How to use encryption Lock to realize identity Authentication of WEB Program

2025-03-26 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article explains how to use an encryption lock to implement identity authentication for a WEB program. The editor found it practical and shares it here; read on.

A brief introduction to the Elite 5 encryption lock identity authentication scheme

The Elite 5 identity authentication component (Virbox WebServer) is a local Web service running on the user's computer (no Internet access is needed). It exposes a Web interface to the Elite 5 encryption lock. A Web application of B/S (browser/server) architecture only needs to embed the code that calls this interface (a cross-origin request to the local service) in its page code to reach the lock, read the lock information and perform identity authentication.

Unlike the COM component approach to accessing the lock, the Web interface provided by this product can be called from JavaScript, so developers need no additional skills to complete the integration, and it is compatible with the mainstream browsers on the market (IE, Chrome, 360, Firefox, etc.).

Features of the scheme

1. Rapid development

Complete interface documentation, components and sample code help developers finish the encryption scheme quickly.

2. Security scheme

Authentication data signed by the encryption lock's private key cannot be forged. Whether the server talks to the client over HTTPS or HTTP, and whether the transmitted data is plaintext or ciphertext, the authentication data itself stays secure. The transport still matters for everything else: the session established after a successful check is only as private as the channel carrying it, so HTTPS remains the recommended choice for the site.

3. Double verification

User name and password login can be used at the same time to authenticate the client user's account; combined with hardware encryption lock authentication this gives two-factor authentication.

4. Compatible with multiple browsers

Elite 5 identity authentication scheme is compatible with mainstream browsers

Product architecture

B/S server: the server side of the developer's B/S architecture application (website), which provides services to users.

Browsers (client): users visit websites with specified domain names through browsers, including the mainstream browsers: IE, Chrome, 360 Security Browser, 360 Fast Browser, Cheetah Browser, etc.

Virbox WebServer: the core authentication component, which provides a Web interface for accessing the encryption lock.

Virbox user tools: access Elite 5 encryption locks, cloud locks and soft locks, and provide an abstract lock-access interface (covering hardware locks, cloud locks and soft locks).

Elite 5 encryption lock: the physical medium of identity authentication. It contains a unique device private key and produces an unforgeable device signature. Each Elite 5 encryption lock generates a globally unique key and certificate in its security chip before leaving the factory, and the key cannot be copied or exported from the hardware, which makes forging an authentication much harder.

Note: Virbox WebServer cannot communicate with the Elite 5 encryption lock directly; it accesses the lock indirectly through the Virbox user tools, so both Virbox WebServer and the Virbox user tools (the latest version can be downloaded from the official website) must be installed when deploying the software in the runtime environment.

Encryption scheme

The Elite 5 identity authentication scheme relies on the fact that the unique private key of the lock device cannot be tampered with or cloned: the lock signs with its private key, and the server verifies with the lock's public key.

Prerequisites for basic scheme

The encryption lock information (shell number, chip number, device certificate) has been saved on the B/S server side.

B/S server

When a client accesses the B/S server through a browser page, the server first verifies the legitimacy of the client:

1. The server records the client's session GUID.

2. The server generates verification data from the combination of session GUID + random number + current UTC time and computes its hash with a hash algorithm; this is what the client will be asked to sign.

3. The server returns the verification data to the client and waits for the client to sign the hash of the verification data with the private key of the local encryption lock and return the lock information together with the signature.

4. The server verifies the legitimacy of the lock: it checks that the lock information uploaded by the client (shell number, chip number) matches the records in its database.

5. The server verifies the validity of the data: having confirmed that the lock is a registered one, it verifies the signature against the hash of the verification data using the device public key from the stored certificate. Only when the signature verifies is the client's current lock considered valid.

Client

The user accesses certain business functions of the B/S server through a browser page on the client. When the server needs to verify the legitimacy of the client, the client hands the data returned by the server to the local Elite 5 hardware lock for signing and returns the signature to the server for verification:

1. The client obtains the encryption lock information (shell number, chip number, device certificate) through the Virbox WebServer interface.

2. The client has the encryption lock sign the authentication data returned by the server with the lock's private key, again through the Virbox WebServer interface.

3. The client sends the encryption lock information and the private-key signature to the server for verification.

Dual authentication scheme

On top of the basic scheme, the B/S server can use user name and password login at the same time to authenticate the client user's account, and combine it with hardware encryption lock authentication to achieve two-factor authentication.

When the client needs to carry out certain sensitive operations, encryption lock authentication is performed, and only after it passes is the client allowed to perform the business function.

Security

The security of Elite 5 identity authentication is guaranteed by the encryption scheme and by the Elite 5 hardware encryption lock itself.

As described above, in Virbox identity authentication the server generates unique, non-replayable authentication data for each client and delivers it to the client over the network. The client signs the authentication data with the private key of the encryption lock and submits the result to the B/S server, which checks it.

Both the generation of the authentication data and the verification of the signature happen on the server. The authentication data signed by the client with the encryption lock's private key cannot be forged, so whether the server uses HTTPS or HTTP and whether the transmitted data is plaintext or ciphertext does not affect the security of the authentication data. It does affect what surrounds the signature: over plain HTTP an attacker on the path can read or hijack the session granted after a successful check, so the site itself should still be served over HTTPS.

Developers only need to ensure the following two properties of the authentication data generated by the B/S server:

Uniqueness. Each client gets its own authentication data.

Anti-replay. The authentication data is valid for a single use and expires after a time limit; it is cleared immediately after verification so that it cannot be reused.

Function integration

Developers refer to the example (web_server_test.html) to integrate the JS code that calls Virbox WebServer into the pages of their business functions, triggering the relevant API calls where the business process requires.

We provide developers with installation packages for Virbox WebServer and the user tools, as well as Virbox WebServer interface documentation and sample code (C#, Java). To get the development package, please contact the technical service personnel.

Developers need to refer to the sample program to complete the following tasks:

1. The B/S server generates the authentication data and calls a standard cryptography interface to perform the public key verification.

2. Data storage and verification logic are provided by the B/S server according to the encryption scheme.

3. The server implements account and password login and the related data storage.

4. The server records the officially issued encryption lock information.

5. The client calls the Virbox WebServer interface to obtain the encryption lock information and submits it to the server.

6. The server implements the check of the validity of the client's encryption lock data.

Tasks 1, 2, 4, 5 and 6 make up the basic scheme; the dual authentication scheme adds task 3.

Environment deployment: installing components

The following components need to be installed on the user's computer:

Virbox user tools: developers can download the latest version from the official website.

Authentication component (Virbox WebServer): contact the technical service personnel for the latest release.

Deployment verification

Insert the Elite 5 hardware lock into the user's computer.

Open the test page (web_server_test.html) in the browser and click "query WebServer version number"; the current version number of the authentication service should be returned. If nothing is returned or an error is shown, troubleshoot according to the FAQs.

Compatible browsers

Browser                                     Supported   Remarks
IE                                          Yes         IE8, IE9, IE10, IE11
Edge                                        Yes
Chrome                                      Yes
QQ Browser                                  Yes
Firefox                                     Yes         HTTPS requires the certificate to be added to the trust list
360 Extreme Browser, 360 Security Browser   Yes

FAQs

HTTPS and HTTP protocol selection

The protocol of Virbox WebServer must match that of the B/S server. If the browser accesses the domain over HTTPS and the returned page integrates the Virbox WebServer API, the running Virbox WebServer must also use HTTPS (a call from an HTTPS page to a plain-HTTP service is mixed content, which browsers may block); otherwise the JS code integrated in the page returns a failure. Conversely, if the browser accesses the domain over HTTP, the Virbox WebServer deployed on the client needs to be set to HTTP.

Virbox WebServer currently supports both HTTPS and HTTP, but only one protocol can be selected while the current version of the service runs. The default configuration is HTTPS. Developers can edit the configuration file (websrv_config.ini) in the installation directory, change protocol=HTTPS to protocol=HTTP, save the file and restart "VirboxWebServer"; the new configuration takes effect as soon as the service restarts.

Note: the default Virbox WebServer installation directory is C:\Program Files (x86)\senseshield\ss_web

Is the certificate compatible with mainstream browser clients when HTTPS is selected?

Under HTTPS, Virbox WebServer uses a self-signed certificate and adds its root certificate to the Trusted Root Certification Authorities store of Windows certificate management during installation. All browsers that use the Windows certificate store (IE, Edge, Chrome, the 360 browsers) can access the Web interface normally without a certificate warning.

Firefox does not use the Windows certificate store. In the current version the user must open the Web API provided by Virbox WebServer manually once; when the certificate warning appears, add the certificate to the trust list, otherwise the cross-origin JS API call from the page will return a failure.

Does Virbox WebServer support cross-host access?

With the HTTP protocol set, Virbox WebServer supports cross-host access by IP address. Keep in mind that this exposes the lock's signing interface to every host that can reach the port, so restrict it to a trusted network or block it at the host firewall.

With the HTTPS protocol set, Virbox WebServer only supports local access to the Web interface using the localhost domain name; other domain names and cross-host IP access are not supported.

Long wait for the browser's first HTTPS request

When Virbox WebServer is set to HTTPS, the first request, whether the interface address is entered directly in the browser or the interface is called from JS, has to establish the HTTPS connection and validate the certificate, so it takes noticeably longer; please wait. From the second request on, the response time is just the actual processing time of the API.

Slow access also occurs when a different browser accesses the Virbox WebServer interface for the first time.

Suggestions: 1. Make it clear in the page that the function is still running in the background and ask the user to wait. 2. Switching to HTTP removes the slow first request, but only do so where the transport security trade-off is acceptable.

That is how to use an encryption lock to implement identity authentication for a WEB program; the editor believes some of these points will come up in daily work. For more details, please follow the industry information channel.
