TW201511515A - Method of dynamically adjusting cloud certificate status verification - Google Patents


Info

Publication number
TW201511515A
Authority
TW
Taiwan
Prior art keywords
ocsp
cloud
voucher
status
dynamically adjusting
Prior art date
Application number
TW102132133A
Other languages
Chinese (zh)
Other versions
TWI539784B (en)
Inventor
Yung-Chu Chen
Chang-Cheng Jian
jing-rong Lin
Pin-Jung Chiang
Gan-How Chang
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd
Priority to TW102132133A
Publication of TW201511515A
Application granted
Publication of TWI539784B

Landscapes

  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method of dynamically adjusting cloud certificate status verification, which provides high-trust message verification protection based on the Online Certificate Status Protocol (hereinafter OCSP) and then uses a cloud system architecture to provide faster certificate status query and verification services. Primarily, the OCSP system of a certificate management center analyzes the past query usage records on the OCSP server side and obtains the group of certificate serial numbers with a high query frequency, so as to pre-issue, on the basis of that record, OCSP response messages signed with the OCSP server certificate. These messages contain the certificate status information being queried, the validity period, and the electronic signature that guarantees a reliable OCSP service. Furthermore, a high-speed certificate status verification service system (Hi-OCSP) is established using a cloud system architecture to store these pre-issued OCSP response messages. OCSP client applications can use the standard application programming interface of the OCSP specification, in wired and wireless network environments, to find safe and reliable certificate status information rapidly.

Description

Method for dynamically adjusting cloud certificate status verification

The present invention relates to a method for dynamically adjusting cloud certificate status verification, and in particular to how to obtain high-trust electronic certificate status information quickly while conserving bandwidth.

In the prior art, Republic of China Invention Patent No. 20120804, "Method for distributed rapid verification of certificate status with high trust", the OCSP service main system signs and packages the status information of every certificate in the certificate management center into OCSP Responses and stores them in a lightweight OCSP subsystem (LightWeight OCSP). When a user wants to query the current status of a certificate, the query goes directly to the lightweight OCSP subsystem without contacting the OCSP service main system. The disadvantages of this approach are:

1. All change data must be processed; in this flow the OCSP service main system consumes a large amount of system resources and network transmission bandwidth.

2. Many of the OCSP Responses stored in the lightweight OCSP subsystem are for certificates that users never query, which wastes database space.

3. The OCSP service main system uses a cryptographic module to protect each OCSP Response with a digital signature, so the number of signing operations is very high; updating and pre-issuing a new OCSP Response for the status of every certificate costs a great deal of time and system performance.

The object of the present invention is to provide a method for dynamically adjusting cloud certificate status verification that remedies the shortcomings of the previous certificate status query method: by dynamic adjustment it avoids the bandwidth cost and the signing time of the hardware cryptographic module, reduces the database space required, and thereby lets users obtain and verify electronic certificate status quickly.

The above object is achieved by the method for dynamically adjusting cloud certificate status verification provided by the present invention. In the present invention, the query usage records of the existing OCSP service main system are analyzed in advance; the OCSP service main system identifies the certificate serial numbers that are queried most frequently, and then uses the OCSP server key stored in the hardware security module to pre-sign the certificate status information corresponding to those serial numbers and package it into Online Certificate Status Protocol reply messages, the Hi-OCSP Response packets.

At the same time, the "Next Update" (time of next update and validity) attribute value in a Hi-OCSP Response must be set dynamically according to how frequently the serial number is queried: a frequently queried serial number can be given a shorter time until the next Hi-OCSP Response update, and a rarely queried one a longer time. This lets the times at which the OCSP service main system pre-issues the OCSP Response for each certificate be scheduled more flexibly, so that the main system need not update and re-issue a large number of OCSP Responses at the same moment; it also speeds up queries and improves the reliability of the status returned. Finally, the responses are stored in the cloud Hi-OCSP (High Speed LightWeight OCSP System) using a cloud storage architecture and method.

Then, when a user sends an OCSPRequest with an OCSP client tool to the cloud Hi-OCSP system to query and verify certificate status, if the cloud Hi-OCSP system has no stored Hi-OCSP Response for that certificate, or the corresponding Hi-OCSP Response has expired, the cloud Hi-OCSP system asks the OCSP service main system to issue a new, up-to-date Hi-OCSP Response for the status of the queried certificate serial number; the OCSP service main system then pushes the newly issued Hi-OCSP Response to the cloud Hi-OCSP system so that it can continue to serve that OCSP client.

At the same time, when the OCSP service main system detects, through the certificate status change database system, that the CA certificate management center has performed a certificate change operation, it immediately issues a new Hi-OCSP Response packet reflecting the status change and updates the cloud Hi-OCSP system in real time.

Compared with other conventional techniques, the method for dynamically adjusting cloud certificate status verification provided by the present invention has the following advantages:

1. Because the cloud Hi-OCSP system stores only the more frequently used Hi-OCSP Response packets, bandwidth between the cloud Hi-OCSP system and the OCSP service main system is saved.

2. Compared with the existing OCSP service main system, only the changed data in the cloud Hi-OCSP system is updated, so the number of signing operations between the OCSP service main system and the HSM is reduced.

3. Because the cloud Hi-OCSP system stores only the more frequently used Hi-OCSP Response packets, the database capacity the cloud Hi-OCSP system needs is reduced.

4. Because the cloud Hi-OCSP system stores only the more frequently used Hi-OCSP Response packets, fewer Hi-OCSP Responses need to be examined when checking how many are about to expire, which shortens the system check time.

11‧‧‧OCSP client

12‧‧‧Cloud Hi-OCSP system

13‧‧‧Signed Hi-OCSP Response

14‧‧‧OCSP service main system

15‧‧‧Secure signing HSM

16‧‧‧CA system

17‧‧‧Certificate change data

18‧‧‧Certificate status change database

M11‧‧‧OCSP request message

M12‧‧‧OCSP response message

21‧‧‧OCSP service main system

22‧‧‧Cloud Hi-OCSP system

23‧‧‧Secure signing HSM

The technical content, object and effects of the present invention will be further understood from the detailed description and the accompanying drawings: FIG. 1 is a system architecture diagram of the method for dynamically adjusting cloud certificate status verification according to the present invention; and FIG. 2 is a schematic diagram of the pre-analysis of existing data in that method.

FIG. 1 shows the method for dynamically adjusting cloud certificate status verification according to the present invention, described as follows.

First, the query usage records of the existing OCSP service main system 14 are analyzed in advance; the OCSP service main system 14 identifies the certificate serial numbers that are queried most frequently, then uses the OCSP server key stored in the secure signing HSM 15 to pre-sign the corresponding certificate status information and package it into signed Hi-OCSP Response 13 packets, which are stored in the cloud Hi-OCSP system 12.

The OCSP client 11 then sends an OCSP request message M11, through its OCSP client application module, to the cloud Hi-OCSP system 12 to perform a high-trust certificate status query and verification. The cloud Hi-OCSP system 12 parses the received OCSP request message M11, retrieves the corresponding OCSP response message M12, and returns M12 to the OCSP client 11.

When the OCSP client 11 receives the OCSP response message M12 returned by the cloud Hi-OCSP system 12, its OCSP client application module parses the content and uses the OCSP server certificate of the OCSP service main system 14 to verify that the response was indeed issued by the OCSP service main system 14. If the signature verifies, the client extracts the status of the queried certificate and checks that the message times set in M12 still fall within a valid, trustworthy interval. If the electronic signature of the OCSP service main system 14 in M12 verifies and the times in M12 satisfy the trust rules, the certificate status information recorded in M12 can be relied upon.

In the above steps, if the cloud Hi-OCSP system 12 has no stored OCSP response message M12 for the request, or the corresponding M12 has expired, the cloud Hi-OCSP system 12 asks the OCSP service main system 14 to issue the corresponding Hi-OCSP Response packet; the OCSP service main system 14 then updates the cloud Hi-OCSP system 12 with the signed Hi-OCSP Response 13, and the OCSP response message M12 is delivered to the OCSP client 11.

Meanwhile, the certificate management center's CA system 16 is responsible for generating the certificate status change information 17. The certificate status change information 17 contains the certificate serial number, the certificate status, the time of occurrence, the classification group the certificate holder belongs to, and custom field contents. When the monitoring module in the CA system 16 detects a status change of a certificate in the OCSP service main system 14, it stores the information about that change in the certificate status change database 18 over a secure and stable transmission channel.

A resident system module in the OCSP service main system 14 monitors data changes in the certificate status change database 18, and the certificate data query module installed on the OCSP service main system 14 looks up and compares the certificate data. If a change in the database is found, the OCSP service main system 14 takes the certificate status change data from the database and, using the electronic signature module on the secure signing HSM 15, immediately protects that change data with an electronic signature to form a Hi-OCSP Response message; the OCSP service main system 14 then records the generated Hi-OCSP Response message in the host's record database. At the same time, the OCSP service main system 14 pushes the signed Hi-OCSP Response 13 packet to the cloud Hi-OCSP system 12 in real time.
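As an added example (not the patent's or Chunghwa Telecom's code), the following Python models the Figure 1 flow described in the preceding paragraphs: the OCSP service main system that alone holds the signing key, the cloud Hi-OCSP system that serves only pre-signed responses and falls back to the main system on a cache miss or an expired entry, the client's signature-then-validity-window check, and the immediate re-issue and push when a CA status change is detected. All class and field names, the sample serial numbers, and the deliberately tiny toy RSA key standing in for the HSM-held responder key are assumptions; a real Hi-OCSP Response would be a DER-encoded OCSP response signed with a production-size key inside the HSM.

```python
"""Model of the Hi-OCSP flow: main system (14), cloud cache (12), client (11).
Added example; names, fields and the toy key are assumptions, not the patent's code."""
import hashlib
from dataclasses import dataclass

# Toy RSA key (constructed, deliberately tiny, not secure) standing in for the OCSP
# responder key the patent keeps inside the secure signing HSM (15). Only the main
# system ever uses _D; the client learns (_N, _E) from the responder certificate.
_P, _Q, _E = 999983, 1000003, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
RESPONDER_PUBLIC_KEY = (_N, _E)


def _digest(fields, n):
    """Hash the signed fields to an integer below the modulus."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class HiOcspResponse:
    serial: str
    status: str        # "good", "revoked" or "unknown"
    this_update: int   # Unix seconds
    next_update: int   # per-serial dynamic value in the patent; fixed per call here
    signature: int

    def signed_fields(self):
        return (self.serial, self.status, self.this_update, self.next_update)


class CloudHiOcsp:
    """Cloud Hi-OCSP system (12): stores pre-signed responses only, never the key."""

    def __init__(self):
        self.cache = {}
        self.main = None   # set once the main system exists
        self.misses = 0

    def store(self, resp):
        self.cache[resp.serial] = resp

    def query(self, serial, now, lifetime=3600):
        """Serve from cache; on a miss or an expired entry ask the main system to re-issue."""
        resp = self.cache.get(serial)
        if resp is None or resp.next_update <= now:
            self.misses += 1
            resp = self.main.issue(serial, now, lifetime)
        return resp


class MainOcspSystem:
    """OCSP service main system (14): signs with the HSM key and pushes to the cloud cache."""

    def __init__(self, ca_status, cloud):
        self.ca_status = dict(ca_status)  # serial -> status, fed from the change DB (18)
        self.cloud = cloud
        self.sign_count = 0               # one HSM signing operation per issued response

    def issue(self, serial, now, lifetime):
        fields = (serial, self.ca_status.get(serial, "unknown"), now, now + lifetime)
        self.sign_count += 1
        resp = HiOcspResponse(*fields, pow(_digest(fields, _N), _D, _N))
        self.cloud.store(resp)            # push the signed packet (13) to the cloud system
        return resp

    def on_status_change(self, serial, new_status, now, lifetime=3600):
        """Change seen in the status change DB (18): re-sign and push immediately."""
        self.ca_status[serial] = new_status
        return self.issue(serial, now, lifetime)


def client_verify(resp, now, public_key=RESPONDER_PUBLIC_KEY, max_skew=300):
    """OCSP client (11): check the responder signature first, then the validity window."""
    n, e = public_key
    if pow(resp.signature, e, n) != _digest(resp.signed_fields(), n):
        return False                      # not issued by the main system, or tampered with
    return resp.this_update - max_skew <= now < resp.next_update


def build_demo():
    """Wire the three parties together (helper for stand-alone runs and tests)."""
    cloud = CloudHiOcsp()
    main = MainOcspSystem({"0A1B": "good", "0A1C": "good"}, cloud)
    cloud.main = main
    return cloud, main


if __name__ == "__main__":
    cloud, main = build_demo()
    t0 = 1_378_425_600
    r = cloud.query("0A1B", t0)
    print(r.status, client_verify(r, t0 + 10), main.sign_count, cloud.misses)
```

The point to notice is what each party needs: the cloud system needs no key material at all, which is what makes it safe to replicate widely, and the client rejects a response whose signature fails or whose `next_update` has passed, so a cache that keeps serving a stale or altered packet gains nothing.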

FIG. 2 shows the method of the pre-analysis mechanism for existing data.

First, the query and usage records on the OCSP server side of the existing OCSP service main system 21 are analyzed in advance; the OCSP service main system 21 identifies the certificate serial numbers that are queried most frequently, then uses the OCSP server key stored in the HSM 23 to pre-sign the corresponding certificate status information and package it into Hi-OCSP Response packets. The "Next Update" (time of next update and validity) attribute value in each Hi-OCSP Response message is set dynamically to a shorter or longer time according to whether the serial number's query frequency is high or low. A frequently queried serial number can be given a shorter time until the next Hi-OCSP Response update, which lets the OCSP service main system schedule more flexibly when it pre-issues the OCSP Response for each certificate, so that it need not update and re-issue a large number of OCSP Responses at the same moment.

After the signing and packaging steps above, the Hi-OCSP Response is sent to the cloud Hi-OCSP system 22. When an OCSP client subsequently makes a query, the Hi-OCSP Response message can be delivered to it immediately through the cloud Hi-OCSP system 22.
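The pre-analysis of Figure 2, and the dynamic "Next Update" rule stated both in the summary and in the paragraph above, as an added example rather than the patent's own code: count queries per serial number in the responder's query log, select the frequently queried serials for pre-signing, derive each serial's Next Update interval from its query count (shorter for hot serials, longer for cold ones), and then show how that spreads the re-signing load across time instead of concentrating it in one moment. The log line format, the selection threshold, the interval bounds and the inverse-proportional rule are assumptions; the sample log lines are constructed.

```python
"""Pre-analysis of OCSP query records and dynamic Next Update scheduling (Figure 2).
Added example; log format, thresholds and interval bounds are assumptions."""
import re
from collections import Counter

# Constructed responder query log for one day (format is an assumption, not the patent's).
SAMPLE_LOG = """\
2013-09-06T08:00:01 OCSPRequest serial=0A1B client=10.0.0.5
2013-09-06T08:00:07 OCSPRequest serial=0A1E client=10.0.0.9
2013-09-06T08:12:40 OCSPRequest serial=0A1B client=10.0.0.6
2013-09-06T09:01:13 OCSPRequest serial=0A1C client=10.0.0.7
2013-09-06T09:30:00 OCSPRequest serial=0A1B client=10.0.0.5
2013-09-06T10:15:22 OCSPRequest serial=0A1E client=10.0.0.8
2013-09-06T11:02:09 OCSPRequest serial=0A1B client=10.0.0.9
2013-09-06T12:44:51 OCSPRequest serial=0A1D client=10.0.0.3
2013-09-06T13:00:00 OCSPRequest serial=0A1B client=10.0.0.5
2013-09-06T14:20:35 OCSPRequest serial=0A1E client=10.0.0.6
2013-09-06T15:05:18 OCSPRequest serial=0A1B client=10.0.0.7
2013-09-06T16:41:02 OCSPRequest serial=0A1C client=10.0.0.8
2013-09-06T17:30:30 OCSPRequest serial=0A1B client=10.0.0.5
2013-09-06T18:55:44 OCSPRequest serial=0A1E client=10.0.0.9
2013-09-06T20:10:00 OCSPRequest serial=0A1B client=10.0.0.6
"""

LINE_RE = re.compile(r"OCSPRequest serial=([0-9A-F]+)")

SHORTEST = 15 * 60      # floor for the validity of a hot serial's response (assumed)
LONGEST = 24 * 3600     # ceiling for a cold serial, equal to the analysis window (assumed)


def count_queries(log_text):
    """Queries per certificate serial number in the analysed window."""
    return Counter(m.group(1) for m in LINE_RE.finditer(log_text))


def select_hot_serials(counts, min_queries=2):
    """Serials queried often enough to be worth pre-signing into the cloud cache."""
    return sorted(s for s, c in counts.items() if c >= min_queries)


def next_update_interval(query_count):
    """Validity inversely proportional to query frequency, clamped to [SHORTEST, LONGEST]."""
    if query_count <= 0:
        return LONGEST
    return max(SHORTEST, min(LONGEST, LONGEST // query_count))


def plan_pre_issue(counts, hot, now):
    """thisUpdate/nextUpdate per hot serial; the main system signs and pushes these."""
    return {s: (now, now + next_update_interval(counts[s])) for s in hot}


def reissue_load(plan, bucket=3600):
    """How many responses come due for re-signing in each time bucket."""
    return Counter((nxt // bucket) * bucket for _, nxt in plan.values())


if __name__ == "__main__":
    counts = count_queries(SAMPLE_LOG)
    hot = select_hot_serials(counts)
    plan = plan_pre_issue(counts, hot, now=0)
    for s in hot:
        print(s, counts[s], "next update in", plan[s][1], "s")
    print("re-sign load per hour:", dict(reissue_load(plan)))
```

With the constructed log the serial queried eight times gets a three-hour validity, the one queried twice twelve hours, and the one queried once is not pre-signed at all; the re-sign load lands in three different hours, whereas a fixed one-hour validity for every hot serial would bring all of them due in the same hour. A short validity for hot serials also bounds how long a revoked certificate can keep being reported as good from the cache if the change-driven push in Figure 1 were ever missed.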

The detailed description above specifically describes one feasible embodiment of the present invention; that embodiment is not intended to limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the spirit of the invention fall within the patent scope of this application.

In summary, this application is not only genuinely innovative in its technical concept but also provides the several effects described above, which conventional methods cannot match. It fully satisfies the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law; the Office is respectfully requested to grant this invention patent application so as to encourage invention.


Claims (9)

1. A method for dynamically adjusting cloud certificate status verification, comprising the following steps:
a. a Certification Authority (CA) host of the certificate management center generates certificate status change information;
b. the CA host of the certificate management center sends the generated certificate status change information to a certificate status change database over a secure and stable transmission channel;
c. an Online Certificate Status Protocol (OCSP) service main system monitors the certificate status change database and, after finding that change data exists, uses the certificate status change information it has looked up together with the signing function of a secure signing HSM to issue the latest Online Certificate Status Protocol reply messages (Hi-OCSP Response) corresponding to that certificate status change information;
d. the OCSP client sends the OCSP request message to the OCSP URL of the cloud Hi-OCSP system it is directed to, so that the cloud Hi-OCSP system performs the certificate status query;
e. the cloud Hi-OCSP system parses the received OCSP request message, retrieves the corresponding OCSP response message and returns it to the OCSP client, completing a high-trust, fast certificate status query;
f. when the cloud Hi-OCSP system parses the received OCSP request message and finds that it has no stored corresponding OCSP response message, or that the corresponding OCSP response message has expired, the cloud Hi-OCSP system requests the OCSP service main system to issue the corresponding Hi-OCSP Response packet.

2. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the OCSP client is an OCSP-compliant application or system, and the OCSP client application is installed on a computer host or on a portable smart device.

3. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the transfer of the certificate status change information uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) secure transport channel services employed for secure data transmission on the Internet, to provide communication security and data integrity.

4. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the certificate query request messages sent by the OCSP client and the Hi-OCSP Response messages returned by the cloud Hi-OCSP system all conform to the OCSP specification.

5. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the cloud Hi-OCSP system incorporates an authorization management mechanism and accepts and processes certificate status query requests only from specific authorized OCSP clients.

6. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the cloud Hi-OCSP system and the OCSP client further incorporate a time synchronization mechanism to ensure that the time used in the interaction between the systems is correct.

7. The method for dynamically adjusting cloud certificate status verification of claim 1, wherein the OCSP client sends the OCSP request message to the OCSP service main system to perform a high-trust certificate status query.

8. The method for dynamically adjusting cloud certificate status verification of claim 1, further comprising a method of pre-analyzing existing data, which comprises the following steps:
a. the OCSP service main system analyzes the query and usage records on the OCSP server side of the existing OCSP service main system and identifies the certificate serial numbers that are queried frequently;
b. the OCSP service main system sends the data over a secure encrypted channel to the database on the cloud Hi-OCSP system that is responsible for storage.

9. The method for dynamically adjusting cloud certificate status verification of claim 8, wherein the "Next Update" (next update and validity time) attribute value in the Hi-OCSP Response messages of the pre-analysis method is flexibly extended and set according to how frequently that Hi-OCSP Response message is used.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102132133A TWI539784B (en) 2013-09-06 2013-09-06 Dynamically adjust the method of cloud certificate status verification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW102132133A TWI539784B (en) 2013-09-06 2013-09-06 Dynamically adjust the method of cloud certificate status verification

Publications (2)

Publication Number Publication Date
TW201511515A true TW201511515A (en) 2015-03-16
TWI539784B TWI539784B (en) 2016-06-21

Family

ID=53186899

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102132133A TWI539784B (en) 2013-09-06 2013-09-06 Dynamically adjust the method of cloud certificate status verification

Country Status (1)

Country Link
TW (1) TWI539784B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI628935B (en) * 2016-01-29 2018-07-01 中華電信股份有限公司 Request traffic grouping method
TWI644542B (en) * 2016-01-29 2018-12-11 中華電信股份有限公司 Pre-signature method
TWI646808B (en) * 2016-01-29 2019-01-01 中華電信股份有限公司 Request traffic prediction method
TWI718033B (en) * 2020-03-18 2021-02-01 中華電信股份有限公司 System and method for online certificate status query responder

Also Published As

Publication number Publication date
TWI539784B (en) 2016-06-21

Similar Documents

Publication Publication Date Title
US11924358B2 (en) Method for issuing digital certificate, digital certificate issuing center, and medium
US10728229B2 (en) Method and device for communicating securely between T-box device and ECU device in internet of vehicles system
US9172544B2 (en) Systems and methods for authentication between networked devices
WO2018121249A1 (en) Ssl protocol-based access control method and device
US9043600B2 (en) Security model for industrial devices
US9130926B2 (en) Authorization messaging with integral delegation data
CN105656859B (en) Tax control equipment software safety online upgrading method and system
US9288234B2 (en) Security policy enforcement
US9800556B2 (en) Systems and methods for providing data security services
WO2018017609A1 (en) Secure asynchronous communications
US20160226829A1 (en) Systems and methods for secure data exchange
CN109981680B (en) Access control implementation method and device, computer equipment and storage medium
US20140331287A1 (en) Authentication policy enforcement
TWI539784B (en) Dynamically adjust the method of cloud certificate status verification
CN113225351B (en) Request processing method and device, storage medium and electronic equipment
CN114257376B (en) Digital certificate updating method, device, computer equipment and storage medium
CN106209903A (en) A kind of remote access financial system with encryption device
KR101839048B1 (en) End-to-End Security Platform of Internet of Things
CN112118242A (en) Zero trust authentication system
EP4203377A1 (en) Service registration method and device
US10972912B1 (en) Dynamic establishment of trust between locally connected devices
CN107888615B (en) Safety authentication method for node registration
WO2018219260A1 (en) Method, device and system for binding mobile phone number
WO2023160299A1 (en) Device physical identity authentication method and apparatus, and system and first platform
WO2021143028A1 (en) Internet of things equipment authentication method, electronic device and storage medium

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees