CN116094793A - Method and system for establishing connection between operation center and security equipment based on data certificate - Google Patents
Method and system for establishing connection between operation center and security equipment based on data certificate
- Publication number: CN116094793A (application CN202211741207.5A)
- Authority: CN (China)
- Prior art keywords: digital certificate, operation center, verification, connection, security
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications (all under H04L, transmission of digital information)
- H04L63/0823: network security; authentication of entities using certificates
- H04L63/0869: network security; authentication of entities for achieving mutual authentication
- H04L63/20: network security; managing network security, network security policies in general
- H04L9/3247: cryptographic mechanisms for entity authentication or message authentication involving digital signatures
- H04L9/3263: cryptographic mechanisms involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268: cryptographic mechanisms using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
The invention discloses a method and a system for establishing a connection between an operation center and a security device based on a data certificate, and belongs to the technical field of network security applications. The method comprises the following steps: generating a query list for querying digital certificates; querying the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement; verifying the digital certificate and, if the verification passes, retaining the retrieved digital certificate; and determining a security device to be connected to the operation center, performing identity verification on the security device and, if the identity verification passes, building a security interface from a security API interface and the security device, and establishing the connection between the operation center and the security device based on the retrieved digital certificate and the security interface. The invention realizes a secure connection between the operation center and the security device.
Description
Technical Field
The present invention relates to the field of network security applications, and more particularly to a method and system for establishing a connection between an operation center and a security device based on a data certificate.
Background
The intelligent security operation center and ten kinds of security devices (security access gateway VPN, cloud platform traffic security monitoring device, cloud desktop, SSL offloading device, DDoS traffic scrubbing device, cloud platform attack tracing device, advanced unknown threat detection system, dynamic application protection system, threat intelligence joint-defense handling device, and big-data situational awareness traffic probe) are to realize secure application of digital certificates, for which the following key security elements must be realized:
1. The intelligent security operation center and the security devices need a secure connection capability based on digital certificates, with strict bidirectional (mutual) identity authentication based on digital certificates carried out at access time, so that the authenticity and validity of both parties' identities are established.
2. Important business information exchanges are protected with digital signature technology, so that key information can be neither repudiated nor tampered with.
3. The internet security service system needs to encrypt the transmission of service-sensitive information, by deploying an SSL security gateway and establishing an SSL secure channel based on client certificates.
4. Some highly sensitive information needs confidentiality protection at the application layer; digital envelope technology can be used to protect the information content.
However, prior art methods have not fully realized the above security elements.
Disclosure of Invention
In view of the above problems, the present invention provides a method for establishing a connection between an operation center and a security device based on a data certificate, including:
storing the digital certificates related to establishing a connection between an operation center and a security device, and monitoring the certificate state and revocation state of each digital certificate so as to generate a query list for querying the digital certificates;
querying the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement;
verifying the digital certificate and, if the verification passes, retaining the retrieved digital certificate;
and determining a security device to be connected to the operation center, performing identity verification on the security device and, if the identity verification passes, building a security interface from a security API interface and the security device, and establishing the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Optionally, verifying the digital certificate includes identity verification, validity verification and effectiveness verification.
Optionally, the method further comprises: performing identity verification, validity verification and effectiveness verification on the retrieved digital certificate based on standard algorithms.
Optionally, the method further comprises: before the connection between the operation center and the security device is established, performing further identity, validity and effectiveness verification on the digital signature of the digital certificate, and only after this further verification passes establishing the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Optionally, the method further comprises: after the connection between the operation center and the security device is established, encrypting and decrypting the data transmitted between the operation center and the security device.
In still another aspect, the present invention further provides a system for establishing a connection between an operation center and a security device based on a data certificate, including:
a certificate module, used to store the digital certificates related to establishing a connection between an operation center and a security device, and to monitor the certificate state and revocation state of each digital certificate so as to generate a query list for querying the digital certificates;
a query module, used to query the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement;
a verification module, used to verify the digital certificate and, if the verification passes, retain the retrieved digital certificate;
a connection module, used to determine the security device to be connected to the operation center, perform identity verification on the security device and, if the identity verification passes, build a security interface from a security API interface and the security device, and establish the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Optionally, verifying the digital certificate includes identity verification, validity verification and effectiveness verification.
Optionally, a plurality of standard algorithms are built into the query module, and the cryptographic service component performs identity verification, validity verification and effectiveness verification on the retrieved digital certificate based on these standard algorithms.
Optionally, the connection module is further configured to: before the connection between the operation center and the security device is established, perform further identity, validity and effectiveness verification on the digital signature of the digital certificate, and only after this further verification passes establish the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Optionally, the connection module is further configured to encrypt and decrypt data transmitted between the operation center and the security device after the connection between them is established.
Optionally, the query module includes a cryptographic service component, which comprises a cloud server cryptographic machine (crypto-engine), a virtual cryptographic machine, a server cryptographic machine and a signature verification server;
the cryptographic resources are scheduled uniformly, and device interfaces and cryptographic operations are managed through the cloud server cryptographic machine, the virtual cryptographic machine, the server cryptographic machine and the signature verification server.
In yet another aspect, the present invention also provides a computing device comprising: one or more processors;
the processors being configured to execute one or more programs;
wherein, when the one or more programs are executed by the one or more processors, the method described above is implemented.
In yet another aspect, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed, implements the method described above.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a method for establishing a connection between an operation center and a security device based on a data certificate, comprising: storing the digital certificates related to establishing a connection between an operation center and a security device, and monitoring the certificate state and revocation state of each digital certificate so as to generate a query list for querying the digital certificates; querying the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement; verifying the digital certificate and, if the verification passes, retaining the retrieved digital certificate; and determining a security device to be connected to the operation center, performing identity verification on the security device and, if the identity verification passes, building a security interface from a security API interface and the security device, and establishing the connection between the operation center and the security device based on the retrieved digital certificate and the security interface. The invention realizes a secure connection between the operation center and the security device.
Drawings
FIG. 1 is a flow chart of the method for establishing a connection between an operation center and a security device based on a data certificate according to the present invention;
FIG. 2 is a block diagram of the system for establishing a connection between an operation center and a security device based on a data certificate according to the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention provides for ten types of security devices (a security access gateway VPN, a cloud platform traffic security monitoring device, a cloud desktop, an SSL offloading device, a DDoS traffic scrubbing device, a cloud platform attack tracing device, an advanced unknown threat detection system, a dynamic application protection system, a threat intelligence joint-defense handling device and a big-data situational awareness traffic probe) and an intelligent security operation center to establish a secure connection based on digital certificates, while also supporting bidirectional identity authentication and encrypted transmission using those digital certificates. The intelligent security operation center acts as the server side and realizes security functions such as identity authentication, data signature verification, and data encryption and decryption by interfacing with the cryptographic service component and calling its interface. The ten types of security devices act as clients: they store important information such as the user key and the digital certificate, and must complete cryptographic operations such as identity authentication, digital signature and digital envelope encryption.
At the same time, clear and unified specifications covering function, performance, compatibility, compliance and the like must be provided for the digital certificate media of the intelligent security operation center and the ten types of security devices, so that security device manufacturers are guided to produce products that meet the requirements of the security application system.
Example 1:
The invention provides a method for establishing a connection between an operation center and a security device based on a data certificate, shown in FIG. 1, which comprises the following steps:
Step 1: store the digital certificates related to establishing a connection between an operation center and a security device, and monitor the certificate state and revocation state of each digital certificate so as to generate a query list for querying the digital certificates;
Step 2: query the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement;
Step 3: verify the digital certificate and, if the verification passes, retain the retrieved digital certificate;
Step 4: determine the security device to be connected to the operation center, perform identity verification on the security device and, if the identity verification passes, build a security interface from a security API interface and the security device, and establish the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Here, verifying the digital certificate comprises identity verification, validity verification and effectiveness verification.
The method further comprises: performing identity verification, validity verification and effectiveness verification on the retrieved digital certificate based on standard algorithms.
The method further comprises: before the connection between the operation center and the security device is established, performing further identity, validity and effectiveness verification on the digital signature of the digital certificate, and only after this further verification passes establishing the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
The method further comprises: after the connection between the operation center and the security device is established, encrypting and decrypting the data transmitted between the operation center and the security device.
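As an added worked example (not code from the patent), the following Python models steps 1 to 4 of Example 1: a certificate store that tracks certificate state and revocation state and emits the query list, a query that keeps only non-revoked certificates in an acceptable state, per-certificate verification of identity, validity period and issuer signature, and mutual authentication of both the operation center and the device before the connection is reported as established. The names (CertRecord, CertificateStore, establish_connection) and the sample certificates are constructed; HMAC-SHA256 under a demo CA key stands in for the RSA or SM2 issuer signature because the standard library provides neither.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed CA key for the demo. HMAC-SHA256 under this key stands in for the CA's
# RSA/SM2 signature over the certificate body; the pipeline around it is the point.
CA_KEY = b"constructed-demo-ca-key"


@dataclass
class CertRecord:
    """One stored certificate with the two states the certificate module monitors."""
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    signature: str
    status: str = "valid"   # certificate state (e.g. valid, suspended)
    revoked: bool = False   # revocation state (from a CRL/OCSP lookup in practice)


def _body(serial, subject, issuer, not_before, not_after) -> bytes:
    return f"{serial}|{subject}|{issuer}|{not_before.isoformat()}|{not_after.isoformat()}".encode()


def _sign(body: bytes) -> str:
    return hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()


def issue(serial, subject, issuer, not_before, not_after) -> CertRecord:
    """Constructed stand-in for CA issuance: sign the body and wrap it in a record."""
    return CertRecord(serial, subject, issuer, not_before, not_after,
                      _sign(_body(serial, subject, issuer, not_before, not_after)))


class CertificateStore:
    """Step 1: store certificates, track state and revocation, emit the query list."""
    def __init__(self):
        self.records: dict[int, CertRecord] = {}

    def add(self, rec: CertRecord):
        self.records[rec.serial] = rec

    def revoke(self, serial: int):
        self.records[serial].revoked = True

    def query_list(self) -> list[int]:
        return sorted(self.records)


def query_usable(store: CertificateStore, query_list: list[int]) -> list[CertRecord]:
    """Step 2: keep only certificates that are not revoked and whose state is acceptable."""
    return [store.records[s] for s in query_list
            if not store.records[s].revoked and store.records[s].status == "valid"]


def verify_certificate(rec: CertRecord, expected_subject: str, trusted_issuer: str,
                       now: datetime) -> tuple[bool, str]:
    """Step 3: identity (subject), validity (time window), effectiveness (issuer signature)."""
    if rec.subject != expected_subject:
        return False, "identity: subject mismatch"
    if not rec.not_before <= now <= rec.not_after:
        return False, "validity: outside validity period"
    if rec.issuer != trusted_issuer:
        return False, "effectiveness: untrusted issuer"
    expected = _sign(_body(rec.serial, rec.subject, rec.issuer, rec.not_before, rec.not_after))
    if not hmac.compare_digest(expected, rec.signature):
        return False, "effectiveness: issuer signature does not verify"
    return True, "ok"


def establish_connection(store: CertificateStore, center_subject: str, device_subject: str,
                         trusted_issuer: str, now: datetime) -> dict:
    """Step 4: mutual authentication; the channel is built only if both sides pass."""
    usable = {r.subject: r for r in query_usable(store, store.query_list())}
    reasons = []
    for side, subject in (("center", center_subject), ("device", device_subject)):
        rec = usable.get(subject)
        if rec is None:
            reasons.append(f"{side}: no usable certificate (absent, revoked or bad status)")
            continue
        ok, why = verify_certificate(rec, subject, trusted_issuer, now)
        if not ok:
            reasons.append(f"{side}: {why}")
    return {"connected": not reasons, "reasons": reasons}


def demo() -> dict:
    """Constructed scenario: one operation center and four device certificates from one CA."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    d = timedelta(days=1)
    store = CertificateStore()
    store.add(issue(1, "ops-center", "demo-ca", now - d, now + 365 * d))
    store.add(issue(2, "vpn-gateway-01", "demo-ca", now - d, now + 365 * d))
    store.add(issue(3, "ddos-scrubber-01", "demo-ca", now - 400 * d, now - 35 * d))  # expired
    store.add(issue(4, "cloud-desktop-01", "demo-ca", now - d, now + 365 * d))
    store.revoke(4)                                    # listed on the CRL
    store.add(issue(5, "threat-probe-01", "demo-ca", now - d, now + 365 * d))
    store.records[5].signature = "0" * 64              # tampered: signature no longer matches body
    return {name: establish_connection(store, "ops-center", dev, "demo-ca", now)
            for name, dev in (("good", "vpn-gateway-01"), ("expired", "ddos-scrubber-01"),
                              ("revoked", "cloud-desktop-01"), ("tampered", "threat-probe-01"))}
```

Running demo() returns a connected result only for the first device; the expired, revoked and tampered certificates are each rejected at the step of the pipeline that catches them, with the reason recorded.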
The invention realizes a secure connection between the ten types of security devices and the intelligent security operation center based on digital certificates, and at the same time supports bidirectional identity authentication and encrypted transmission using digital certificates. A security device application interface specification is formulated, so that the security device application interface is uniform, and other security devices from a manufacturer can later be used directly as long as they meet that specification. This reduces the cost for software developers, is more convenient and faster, and gives greater freedom in the choice of hardware. At the same time, the system has strong security defense capability and reduces the risks and difficulties of the management process. In sum, the characteristics of low cost, standardization, compatibility and security are achieved.
Example 2:
The present invention also provides a system 200 for establishing a connection between an operation center and a security device based on a data certificate, shown in FIG. 2, including:
a certificate module 201, configured to store the digital certificates related to establishing a connection between an operation center and a security device, and to monitor the certificate state and revocation state of each digital certificate so as to generate a query list for querying the digital certificates;
a query module 202, configured to query the certificate state and revocation state of the stored digital certificates based on the query list, so as to retrieve a digital certificate that is not revoked and whose certificate state meets the requirement;
a verification module 203, configured to verify the digital certificate and, if the verification passes, retain the retrieved digital certificate;
a connection module 204, configured to determine the security device to be connected to the operation center, perform identity verification on the security device and, if the identity verification passes, build a security interface from a security API interface and the security device, and establish the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
Here, verifying the digital certificate comprises identity verification, validity verification and effectiveness verification.
The query module 202 has a plurality of standard algorithms built in, and the cryptographic service component performs identity verification, validity verification and effectiveness verification on the digital certificate based on these standard algorithms.
The connection module 204 is further configured to: before the connection between the operation center and the security device is established, perform further identity, validity and effectiveness verification on the digital signature of the digital certificate, and only after this further verification passes establish the connection between the operation center and the security device based on the retrieved digital certificate and the security interface.
The connection module 204 is further configured to encrypt and decrypt data transmitted between the operation center and the security device after the connection between them is established.
The query module 202 includes a cryptographic service component, which comprises a cloud server cryptographic machine (crypto-engine), a virtual cryptographic machine, a server cryptographic machine and a signature verification server;
the cryptographic resources are scheduled uniformly, and device interfaces and cryptographic operations are managed through the cloud server cryptographic machine, the virtual cryptographic machine, the server cryptographic machine and the signature verification server.
The operation center and the system of the invention jointly complete the various security and cryptographic authentication functions.
The query module 202 provides a unified and transparent security application interface for the development of the intelligent security operation center, and realizes functions such as identity authentication and cryptographic services. The specific functions are described as follows:
Identity authentication function:
The cryptographic service component provides identity authentication based on digital certificates for the intelligent security operation center, automatically completes the certificate status query and the certificate revocation list (CRL) query, and verifies the validity and effectiveness of the certificate.
Cryptographic service function:
The cryptographic service component provides the following cryptographic services:
(1) RSA digital signature and signature verification conforming to the PKCS#1 standard.
(2) SM2 digital signature and signature verification conforming to the Chinese national standard.
(3) RSA digital signature and signature verification conforming to the PKCS#7 standard.
(4) SM2 message signing and signature verification conforming to the Chinese national standard.
(5) RSA digital envelope sealing and unsealing conforming to the PKCS#7 standard, providing functions such as making a digital envelope, decrypting a digital envelope, making a signed digital envelope and decrypting a signed digital envelope. A digital signature inside the digital envelope is automatically recognized and verified.
(6) SM2 digital envelope sealing and unsealing conforming to the Chinese national standard, providing the same functions: making a digital envelope, decrypting a digital envelope, making a signed digital envelope and decrypting a signed digital envelope. A digital signature inside the digital envelope is automatically recognized and verified.
The system is an integrated client security application environment consisting of a client security interface and client cryptographic devices. The client security interface provides a standard security API interface and, through integration with the interfaces of the ten types of security devices, provides identity authentication, signature verification and data encryption and decryption services to the client. The client cryptographic device serves as the carrier of the user's digital certificate and public/private key pair, and provides rich cryptographic functions such as data encryption/decryption, digital signing/verification, message digest, key generation and management, and key and certificate storage.
The invention realizes the following functions:
(1) identity authentication based on digital certificates, authenticating the relationship between the certificate and the certificate holder;
(2) various cryptographic operations such as digital signature and signature verification, digital envelopes, and message digests;
(3) certificate reading, certificate verification and parsing, and the like;
(4) support for the SSL security protocol and establishment of a secure connection with the web server.
The security device needs to be adapted according to the SM2-algorithm digital certificate medium technical specification. The specification covers product requirements, chip hardware requirements, functional requirements, electrical characteristic requirements, compliance standard requirements, security requirements, compatibility requirements, appearance requirements, packaging requirements and the like; its performance requirement part gives the most basic performance requirements the product has to meet; the interface extension requirements of the middleware layer specifically comprise the extension requirements for the national-standard interface; in addition, the quality assurance, technical service and other requirements that manufacturers must provide are also specified.
The security device of the invention may use a USB key digital certificate medium (USBKEY, for example a tax UKey).
The security device generates a PKCS#10 (p10) certificate request; after the certificate has been applied for and issued, it is imported into the device, enabling bidirectional identity authentication and encrypted transmission (the compatibility test of the client security interface has to be completed first).
The invention unifies the client application interface specification and the server interface specification of the security devices, and realizes identity authentication and encrypted transmission.
Example 3:
Based on the same inventive concept, the invention also provides a computer device comprising a processor and a memory for storing a computer program comprising program instructions, the processor being configured to execute the program instructions stored in the computer storage medium. The processor may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.; it is the computational and control core of the terminal, adapted to implement one or more instructions, and in particular to load and execute one or more instructions from a computer storage medium so as to carry out the corresponding method flow or function, i.e. the steps of the method in the embodiments described above.
Example 4:
based on the same inventive concept, the present invention also provides a storage medium, in particular, a computer readable storage medium (Memory), which is a Memory device in a computer device, for storing programs and data. It is understood that the computer readable storage medium herein may include both built-in storage media in a computer device and extended storage media supported by the computer device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also stored in the memory space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer readable storage medium herein may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. One or more instructions stored in a computer-readable storage medium may be loaded and executed by a processor to implement the steps of the methods in the above-described embodiments.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the invention can be implemented in various computer languages, such as the object-oriented programming language Java or the interpreted scripting language JavaScript.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (13)
1. A method of establishing a connection between an operation center and a security device based on a data certificate, the method comprising:
storing a digital certificate used for establishing a connection between an operation center and a security device, and monitoring the state and the revocation state of the digital certificate to generate a query list for querying the digital certificate;
querying the state and the revocation state of the stored digital certificate based on the query list, so as to call up a digital certificate that has not been revoked and whose state meets the requirement;
verifying the digital certificate and, if the verification passes, retaining the called digital certificate;
determining a security device to be connected with the operation center and performing identity verification on the security device; if the identity verification passes, building a security interface based on a security API interface and the security device, and establishing the connection between the operation center and the security device based on the called digital certificate and the security interface.
2. The method of claim 1, wherein verifying the digital certificate comprises identity verification, validity verification and legality verification.
3. The method according to claim 1, further comprising: performing identity verification, validity verification and legality verification on the called digital certificate based on standard algorithms.
4. The method according to claim 1, further comprising: before the connection between the operation center and the security device is established, performing further identity verification, validity verification and legality verification on the digital signature of the digital certificate, and after the further identity verification, validity verification and legality verification pass, establishing the connection between the operation center and the security device based on the called digital certificate and the security interface.
5. The method according to claim 1, further comprising: after the connection between the operation center and the security device is established, encrypting and decrypting the data transmitted between the operation center and the security device.
6. A system for establishing a connection between an operation center and a security device based on a data certificate, the system comprising:
a certificate module for storing a digital certificate used for establishing a connection between an operation center and a security device, and for monitoring the state and the revocation state of the digital certificate to generate a query list for querying the digital certificate;
a query module for querying the state and the revocation state of the stored digital certificate based on the query list, so as to call up a digital certificate that has not been revoked and whose state meets the requirement;
a verification module for verifying the digital certificate and, if the verification passes, retaining the called digital certificate;
a connection module for determining a security device to be connected with the operation center and performing identity verification on the security device; if the identity verification passes, building a security interface based on a security API interface and the security device, and establishing the connection between the operation center and the security device based on the called digital certificate and the security interface.
7. The system of claim 6, wherein verifying the digital certificate comprises identity verification, validity verification and legality verification.
8. The system of claim 6, wherein the query module has a plurality of standard algorithms built in, and the cryptographic service component performs identity verification, validity verification and legality verification of the called digital certificate based on the plurality of standard algorithms.
9. The system of claim 6, wherein the connection module is further configured to: before the connection between the operation center and the security device is established, perform further identity verification, validity verification and legality verification on the digital signature of the digital certificate, and after the further identity verification, validity verification and legality verification pass, establish the connection between the operation center and the security device based on the called digital certificate and the security interface.
10. The system of claim 6, wherein the connection module is further configured to encrypt and decrypt the data transmitted between the operation center and the security device after the connection between the operation center and the security device is established.
11. The system of claim 5, wherein the query module comprises a cryptographic service component, the cryptographic service component comprising a cloud server cryptographic machine, a virtual cryptographic machine, a server cryptographic machine and a signature verification server;
and the cryptographic service component uniformly schedules the cryptographic resources and manages device interfaces and cryptographic operations through the cloud server cryptographic machine, the virtual cryptographic machine, the server cryptographic machine and the signature verification server.
12. A computer device, comprising:
one or more processors;
a processor for executing one or more programs;
the method of any of claims 1-5 is implemented when the one or more programs are executed by the one or more processors.
13. A computer readable storage medium, characterized in that a computer program is stored thereon, which computer program, when executed, implements the method according to any of claims 1-5.
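The enrolment flow of the description (key pair and p10 request on the USBKEY, certificate issued and imported, bidirectional authentication and encrypted transmission) and the steps of claim 1 (store the certificates, monitor their revocation state, query, verify, connect) are shown end to end in the following Go program. It is an added example written for this page, not code from the patent or its applicant, and it uses only the Go standard library. Its assumptions: ECDSA P-256 stands in for SM2, which the Go standard library does not implement; a CRL signed by the operation-center CA is the source of the revocation state; the names ca.soc.example, soc.example and device-0001 to device-0003, the serial numbers and the validity periods are constructed for the example; the connection is mutual TLS over a loopback TCP socket, with the CRL re-checked in VerifyPeerCertificate because Go's TLS stack verifies the chain and the validity period but never consults a CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// All keys, certificates and names below are constructed for this example; ECDSA P-256
// stands in for SM2, which the Go standard library does not implement.
var now = time.Now()

func check(err error) { if err != nil { panic(err) } }
func must[T any](v T, err error) T { check(err); return v }

// enroll mimics the USBKEY flow: key pair generated on the device, PKCS#10 request ("p10")
// handed to the CA, proof of possession checked, signed certificate returned to sit beside
// the key. With ca == nil the template is self-signed and becomes the operation-center root.
func enroll(name string, serial int64, from, to time.Duration, eku x509.ExtKeyUsage, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	check(csr.CheckSignature()) // the request really was signed by the key it carries
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(from), NotAfter: now.Add(to), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	parent, signer := ca, caKey
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, csr.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// SelectUsable is the query step of claim 1: certificates listed on the CRL or outside their
// validity window are dropped with a reason; the rest may be called up for a connection.
func SelectUsable(certs []*x509.Certificate, crl *x509.RevocationList, at time.Time) (usable []*x509.Certificate, rejected map[string]string) {
	rejected, revoked := map[string]string{}, map[string]bool{}
	for _, r := range crl.RevokedCertificates {
		revoked[r.SerialNumber.String()] = true
	}
	for _, c := range certs {
		switch cn := c.Subject.CommonName; {
		case revoked[c.SerialNumber.String()]:
			rejected[cn] = "revoked"
		case at.Before(c.NotBefore) || at.After(c.NotAfter):
			rejected[cn] = "outside validity period"
		default:
			usable = append(usable, c)
		}
	}
	return
}

// MutualHandshake is the verification and connection step: mutual TLS over loopback TCP. The
// center accepts only a device certificate that chains to its CA and re-runs SelectUsable on it
// in VerifyPeerCertificate, because Go's TLS stack does no revocation checking of its own. It
// returns the device CN the center authenticated and the first encrypted message the device read.
func MutualHandshake(center, device tls.Certificate, roots *x509.CertPool, crl *x509.RevocationList) (peer, msg string, err error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{center}, ClientCAs: roots, ClientAuth: tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // chains[0][0] is the device leaf
			if _, rej := SelectUsable(chains[0][:1], crl, time.Now()); len(rej) > 0 {
				return fmt.Errorf("device certificate refused: %v", rej)
			}
			return nil
		}}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{device}, RootCAs: roots, ServerName: "soc.example"}
	got := make(chan string, 1)
	go func() { // device side: tls.Dial runs the handshake, then the device reads the center's greeting
		buf, n := make([]byte, 64), 0
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			n, _ = conn.Read(buf)
			conn.Close()
		}
		got <- string(buf[:n])
	}()
	srv := tls.Server(must(ln.Accept()), srvCfg)
	defer srv.Close()
	if err = srv.Handshake(); err != nil {
		return "", "", err
	}
	peer = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
	_, err = srv.Write([]byte("hello " + peer))
	return peer, <-got, err
}

// Run wires the steps together and reports what each of them decided.
func Run() (usable []*x509.Certificate, rejected map[string]string, peer, msg string, revokedErr error) {
	ca := enroll("ca.soc.example", 1, -time.Hour, 24*time.Hour, x509.ExtKeyUsageAny, nil, nil)
	caKey := ca.PrivateKey.(*ecdsa.PrivateKey)
	center := enroll("soc.example", 2, -time.Hour, 12*time.Hour, x509.ExtKeyUsageServerAuth, ca.Leaf, caKey)
	good := enroll("device-0001", 1001, -time.Hour, 12*time.Hour, x509.ExtKeyUsageClientAuth, ca.Leaf, caKey)
	bad := enroll("device-0002", 1002, -time.Hour, 12*time.Hour, x509.ExtKeyUsageClientAuth, ca.Leaf, caKey)
	old := enroll("device-0003", 1003, -3*time.Hour, -2*time.Hour, x509.ExtKeyUsageClientAuth, ca.Leaf, caKey)
	// The CA publishes a CRL naming device-0002; its signature is checked before the list is trusted.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: now}}}, ca.Leaf, caKey))))
	check(crl.CheckSignatureFrom(ca.Leaf))
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	usable, rejected = SelectUsable([]*x509.Certificate{good.Leaf, bad.Leaf, old.Leaf}, crl, now)
	peer, msg, err := MutualHandshake(center, good, roots, crl)
	check(err)
	_, _, revokedErr = MutualHandshake(center, bad, roots, crl) // refused inside VerifyPeerCertificate
	return
}

func main() {
	fmt.Println(Run())
}
```

Running the file: the query step keeps device-0001 and reports device-0002 as revoked and device-0003 as outside its validity period; the center authenticates device-0001 over mutual TLS and sends it an encrypted greeting; the attempt by device-0002 is refused during the handshake even though its chain and validity period are fine. The check a practitioner wants in both places is the one shown twice here: revocation is consulted when a certificate is selected and again in the handshake hook, because TLS libraries validate chain and period but do not fetch or apply CRLs on their own.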
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211741207.5A CN116094793A (en) | 2022-12-30 | 2022-12-30 | Method and system for establishing connection between operation center and security equipment based on data certificate |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116094793A true CN116094793A (en) | 2023-05-09 |
Family
ID=86209755
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116094793A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117596000A (en) * | 2024-01-19 | 2024-02-23 | 三未信安科技股份有限公司 | Communication method and system for cloud server crypto-engine host and virtual crypto-engine |
CN117596000B (en) * | 2024-01-19 | 2024-03-22 | 三未信安科技股份有限公司 | Communication method and system for cloud server crypto-engine host and virtual crypto-engine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |