Security certificate gateway

Abstract

The invention discloses a security certificate gateway, comprising a client crypto module, a client business module, a service business module and a service crypto module, wherein the client business module is used as an agent of an application client and used for calling the client crypto module and the service business module interactively to build an encrypted connection; and the service business module is used for calling the service crypto module and the service business module to build a secure encrypted channel. Based on the high-strength identity authentication service, the high-strength data link encryption service and the digital signature and authentication service of a digital certificate, the gateway provided by the invention effectively protects secure access of network resources, and supports B/S applications of a hypertext transport protocol (HTTP) and hypertext transfer protocol secure (HTTPS) as well as common C/S applications of a file transfer protocol (FTP), a remote desktop and the like.

Description

Technical field: [0001] The invention relates to a network security technology, in particular to a gateway for improving network security. Background technique: [0002] With the rapid development of the network, network applications have been widely used due to their high efficiency and convenience, such as online securities, online banking, e-government, e-commerce, corporate remote office, etc. More and more important businesses are handled online, and more and more important information is transmitted in the network. How to protect the safe access of these important resources and the safe transfer of important data are important issues faced by network applications, but the usual network applications There are the following security risks: [0003] There is no effective identity authentication mechanism: the weak authentication method of user name + password is generally adopted. This mode of authenticating users has great hidden dangers, which are specifically manifest...

AI Technical Summary

Problems solved by technology

[0007] 1. The application cannot obtain the digital certificate information of the accessing user: the general SSL connection can only provide verification of the user's certificate and encrypt the transmitted data, but cannot parse user information (username, ID card, user unit, etc.) from the digital certificate ), so the application cannot perform more subtle identity authentication or secondary development on the user based on the certificate information

[0008] 2. There is no effective log record and audit function for the accessed users, access time, accessed client IP, accessed resources, etc.

[0009] 3. The general SSL secure connection service and the application itself are installed on the same server. Because the encryption and decryption operations of the SSL secure connection service itself occupy a large amount of server CPU resources, the CPU resources for the application itself are insufficient, resulting in processing The efficiency is greatly reduced

[0010] 4. Single protection for HTTP: Due to the limitations of the SSL protocol, general SSL can only transform HTTP into HTTPS, but is invalid for other TCP / IP protocols, that is, it can only be applied to B / S architecture and cannot Network transmission applied to C / S architecture

Images