HTTPS bidirectional authentication to build mobile device security system

Source: Internet
Author: User

HTTPS bidirectional authentication to build mobile device security system

For enterprise projects with high security requirements, we sometimes want to be able to authenticate clients. At this point we can use the two-way authentication mechanism of HTTPS to implement this function.

One-way authentication: Ensure that the server is true and that the channel is secure (symmetric key);
Two-way authentication: To ensure that the client and server are true, the channel is secure (symmetric key);

To implement such a complete security system, a CA or OpenSSL self-built CA is required to manage the signing of client certificates. As the project requirements scenario may be, a front-end Web site dedicated to the issuance of certificates, e-mail to download the client certificate mail to the mobile side, the user clicks the link in the Mail download certificate, one-time valid, unable to repeat the download.

Mobile apps can continue to log in using the account, the server will verify the relationship between the account and the client certificate, so that the user account and device binding, user account can only be installed on the user's client certificate of the mobile side login.

The technical details here are Nginx's request for authentication through the client certificate, which add_header the client certificate information into the backend. The server verifies that the user-client certificate correspondence is correct before processing the request.

Nginx is set ssl_client_certificate to your CA certificate path, so Nginx will only receive client certificates that have been issued.

Enabled ssl_verify_client,则开启双向认证 .

There are some variables in nginx that can be used $ssl_client_cert (full certificate), (the $ssl_client_s_dn subject name of the client certificate), $ssl_client_serial (the serial number your CA has issued-their certificate) $ssl_client_verify (which you should check for SUCCESS) . We're all over. Add_header can take these variables to the backend server for processing

HTTPS bidirectional authentication to build mobile device security system

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.