificates and credentials for the client certificate bound to the target user credential;
take the bound client certificate that is found as the bound client certificate.
Optionally, to respond to the HTTPS request message based on the target client certificate and the bound client certificate, the response unit is configured to:
if the target client certificate and the bound client certificate are the same, allow the HTTPS request message to access;
if the target client certificate and the bound client certificate are different, intercept the HTTPS request message.
In a third aspect, a server includes:
a memory, configured to store executable instructions;
a processor, configured to read and execute the executable instructions stored in the memory, so as to implement the method of any one of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided; when instructions in the storage medium are executed by a processor, the processor is enabled to execute the method of any one of the first aspect above.
The beneficial effects of the present disclosure are as follows:
In summary, the embodiments of the present disclosure provide a method, device and storage medium for ensuring user security. The method includes: based on an HTTPS request message initiated by a target user terminal, determining the target client certificate and the target user credential corresponding to the target user terminal; based on the target user credential and a pre-established binding relationship between certificates and credentials, determining the bound client certificate that is bound to the target user credential, where the binding relationship is determined from the HTTPS connection establishment request message sent by the target user terminal; and responding to the HTTPS request message based on the target client certificate and the bound client certificate. That is, the binding relationship is used to determine whether the target client certificate of the target user terminal is consistent with the bound client certificate, and thereby to judge whether there is a security risk. This effectively screens out the fraudulent use of other users' identities and ensures user security.
Additional features and advantages of the present disclosure will be set forth in the description that follows, and in part will become apparent from the description or may be learned by practicing the disclosure. The objectives and other advantages of the disclosure may be realized and obtained through the structure particularly pointed out in the written description, the claims and the accompanying drawings.
Description of the drawings
The drawings described here provide a further understanding of the present disclosure and constitute a part of it. The schematic embodiments of the present disclosure and their descriptions are used to explain the present disclosure and do not improperly limit it. In the drawings:
FIG. 1 is a schematic diagram of a system architecture for ensuring user security in an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of a method for ensuring user security in an embodiment of the present disclosure;
FIG. 3 is a schematic flowchart of determining a target user credential in an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart of determining a bound client certificate in an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of responding to an HTTPS request message in an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of generating a certificate digest with SHA256 in an application scenario;
FIG. 7 is a schematic diagram of binding the target client certificate and the target user credential in an application scenario;
FIG. 8 is a schematic diagram of using the binding relationship to verify a user credential in an application scenario;
FIG. 9 is a schematic diagram of the logical architecture of a device for ensuring user security in an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of the physical architecture of a server in an embodiment of the present disclosure.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions of the present disclosure are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the technical solutions of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art from the embodiments recorded in this disclosure without creative effort fall within the scope of protection of the technical solutions of the present disclosure.
The terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and do not necessarily describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be practiced in orders other than those illustrated or described here.
Preferred embodiments of the present disclosure are described in detail below with reference to the drawings.
Referring to FIG. 1, in an embodiment of the present disclosure the system includes at least one server and at least two user terminals. In FIG. 1, user terminal 1 and user terminal 2 represent two user terminals connected to the server. During implementation, one of the user terminals (for example, user terminal 1) generates a user credential on the basis of HTTPS two-way authentication with the server, and the other user terminal (for example, user terminal 2) may fraudulently use that user credential when sending an HTTPS request message to the server, which creates a security risk. In the embodiments of the present disclosure, the target user terminal is usually one of the at least two user terminals; the pre-established binding relationship between certificates and credentials is used to verify the target user terminal that sends the HTTPS request message, as described in detail below.
Referring to FIG. 2, in an embodiment of the present disclosure, a specific process for ensuring user security is as follows:
Step 201: Based on a HyperText Transfer Protocol Secure (HTTPS) request message initiated by a target user terminal, determine the target client certificate and the target user credential corresponding to the target user terminal.
During implementation, the process of determining the target client certificate and the target user credential corresponding to the target user terminal, shown in FIG. 3, includes:
Step 2011: When the HTTPS request message sent by the target user terminal is received, parse the target client certificate out of the HTTPS request message.
When the target user terminal sends an HTTPS request message to the server, for example an interface access request message, that is, during the HTTPS handshake, the server parses the received HTTPS request message to obtain the target client certificate it contains.
It should be noted that target client certificates and target user terminals correspond one to one. The target client certificate is uniquely configured by the server for the target user terminal, and the target client certificates of different target user terminals are all different.
Step 2012: Generate a target certificate digest from the target client certificate, generate a target user credential from the target certificate digest, and take the generated target user credential as the target user credential corresponding to the target user terminal.
Because the target client certificate is a file, during implementation, once the target client certificate has been determined, an algorithm such as SHA256, MD5 or SM3 is applied to it to generate the target certificate digest, which gives the target user terminal a smaller and more private identifier. Further, the target user credential, that is, a SessionId, AccessToken or the like, is generated from the target certificate digest. The generated target user credential is taken as the target user credential corresponding to the target user terminal, that is, the target user credential corresponding to the HTTPS request message sent by the target user terminal.
Step 202: Based on the target user credential and the pre-established binding relationship between certificates and credentials, determine the bound client certificate that is bound to the target user credential, where the binding relationship between certificates and credentials is determined from the HTTPS connection establishment request message sent by the target user terminal.
First, the binding relationship between certificates and credentials is determined as follows:
(1) When the HTTPS connection establishment request message sent by the target user terminal is received, parse the client certificate out of the HTTPS connection establishment request message.
When the target user terminal sends an HTTPS connection establishment request message to the server, the server parses the received message and determines the client certificate corresponding to the target user terminal. This client certificate serves as the identifier used for verification when the target user terminal later sends HTTPS request messages.
(2) Generate a certificate digest from the client certificate, and generate a user credential from the certificate digest.
During implementation, once the client certificate has been determined, an algorithm such as SHA256, MD5 or SM3 is applied to it to generate the certificate digest. Further, the user credential, that is, a SessionId, AccessToken or the like, is generated from the certificate digest.
(3) Generate the binding relationship between certificates and credentials from the client certificate and the user credential.
Because every subsequent access by the target user terminal to the server must carry the user credential to establish the user's identity, permissions and so on, the client certificate and its corresponding user credential are bound to each other, which generates the binding relationship between certificates and credentials and makes it easy to verify the target user terminal later.
It should be added that, because multiple target user terminals send HTTPS connection establishment request messages to the server, the binding relationship between certificates and credentials correspondingly stores multiple pairs of client certificate and user credential.
After the target user terminal sends an HTTPS request message, determining the bound client certificate that is bound to the target user credential, shown in FIG. 4, specifically includes:
Step 2021: Search the pre-established binding relationship between certificates and credentials for the client certificate bound to the target user credential.
During implementation, after the target user credential has been determined from the HTTPS request message, the pre-established binding relationship between certificates and credentials is searched for the client certificate bound to that target user credential, that is, the binding relationship is searched for a user credential identical to the target user credential.
If a user credential identical to the target user credential is found in the stored binding relationship, the client certificate bound to that user credential is then looked up.
If no user credential identical to the target user credential is found in the stored binding relationship, an abnormal alarm is issued directly; that is, it is determined that the target user terminal is using an illegitimate target user credential for access.
Step 2022: Take the bound client certificate that is found as the bound client certificate.
During implementation, if a user credential identical to the target user credential is found in the binding relationship, the client certificate bound to it is taken as the bound client certificate. The bound client certificate is the reference against which it is judged whether the target user terminal is fraudulently using another client's user credential.
Step 203: Respond to the HTTPS request message based on the target client certificate and the bound client certificate.
During implementation, the response to the HTTPS request message depends on whether the target client certificate and the bound client certificate are consistent. Specifically, referring to FIG. 5, this includes:
Step 2031: If the target client certificate and the bound client certificate are the same, allow the HTTPS request message to access.
In the first case, the target client certificate and the bound client certificate are the same. This means that the target user credential corresponding to the target user terminal when it sends the HTTPS request message is consistent with the user credential corresponding to the target user terminal when it sent the connection establishment request message, and that the client certificate corresponding to the target user terminal is also legitimate. In this case, the HTTPS request message is allowed to access, that is, the server continues to respond to the HTTPS request message.
Step 2032: If the target client certificate and the bound client certificate are different, intercept the HTTPS request message.
In the second case, the target client certificate and the bound client certificate are different. This means that, although the target user credential corresponding to the target user terminal when it sends the HTTPS request message is consistent with the user credential corresponding to the target user terminal when it sent the connection establishment request message, the client certificate corresponding to the target user terminal is not legitimate; that is, the target user terminal is judged to be fraudulently using a user credential. In this case, the HTTPS request message is intercepted, that is, the server stops responding to the HTTPS request message. Usually an abnormal alarm is also issued in this case.
Application scenario:
Referring to FIG. 6, user terminal A interacts with the server as follows. User terminal A sends an HTTPS connection establishment request to the server's gateway, that is, user terminal A wants to log in to the server. The server's gateway returns a certificate containing the server public key to user terminal A. User terminal A verifies the legitimacy of the certificate returned by the server and obtains the public key from it; after verification passes, it sends a certificate containing the client public key to the server. To facilitate the later binding, the server's gateway verifies the legitimacy of the client certificate, obtains the public key from it, and generates a certificate digest from the certificate with the SHA256 algorithm. User terminal A then sends the encryption schemes it supports to the server, and the server encrypts the communication encryption scheme with the public key of the client (that is, user terminal A) and sends it to the client. The client can then decrypt the scheme with the client private key, generate a random number R, encrypt it with the server public key and pass it to the server, so that the server decrypts it with the server private key and obtains the private key R. At the same time, the client uses the random number R as the key for HTTPS communication and sends GET/user/{userId} to the server. The server's gateway can then add a field to the request Header to store the digest of the client certificate, and request the corresponding service with GET/user/{userId}{http request header contains the client certificate digest}.
Referring to Figure 7, the normal interaction between the user terminal and the server proceeds as follows. During HTTPS two-way authentication with the server, after the certificate digest has been generated using the SHA256 algorithm, user terminal A sends the generated client certificate digest to the server's gateway and then sends a POST /login message to the gateway. The gateway adds a field to the request header and stores the digest of the client certificate in that field, then sends the POST /login message (HTTP request header contains the client certificate digest) to the service. The corresponding service verifies the user name, password and other elements. After successful verification it generates the user credential, that is, the token, extracts the value stored in the request header, that is, the certificate digest, and binds the certificate digest to the token. The service sends OK (200) userInfo to the gateway, and the gateway sends OK (200) token to user terminal A, so that user terminal A carries the token for subsequent interface access and the like. User terminal A sends GET /user/{userId} to the gateway. The gateway adds a field to the request header to store the digest of the client certificate, and forwards GET /user/{userId} {HTTP request header contains the client certificate digest} to the service. The service obtains the token from the above cookie and verifies the validity of the token; at the same time, it extracts the value stored in the request header and verifies its binding relationship with the token. The service sends OK (200) userInfo to the gateway, and the gateway forwards the OK (200) userInfo to user terminal A.
Referring to Figure 8, when an attacker has stolen the user credential (that is, the token) of user terminal A, the interaction among user terminal A, the attacker and the server is as follows. The environment of user terminal A is at risk, so the login credential token is stolen by the attacker. In this case, the attacker performs the handshake with the attacker's own certificate while using the stolen token of another user. After receiving the handshake request, the gateway adds a field to the request header and stores the digest of the client certificate in that field. The corresponding service extracts the value stored in the added header field, that is, the digest of the client certificate, and verifies its binding relationship with the token. Because the attacker is using another user's token, and the binding relationship shows that this token corresponds to the other user's certificate digest, the other user's certificate digest differs from the attacker's certificate digest, so the verification is determined to have failed. The service sends an Unauthorized (401) alert to the gateway, and the gateway forwards the Unauthorized (401) alert to the attacker.
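The login binding of Figure 7 and the mismatch check of Figure 8, as an added Python example that is not part of the patent text. The header name `X-Client-Cert-Digest`, the in-memory binding table, and the sample user and certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical header name: the page only says the gateway adds a field to the request header.
DIGEST_HEADER = "X-Client-Cert-Digest"


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 digest of the client certificate, as the gateway computes it."""
    return hashlib.sha256(cert_der).hexdigest()


def gateway_forward(client_headers: dict, handshake_cert: bytes) -> dict:
    """Gateway step: attach the digest of the certificate seen in the TLS handshake."""
    # Any client-sent copy of the field is dropped first (an assumption of this example).
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != DIGEST_HEADER.lower()}
    headers[DIGEST_HEADER] = cert_digest(handshake_cert)
    return headers


class Service:
    """Back-end service holding the token -> certificate digest binding."""

    def __init__(self, users: dict):
        self._users = users      # constructed demo data: username -> password
        self._bindings = {}      # token -> (username, bound certificate digest)

    def login(self, headers: dict, username: str, password: str):
        """POST /login: check the password, issue a token, bind it to the digest."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return 401, None
        token = secrets.token_urlsafe(32)
        self._bindings[token] = (username, headers[DIGEST_HEADER])
        return 200, token

    def get_user(self, headers: dict, token: str):
        """GET /user/{userId}: the token must arrive with the digest it was bound to."""
        bound = self._bindings.get(token)
        if bound is None:
            return 401, None
        username, bound_digest = bound
        presented = headers.get(DIGEST_HEADER, "")
        if not hmac.compare_digest(bound_digest.encode(), presented.encode()):
            return 401, None     # Figure 8: token replayed over another certificate
        return 200, {"user": username}


def run_scenarios():
    """Replay Figure 7 (normal) and Figure 8 (stolen token) with constructed inputs."""
    cert_a = b"constructed certificate bytes of user terminal A"
    cert_x = b"constructed certificate bytes of another client"
    service = Service({"alice": "constructed-password"})
    login_status, token = service.login(gateway_forward({}, cert_a), "alice", "constructed-password")
    normal_status, _ = service.get_user(gateway_forward({}, cert_a), token)
    stolen_status, _ = service.get_user(gateway_forward({}, cert_x), token)
    return login_status, normal_status, stolen_status


if __name__ == "__main__":
    print(run_scenarios())
```

The binding only holds if the service is reachable solely through the gateway, since the service trusts whatever digest the header carries.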
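Based on the same inventive concept, and referring to Figure 9, an embodiment of the present disclosure provides a device for ensuring user safety, including:
a determining unit 901, configured to determine, based on a Hypertext Transfer Protocol Secure (HTTPS) request message initiated by a target user terminal, the target client certificate and the target user credential corresponding to the target user terminal;
a binding unit 902, configured to determine, based on the target user credential and a pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, wherein the binding relationship between certificates and credentials is determined based on the HTTPS connection establishment request message sent by the target user terminal;
a response unit 903, configured to respond to the HTTPS request message based on the target client certificate and the bound client certificate.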
Optionally, the binding relationship between certificates and credentials is determined as follows:
when the HTTPS connection establishment request message sent by the target user terminal is received, parsing the client certificate out of the HTTPS connection establishment request message;
generating a certificate digest based on the client certificate, and generating a user credential based on the certificate digest;
generating the binding relationship between the certificate and the credential based on the client certificate and the user credential.
Optionally, to determine, based on the HTTPS request message initiated by the target user terminal, the target client certificate and the target user credential corresponding to the target user terminal, the determining unit 901 is configured to:
when the HTTPS request message sent by the target user terminal is received, parse the target client certificate out of the HTTPS request message;
generate a target certificate digest based on the target client certificate, generate a target user credential based on the target certificate digest, and take the generated target user credential as the target user credential corresponding to the target user terminal.
Optionally, to determine, based on the target user credential and the pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, the binding unit 902 is configured to:
look up, in the pre-established binding relationship between certificates and credentials, the client certificate bound to the target user credential;
take the bound client certificate that was found as the bound client certificate.
Optionally, to respond to the HTTPS request message based on the target client certificate and the bound client certificate, the response unit 903 is configured to:
if the target client certificate and the bound client certificate are the same, allow the HTTPS request message to proceed with access;
if the target client certificate and the bound client certificate are different, intercept the HTTPS request message.
Based on the same inventive concept, and referring to Figure 10, an embodiment of the present disclosure provides a server, including: a memory 1001, configured to store executable instructions; and a processor 1002, configured to read and execute the executable instructions stored in the memory and to perform any one of the above methods for ensuring user safety.
Based on the same inventive concept, an embodiment of the present disclosure provides a computer-readable storage medium; when the instructions in the storage medium are executed by a processor, the processor is enabled to perform any one of the above methods for ensuring user safety.
In summary, the embodiments of the present disclosure provide a method, device and storage medium for ensuring user safety. The method includes: determining, based on the HTTPS request message initiated by the target user terminal, the target client certificate and the target user credential corresponding to the target user terminal; determining, based on the target user credential and the pre-established binding relationship between certificates and credentials, the bound client certificate that is bound to the target user credential, where the binding relationship between certificates and credentials is determined based on the HTTPS connection establishment request message sent by the target user terminal; and responding to the HTTPS request message based on the target client certificate and the bound client certificate. That is, the binding relationship is used to determine whether the target client certificate of the target user terminal is consistent with the bound client certificate, and thereby to judge whether there is a security risk. This effectively screens out the impersonation of other users' identities and ensures user safety.
Those skilled in the art should understand that the embodiments of the present disclosure may be provided as a method, a system, or a computer program product system. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product system implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program product systems according to the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present disclosure without departing from its spirit and scope. Thus, if these modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their technical equivalents, the present disclosure is also intended to include them.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210835077.5A CN115296863A (en) | 2022-07-15 | 2022-07-15 | A method, device and storage medium for ensuring user safety |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115296863A (en) | 2022-11-04 |
Family
ID=83822136
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210835077.5A Pending CN115296863A (en) | 2022-07-15 | 2022-07-15 | A method, device and storage medium for ensuring user safety |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115296863A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20221104 |