TW201605219A - Network device, register gateway and method for finishing applying certificate automatically - Google Patents


Info

Publication number
TW201605219A
Authority
TW (Taiwan)
Prior art keywords
certificate
network device
application
message
gateway
Application number
TW103125916A
Other languages
Chinese (zh)
Other versions
TWI533654B (en)
Inventor
陳柏翰
Original Assignee
臺灣網路認證股份有限公司
Application filed by 臺灣網路認證股份有限公司
Priority to TW103125916A
Publication of TW201605219A
Application granted
Publication of TWI533654B


Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network device, a registration gateway and a method for automatically completing a certificate application are provided. After a certificate application event is triggered on the network device, the network device generates a certificate application message; the registration gateway generates a certificate request from the certificate application message it receives from the network device and from its own gateway identification data, sends the certificate request to a certificate authority server, and forwards the device certificate issued by the certificate authority server back to the network device. The system and method thus let a user obtain a certificate conveniently.

Description

Network device, registration gateway and method for automatically completing a certificate application

A network device, a registration gateway and a method for applying for a certificate, and in particular a network device, a registration gateway and a method that complete the certificate application automatically.

A digital certificate (referred to simply as a "certificate" in the present invention) is an identity mechanism for digital devices: a file, or a set of files, that records the identity data and the public key of the certificate's owner. A digital certificate can be used to identify a digital device, and the owner of the certificate can use it to authenticate to a computer system.

Digital certificates can be issued by any entity; for example, many companies and schools use certificates they issue themselves. In practice, however, certificates issued by entities that have not been accredited are not trusted by the public. To obtain a publicly trusted digital certificate, one must apply to an accredited certificate application center.

However, the current digital-certificate application process is very cumbersome, and many of its steps require manual work: when applying, the application web page must be filled in by hand and the certificate application request (CSR) file must be uploaded by hand; at the certificate application center, the applicant's eligibility must be checked by hand; and when the certificate is installed, it must be imported by hand. Clearly, the current process of applying for and using a digital certificate is inconvenient.

In summary, the prior art has long suffered from the problem that the certificate application process requires user intervention, so an improved technique is needed to solve it.

In view of the prior-art problem that the certificate application process requires user intervention, the present invention discloses a network device, a registration gateway and a method for automatically completing a certificate application, as follows:

The network device for automatically completing a certificate application disclosed by the present invention is connected to a certificate management server through a registration gateway and comprises at least: a request processing module, which generates a certificate application message when a certificate application event is triggered; a device transmission module, which sends the certificate application message to the registration gateway so that the registration gateway requests issuance of a device certificate from the certificate management server according to that message, and which receives the device certificate returned by the registration gateway; and a certificate verification module, which verifies the device certificate and stores it once it passes verification, so that the network device can use the verified device certificate.

The registration gateway for automatically completing a certificate application disclosed by the present invention is connected to the network device and to the certificate management server and comprises at least: a storage medium, which stores gateway identification data provided by the certificate management server; a gateway transmission module, which receives the certificate application message sent by the network device when a certificate application event is triggered; and a message processing module, which generates a certificate request message from the certificate application message and the gateway identification data. The gateway transmission module further sends the certificate request message to the certificate management server so that the certificate management server issues a device certificate, and forwards the device certificate returned by the certificate management server to the network device.

The method for automatically completing a certificate application disclosed by the present invention comprises at least the following steps: the certificate management server provides gateway identification data to the registration gateway; the network device generates a certificate application message when a certificate application event is triggered; the network device sends the certificate application message to the registration gateway; the registration gateway generates a certificate request message from the certificate application message and the gateway identification data; the registration gateway sends the certificate request message to the certificate management server and waits for the certificate management server to return the issued device certificate; the registration gateway sends the device certificate to the network device; and the network device stores and uses the device certificate.

The network device, registration gateway and method disclosed above differ from the prior art in that, after a certificate application event is triggered on the network device, the network device generates a certificate application message and sends it to the registration gateway; the registration gateway generates a certificate request message from the certificate application message and the gateway identification data and sends it to the certificate management server; and after the certificate management server returns the issued device certificate to the registration gateway, the registration gateway delivers the device certificate to the network device for use. This solves the problem of the prior art and makes applying for a certificate convenient for the user.

The features and embodiments of the present invention are described in detail below with reference to the drawings and embodiments, in enough detail that anyone skilled in the art can readily understand the technical means by which the present invention solves the technical problem, implement them accordingly, and thereby obtain the effects the invention can achieve.

The present invention allows the user to operate within the management interface of the network device so that the network device automatically obtains, through the registration gateway, a device certificate issued by the certificate management server (CA), and then uses the device certificate it obtained.

How the device certificate is used may differ from one network device to another: some network devices may use the device certificate to provide an SSL-protected web management interface, while others may use it as identification data on the network. The present invention places no particular restriction on this.

The operation of the system is first explained with reference to "FIG. 1", the network architecture diagram of the automatic certificate application proposed by the present invention. As shown in "FIG. 1", the system of the present invention comprises a certificate management server 100, a network device 200 and a registration gateway 300.

The certificate management server 100 is responsible for issuing the device certificates used by the network device 200.

The network device 200 has device identification data and is responsible for applying to the certificate management server 100, through the registration gateway 300, for a device certificate and for using the device certificate it obtains. As shown in "FIG. 2", the network device 200 may comprise a request processing module 220, a device transmission module 250 and a certificate verification module 280. In some embodiments the network device 200 further comprises an identity confirmation module 230.

The request processing module 220 generates a certificate application message when a certificate application event is triggered. The certificate application message it generates contains identity verification data and certificate application data. The identity verification data comprises at least the user identification data of the user of the network device 200 and the device identification data of the network device 200; the certificate application data comprises at least the device identification data and the certificate application request generated by the request processing module 220.

The certificate application event of the present invention is produced by a specific operation that the user of the network device 200 performs on the network device when wishing to apply for a device certificate, for example clicking a specific button in the network device's management interface or pressing a specific key on the network device's control panel; the event is not limited to being produced at these moments.

The request processing module 220 must first generate a key, and only then can it issue a certificate application request (CSR) based on the generated key. The key generated by the request processing module 220 normally comprises a public key and a private key, but the present invention is not limited to this. In general the user may be asked to enter a password to protect the private key of the key generated by the request processing module 220, but the present invention is not limited to this either. The request processing module 220 usually stores the generated key in a preset storage format and usually encrypts the private key with a preset encryption algorithm.

In some embodiments, when issuing the certificate application request, the request processing module 220 may generate an application subject from the device identification data of the network device 200, and package the generated application subject, the public key of the generated key, and a signature over the public key as the certificate application request. The request processing module 220 may generate the application subject according to a predefined format, produce the signature over the public key with a preset signature algorithm, and package the certificate application request according to a preset format.

In practice, the content of the certificate application request of the present invention is not limited to the above items; for example, when the network device 200 provides a web service, the certificate application request generated by the request processing module 220 may also contain the site name of the website served by the network device 200.

It is particularly worth noting that, in some embodiments, the request processing module 220 may, when a certificate application event is triggered, check the certificate application status of the network device 200. Only when the status does not indicate that the network device 200 already has a certificate application in progress does it generate a certificate application message, send the issued certificate application message to the registration gateway 300, record the certificate application status as indicating that the network device 200 has a certificate application in progress, and store the generated certificate application message. When the certificate application status indicates that the network device 200 already has a certificate application in progress, the request processing module 220 may instead read the previously stored certificate application message and send that message to the registration gateway 300.

Furthermore, if the request processing module 220 determines, while sending the certificate application message to the registration gateway 300, that the connection between the device transmission module 250 and the registration gateway 300 is abnormal, it may resend the issued certificate application message.

The identity confirmation module 230 may verify the identity of the user of the network device 200. In general, the identity confirmation module 230 asks the user to enter user identification data, but the way in which the identity confirmation module 230 verifies the user's identity is not limited to this.

Besides verifying the user's identity when the user wants to enter the management interface of the network device 200, in some embodiments the identity confirmation module 230 may verify the user's identity again after the request processing module 220 has generated the certificate application message and before the device transmission module 250 sends it.

The device transmission module 250 sends the certificate application message generated by the request processing module 220 to the registration gateway 300, and receives the device certificate returned by the registration gateway 300.

In some embodiments, the device transmission module 250 may continuously monitor the state of its connection to the registration gateway 300 from the moment it starts sending the certificate application message until the device certificate has been completely received, and when it detects that the connection to the registration gateway 300 is abnormal, it may notify the request processing module 220 to resend the certificate application message to the registration gateway 300.

The certificate verification module 280 verifies the device certificate received by the device transmission module 250. In some embodiments, the certificate verification module 280 may check whether the root certificate contained in the device certificate is correct, for example whether the root certificate comes from the certificate management server 100 (if so, the root certificate is correct); it may also check whether the device identification data contained in the device certificate matches the network device 200, and whether the public key contained in the device certificate pairs with the private key of the key generated by the request processing module 220. The way in which the certificate verification module 280 verifies the device certificate is not limited to the above.

The certificate verification module 280 also stores the device certificate once it passes verification, so that the network device 200 can use the verified device certificate. The certificate verification module 280 may store the verified device certificate in a specific directory of the network device 200, but the present invention is not limited to this. In addition, after the device certificate passes verification, the certificate verification module 280 may delete the certificate application message generated by the request processing module 220.

The registration gateway 300, acting in place of the network device 200, applies to the certificate management server 100 for a device certificate according to the certificate application message sent by the network device, and returns the device certificate that the certificate management server 100 issues to the network device 200 back to the network device 200. As shown in "FIG. 3", the registration gateway 300 may comprise a storage medium 310, a gateway transmission module 350 and a message processing module 370. In some embodiments, the registration gateway 300 further comprises a request verification module 360 and a certificate verification module 380.

The storage medium 310 stores the gateway identification data provided by the certificate management server 100.

The gateway transmission module 350 receives the certificate application message sent by the network device 200 when a certificate application event is triggered, and sends the certificate request message generated by the message processing module 370 together with the gateway identification data stored in the storage medium 310 to the certificate management server 100, so that the certificate management server 100 issues a device certificate for use by the network device 200.

The gateway transmission module 350 also receives the device certificate sent by the certificate management server 100 and forwards the received device certificate to the network device 200.

The gateway transmission module 350 may monitor the state of its connection to the certificate management server 100 from the moment it starts sending the certificate request message until the device certificate has been completely received, and notify the message processing module 370 when it detects that the connection to the certificate management server 100 is abnormal.

The request verification module 360 may check the eligibility of the certificate application message received by the gateway transmission module 350 and discard any certificate application message that fails the eligibility check. In general, the request verification module 360 can determine whether the certificate application message received by the gateway transmission module 350 was really sent by the network device 200. It can also determine whether the user identification data in the certificate application message is valid, for example whether that user identification data is actually registered or whether the user has completed the payment procedure. It can further determine whether the network address used by the network device 200 is barred from applying for certificates, and even whether the site name in the certificate application message was registered by the user. The way in which the request verification module 360 checks eligibility is not limited to the above.

The request verification module 360 may also determine the certificate application status of the network device 200 from the user identification data and/or the device identification data in the certificate application message. When the status indicates that the network device 200 has a certificate application in progress, it further compares the certificate application message received by the gateway transmission module 350 with the certificate application message of the application in progress; it validates the received certificate application message only when the two differ, or when the status does not indicate that an application is in progress. In general, the request verification module 360 can validate the public key in the certificate application message, using a preset signature algorithm, against the signature over the public key carried in the message; it can check whether the network device identification data in the message is correct, whether the public key has the correct length, and the quality of the public key, and it can check whether the public key already exists. The way in which the request verification module 360 validates the certificate application message is not limited to the above.
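One way to implement the CSR checks that the request verification module 360 is described as performing, written in Go as an added example rather than code from the patent or its assignee: it parses the PKCS#10 request, verifies the signature over the public key under the enclosed key (so the applicant must hold the matching private key), enforces a minimum RSA key length and a conventional public exponent as the "key quality" check, compares the subject with the device identification data and the registered site name, and rejects a public key that has already been accepted once. The 2048-bit minimum, the use of the subject OU and CN to carry the identification data, and the SHA-256 fingerprint used to detect an already-existing key are assumptions; NewDeviceCSR only constructs sample input so that the block runs stand-alone.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// RequestVerifier holds the policy and state the request verification module needs:
// the minimum key size and the fingerprints of public keys already accepted.
type RequestVerifier struct {
	MinBits  int
	seenKeys map[string]bool // hex SHA-256 of the CSR's SubjectPublicKeyInfo
}

func NewRequestVerifier(minBits int) *RequestVerifier {
	return &RequestVerifier{MinBits: minBits, seenKeys: map[string]bool{}}
}

// Validate checks the CSR of a certificate application message against the device
// identification data and site name carried alongside it. On success it records the
// public key so that a later application reusing the key is rejected, and returns the fingerprint.
func (v *RequestVerifier) Validate(deviceID, siteName string, csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("application does not carry a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parsing CSR: %w", err)
	}
	// The CSR is signed with the applicant's private key; verifying it under the enclosed
	// public key is the "signature over the public key" check, i.e. proof of possession.
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA public keys are accepted")
	}
	if bits := pub.N.BitLen(); bits < v.MinBits { // key length
		return "", fmt.Errorf("public key is %d bits, minimum is %d", bits, v.MinBits)
	}
	if pub.E != 65537 { // key quality: reject unusual public exponents
		return "", fmt.Errorf("unexpected RSA public exponent %d", pub.E)
	}
	// Device identification data: the subject must name exactly this device and site.
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != deviceID {
		return "", errors.New("CSR subject OU does not match the device identification data")
	}
	if csr.Subject.CommonName != siteName {
		return "", errors.New("CSR subject CN does not match the registered site name")
	}
	sum := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	fp := hex.EncodeToString(sum[:])
	if v.seenKeys[fp] { // does the public key already exist?
		return "", errors.New("public key was already used in an earlier application")
	}
	v.seenKeys[fp] = true
	return fp, nil
}

// NewDeviceCSR builds a CSR the way the network device would; it exists only to give
// this block constructed input so that it runs stand-alone.
func NewDeviceCSR(deviceID, siteName string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{OrganizationalUnit: []string{deviceID}, CommonName: siteName},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```

Calling Validate("NAS-SN-0001", "nas.example.test", csr) on a fresh 2048-bit CSR returns the key fingerprint; a second call with the same CSR, a call with a different device identifier, or a 1024-bit key all return an error. The eligibility checks the text lists that depend on back-office data (registered user, payment, barred addresses) sit outside this block because they need a database rather than the CSR.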

The message processing module 370 generates a certificate request message from the certificate application message received by the gateway transmission module 350 and stores the generated certificate request message. In some embodiments, each time a certificate request message must be generated, the message processing module 370 generates a transaction code, packages the gateway identification data stored in the storage medium 310, the generated transaction code and the certificate application message received by the gateway transmission module 350 into a transaction message, signs the transaction message, and uses the transaction message together with its signature as the certificate request message. The message processing module 370 may package the transaction message in a preset format and produce the signature of the transaction message with a preset signature algorithm.

In practice, the transaction message packaged by the message processing module 370 is not limited to the gateway identification data, the transaction code and the certificate application message; for example, the message processing module 370 may also package into the transaction message the application type of the device certificate, determined from the user identification data in the certificate application message, and/or the expiry date of the device certificate, determined from the application type.

In addition, when the request verification module 360 determines that the network device 200 has a certificate application in progress and the certificate application message received by the gateway transmission module 350 is identical to the certificate application message of that application, the message processing module 370 may simply continue the previous application; only when the request verification module 360 determines that the network device 200 has no certificate application in progress, or that it has one in progress but the certificate application message received by the gateway transmission module 350 differs from the certificate application message of that application, does the message processing module 370 generate a certificate request message from the certificate application message.

Furthermore, when the gateway transmission module 350 reports that the connection to the certificate management server 100 has been abnormally interrupted, the message processing module 370 may read the certificate request message that was stored when it was generated and resend it to the certificate management server 100 through the gateway transmission module 350, so that the certificate management server re-supplies the device certificate of the network device 200 to the registration gateway 300 according to the same transaction code contained in the certificate request message, rather than generating a new device certificate.
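The packaging, signing, storage and resend behaviour of the message processing module 370 described in the preceding paragraphs, with the matching transaction-code check on the certificate management server's side, as an added Go example (not the patent's or the assignee's code): the gateway packages its identification data, a fresh random transaction code and the application into a transaction message, signs it, and stores the result per device; an identical application already in progress, or a resend after the transmission module reports a broken connection, returns the stored request unchanged so that the CA sees the same transaction code and returns the certificate it already issued instead of issuing another. The JSON layout and field names, RSA PKCS#1 v1.5 over SHA-256 as the "preset signature algorithm", and the 128-bit random transaction code are assumptions; the CSR is carried opaquely here as a constructed placeholder because this block is about the envelope, not the CSR contents.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// ApplicationMessage is the device's message as received; the CSR is carried opaquely here and the field names are assumptions.
type ApplicationMessage struct {
	UserID, DeviceID, SiteName, CSRPEM string
}

// TransactionMessage is what the gateway packages: its identification data, a fresh transaction code and the forwarded application.
type TransactionMessage struct {
	GatewayID, TransactionCode string
	Application                ApplicationMessage
}

// CertificateRequestMessage is the transaction message plus the gateway's signature over it.
type CertificateRequestMessage struct {
	Body, Signature []byte
}

// Gateway holds the gateway's signing key and the stored request of each application in progress.
type Gateway struct {
	ID      string
	Key     *rsa.PrivateKey                      // its public half is what the CA trusts as gateway identification data
	pending map[string]CertificateRequestMessage // device ID -> stored request
}

func NewGateway(id string) (*Gateway, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Gateway{ID: id, Key: key, pending: map[string]CertificateRequestMessage{}}, nil
}

// BuildRequest returns the stored request when the same application is already in progress (this is also
// the path taken on a resend after a broken connection); otherwise it packages, signs and stores a new one.
func (g *Gateway) BuildRequest(m ApplicationMessage) (CertificateRequestMessage, error) {
	if p, ok := g.pending[m.DeviceID]; ok {
		var tx TransactionMessage
		if json.Unmarshal(p.Body, &tx) == nil && tx.Application == m {
			return p, nil // continue the previous application: same transaction code
		}
	}
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		return CertificateRequestMessage{}, err
	}
	body, err := json.Marshal(TransactionMessage{GatewayID: g.ID, TransactionCode: hex.EncodeToString(code), Application: m})
	if err != nil {
		return CertificateRequestMessage{}, err
	}
	digest := sha256.Sum256(body) // assumed preset algorithm: RSA PKCS#1 v1.5 over SHA-256 of the body
	sig, err := rsa.SignPKCS1v15(rand.Reader, g.Key, crypto.SHA256, digest[:])
	if err != nil {
		return CertificateRequestMessage{}, err
	}
	req := CertificateRequestMessage{Body: body, Signature: sig}
	g.pending[m.DeviceID] = req // stored so it can be resent unchanged
	return req, nil
}

// IssuanceLog is the CA-side counterpart: it checks the gateway signature and uses the transaction code
// to tell a resend (certificate already issued) from a new request.
type IssuanceLog struct {
	gatewayPub *rsa.PublicKey
	seen       map[string]bool // transaction codes already processed
}

func NewIssuanceLog(gatewayPub *rsa.PublicKey) *IssuanceLog {
	return &IssuanceLog{gatewayPub: gatewayPub, seen: map[string]bool{}}
}

// Accept returns the transaction code and true when a new certificate must be issued, or false when
// the certificate already issued under this code should simply be returned again.
func (l *IssuanceLog) Accept(r CertificateRequestMessage) (string, bool, error) {
	digest := sha256.Sum256(r.Body)
	if err := rsa.VerifyPKCS1v15(l.gatewayPub, crypto.SHA256, digest[:], r.Signature); err != nil {
		return "", false, fmt.Errorf("gateway signature invalid: %w", err)
	}
	var tx TransactionMessage
	if err := json.Unmarshal(r.Body, &tx); err != nil {
		return "", false, err
	}
	fresh := !l.seen[tx.TransactionCode]
	l.seen[tx.TransactionCode] = true
	return tx.TransactionCode, fresh, nil
}
```

The CA verifies the signature before it parses the body, so an unauthenticated request never reaches the transaction-code logic; because the gateway resends the stored bytes rather than re-signing a fresh copy, the CA's dedup key is stable across retries.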

The certificate verification module 380 may verify the device certificate received by the gateway transmission module 350. Like the certificate verification module 280 in the network device 200, the certificate verification module 380 may verify the device certificate by checking whether the root certificate contained in the device certificate is correct, whether the device identification data contained in the device certificate matches the network device 200, and whether the public key contained in the device certificate pairs with the private key of the key generated by the request processing module 220; but the present invention is not limited to this. For example, the certificate verification module 380 may also check whether the certificate expiry date in the device certificate matches the expiry date determined by the message processing module 370.
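The checks assigned to the certificate verification module 280 (root certificate comes from the certificate management server, device identification data matches, public key pairs with the device's private key) and the additional expiry-date check of the certificate verification module 380, as an added Go example that is not the patent's or the assignee's code. The self-signed root stands in for the certificate management server 100, IssueDeviceCert stands in for its issuing step, and carrying the root and device certificates as two DER blobs is an assumption about how "the root certificate contained in the device certificate" is delivered; VerifyDeviceCert is the part a device or gateway would actually run.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceCertificateBundle is what the gateway hands back: the device certificate and the
// root certificate it chains to, both DER (an assumption about the delivery format).
type DeviceCertificateBundle struct {
	DeviceCert, RootCert []byte
}

// NewDeviceKey stands in for the key the request processing module 220 generated.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewRootCA makes a self-signed root standing in for the certificate management server 100.
func NewRootCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Device Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert is the CA step: a server certificate for "OU=<device ID>, CN=<site name>"
// with the expiry date the gateway determined for the application type.
func IssueDeviceCert(ca *x509.Certificate, caKey *rsa.PrivateKey, devicePub *rsa.PublicKey,
	deviceID, siteName string, notAfter time.Time) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{OrganizationalUnit: []string{deviceID}, CommonName: siteName},
		DNSNames:     []string{siteName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, devicePub, caKey)
}

// VerifyDeviceCert runs the checks the text gives module 280 (the root is the CA we enrolled with,
// the chain validates, the device ID matches, the public key pairs with our private key) plus the
// expiry check of module 380; wantExpiry is skipped when zero because the device does not know it.
func VerifyDeviceCert(b DeviceCertificateBundle, trustedRoot *x509.Certificate, deviceID string,
	priv *rsa.PrivateKey, wantExpiry time.Time) error {
	root, err := x509.ParseCertificate(b.RootCert)
	if err != nil {
		return fmt.Errorf("root certificate: %w", err)
	}
	if !root.Equal(trustedRoot) {
		return errors.New("root certificate is not the certificate management server we enrolled with")
	}
	cert, err := x509.ParseCertificate(b.DeviceCert)
	if err != nil {
		return fmt.Errorf("device certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("device certificate does not chain to the trusted root: %w", err)
	}
	if len(cert.Subject.OrganizationalUnit) != 1 || cert.Subject.OrganizationalUnit[0] != deviceID {
		return errors.New("device identification data in the certificate does not match this device")
	}
	if !priv.PublicKey.Equal(cert.PublicKey) {
		return errors.New("certificate public key does not pair with the device's private key")
	}
	if !wantExpiry.IsZero() && !cert.NotAfter.Equal(wantExpiry.Truncate(time.Second)) {
		return fmt.Errorf("certificate expires %v but the gateway determined %v", cert.NotAfter, wantExpiry)
	}
	return nil
}
```

The chain check uses only the root we enrolled with, not the system trust store, so a valid certificate from some other CA is rejected; X.509 stores times at one-second resolution, which is why the expected expiry is truncated before the comparison.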

接著以一個實施例來解說本發明的運作系統與方法,並請參照「第4A圖」本發明所提之自動完成憑證申請之方法流程圖。在本實施例中,假設憑證管理伺服器100被設置於憑證管理中心,網路裝置200為網路附加儲存(Network Attached Storage, NAS)裝置,被設置於使用者家中,註冊閘道器300同樣由網路裝置200之開發廠商所製造,被設置於網路裝置200之開發廠商的機房中,但本發明並不以此為限,例如,註冊閘道器300也可以不為網路裝置200之開發廠商,且與憑證管理伺服器100一同被設置於憑證管理中心。Next, an operational system and method of the present invention will be described with reference to an embodiment, and reference is made to the flowchart of the method for automatically completing the voucher application proposed by the present invention in "FIG. 4A". In this embodiment, it is assumed that the credential management server 100 is installed in the credential management center, and the network device 200 is a network attached storage (NAS) device, which is installed in the user's home, and the registration gateway 300 is also the same. It is manufactured by the developer of the network device 200 and is installed in the equipment room of the developer of the network device 200. However, the present invention is not limited thereto. For example, the registration gateway 300 may not be the network device 200. The developer is installed in the voucher management center together with the voucher management server 100.

First, certificate authority server 100 provides gateway identification data to registration gateway 300 (step 402). In this embodiment it is assumed that, while manufacturing registration gateway 300, the vendor of network device 200 obtains from certificate authority server 100 the gateway identification code and the identification certificate issued to registration gateway 300, and defines related information such as the validity period of the identification certificate and the domain in which it is used.

After purchasing network device 200, the user can connect a computer to registration gateway 300 and register the user identification data and the website name of the web management interface used by network device 200.

Later, when the user wants to add SSL to the web management interface of network device 200, the user first logs in to the web management interface of network device 200 from a computer and triggers a certificate application event in that interface, so that the web management interface of network device 200 can enable SSL. In this embodiment it is assumed that the user triggers the certificate application event by clicking an "apply for certificate" button on the web page.

When the certificate application event is triggered, request processing module 220 of network device 200 can generate a certificate application message (step 420). In this embodiment it is assumed that request processing module 220 first asks the user for a password. Once the password is entered, request processing module 220 generates an RSA key pair, encrypts the generated private key with the user's password using the preset AES-192-CBC encryption algorithm, and stores the encrypted private key in the preset PKCS#12 format. Request processing module 220 then calls the application programming interface (API) provided by network device 200 to obtain the website name of the web management interface of network device 200 and the device identification data of network device 200, and uses them to build the request subject, for example "OU=<device identification data>, CN=<website name>". Next, request processing module 220 signs the request, which carries the generated public key, with the private key using the preset SHA256 with RSA signature algorithm, and packages the subject, the public key and the signature as a certificate signing request (CSR) in the PKCS#10 format of RFC 2986. Request processing module 220 then obtains the user identification data and forms the certificate application message from identity verification data, consisting of the user identification data, the device identification data and the website name, and certificate application data, consisting of the device identification data, the website name and the certificate signing request.

After request processing module 220 of network device 200 has generated the certificate application message (step 420), device transmission module 250 of network device 200 can transmit the generated certificate application message to registration gateway 300 (step 435).

In practice, as shown in the flow of FIG. 4B, when the certificate application event is triggered request processing module 220 of network device 200 can first check whether the certificate application status of network device 200 indicates an application in progress (step 411). If not, request processing module 220 records the certificate application status as "application in progress" (step 415), generates the certificate application message (step 420), stores the generated message, and device transmission module 250 of network device 200 transmits it to registration gateway 300 (step 435). If so, that is, network device 200 already has an application in progress, request processing module 220 reads the stored certificate application message and device transmission module 250 transmits that stored message to registration gateway 300 (step 435).

In addition, to make sure that it really is the user who is applying for the certificate, identity confirmation module 230 of network device 200 can verify the identity of the user of network device 200 (step 431) after request processing module 220 generates the certificate application message (step 420) and before device transmission module 250 transmits it to registration gateway 300 (step 435). In this embodiment this means asking the user to enter the login identification data of the web management interface.

Returning to FIG. 4A, after gateway transmission module 350 of registration gateway 300 receives the certificate application message transmitted by network device 200, request verification module 360 of registration gateway 300 can check the user's eligibility to apply for a certificate based on the received message (step 440). In this embodiment it is assumed that request verification module 360 confirms that the certificate application message was sent by network device 200, determines whether the user is valid from the user identification data in the identity verification data of the message, determines from the user identification data and the website name in the identity verification data whether the website name was registered by that user, and determines whether the network address used by network device 200 is blocked.

After request verification module 360 of registration gateway 300 has checked the user's eligibility (step 440), message processing module 370 of registration gateway 300 can generate a certificate request message based on the certificate application message received by gateway transmission module 350 and the gateway identification data stored in storage medium 310 of registration gateway 300 (step 460). In this embodiment, message processing module 370 first generates a transaction code, reads the gateway identification data from storage medium 310 and the certificate signing request from the certificate application message, packages the gateway identification data, the transaction code and the certificate signing request as a transaction message in the preset RFC 3852 (CMS) format, generates a signature over the transaction message with the predetermined SHA256 with RSA signature algorithm, and uses the transaction message together with its signature as the certificate request message.

In practice, when message processing module 370 of registration gateway 300 generates the certificate request message from the certificate application message and the gateway identification data (step 460), it can also, as shown in the flow of FIG. 4C, first determine the application type of the device certificate from the user identification data in the certificate application message (step 462) and compute the expiry date of the device certificate from the determined application type (step 464).

In this embodiment, message processing module 370 of registration gateway 300 first checks from the user identification data whether a corresponding valid device certificate exists, and determines the user's payment status from the user identification data. If no valid device certificate exists and the payment status shows that the user may apply for a new certificate, message processing module 370 determines the application type to be "new application"; if no valid device certificate exists and the payment status does not allow a new certificate, message processing module 370 discards the certificate application message, rejecting the user's application. When message processing module 370 determines that a valid device certificate exists and the payment status shows that the user may apply for a new certificate, it selects the most recently issued device certificate and further checks whether it is about to expire, for example whether its remaining validity is shorter than a predetermined number of days; if so, the application type is "renewal". If a valid device certificate exists but the payment status does not allow a new certificate, or the selected device certificate is not about to expire, message processing module 370 determines the application type to be "rename"/"reissue".

When the application type is "new application", message processing module 370 of registration gateway 300 can assume that the newly applied-for device certificate is valid for one year; it therefore takes the current time as the application time and uses the date one year after the application time as the expiry date, so that an application made at 2013/12/27 20:39:47 gives an expiry date of 2014/12/27 23:59:59. When the application type is "renewal", message processing module 370 can look up the current expiry date by the serial number of the device certificate; if the device certificate is expected to be a one-year certificate, it adds one year to the current expiry date and uses the result as the new expiry date, so that whatever the application time, a device certificate whose current expiry date is 2013/12/27 23:59:59 gets a new expiry date of 2014/12/27 23:59:59. When the application type is "rename" or "reissue", message processing module 370 can look up the expiry date by the serial number of the device certificate and use the original expiry date as the expiry date of the new device certificate.
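The classification of steps 462 and 464 can be written as one function. The following Go program is an added example and not part of the patent; the `Classify` function, the record types, the 30-day renewal window and the rule that the most recently issued certificate is the one with the latest start date are assumptions made for the example, since the patent only states that the gateway looks certificates up by user identification data and serial number.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ApplicationType is the outcome of step 462, named after the patent's categories.
type ApplicationType string

const (
	TypeNew     ApplicationType = "new application"
	TypeRenewal ApplicationType = "renewal"
	TypeReissue ApplicationType = "rename/reissue"
)

// IssuedCert is the gateway's record of one device certificate already
// obtained for a user (field set assumed for this example).
type IssuedCert struct {
	Serial    string
	NotBefore time.Time
	NotAfter  time.Time
}

// UserRecord is what the gateway knows about one user identification data
// value: certificates issued so far and whether payment status permits a new one.
type UserRecord struct {
	Certs    []IssuedCert
	MayApply bool
}

// RenewalWindow is the "predetermined number of days" before expiry within
// which an application counts as a renewal; 30 days is an assumed value.
const RenewalWindow = 30 * 24 * time.Hour

// ErrRejected is returned when the gateway must discard the application message.
var ErrRejected = errors.New("no valid device certificate and payment status does not allow a new one")

// latestValid picks the most recently issued certificate still valid at now.
func latestValid(certs []IssuedCert, now time.Time) (IssuedCert, bool) {
	var best IssuedCert
	found := false
	for _, c := range certs {
		if !c.NotAfter.After(now) {
			continue // already expired
		}
		if !found || c.NotBefore.After(best.NotBefore) {
			best, found = c, true
		}
	}
	return best, found
}

// endOfDay moves a timestamp to 23:59:59 of the same calendar day, matching the
// patent's example (applied 2013/12/27 20:39:47, expires 2014/12/27 23:59:59).
func endOfDay(t time.Time) time.Time {
	y, m, d := t.Date()
	return time.Date(y, m, d, 23, 59, 59, 0, t.Location())
}

// Classify performs steps 462 and 464: it decides the application type from the
// user's record and computes the expiry date the gateway will expect in the
// issued certificate, assuming one-year device certificates.
func Classify(u UserRecord, now time.Time) (ApplicationType, time.Time, error) {
	cur, hasValid := latestValid(u.Certs, now)
	switch {
	case !hasValid && u.MayApply:
		// New application: one year from the application time.
		return TypeNew, endOfDay(now.AddDate(1, 0, 0)), nil
	case !hasValid:
		return "", time.Time{}, ErrRejected
	case u.MayApply && cur.NotAfter.Sub(now) < RenewalWindow:
		// Renewal: one year added to the current expiry, whatever the application time.
		return TypeRenewal, endOfDay(cur.NotAfter.AddDate(1, 0, 0)), nil
	default:
		// Rename or reissue: the replacement keeps the current expiry date.
		return TypeReissue, cur.NotAfter, nil
	}
}

func main() {
	applied := time.Date(2013, 12, 27, 20, 39, 47, 0, time.UTC) // the patent's example application time
	typ, exp, err := Classify(UserRecord{MayApply: true}, applied)
	fmt.Println(typ, exp.Format(time.RFC3339), err)
	current := IssuedCert{Serial: "1001", NotBefore: applied.AddDate(-1, 0, 0),
		NotAfter: time.Date(2013, 12, 27, 23, 59, 59, 0, time.UTC)}
	typ, exp, err = Classify(UserRecord{MayApply: true, Certs: []IssuedCert{current}}, applied)
	fmt.Println(typ, exp.Format(time.RFC3339), err)
}
```

A certificate that has already expired is ignored when looking for the current one, so a user whose only certificate lapsed is treated as a new applicant rather than as a renewal, which keeps the renewal path from extending a date that is already in the past.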

After message processing module 370 of registration gateway 300 has determined the application type from the user identification data in the certificate application message (step 462) and computed the expiry date of the device certificate from that type (step 464), it can package the gateway identification data, the transaction code, the application type, the expected expiry date and the certificate signing request as a transaction message (step 466), generate a signature over the transaction message with the predetermined signature algorithm (step 468), and use the transaction message together with its signature as the certificate request message. Message processing module 370 has then completed generation of the certificate request message (step 460).

In practice, before message processing module 370 of registration gateway 300 generates the certificate request message from the certificate application message and the gateway identification data (step 460), it can also, as shown in the flow of FIG. 4D, first determine from the user identification data in the certificate application message whether network device 200 has an unfinished certificate application (step 451). If so, message processing module 370 can further check whether the certificate application message received by gateway transmission module 350 of registration gateway 300 is identical to the one network device 200 sent in its previous application (step 453). If it is, network device 200 is repeating the same application, and message processing module 370 continues the previous application (step 459); gateway transmission module 350 of registration gateway 300 can then wait for certificate authority server 100 to return the issued device certificate and pass the received device certificate back to network device 200 (step 486).
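As an added example that is not part of the patent, the following Go program shows a registration gateway that keeps the pending applications of step 451, resumes the previous transaction when the same message arrives again (steps 453 and 459), and otherwise builds and signs the transaction message of steps 466 and 468, together with the check the certificate authority server would make on the gateway's signature. Two substitutions are assumptions of the example: the transaction message is a JSON object with a detached SHA256withRSA (PKCS#1 v1.5) signature rather than an RFC 3852 CMS structure, which Go's standard library cannot produce, and the transaction code format, the hypothetical `Handle` and `VerifyTransaction` functions and the sample message contents are invented here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ApplicationMessage is the certificate application message of step 420:
// identity verification data (user, device, site name) plus the PKCS#10 request.
type ApplicationMessage struct {
	UserID   string `json:"user_id"`
	DeviceID string `json:"device_id"`
	SiteName string `json:"site_name"`
	CSR      []byte `json:"csr"` // DER-encoded PKCS#10
}

// Transaction is the transaction message of step 466 with the signature of
// step 468. The patent packages it as RFC 3852 CMS; here it is JSON with a
// detached SHA256withRSA (PKCS#1 v1.5) signature, which is not CMS.
type Transaction struct {
	GatewayID string `json:"gateway_id"`
	TxCode    string `json:"tx_code"`
	AppType   string `json:"app_type"`
	Expiry    string `json:"expiry"`
	CSR       []byte `json:"csr"`
	Signature []byte `json:"signature,omitempty"`
}

type pendingEntry struct { // an application forwarded to the CA and not yet answered
	msgHash [32]byte
	tx      *Transaction
}

// Gateway holds the gateway identification data, the signing key behind the
// gateway's identification certificate, and the pending applications keyed by
// user identification data (step 451).
type Gateway struct {
	ID      string
	key     *rsa.PrivateKey
	pending map[string]pendingEntry
	nextTx  int
}

// NewGateway generates the signing key here; in step 402 it would be
// provisioned together with the identification certificate.
func NewGateway(id string) (*Gateway, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Gateway{ID: id, key: key, pending: map[string]pendingEntry{}}, nil
}

// PublicKey is what the CA server uses to verify this gateway's signatures.
func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.key.PublicKey }

// hashMessage defines "the same message" for step 453: equal canonical JSON.
func hashMessage(m ApplicationMessage) [32]byte {
	b, _ := json.Marshal(m)
	return sha256.Sum256(b)
}

// signedBytes is the exact byte string the signature covers (every field but the signature).
func signedBytes(tx Transaction) []byte {
	tx.Signature = nil
	b, _ := json.Marshal(tx)
	return b
}

// Handle implements steps 451 through 460 for one application whose eligibility
// and CSR checks (steps 440, 455) and type and expiry (steps 462, 464) are
// already decided. It returns the transaction for the CA and whether it is the
// resumed transaction of an earlier, identical application.
func (g *Gateway) Handle(m ApplicationMessage, appType, expiry string) (*Transaction, bool, error) {
	h := hashMessage(m)
	if p, ok := g.pending[m.UserID]; ok && p.msgHash == h {
		return p.tx, true, nil // step 459: continue the previous application
	}
	g.nextTx++
	tx := &Transaction{GatewayID: g.ID, TxCode: fmt.Sprintf("%s-%06d", g.ID, g.nextTx),
		AppType: appType, Expiry: expiry, CSR: m.CSR}
	digest := sha256.Sum256(signedBytes(*tx))
	sig, err := rsa.SignPKCS1v15(rand.Reader, g.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, false, err
	}
	tx.Signature = sig
	g.pending[m.UserID] = pendingEntry{msgHash: h, tx: tx}
	return tx, false, nil
}

// Complete forgets the pending application once the certificate went back to the device (step 486).
func (g *Gateway) Complete(userID string) { delete(g.pending, userID) }

// VerifyTransaction is the CA server's check that a certificate request message
// comes from the registered gateway whose public key it holds.
func VerifyTransaction(tx *Transaction, gatewayID string, pub *rsa.PublicKey) error {
	if tx.GatewayID != gatewayID {
		return errors.New("gateway identification data does not match")
	}
	digest := sha256.Sum256(signedBytes(*tx))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tx.Signature)
}

func main() {
	g, err := NewGateway("GW-0001") // invented gateway identification data
	if err != nil {
		panic(err)
	}
	msg := ApplicationMessage{UserID: "user-42", DeviceID: "NAS-0001", SiteName: "nas.example.test", CSR: []byte("<DER PKCS#10>")}
	tx, _, _ := g.Handle(msg, "new application", "2014-12-27T23:59:59Z")
	_, resumed, _ := g.Handle(msg, "new application", "2014-12-27T23:59:59Z")
	fmt.Println(tx.TxCode, "retry resumed:", resumed, "CA accepts:", VerifyTransaction(tx, "GW-0001", g.PublicKey()) == nil)
}
```

Because the hash covers the whole application message including the CSR, a device that re-sends the stored message of FIG. 4B after losing the response maps to the same transaction code instead of causing a second issuance, while an application with a different site name or key opens a new transaction.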

If message processing module 370 of registration gateway 300 determines that network device 200 has no unfinished certificate application, or that it has one but the certificate application message received by gateway transmission module 350 differs from the one network device 200 sent in its previous application, network device 200 needs a new device certificate. Request verification module 360 of registration gateway 300 then verifies the certificate application message (step 455), and message processing module 370 generates the certificate request message once the message has passed that verification (step 460). Request verification module 360 uses the preset signature algorithm to verify the signature on the certificate signing request contained in the certificate application message, which shows that the user holds the private key corresponding to the public key; it also checks that the OU and CN fields of the request subject match the device identification data and the website name of the web management interface of network device 200, checks that the public key in the certificate signing request has the correct length, checks the quality of the key against the Debian weak keys list, and checks whether the public key is a duplicate.
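The device-side construction of the certificate signing request in step 420 and the gateway-side checks of step 455 can both be demonstrated with Go's standard library. The following program is an added example, not code from the patent: `BuildCSR` stands in for request processing module 220 and `VerifyCSR` for request verification module 360. The password-based PKCS#12 storage of the private key is not shown, the Debian weak-key list is replaced by a constructed blacklist of public-key fingerprints, and the 2048-bit minimum key length and the device and site names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
)

// BuildCSR is the device side of step 420: generate an RSA key pair and wrap
// the public key in a PKCS#10 request with subject "OU=<device id>, CN=<site
// name>", signed with the new private key using SHA256withRSA. The password-
// encrypted PKCS#12 storage of the private key is not shown.
func BuildCSR(deviceID, siteName string, bits int) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{OrganizationalUnit: []string{deviceID}, CommonName: siteName},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// GatewayPolicy is what request verification module 360 compares a CSR with in
// step 455. WeakKeys stands in for the Debian weak-key blacklist and SeenKeys
// for public keys already bound to an issued certificate; both are sets of
// SubjectPublicKeyInfo fingerprints constructed for this example.
type GatewayPolicy struct {
	MinRSABits int
	WeakKeys   map[string]bool
	SeenKeys   map[string]bool
}

// Fingerprint is the hex SHA-256 of a DER-encoded SubjectPublicKeyInfo.
func Fingerprint(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}

// VerifyCSR runs the gateway's checks in order: the request's own signature
// proves the applicant holds the private key, OU and CN must name the
// registered device and site, and the key must be RSA, long enough, not
// blacklisted and not already in use. The first failing check is reported.
func VerifyCSR(der []byte, deviceID, siteName string, p GatewayPolicy) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession: %w", err)
	}
	if csr.SignatureAlgorithm != x509.SHA256WithRSA {
		return nil, errors.New("signature algorithm is not SHA256withRSA")
	}
	if csr.Subject.CommonName != siteName {
		return nil, errors.New("CN does not match the registered site name")
	}
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != deviceID {
		return nil, errors.New("OU does not match the device identification data")
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	if pub.N.BitLen() < p.MinRSABits {
		return nil, fmt.Errorf("RSA modulus is %d bits, need at least %d", pub.N.BitLen(), p.MinRSABits)
	}
	fp := Fingerprint(csr.RawSubjectPublicKeyInfo)
	if p.WeakKeys[fp] {
		return nil, errors.New("public key is on the weak-key blacklist")
	}
	if p.SeenKeys[fp] {
		return nil, errors.New("public key was already used in another certificate")
	}
	return csr, nil
}

func main() {
	der, _, err := BuildCSR("NAS-0001", "nas.example.test", 2048) // invented device id and site name
	if err != nil {
		panic(err)
	}
	policy := GatewayPolicy{MinRSABits: 2048, WeakKeys: map[string]bool{}, SeenKeys: map[string]bool{}}
	if csr, err := VerifyCSR(der, "NAS-0001", "nas.example.test", policy); err != nil {
		panic(err)
	} else {
		fmt.Println("accepted:", csr.Subject.String())
	}
	_, err = VerifyCSR(der, "NAS-0001", "other.example.test", policy)
	fmt.Println("wrong site name:", err)
}
```

The signature check comes first because every later check reads fields of the request; without proof of possession an attacker could submit someone else's public key under a registered device name and, if the CA issued for it, cause the gateway to bind that key to the user's site.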

Returning to FIG. 4A, after message processing module 370 of registration gateway 300 has generated the certificate request message (step 460), gateway transmission module 350 of registration gateway 300 can transmit it to certificate authority server 100 and wait for certificate authority server 100 to return the issued device certificate (step 470). In this embodiment it is assumed that, as shown in the flow of FIG. 4E, while transmitting the certificate request message to certificate authority server 100 (step 471) gateway transmission module 350 checks whether the connection to certificate authority server 100 was abnormally interrupted (step 475). If so, message processing module 370 can resend the generated certificate request message to certificate authority server 100 through gateway transmission module 350, or gateway transmission module 350 can itself resend it (step 471). If not, the connection between registration gateway 300 and certificate authority server 100 was not interrupted, and after certificate authority server 100 issues the device certificate of network device 200, gateway transmission module 350 receives the device certificate returned by certificate authority server 100 (step 479).

Returning to FIG. 4A, after gateway transmission module 350 of registration gateway 300 has received the device certificate returned by certificate authority server 100, it can pass the received device certificate back to network device 200 (step 486).

In practice, before gateway transmission module 350 of registration gateway 300 passes the received device certificate back to network device 200 (step 486), certificate verification module 380 of registration gateway 300 can verify it. In this embodiment it is assumed that certificate verification module 380 parses the root certificate, the intermediate certificate and the user certificate out of the device certificate received by gateway transmission module 350 according to the preset PKCS#7 format, parses each certificate according to the preset RFC 5280 format, and then verifies the certificate chain of the device certificate, that is, links the user certificate through the intermediate certificate to the root certificate, to confirm that the user certificate can be trusted and that the root certificate was issued by certificate authority server 100. Certificate verification module 380 then compares the OU and CN fields of the subject of the user certificate with the OU and CN fields of the certificate signing request in the certificate request message, compares the expiry date of the user certificate with the expiry date computed by message processing module 370 of registration gateway 300, and checks that the public key in the user certificate is the public key of the certificate signing request in the certificate request message.

Once the device certificate received by gateway transmission module 350 of registration gateway 300 has passed verification by certificate verification module 380 of registration gateway 300, gateway transmission module 350 can transmit the verified device certificate to network device 200.

After device transmission module 250 of network device 200 receives the device certificate transmitted by registration gateway 300, certificate verification module 280 of network device 200 can verify it (step 491). In this embodiment it is assumed that certificate verification module 280 parses the root certificate, the intermediate certificate and the user certificate out of the device certificate received by device transmission module 250 according to the preset PKCS#7 format, parses each certificate according to the preset RFC 5280 format, and then verifies the certificate chain of the device certificate, that is, links the user certificate through the intermediate certificate to the root certificate, to confirm that the user certificate can be trusted and that the root certificate was issued by certificate authority server 100. Certificate verification module 280 then compares the OU and CN fields of the subject of the user certificate with the OU and CN fields of the subject of the certificate signing request, and checks that the public key in the user certificate pairs with the private key generated and stored by request processing module 220 of network device 200.
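The chain and consistency checks of certificate verification module 380 (before step 486) and certificate verification module 280 (step 491) are shown in the following Go program, an added example that is not part of the patent. Because the standard library does not unpack PKCS#7 bundles, the hypothetical `VerifyIssued` takes the root, intermediate and user certificates already separated; `DemoChain` is a constructed stand-in for certificate authority server 100 with invented CA names, so that the example runs offline, and `NewDeviceKey` is the key generation of step 420. The expected expiry is passed as a zero time on the device side, which computes none, and as the date from step 464 on the gateway side.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Expected is what the verifier knew before the certificate arrived: subject and
// public key of the CSR and, on the gateway only, the expiry computed in step 464.
type Expected struct {
	DeviceID, SiteName string
	PublicKey          *rsa.PublicKey
	NotAfter           time.Time // zero on the device, which computes none
}

// VerifyIssued checks an issued device certificate: the bundled root must be the
// root obtained out of band from the CA server, the user certificate must chain
// through the intermediate to it under RFC 5280 rules, and its subject, public
// key and (when known) expiry must match the request.
func VerifyIssued(leaf, inter, root, trustedRoot *x509.Certificate, want Expected, now time.Time) error {
	if !root.Equal(trustedRoot) {
		return errors.New("root certificate in the bundle is not the CA server's root")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if leaf.Subject.CommonName != want.SiteName ||
		len(leaf.Subject.OrganizationalUnit) != 1 || leaf.Subject.OrganizationalUnit[0] != want.DeviceID {
		return errors.New("OU/CN do not match the certificate signing request")
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(want.PublicKey) {
		return errors.New("public key is not the one from the device's key pair")
	}
	if !want.NotAfter.IsZero() && !leaf.NotAfter.Equal(want.NotAfter) {
		return fmt.Errorf("expiry %v differs from the computed %v", leaf.NotAfter, want.NotAfter)
	}
	return nil
}

// NewDeviceKey is the RSA key generation of step 420 on the device.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// issue signs tmpl with the parent's key (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoChain is a constructed stand-in for certificate authority server 100: it builds
// root -> intermediate -> device certificate for devicePub, valid from notBefore to notAfter.
func DemoChain(deviceID, siteName string, devicePub *rsa.PublicKey, notBefore, notAfter time.Time) (leaf, inter, root *x509.Certificate, err error) {
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore.AddDate(0, 0, -1), NotAfter: notBefore.AddDate(10, 0, 0),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	interKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	if root, err = issue(ca("Demo Root CA", 1), nil, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if inter, err = issue(ca("Demo Issuing CA", 2), root, &interKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{OrganizationalUnit: []string{deviceID}, CommonName: siteName},
		DNSNames:     []string{siteName},
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, devicePub, interKey)
	return leaf, inter, root, err
}

func main() {
	devKey, _ := NewDeviceKey()
	exp := time.Date(2014, 12, 27, 23, 59, 59, 0, time.UTC)
	leaf, inter, root, _ := DemoChain("NAS-0001", "nas.example.test", &devKey.PublicKey, exp.AddDate(-1, 0, 0), exp)
	want := Expected{"NAS-0001", "nas.example.test", &devKey.PublicKey, exp}
	fmt.Println("gateway check:", VerifyIssued(leaf, inter, root, root, want, exp.AddDate(0, -6, 0)))
}
```

The comparison against a separately held trusted root is the check that matters most: a chain that verifies to whatever root happens to be in the bundle proves nothing, since an attacker on the path can supply a complete chain of their own.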

Once the device certificate received by device transmission module 250 of network device 200 has passed verification by certificate verification module 280 of network device 200, certificate verification module 280 can store the verified device certificate so that network device 200 can start using it (step 495). In this embodiment it is assumed that certificate verification module 280 installs the key pair generated by request processing module 220 of network device 200 together with the user certificate and the intermediate certificate from the device certificate into the web management interface of network device 200 according to the settings of that interface, and deletes the certificate application message previously stored by request processing module 220.

In this way, with the invention, the user of network device 200 need only trigger a certificate application event in the management interface to complete installation of the certificate for the web management interface, so that network device 200 can offer SSL connections.

In summary, the invention differs from the prior art in the following technical means: after a certificate application event is triggered on a network device, the network device generates a certificate application message and transmits it to a registration gateway; the registration gateway generates a certificate request message from the certificate application message and its gateway identification data and transmits it to a certificate authority server; and after the certificate authority server returns the issued device certificate to the registration gateway, the registration gateway transmits the device certificate to the network device for use. These means solve the problem in the prior art that the certificate application process requires user intervention, and so achieve the technical effect of making it convenient for users to apply for certificates.

Furthermore, the method for automatically completing a certificate application of the invention may be implemented in hardware, in software, or in a combination of hardware and software, and may be implemented in a centralized manner in one computer system or in a distributed manner, with different elements spread over several interconnected computer systems.

Although embodiments of the invention have been disclosed above, they are not intended to directly limit the scope of patent protection of the invention. Any modification of the form and details of the practice of the invention made by a person of ordinary skill in the art to which the invention belongs, without departing from the spirit and scope disclosed, falls within the scope of patent protection of the invention. The scope of patent protection of the invention is defined by the appended claims.

100‧‧‧certificate authority server
200‧‧‧network device
220‧‧‧request processing module
230‧‧‧identity confirmation module
250‧‧‧device transmission module
280‧‧‧certificate verification module
300‧‧‧registration gateway
310‧‧‧storage medium
350‧‧‧gateway transmission module
360‧‧‧request verification module
370‧‧‧message processing module
380‧‧‧certificate verification module
Step 402‧‧‧certificate authority server provides gateway identification data to registration gateway
Step 411‧‧‧network device determines whether certificate application status indicates an application in progress
Step 415‧‧‧network device records certificate application status as application in progress
Step 420‧‧‧network device generates certificate application message when certificate application event is triggered
Step 431‧‧‧network device verifies identity of user of network device
Step 435‧‧‧network device transmits certificate application message to registration gateway
Step 440‧‧‧registration gateway checks eligibility to apply for certificate
Step 451‧‧‧registration gateway determines from user identification data in certificate application message whether network device has an unfinished certificate application
Step 453‧‧‧registration gateway determines whether certificate application message is identical to previous application
Step 455‧‧‧registration gateway verifies certificate application message
Step 459‧‧‧registration gateway continues previous application
Step 460‧‧‧registration gateway generates certificate request message from certificate application message and gateway identification data
Step 462‧‧‧determine application type of device certificate from user identification data in certificate application message
Step 464‧‧‧compute expiry date of device certificate
Step 466‧‧‧generate transaction message containing application type and expiry date
Step 468‧‧‧sign transaction message
Step 470‧‧‧registration gateway transmits certificate request message to certificate authority server and waits for certificate authority server to return issued device certificate
Step 471‧‧‧registration gateway transmits certificate request message to certificate authority server
Step 475‧‧‧registration gateway determines whether connection to certificate authority server was abnormally interrupted
Step 479‧‧‧registration gateway receives device certificate issued by certificate authority server
Step 486‧‧‧registration gateway transmits device certificate to network device
Step 491‧‧‧network device verifies device certificate
Step 495‧‧‧network device stores and uses device certificate

FIG. 1 is a network architecture diagram for automatically completing a certificate application according to the present invention.
FIG. 2 is a component diagram of the network device for automatically completing a certificate application according to the present invention.
FIG. 3 is a component diagram of the registration gateway for automatically completing a certificate application according to the present invention.
FIG. 4A is a flow chart of the method for automatically completing a certificate application according to the present invention.
FIG. 4B is a flow chart of an additional method for generating the certificate application message according to the present invention.
FIG. 4C is a flow chart of an additional method for generating the certificate request message according to the present invention.
FIG. 4D is a flow chart of an additional method for generating the certificate request message according to the present invention.
FIG. 4E is a flow chart of an additional method for receiving the device certificate according to the present invention.

Step 402: The certificate management server provides gateway identification data to the registration gateway

Step 420: The network device generates a certificate application message when a certificate application event is triggered

Step 435: The network device transmits the certificate application message to the registration gateway

Step 440: The registration gateway checks eligibility for the certificate application

Step 460: The registration gateway generates a certificate request message from the certificate application message and the gateway identification data

Step 470: The registration gateway transmits the certificate request message to the certificate management server and waits for the certificate management server to return the issued device certificate

Step 486: The registration gateway transmits the device certificate to the network device

Step 491: The network device verifies the device certificate

Step 495: The network device stores and uses the device certificate
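The registration gateway's part of this procedure (steps 440 through 470), together with the unfinished-application handling and the transaction-code retry that the reference numerals describe (steps 451, 453, 459, 475 and 479), as an added Go example. It is not code from the patent or from the applicant; the patent fixes neither a wire format nor a signature scheme, so the message field names, the JSON encoding, the ECDSA signature over the request, the eligibility policy and the user and gateway names are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ApplicationMessage: the device's certificate application message (steps 420, 435); field names are assumed.
type ApplicationMessage struct {
	UserID   string `json:"user_id"`
	DeviceID string `json:"device_id"`
}

// RequestMessage: the gateway's certificate request message (steps 460-468). The transaction code lets a
// resent request be matched to the first attempt (claim 6); Signature is ECDSA over SHA-256 of the JSON of the rest.
type RequestMessage struct {
	GatewayID       string             `json:"gateway_id"`
	TransactionCode string             `json:"transaction_code"`
	ApplicationType string             `json:"application_type"`
	ExpiresAt       time.Time          `json:"expires_at"`
	Application     ApplicationMessage `json:"application"`
	Signature       []byte             `json:"-"` // not part of what is signed
}

// Gateway holds the gateway identification data (step 402), an eligibility policy giving application
// type and certificate lifetime (steps 440, 462, 464), and each user's unfinished application (steps 451-459).
type Gateway struct {
	ID      string
	Key     *ecdsa.PrivateKey
	policy  func(userID string) (appType string, lifetime time.Duration, err error)
	pending map[string]RequestMessage
}

func NewGateway(id string, policy func(string) (string, time.Duration, error)) *Gateway {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Gateway{ID: id, Key: k, policy: policy, pending: map[string]RequestMessage{}}
}

func digestOf(v interface{}) [32]byte {
	b, _ := json.Marshal(v) // struct field order is fixed, so equal values give equal bytes
	return sha256.Sum256(b)
}

// HandleApplication implements steps 440-468 and claim 4. The bool reports that an unfinished application
// with identical content was resumed under its original transaction code, so a retry or replay gets no second certificate.
func (g *Gateway) HandleApplication(msg ApplicationMessage, now time.Time) (RequestMessage, bool, error) {
	if p, ok := g.pending[msg.UserID]; ok && digestOf(p.Application) == digestOf(msg) {
		return p, true, nil // step 459: continue the previous application
	}
	appType, lifetime, err := g.policy(msg.UserID) // step 440: refuse ineligible users
	if err != nil {
		return RequestMessage{}, false, err
	}
	code := make([]byte, 16)
	rand.Read(code) // crypto/rand.Read cannot return an error since Go 1.24; it aborts instead
	req := RequestMessage{GatewayID: g.ID, TransactionCode: hex.EncodeToString(code),
		ApplicationType: appType, ExpiresAt: now.Add(lifetime).UTC(), Application: msg}
	sum := digestOf(req)
	if req.Signature, err = ecdsa.SignASN1(rand.Reader, g.Key, sum[:]); err != nil {
		return RequestMessage{}, false, err
	}
	g.pending[msg.UserID] = req // a different application from the same user replaces the old one
	return req, false, nil
}

// Complete closes the application once the device certificate came back (step 479).
func (g *Gateway) Complete(userID string) { delete(g.pending, userID) }

// VerifyRequest is the certificate management server's check of the gateway signature.
func VerifyRequest(pub *ecdsa.PublicKey, req RequestMessage) bool {
	sum := digestOf(req)
	return ecdsa.VerifyASN1(pub, sum[:], req.Signature)
}

// DemoPolicy is an assumed eligibility table for this example.
func DemoPolicy(userID string) (string, time.Duration, error) {
	if userID != "alice" {
		return "", 0, errors.New("unknown user")
	}
	return "device", 365 * 24 * time.Hour, nil
}

func main() {
	gw := NewGateway("gw-01", DemoPolicy)
	msg := ApplicationMessage{UserID: "alice", DeviceID: "device-0001"}
	first, _, _ := gw.HandleApplication(msg, time.Now())
	again, resumed, _ := gw.HandleApplication(msg, time.Now()) // the device retried
	fmt.Println(first.TransactionCode == again.TransactionCode, resumed, VerifyRequest(&gw.Key.PublicKey, first))
}
```

The pending-application key is the user identification data, as in claim 4, while the "same message" test of step 453 compares the whole application message. A second application from the same user with different content therefore starts a new request and, in this example, silently replaces the unfinished one; the patent only says a new request is generated, so the replacement is a choice made here. A production gateway should at least log that case, since a differing application arriving under the same user ID while one is in flight is also what an attacker racing a legitimate enrollment would send.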

Claims (10)

1. A method for automatically completing a certificate application, the method comprising at least the following steps: a certificate management server provides gateway identification data to a registration gateway; a network device generates a certificate application message when a certificate application event is triggered; the network device transmits the certificate application message to the registration gateway; the registration gateway generates a certificate request message from the certificate application message and the gateway identification data; the registration gateway transmits the certificate request message to the certificate management server and waits for the certificate management server to return an issued device certificate; the registration gateway transmits the device certificate to the network device; and the network device stores and uses the device certificate.

2. The method for automatically completing a certificate application of claim 1, further comprising the steps of the network device checking a certificate application status; when the certificate application status does not indicate that the network device is in the middle of a certificate application, generating the certificate application message, recording the certificate application status as indicating that the network device is in the middle of a certificate application, and transmitting the certificate application message to the registration gateway; and when the certificate application status indicates that the network device is in the middle of a certificate application, transmitting the certificate application message directly to the registration gateway.

3. The method for automatically completing a certificate application of claim 1, further comprising, before the step of the registration gateway transmitting the device certificate to the network device and before the step of the network device storing and using the device certificate, the steps of the registration gateway or the network device determining that a root certificate of the device certificate is correct, determining that device identification data in the device certificate matches the network device, and determining that a certificate public key in the device certificate is paired with the key.

4. The method for automatically completing a certificate application of claim 1, further comprising the steps of the registration gateway determining the certificate application status of the network device from user identification data in the certificate application message; when the network device has an unfinished certificate application and the certificate application message is the same as the certificate application message of the unfinished application, the registration gateway continuing to complete the previous application; and when the network device has an unfinished certificate application and the certificate application message differs from the certificate application message of the unfinished application, generating the certificate request message from the certificate application message.

5. The method for automatically completing a certificate application of claim 1, further comprising, before the step of the registration gateway generating the certificate request message from the certificate application message, the step of the registration gateway determining the application type of the corresponding device certificate from user identification data in the certificate application message, and/or calculating the expiration date of the device certificate.

6. The method for automatically completing a certificate application of claim 1, further comprising, after the step of the registration gateway transmitting the certificate request message and the gateway identification data to the certificate management server, the step of, upon determining that the connection to the certificate management server has been abnormally interrupted, retransmitting the certificate request message so as to re-request the device certificate from the certificate management server by means of a transaction code contained in the certificate application signal.

7. The method for automatically completing a certificate application of claim 1, wherein the step of the network device using the device certificate is the network device using the device certificate as identity identification data, or the network device using the device certificate to provide a web service.

8. A network device for automatically completing a certificate application, the network device being connected to a certificate management server through a registration gateway, the network device comprising at least: a request processing module for generating a certificate application message when a certificate application event is triggered; a device transmission module for transmitting the certificate application message to the registration gateway, so that the registration gateway requests the certificate management server to issue a device certificate according to the certificate application message, and for receiving the device certificate returned by the registration gateway; and a certificate verification module for verifying the device certificate and storing the device certificate that passes verification, so that the network device can use the verified device certificate.

9. A registration gateway for automatically completing a certificate application, for connecting a network device and a certificate management server, the registration gateway comprising at least: a storage medium for storing gateway identification data provided by the certificate management server; a gateway transmission module for receiving a certificate application message transmitted by the network device when a certificate application event is triggered; and a message processing module for generating a certificate request message from the certificate application message and the gateway identification data; wherein the gateway transmission module is further for transmitting the certificate request message to the certificate management server, so that the certificate management server issues a device certificate, and for transmitting the device certificate returned by the certificate management server to the network device.

10. The registration gateway for automatically completing a certificate application of claim 9, wherein the message processing module is further for determining the application type of the corresponding device certificate from user identification data in the certificate application message, and/or for calculating the expiration date of the device certificate.
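The device-side check of step 491 and claim 3, as an added Go example; this is not code from the patent or the applicant. Claim 3 names three checks before the device stores the certificate: the root certificate is correct, the device identification data in the certificate matches the device, and the certificate's public key is paired with the device's key. The example stands a throwaway root CA built with crypto/x509 in for the certificate management server, assumes that the device identification data is carried in the subject common name (the patent does not say where it is carried), and goes beyond the claim's wording by also showing what each check rejects: a certificate chained to a root the device does not trust, a certificate for another device, and a certificate over someone else's key. Key, CA and device names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with signer; parent == tmpl and signer owning pub gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a line above; cannot fail
	return c
}

// Templates are constructed for this example; the device identification data is assumed to
// be carried in the subject CN.
func rootTemplate(now time.Time, name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func deviceTemplate(now time.Time, deviceID string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
}

// VerifyDeviceCert is the network device's check before it stores the certificate (step 491,
// claim 3): the chain ends in a trusted root, the device identification data matches this
// device, and the certificate's public key pairs with the device's own private key.
func VerifyDeviceCert(cert *x509.Certificate, roots *x509.CertPool, deviceID string, devKey *ecdsa.PrivateKey) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("root certificate check failed: %w", err)
	}
	if cert.Subject.CommonName != deviceID {
		return fmt.Errorf("device identification mismatch: certificate names %q, this device is %q", cert.Subject.CommonName, deviceID)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&devKey.PublicKey)	{
		return errors.New("certificate public key is not paired with the device key")
	}
	return nil
}

// Demo plays the certificate management server and a rogue issuer, then runs the device-side
// check on one genuine certificate and three that a subverted gateway might hand back.
func Demo() (good, wrongRoot, wrongID, wrongKey error) {
	now := time.Now()
	rootKey, devKey := newKey(), newKey()
	rt := rootTemplate(now, "Example Device Root CA")
	root := issue(rt, rt, &rootKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the root the device was provisioned with
	const deviceID = "device-0001"
	// Genuine: issued by the trusted root, for this device ID, over this device's key.
	genuine := issue(deviceTemplate(now, deviceID, 2), root, &devKey.PublicKey, rootKey)
	// Same device and key, but issued under a root the device does not trust.
	rogueKey := newKey()
	rg := rootTemplate(now, "Rogue CA")
	rogue := issue(rg, rg, &rogueKey.PublicKey, rogueKey)
	byRogue := issue(deviceTemplate(now, deviceID, 3), rogue, &devKey.PublicKey, rogueKey)
	// Trusted root, but a certificate meant for another device.
	otherID := issue(deviceTemplate(now, "device-0002", 4), root, &devKey.PublicKey, rootKey)
	// Trusted root and right device ID, but bound to someone else's key.
	otherKey := issue(deviceTemplate(now, deviceID, 5), root, &newKey().PublicKey, rootKey)
	return VerifyDeviceCert(genuine, roots, deviceID, devKey), VerifyDeviceCert(byRogue, roots, deviceID, devKey),
		VerifyDeviceCert(otherID, roots, deviceID, devKey), VerifyDeviceCert(otherKey, roots, deviceID, devKey)
}

func main() {
	good, wrongRoot, wrongID, wrongKey := Demo()
	fmt.Printf("genuine: %v\nrogue root: %v\nother device: %v\nother key: %v\n", good, wrongRoot, wrongID, wrongKey)
}
```

The third check is the one that matters most for the gateway-in-the-middle design of this patent: the gateway never sees the device's private key, so a certificate it forwards can only be usable by the device if the public key inside it is the device's own, and the device can establish that without trusting the gateway at all. Claim 3 stops at the three checks shown; a production device would also pin the expected issuer rather than any root in its store, check key usage and extended key usage against how it intends to use the certificate (claim 7), and prefer a subject alternative name over the CN as the carrier of the device identity.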
TW103125916A 2014-07-29 2014-07-29 Network device, register gateway and method for finishing applying certificate automatically TWI533654B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW103125916A TWI533654B (en) 2014-07-29 2014-07-29 Network device, register gateway and method for finishing applying certificate automatically

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW103125916A TWI533654B (en) 2014-07-29 2014-07-29 Network device, register gateway and method for finishing applying certificate automatically

Publications (2)

Publication Number Publication Date
TW201605219A true TW201605219A (en) 2016-02-01
TWI533654B TWI533654B (en) 2016-05-11

Family

ID=55809759

Family Applications (1)

Application Number Title Priority Date Filing Date
TW103125916A TWI533654B (en) 2014-07-29 2014-07-29 Network device, register gateway and method for finishing applying certificate automatically

Country Status (1)

Country Link
TW (1) TWI533654B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI775405B (en) * 2021-04-23 2022-08-21 臺灣網路認證股份有限公司 Credential management system for automatic network domain verification and method thereof


Also Published As

Publication number Publication date
TWI533654B (en) 2016-05-11
