CN104580189B - A kind of safe communication system - Google Patents
- Publication number
- CN104580189B (application number CN201410849875.9A)
- Authority
- CN
- China
- Prior art keywords
- encryption
- network server
- certificate
- connection
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a secure communication system comprising a secure browser device and a network server. The secure browser device comprises a browser main-service scheduling module and an encryption subprocess module. The encryption subprocess of the encryption subprocess module acts as a connection proxy that converts a first encrypted channel into a second encrypted channel and forwards data between them, and the encryption subprocess module establishes an encrypted connection with the network server and communicates over it. This ensures the secure transmission of service data, reduces the risk of service data leakage, and improves the security and reliability of service data transmission.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a secure communication system.
Background art
A browser is a piece of software that displays the HTML content served by a web server or a file system and lets the user interact with that content. A browser mainly uses the HTTP protocol to interact with the web server and fetch pages, and renders images, animation, text, video, sound and streaming media for the user; it is regarded as one of the most widely used client-side programs. Common PC browsers include Microsoft's IE, Apple's Safari, Google's Chrome, the 360 Secure Browser and the Sogou high-speed browser.
With the rapid development of the Internet, web applications have become a trend: more and more applications, such as online securities trading, online banking, e-government, e-commerce and online office work, are delivered through the browser. As a result, more and more important information flows over the network. The authentication mechanisms of web applications in the browser are weak, however, and security risks such as plaintext transmission seriously hinder the development of informatization. How to protect this data in transit is therefore a major problem that the browser faces when delivering web applications.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a secure communication system that overcomes, or at least partially solves, the above problems.
According to one aspect of the present invention, a secure communication system is provided, comprising a secure browser device and a network server. The network server establishes an encrypted connection with the secure browser device and communicates over it, and, after the encrypted connection is successfully established, exchanges service data with the secure browser device over a second encrypted channel. The secure browser device comprises a browser main-service scheduling module and an encryption subprocess module. The browser main-service scheduling module starts, in the browser client, the encryption subprocess module of the encryption subprocess that communicates with the browser main service process; the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them. The encryption subprocess module comprises a proxy submodule, which listens for the browser main service process, obtains the first connection request sent by that process and, after the encrypted connection communication is successfully established, forwards service data between the first encrypted channel and the second encrypted channel; and a secure-connection submodule, which, in accordance with the first connection request, establishes encrypted connection communication between the encryption subprocess and the network server. The first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the network server.
In this embodiment the encryption subprocess acts as a proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them, so that a secure encrypted channel is successfully established between the browser main service process and the network server. This ensures the secure transmission of service data, reduces the risk of service data leakage, and improves the security and reliability of service data transmission. Moreover, because this function is implemented by the browser, while the user is using the browser client the client can automatically start the encryption subprocess and establish a secure channel between the main service process and the network server. This improves the security and reliability of the data flow between the browser and the network server and makes a secure browser achievable.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made clearer, specific embodiments of the present invention are set out below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for implementing a secure browser according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method for implementing a secure browser according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the proxy mechanism of the encryption subprocess according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the handshake procedure between the encryption subprocess and the network server according to an embodiment of the invention;
Fig. 5 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 6 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 7 shows a structural block diagram of the encryption subprocess module provided according to an embodiment of the invention; and
Fig. 8 shows a structural block diagram of the browser main-service scheduling module provided according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiment one:
Referring to Fig. 1, a flow chart of the steps of a method for implementing a secure browser according to an embodiment of the invention is shown. The method may comprise the following steps.
Step 102: start, in the browser client, an encryption subprocess that communicates with the browser main service process, where the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them.
Some websites, such as bank websites and the Alipay website, involve financial services and need to transmit encrypted data over an HTTP (Hypertext Transfer Protocol) channel whose aim is security. The browser main service process and the network server, however, sometimes use different cryptographic protocols or algorithms, so that the two cannot communicate directly and the pages of that network server cannot be accessed.
This embodiment provides a secure browser client in which an encryption subprocess that communicates with the browser main service process is also provided. For the secure browser to be realized, the encryption subprocess that communicates with the browser main service process must first be started in the browser client. The encryption subprocess mainly functions as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data. With the encryption subprocess acting as the proxy of the main service process, it can carry out encrypted secure communication with the browser main service process and can also carry out encrypted secure communication with the network server. For example, service data of the browser main service process is sent to the encryption subprocess over the first encrypted channel, and the encryption subprocess transmits that service data to the network server over the second encrypted channel, thereby forwarding the data and joining the two encrypted channels.
It should be noted that, under normal conditions, the browser main service process communicates directly with the network server. When communication is to take place over an HTTP channel whose aim is security, however, and the main service process cannot parse the data returned by the network server, the encryption subprocess is started and connected as a proxy; that is, the encryption subprocess acts as the proxy between the main service process and the network server. In this embodiment the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess therefore converts the first encrypted channel, between itself and the main service process, into the second encrypted channel, between itself and the network server, and so realizes the connection proxy between the main service process and the network server. Naturally, for service data that the main service process sends to the encryption subprocess over the first encrypted channel, the encryption subprocess can send that service data to the network server over the second encrypted channel.
Step 104: the encryption subprocess listens for the browser main service process and obtains the first connection request sent by the browser main service process.
The encryption subprocess listens for the browser main service process so as to obtain, at the earliest moment, the first connection request that the browser main service process sends. In a specific implementation, the encryption subprocess may listen for the browser main service process on a service port. When the encryption subprocess hears the first connection request arrive, it receives the first connection request sent by the main service process. The first connection request sent by the browser main service process may in particular carry service data.
Step 106: in accordance with the first connection request, the encryption subprocess establishes encrypted connection communication with the network server.
After the encryption subprocess receives the first connection request sent by the main service process, it establishes encrypted connection communication with the network server in accordance with that request. Establishing encrypted connection communication between the encryption subprocess and the network server means that the encryption subprocess and the network server carry out security authentication to confirm that each is a secure and legitimate communicating party, and thus establish a channel for secure communication.
It should be noted that the encryption subprocess establishes encrypted connection communication with the network server while also being able to communicate with the main service process, so the encryption subprocess holds a connection to each of the two ends, the main service process and the network server, and the encrypted connection communication can serve as the bridge over which the two ends exchange data.
Step 108: after the encrypted connection communication is successfully established, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel.
The first encrypted channel described in this embodiment is the secure communication channel between the browser main service process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess successfully establishing encrypted connection communication with the network server means that the encryption subprocess and the network server can send data to each other and that this data is encrypted, which ensures that the data flow is secure and reliable. The encryption subprocess can send the service data carried in the received first connection request to the network server. Specifically, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel: it receives service data over the first encrypted channel, decrypts it, re-encrypts it with the encryption method of the second encrypted channel's protocol, and sends it to the network server. In this way the service data is forwarded from the first encrypted channel to the second encrypted channel, which represents service data being forwarded from the main service process to the network server.
In this embodiment, an encryption subprocess that communicates with the browser main service process is first started in the browser client, the encryption subprocess acting as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data; the encryption subprocess then listens for the browser main service process and obtains the first connection request sent by that process; the encryption subprocess then establishes encrypted connection communication with the network server in accordance with the first connection request; and finally, after the encrypted connection communication is successfully established, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel. The first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. This embodiment thus uses the encryption subprocess as a proxy that converts the first encrypted channel into the second encrypted channel and forwards data, successfully establishing a secure encrypted channel between the browser main service process and the network server; this ensures the secure transmission of service data, reduces the risk of service data leakage, and improves the security and reliability of service data transmission. Moreover, because this function is implemented by the browser, while the user is using the browser client the client can automatically start the encryption subprocess and establish a secure channel between the main service process and the network server, which improves the security and reliability of the data flow between the browser and the network server and makes a secure browser achievable.
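The forwarding of steps 102 to 108 in working code, as an added example that is not part of the patent and not the applicant's implementation. It assumes two channels with distinct keys (K1 between the main service process and the encryption subprocess, K2 between the subprocess and the network server) and a constructed message format, nonce || ciphertext || tag, built from the Python standard library so that it runs offline: an HMAC-SHA256 keystream for confidentiality and an HMAC-SHA256 tag for integrity. That cipher is a stand-in for the protocols the patent leaves unspecified and is not a replacement for TLS; the point it demonstrates is that the subprocess is the only party that can open one channel and seal the other, and that a message from the wrong channel is rejected rather than decrypted to garbage.

```python
"""Channel conversion in an encryption subprocess (added example, not the patent's code)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


class TamperedMessage(Exception):
    """Raised when a message fails integrity checking on a channel."""


class Channel:
    """One encrypted channel between exactly two parties sharing `key` (constructed cipher)."""

    def __init__(self, key: bytes):
        # Separate encryption and authentication keys derived from one shared secret.
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def seal(self, plaintext: bytes, nonce: bytes = None) -> bytes:
        """Return nonce || ciphertext || tag; a fresh random nonce is used by default."""
        nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
        if len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be %d bytes" % NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, message: bytes) -> bytes:
        """Verify the tag in constant time before decrypting; reject anything that fails."""
        if len(message) < NONCE_LEN + TAG_LEN:
            raise TamperedMessage("message too short")
        nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise TamperedMessage("authentication tag mismatch")
        ks = self._keystream(nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


class EncryptionSubprocess:
    """The connection proxy of the patent: holds both channels and forwards between them.

    It is the only party that sees plaintext on both sides, which is why the
    patent keeps it in a separate process from the main service process.
    """

    def __init__(self, first: Channel, second: Channel):
        self.first = first    # first encrypted channel: to the browser main service process
        self.second = second  # second encrypted channel: to the network server

    def forward_to_server(self, from_main_process: bytes) -> bytes:
        plaintext = self.first.open(from_main_process)  # step 108: receive and decrypt on channel 1
        return self.second.seal(plaintext)              # re-encrypt for channel 2

    def forward_to_browser(self, from_server: bytes) -> bytes:
        plaintext = self.second.open(from_server)
        return self.first.seal(plaintext)


def demo() -> dict:
    """Push one constructed request and reply through the proxy; report what each end saw."""
    k1, k2 = os.urandom(32), os.urandom(32)             # constructed channel keys
    browser = Channel(k1)                               # browser end of channel 1
    server = Channel(k2)                                # server end of channel 2
    proxy = EncryptionSubprocess(Channel(k1), Channel(k2))

    request = b"POST /transfer HTTP/1.1\r\n\r\namount=100"   # constructed service data
    wire1 = browser.seal(request)
    wire2 = proxy.forward_to_server(wire1)
    server_saw = server.open(wire2)

    reply = b"HTTP/1.1 200 OK\r\n\r\nok"
    browser_saw = browser.open(proxy.forward_to_browser(server.seal(reply)))

    # A channel-1 message handed straight to the server is rejected: different key, tag fails.
    try:
        server.open(wire1)
        server_rejected_wire1 = False
    except TamperedMessage:
        server_rejected_wire1 = True
    return {"server_saw": server_saw, "browser_saw": browser_saw,
            "server_rejected_wire1": server_rejected_wire1}


if __name__ == "__main__":
    print(demo())
```

Because `open` checks the tag before touching the ciphertext, a flipped byte on either channel raises `TamperedMessage` instead of forwarding corrupted service data to the other end, which is the property the text's "secure and reliable data flow" depends on.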
Embodiment two:
Building on the above embodiment, this embodiment continues the discussion of the method for implementing a secure browser.
Referring to Fig. 2, a flow chart of the steps of a method for implementing a secure browser according to an embodiment of the invention is shown. The method may comprise the following steps.
Step 202: start, in the browser client, an encryption subprocess that communicates with the browser main service process, where the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them.
In this embodiment the encryption subprocess that communicates with the browser main service process may be started in the browser client automatically by the browser. Specifically, when communication between the browser main service process and the network server fails, the browser automatically starts the encryption subprocess; the encryption subprocess receives the first connection request of the main service process, processes the service data carried in the first connection request accordingly, and forms a proxy connection for the browser main service process.
In this embodiment the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess therefore converts the first encrypted channel, between itself and the main service process, into the second encrypted channel, between itself and the network server, and so realizes the connection proxy between the main service process and the network server. Naturally, for service data that the main service process sends to the encryption subprocess over the first encrypted channel, the encryption subprocess can send that service data to the network server over the second encrypted channel.
In this embodiment the browser main service process and the encryption subprocess use two modes of communication, proxying and IPC. The encryption subprocess acts as a connection proxy, responsible for converting the first encrypted channel with the browser main service process into the second encrypted channel to the network server and for forwarding data, while the IPC mode is responsible for passing data between the processes. The proxy mechanism of the encryption subprocess in this embodiment is shown in Fig. 3 and may comprise the following structure:
Main thread: reads the various configurations and creates the listening thread, the service thread and the IPC communication with the browser host process.
Listening thread: listens on the service port; when a connection request from the main service process is present and accept() succeeds, it performs the corresponding proxy operation.
Service-processing thread: establishes and maintains the respective encrypted channel connection with each of the two ends, the main service process and the network server, so as to act as the bridge for the data exchange between them.
Step 204: the encryption subprocess listens for the browser main service process and obtains the first connection request sent by the browser main service process.
The encryption subprocess listening for the browser main service process may specifically be realized as follows: the encryption subprocess creates a listening thread, and the listening thread listens for the browser main service process on a service port; when the listening thread hears the first connection request arrive, it receives the first connection request sent by the main service process. The first connection request sent by the browser main service process may in particular carry service data. The encryption subprocess listens for the browser main service process so as to obtain, at the earliest moment, the first connection request that the browser main service process sends.
Step 206: in accordance with the first connection request, the encryption subprocess establishes encrypted connection communication with the network server.
In this embodiment, establishing encrypted connection communication between the encryption subprocess and the network server in accordance with the first connection request may comprise the following sub-steps:
Sub-step one: after confirming that the first connection request has been received successfully, the encryption subprocess and the network server carry out, in turn, encryption data negotiation and certificate verification.
Sub-step two: after the encryption data negotiation is complete and the certificate verification has passed, the encrypted connection communication between the browser client and the network server is established.
It should be noted that the encryption data negotiation between the encryption subprocess and the network server in sub-step one may specifically be realized as follows. First, the encryption subprocess sends a client hello message to the network server; the client hello message contains first encryption data of the browser client, which includes several protocol versions. Second, the network server returns a server hello message to the encryption subprocess; the server hello message contains second encryption data of the server, which includes the protocol version selected from the first encryption data. The client hello message and the server hello message are used to determine the secure transmission capabilities of both sides, including attributes such as the protocol version, session identifier and cipher suite, and to generate and exchange random numbers.
The client hello message (ClientHello message) is the first message of the handshake protocol between the browser client and the network server. After the encryption subprocess sends the client hello message to the network server, it waits for the network server to return a Server Hello message. The structure of the message issued by the client is defined as follows:
1. client_version indicates the protocol version the client uses in this session, for example protocol version 1.1.
2. random is random information generated by the client; its content includes a timestamp and a random number.
3. session_id is the session identifier the client uses in this connection. session_id is a variable-length field whose value is determined by the server. If no reusable session identifier exists, or the client wishes to negotiate security parameters afresh, this field is empty; otherwise it indicates that the client wishes to reuse that session. The session identifier may be the identifier of a previous connection, of the current connection, or of another connection that is in the connected state. Once generated, a session identifier should remain unchanged until it is deleted on expiry or a connection associated with the session encounters a fatal error and is closed. When a session fails or is closed, all connections associated with it should be forcibly closed.
4. cipher_suites is the list of cipher suites supported by the client. The client should arrange the list in its order of preference, with the highest-priority cipher suite first. If the session identifier field is not empty, this field should at least include the cipher suite used by the session to be reused. Each cipher suite comprises a key exchange algorithm, an encryption algorithm and a checking (integrity) algorithm. The server selects a matching cipher suite from the list; if no cipher suite matches, it should return a handshake-failure alert message and close the connection.
5. compression_methods is the list of compression algorithms supported by the client. The client should arrange the list in its order of preference, with the highest-priority compression algorithm first. The server selects a matching compression algorithm from the list; the list must include the null compression algorithm, so that the client and server can always agree on a compression algorithm.
It should be noted that if the server can find a matching cipher suite in the client hello message, it sends the server hello message (Server Hello message) as its reply to the client hello message. If no matching cipher suite can be found, the server responds with an alert message.
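The ClientHello/ServerHello negotiation of sub-step one, carried through as an added example that is not the patent's code. The field names follow the list above (client_version, random, session_id, cipher_suites, compression_methods); the suite and version names are constructed. The text does not say whose preference wins when several suites match, so this example walks the client's list in its stated priority order and takes the first suite the server also supports, an assumption. It does enforce the three rules the text states: the highest common protocol version is chosen, a reused session keeps the cipher suite it was created with (and the client must still offer that suite), and the client must offer the null compression method; a failed negotiation raises `HandshakeFailure`, standing in for the handshake-failure alert after which the server closes the connection.

```python
"""ClientHello / ServerHello negotiation (added example, not the patent's code)."""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ClientHello:
    client_versions: List[str]      # protocol versions offered, e.g. ["1.1", "1.0"] (constructed)
    random: bytes                   # timestamp + random bytes generated by the client
    session_id: bytes               # b"" when no reusable session exists
    cipher_suites: List[str]        # client's preference order, best first
    compression_methods: List[str]  # must contain "null"


@dataclass
class ServerHello:
    server_version: str
    random: bytes
    session_id: bytes
    cipher_suite: str
    compression_method: str
    resumed: bool


class HandshakeFailure(Exception):
    """Stands in for the handshake_failure alert; the server then closes the connection."""


def _version_key(version: str):
    return tuple(int(part) for part in version.split("."))


class ServerNegotiator:
    """Server side of the hello exchange; holds the session cache that makes session_id meaningful."""

    def __init__(self, versions: List[str], cipher_suites: List[str],
                 compression_methods: List[str]):
        if "null" not in compression_methods:
            raise ValueError("server must support the null compression method")
        self.versions = versions
        self.cipher_suites = cipher_suites
        self.compression_methods = compression_methods
        self.sessions: Dict[bytes, Dict[str, str]] = {}  # session_id -> negotiated parameters

    def negotiate(self, hello: ClientHello) -> ServerHello:
        if "null" not in hello.compression_methods:
            raise HandshakeFailure("client must offer the null compression method")

        common = [v for v in hello.client_versions if v in self.versions]
        if not common:
            raise HandshakeFailure("no common protocol version")
        version = max(common, key=_version_key)

        # Session reuse: only the server's own cache decides whether an id is valid.
        if hello.session_id and hello.session_id in self.sessions:
            params = self.sessions[hello.session_id]
            if params["cipher_suite"] not in hello.cipher_suites:
                raise HandshakeFailure("reused session's cipher suite was not offered")
            return ServerHello(version, os.urandom(32), hello.session_id,
                               params["cipher_suite"], params["compression"], True)

        # New session: first suite in the client's priority order that the server supports.
        suite = next((s for s in hello.cipher_suites if s in self.cipher_suites), None)
        if suite is None:
            raise HandshakeFailure("no matching cipher suite")
        compression = next(c for c in hello.compression_methods
                           if c in self.compression_methods)  # "null" guarantees a match

        session_id = os.urandom(16)
        self.sessions[session_id] = {"cipher_suite": suite, "compression": compression}
        return ServerHello(version, os.urandom(32), session_id, suite, compression, False)
```

An unknown or expired session_id is not an error: the server simply falls through to a full negotiation and issues a fresh identifier, which is what the text's "otherwise negotiate security parameters" describes from the server's side.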
It should be noted that the certificate verification carried out in turn between the encryption subprocess and the network server in sub-step one may specifically comprise: the encryption subprocess performing one-way certificate verification of the network server; or the encryption subprocess and the network server performing two-way certificate verification.
In another embodiment of the invention, when two-way authentication with digital certificates is carried out, the encryption subprocess pops up a certificate selection box and displays in it the information of each user certificate that the browser has loaded on the terminal; the user certificate selected by the user is received through the certificate selection box.
The method further comprises: the encryption subprocess displays a password entry message prompting the user to enter the protection password corresponding to the user certificate; the encryption subprocess receives the protection password entered by the user, verifies it, and, on confirming that the protection password is correct, confirms that the user has the right to use the user certificate.
In this embodiment, in order to guarantee the security of the website being accessed and of the user, the CA issues different website certificates to different websites, and issues different user certificates to the different users of each website. A digital certificate contains the information of the website or user, the public key of the website or user, a digital signature, and similar content.
During mutual authentication the encryption subprocess can pop up a certificate selection box in the browser client and display in it the information of each user certificate the browser has loaded on the terminal; it receives the user certificate selected by the user through the certificate selection box. After the user selects a user certificate, the encryption subprocess displays a password entry message prompting the user to enter the protection password corresponding to the user certificate, for example a personal identification number (PIN). The encryption subprocess receives the protection password entered by the user and verifies it; that is, the protection password authenticates the user's identity and confirms whether the user has the right to use the user certificate, so that after the protection password is correctly entered and confirmed, the user is confirmed to have the right to use the user certificate. Furthermore, the user certificate and protection password can be used as authentication data in the user-certificate authentication process and sent to the network server.
Optionally, further includes: the encryption subprocess prompts user to be inserted into security key storage hardware by prompt information,
User certificate is stored in the security key storage hardware;It is close that the encryption subprocess call driver detects the safety
Key storage hardware;After detecting the security key storage hardware, the encryption subprocess obtains the security key storage
The information of the user certificate stored in hardware.
When the browser client loads a user certificate, the encryption subprocess first prompts the user, through a prompt message, to insert the security key storage hardware. The security key storage hardware, i.e. a USB Key, is a hardware device with a USB interface and a built-in single-chip microcontroller or smart card chip. It has a certain amount of storage space and can store the user's private key and digital certificate, and the public key algorithm built into the USB Key is used to authenticate the user's identity. Since the user's private key is stored in the password-locked device and in theory cannot be read out by any means, the security of user authentication is ensured.
The encryption subprocess identifies the security key storage hardware through the driver and performs the cryptographic operations of the two-way certificate authentication process according to the double-certificate carrier in the hardware. For example, if two-way authentication is required during SSL connection establishment, the encryption subprocess prompts the user to insert the security key storage hardware, i.e. the USBKey device. After the user inserts the security key storage hardware it is recognised automatically and a certificate selection dialog box pops up, prompting the user to select a certificate. To recognise the security key storage hardware automatically, the encryption subprocess relies on two key entries in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device in a format similar to that used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX. The browser associates the vendorid and productid of the USBKey device with the corresponding driver to complete the relevant operations. The browser stores neither the PIN entered by the user nor the private key information in the USBKey. The detailed process is as follows: first connect to the USBKey device; then open the corresponding application (Application), which is determined by the user's selection; then open the corresponding container (Container), which is also determined by the user's selection; then verify the PIN code (Personal Identity Number), prompting for re-entry after a verification error; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device and disconnect.
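The following is an added example and not code from the patent: it shows how a browser component could match a plugged-in USB Key against the two CSP registry values named above (SKFImagePath and TokenVidPid, parsed in the VID_XXXX&PID_XXXX form) and then walk the SKF session sequence just described, re-prompting for the PIN after an error and closing the device on every path. The registry entry, the USB enumeration strings and the SKF device are constructed stand-ins; no real SKF library is loaded, and the private key never leaves the (fake) token.

```python
"""Added example (not from the patent): CSP registry matching and SKF session flow."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# TokenVidPid follows the Enum\USB naming: VID_XXXX&PID_XXXX, four hex digits each.
_VIDPID = re.compile(r"^VID_([0-9A-F]{4})&PID_([0-9A-F]{4})$", re.IGNORECASE)


def parse_vidpid(text: str) -> Tuple[int, int]:
    """Parse 'VID_XXXX&PID_XXXX' into (vendor_id, product_id); reject anything else."""
    m = _VIDPID.match(text.strip())
    if not m:
        raise ValueError("not a VID/PID string: %r" % text)
    return int(m.group(1), 16), int(m.group(2), 16)


def find_skf_library(csp_entry: Dict[str, str], enumerated_usb: List[str]) -> Optional[str]:
    """Automatic identification: return SKFImagePath when TokenVidPid matches a device."""
    wanted = parse_vidpid(csp_entry["TokenVidPid"])
    for entry in enumerated_usb:
        try:
            if parse_vidpid(entry) == wanted:
                return csp_entry["SKFImagePath"]
        except ValueError:
            continue  # unrelated enumeration entries (hubs, HID devices) are skipped
    return None


class PinLocked(Exception):
    """Raised when the token's PIN retry counter is exhausted."""


@dataclass
class FakeSkfDevice:
    """Constructed in-memory token: only certificates can be exported, never the key."""
    pin: str
    containers: Dict[Tuple[str, str], Tuple[bytes, bytes]]  # (app, container) -> (sign, enc)
    retries_left: int = 3
    connected: bool = False

    def connect(self) -> None:
        self.connected = True

    def verify_pin(self, pin: str) -> bool:
        if self.retries_left == 0:
            raise PinLocked("PIN locked")
        if pin != self.pin:
            self.retries_left -= 1
            if self.retries_left == 0:
                raise PinLocked("PIN locked")
            return False
        return True

    def export_certificates(self, app: str, container: str) -> Tuple[bytes, bytes]:
        return self.containers[(app, container)]

    def close(self) -> None:
        self.connected = False


def load_certificates(dev: FakeSkfDevice, app: str, container: str,
                      ask_pin: Callable[[], str], max_prompts: int = 3) -> Dict[str, bytes]:
    """SKF sequence: connect, open the user-chosen application/container, verify the
    PIN (re-prompt on error), export signing then encryption certificate, close.
    The PIN is only ever held in a local for the duration of verify_pin."""
    dev.connect()
    try:
        if (app, container) not in dev.containers:
            raise KeyError("no such application/container")
        for _ in range(max_prompts):
            if dev.verify_pin(ask_pin()):
                break
        else:
            raise PermissionError("PIN not verified")
        sign_cert, enc_cert = dev.export_certificates(app, container)
        return {"signing": sign_cert, "encryption": enc_cert}
    finally:
        dev.close()  # always disconnect, whether or not the PIN was accepted
```

The `try`/`finally` mirrors the last step of the sequence (close the device and disconnect) and guarantees it also runs when the PIN is locked or the container is missing, which is the behaviour a practitioner would want to test before trusting a token integration.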
1. One-way authentication
In an alternative example of an embodiment of the present invention, one-way certificate authentication of the network server by the encryption subprocess can specifically be accomplished as follows: first, the encryption subprocess receives the server-side certificate message sent by the network server, which contains the website signing certificate of the network server; second, the encryption subprocess authenticates the website signing certificate of the network server. The server-side certificate message (Server Certificate message) is described below. The network server needs to send a server-side certificate message to the client; this message always follows the server-side hello message. When the selected cipher suite uses the RSA, ECC or ECDHE algorithm, the content of the server-side certificate message is the server-side identity and the IBC public parameters, which the client and server use to negotiate the IBC public parameters. The relationship between the key exchange algorithm and the certificate key type is shown in Table 1.
| Key exchange algorithm | Certificate key type |
| --- | --- |
| RSA | RSA public key; the public key in the encryption certificate must be used |
| IBC | Server-side identity and IBC public parameters |
| IBSDH | Server-side identity and IBC public parameters |
| ECC | ECC public key; the public key in the encryption certificate must be used |
| ECDHE | ECC public key; the public key in the encryption certificate must be used |

Table 1. Relationship between key exchange algorithm and certificate key type
2. Two-way authentication
In an alternative example of an embodiment of the present invention, two-way certificate authentication between the encryption subprocess and the network server can specifically be accomplished as follows:
1) the encryption subprocess receives the server-side certificate message sent by the network server, which contains the website signing certificate of the network server;
2) the encryption subprocess receives the certificate request message sent by the network server, which indicates that client certificate authentication is to be performed;
3) the encryption subprocess receives the server-side key exchange message sent by the network server, which contains the key exchange parameters;
4) the encryption subprocess receives the server hello done message sent by the network server;
5) the encryption subprocess authenticates the website signing certificate;
6) after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, which contains the signing certificate of the browser client, so that the network server can authenticate that signing certificate.
In an alternative example of an embodiment of the present invention, the method further includes the step of key exchange: the encryption subprocess randomly generates a pre-master key according to the key exchange parameters, where the pre-master key is encrypted with the elliptic curve cryptography algorithm SM2 using the encryption public key of the network server; the encryption subprocess then generates a Client Key Exchange message using the pre-master key and sends it to the network server, so that the network server obtains the pre-master key.
In an optional example of an embodiment of the present invention, the method further includes the step of verifying the certificate signature, which specifically includes: the encryption subprocess obtains the signature check parameter computed from the website signing certificate, generates a client certificate verify message and sends it to the network server; the encryption subprocess sends a client change cipher spec message to the network server to indicate that negotiation of the encryption data is complete; the encryption subprocess sends a client handshake finished message to the network server; the encryption subprocess receives the server-side change cipher spec message sent by the network server, which indicates approval of the negotiated encryption data; and the encryption subprocess receives the server-side handshake finished message sent by the network server. Note that in every SSL handshake of the national cryptographic (GM) SSL connection procedure, the server certificate is strictly verified.
In this embodiment, the above encryption data negotiation, certificate authentication, key exchange and signature authentication are all executed in the handshake procedure between the encryption subprocess of the secure browser client and the network server. In this embodiment, two-way authentication uses a double-certificate mechanism: the asymmetric algorithm of the certificates is SM2, identity authentication is realised with the signing certificate based on ECDSA signatures, and key agreement is realised with the encryption certificate based on ECDH. The SM4 algorithm is used to encrypt data and the SM3 algorithm to digest data.
Here, the SM2 algorithm is an elliptic curve public key cryptographic algorithm with a key length of 256 bits. The SM3 algorithm is a cryptographic hash algorithm with a key length of 128 bits, and the SM4 algorithm is a block cipher with a block length of 128 bits and a key length of 128 bits.
As shown in Figure 4, the handshake procedure between the encryption subprocess and the network server includes:
4.02: The encryption subprocess sends the client hello message ClientHello to the network server.
4.04: The network server sends the server-side hello message ServerHello to the encryption subprocess of the secure browser client.
Here the network server looks for a matching cipher suite in the ClientHello message and sends ServerHello as the reply; if no matching cipher suite is found, it sends an alert message. In the ServerHello, server_version indicates the version number supported by the server, for example 1.1; random is the random number generated by the server side; session_id is the session identifier used by the server side; cipher_suites is the cipher suite chosen by the server side from the ClientHello message; and compression_methods is the compression algorithm chosen by the server side from the ClientHello message.
4.06: The network server sends the server-side certificate message Certificate to the encryption subprocess.
That is, the content of the ServerCertificate message is the signing certificate and the encryption certificate, such as the server-side website signing certificate (X.509 sequence).
4.08: The network server sends the certificate request message ServerRequest to the encryption subprocess.
The ServerRequest message asks the client to provide a certificate and at the same time specifies the authentication type (ECDSA).
4.10: The network server sends the server-side key exchange message ServerKeyExchange to the encryption subprocess.
ServerKeyExchange lets the client compute and generate the 48-byte pre-master key. The public key can be obtained directly from the server-side encryption certificate: the client randomly generates the pre-master key pre_master_secret and performs the ECDH operation using the public key of the server certificate.
4.12: The network server sends the server hello done message ServerHelloDone to the encryption subprocess.
ServerHelloDone signals that the hello message phase of the handshake is complete; the server then waits for the client's response messages.
4.14: The encryption subprocess sends the client certificate message Certificate to the network server.
That is, the ClientCertificate message is the first message after the hello message phase is completed and contains, for example, the client's signing certificate (X.509 sequence).
4.16: The encryption subprocess sends the client key exchange message ClientKeyExchange to the network server.
The ClientKeyExchange message carries the pre-master key encrypted with the public key of the network server.
4.18: The encryption subprocess sends the certificate verify message CertificateVerify to the network server.
The CertificateVerify message is used to prove that the client is the legitimate holder of the certificate. In this embodiment, after the user is prompted to insert the USBKey, the user is prompted to enter the protection password, and this message carries the verification of whether the user is legitimate. For example, the client signs the digest of the handshake information with ECDSA using the ECC private key of the signing certificate.
4.20: The encryption subprocess sends the client change cipher spec message ChangeCipherSpec to the network server.
That is, the ClientChangeCipherSpec message tells the server side that algorithm and key negotiation are complete.
4.22: The encryption subprocess sends the client handshake finished message Finished to the network server.
In this embodiment, the encryption subprocess computes master_secret from the client random number, the server-side random number and pre_master_secret using the key algorithm, then uses the random numbers and master_secret to compute the actual data encryption key; it then encrypts the digest of all handshake messages to form the ClientFinished message and sends it to the server side.
4.24: The network server sends the server-side change cipher spec message ChangeCipherSpec to the encryption subprocess.
4.26: The network server sends the server-side handshake finished message Finished to the encryption subprocess.
The server side verifies the client certificate and uses the client's signing certificate to verify the client's signature. The server uses its own encryption key to perform the ECDH operation and obtains pre_master_secret; it computes master_secret and the data encryption key with the same algorithm as the client, verifies the correctness of the Finished message, and sends the ServerChangeCipherSpec message to the client to signal its approval of the algorithm and key negotiation.
Through the above handshake procedure, mutual authentication of the browser client and the network server, key negotiation and so on are completed, so that the encryption subprocess and the network server can each encrypt application data with the negotiated key.
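The key schedule and Finished check behind steps 4.10 to 4.26 (and the key exchange and certificate verify steps described above the figure), run for both sides, as an added example that is not code from the patent. Constructed stand-ins, labelled as such: HMAC-SHA256 replaces the SM3-based key algorithm, the SM2/ECDH transport of the 48-byte pre-master key is replaced by handing the same bytes to both parties, and the handshake messages are short constructed byte strings. What the example shows beyond the text is why the Finished message matters: both sides derive identical keys, yet a single altered handshake message makes the Finished verification fail.

```python
"""Added example (not from the patent): master_secret, key block and Finished, both sides."""
import hashlib
import hmac
import secrets


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-based expansion (TLS-style P_hash); stand-in for the page's key algorithm."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def transcript_digest(messages) -> bytes:
    """Digest of all handshake messages so far, in order (stand-in for SM3)."""
    h = hashlib.sha256()
    for name, body in messages:
        h.update(name.encode() + b":" + body)
    return h.digest()


class Party:
    """One endpoint (encryption subprocess or network server) with its own transcript."""

    def __init__(self, side: str, client_random: bytes, server_random: bytes):
        self.side = side
        self.client_random, self.server_random = client_random, server_random
        self.transcript = []
        self.master_secret = None
        self.keys = None

    def record(self, name: str, body: bytes) -> None:
        self.transcript.append((name, body))

    def derive(self, pre_master_secret: bytes) -> None:
        # 4.22 / 4.26: master_secret from both randoms and pre_master_secret, then the
        # real data-encryption keys from the randoms and master_secret (128-bit, SM4-sized).
        self.master_secret = prf(pre_master_secret, b"master secret",
                                 self.client_random + self.server_random, 48)
        kb = prf(self.master_secret, b"key expansion",
                 self.server_random + self.client_random, 32)
        self.keys = {"client_write": kb[:16], "server_write": kb[16:]}

    def finished(self, label: bytes) -> bytes:
        # Finished = MAC, under master_secret, of the digest of every handshake message so far
        return prf(self.master_secret, label, transcript_digest(self.transcript), 12)

    def verify_finished(self, label: bytes, verify_data: bytes) -> bool:
        return hmac.compare_digest(self.finished(label), verify_data)


def run_handshake(client_random: bytes, server_random: bytes, pre_master_secret: bytes,
                  tamper: bool = False):
    """Replay the message order of Figure 4; returns (client, server, finished_ok)."""
    client = Party("client", client_random, server_random)
    server = Party("server", client_random, server_random)
    flight = [("ClientHello", client_random), ("ServerHello", server_random),
              ("Certificate", b"<server signing+encryption certs>"), ("ServerRequest", b"ECDSA"),
              ("ServerKeyExchange", b"<ecdh params>"), ("ServerHelloDone", b""),
              ("ClientCertificate", b"<client signing cert>"),
              ("ClientKeyExchange", b"<SM2-encrypted pre-master key>"),
              ("CertificateVerify", b"<ECDSA over transcript digest>")]
    for name, body in flight:
        client.record(name, body)
        # a differing copy on the server side models a message altered in transit
        server.record(name, body + b"!" if tamper and name == "ClientKeyExchange" else body)
    client.derive(pre_master_secret)
    server.derive(pre_master_secret)
    cf = client.finished(b"client finished")                  # 4.22
    ok = server.verify_finished(b"client finished", cf)
    client.record("ClientFinished", cf)
    server.record("ClientFinished", cf)
    sf = server.finished(b"server finished")                  # 4.26
    ok = ok and client.verify_finished(b"server finished", sf)
    return client, server, ok


if __name__ == "__main__":
    c, s, ok = run_handshake(secrets.token_bytes(32), secrets.token_bytes(32),
                             secrets.token_bytes(48))
    print("keys match:", c.keys == s.keys, "finished ok:", ok)
```

The two `record` calls per message are the point: each side hashes what it actually saw, so the Finished values only agree when the transcripts agree, which is what lets the server detect a modified ClientKeyExchange even though both sides hold the same pre-master secret.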
Step 208: After the encryption connection is successfully established, it is established as the second encrypted tunnel through which the encryption subprocess and the network server communicate securely.
Communication between the encryption subprocess and the network server in the second encrypted tunnel is encrypted. Specifically, the symmetric encryption algorithm SM4 can be used to encrypt the business data communicated in the second encrypted tunnel.
Step 210: The encryption subprocess creates a business processing thread; the business processing thread establishes connections with the first encrypted tunnel and the second encrypted tunnel respectively.
The business processing thread created by the encryption subprocess establishes connections to both the first encrypted tunnel, between the encryption subprocess and the main business process, and the second encrypted tunnel, between the encryption subprocess and the network server. The business processing thread acts as the bridge between the main business process and the network server and performs the data exchange between the two ends.
Step 212: After the encryption connection is successfully established, the encryption subprocess forwards business data between the first encrypted tunnel and the second encrypted tunnel.
In this embodiment, forwarding of business data by the encryption subprocess between the first encrypted tunnel and the second encrypted tunnel can specifically be accomplished as follows: the business processing thread receives, through the first encrypted tunnel, the first business data sent by the browser main business process; the business processing thread decrypts the first business data using the first symmetric algorithm to obtain the original business data; the business processing thread encrypts the original business data using the second symmetric algorithm to obtain the second business data; and the business processing thread sends the second business data to the network server through the second encrypted tunnel. Note that the above is the process by which the encryption subprocess converts data between the two channels during data communication.
In an alternative example of an embodiment of the present invention, the encryption subprocess and the browser main business process establish encrypted connection communication through a handshake procedure, and after the encrypted connection communication succeeds, the first encrypted tunnel through which the browser main business process and the encryption subprocess communicate securely is established. In that handshake procedure, two-way certificate authentication, key exchange and certificate verification are performed between the encryption subprocess and the browser main business process using a first asymmetric algorithm, and a symmetric key is generated in the key exchange process. Note that the first asymmetric algorithm may specifically be the RSA algorithm.
In an alternative example of an embodiment of the present invention, the implementation method of the secure browser further includes: the business processing thread encrypts the first connection request with the second symmetric algorithm to obtain a second connection request; the business processing thread sends the second connection request to the network server; the business processing thread receives the second connection reply fed back by the network server on the basis of the second connection request; and the second connection reply is decrypted with the second symmetric algorithm to obtain the first connection reply, which is fed back to the browser main business process.
Note that the detailed process of the business processing thread is as follows: (1) receive the agent data, specifically the HTTP request data of the agent connection; (2) carry out the SSL connection with the network server, which specifically includes establishing the SSL connection, negotiating the SSL protocol and algorithms, and verifying the client certificate (CRL checking or OCSP authentication); (3) interact with the web server, specifically sending the HTTP request data of the agent connection to the web server through the SSL channel of the encryption algorithm and obtaining the HTTP response of the web server; (4) send the data returned by the web server to the agent connection, specifically handing the HTTP response of the network server to the agent connection; (5) close the connection. If an error occurs in the business processing flow, the connection is closed and an error page is returned to the agent connection. Note that the second symmetric algorithm may specifically be a national cryptographic (GM) algorithm.
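The business processing thread's work for one request, covering Step 212, the connection request/reply exchange and the five-step flow just listed, as an added example that is not code from the patent: open the channel-1 record with the first symmetric algorithm, seal the plaintext for channel 2 with the second, relay the reply the other way, and on any failure hand back an error page and signal that the connection is to be closed. Constructed stand-ins, labelled as such: an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for SM4 and for the first-channel algorithm (each tunnel keyed independently), and the network server is an in-process callable rather than an SSL peer.

```python
"""Added example (not from the patent): re-encrypting bridge between two tunnels."""
import hashlib
import hmac
import secrets

# Constructed error page returned to the agent connection when processing fails.
ERROR_PAGE = b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n"


class Channel:
    """Authenticated symmetric channel; stand-in for the tunnel's symmetric algorithm."""

    def __init__(self, key: bytes):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, i = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            i += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        """nonce || ciphertext || tag (encrypt-then-MAC)."""
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def open(self, record: bytes) -> bytes:
        """Verify the tag before decrypting; any damage raises ValueError."""
        if len(record) < 32:
            raise ValueError("truncated record")
        nonce, ct, tag = record[:16], record[16:-16], record[-16:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def business_thread(ch1: Channel, ch2: Channel, first_business_data: bytes, network_server):
    """Steps (1) to (5): returns (channel-1 record for the main process, keep_open)."""
    try:
        original = ch1.open(first_business_data)      # (1) decrypt with the first symmetric algorithm
        second = ch2.seal(original)                    # (2)/(3) encrypt with the second symmetric algorithm
        reply = ch2.open(network_server(second))       # (3) the server's reply arrives on channel 2
        return ch1.seal(reply), True                   # (4) re-encrypt for the main business process
    except ValueError:
        return ch1.seal(ERROR_PAGE), False             # (5) error: return the error page and close


def make_server(ch2: Channel):
    """Constructed network server: answers on channel 2 with an echo of the request line."""
    def serve(record: bytes) -> bytes:
        request = ch2.open(record)
        body = b"echo:" + request.split(b"\r\n", 1)[0]
        return ch2.seal(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
    return serve
```

Two properties worth checking in a real bridge are visible here: a record damaged on channel 1 never reaches the server in any form (the tag check fails before re-encryption), and a record sealed for one tunnel cannot be opened on the other because the tunnels are keyed independently.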
Note that the use of SSL as a security technique to solve network application authentication and data security is widely accepted: mainstream browsers and network servers have built-in SSL modules, and professional SSL hardware products are also widely used. However, current SSL products all have certain limitations:
(1) Current SSL products generally use a single-certificate mechanism, whereas the double-certificate mechanism is the prevailing model for building PKI (Public Key Infrastructure) systems today. This embodiment performs identity authentication with the signing certificate and key exchange and protection with the encryption certificate, making full use of the advantages of PKI asymmetric keys.
(2) Current SSL products generally use symmetric algorithms published abroad, which do not meet security requirements and carry a certain risk. In this embodiment the symmetric algorithm of the cryptographic product uses the SM1 algorithm or the SM4 algorithm.
(3) The asymmetric algorithm of current certificates uses the RSA algorithm. The elliptic curve cryptography (ECC) used in this embodiment is a public key cryptosystem with higher security and higher efficiency than RSA. It provides the important cryptographic functions of encryption/decryption, digital signature and key agreement; it can safely and conveniently meet important information security needs such as user identity identification, authenticity verification of electronic information and confidential transmission in various information networks; it is a core technology of the information security field; it has gradually been adopted as a public key cryptography standard by many international and national standards organisations (IEEE P1363, ANSI X9, ISO/IEC, IETF and so on); and it will become one of the mainstream cryptographic techniques used by the information security industry. China has named its domestic ECC (ECDSA+ECDH) algorithm SM2.
The implementation method of the secure browser provided in this embodiment can realise a secure web browser that meets China's PKI mechanism and cryptographic product management policy, and plays a positive role in promoting the standardisation of internal security product management and the rapid growth of network applications.
As for the method embodiment, for simplicity of description it is expressed as a series of action combinations, but those skilled in the art should be aware that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Embodiment three
On the basis of the above embodiments, this embodiment also discloses a secure communication system.
Referring to Fig. 5, a structural block diagram of a secure communication system embodiment according to an embodiment of the invention is shown.
Referring to Fig. 6, a structural block diagram of the secure browser device in the secure communication system embodiment according to an embodiment of the invention is shown.
The secure communication system comprises a secure browser device 504 and a network server 502.
The network server 502 is used to establish encrypted connection communication with the secure browser device and, after the encrypted connection is successfully established, to exchange business data with the secure browser device through the second encrypted tunnel.
The secure browser device 504 comprises a browser main business scheduling module 50402 and an encryption subprocess module 50404.
The browser main business scheduling module 50402 is used to start, in the browser client, the encryption subprocess module of the encryption subprocess that communicates with the browser main business process, where the encryption subprocess acts as a connection agent to realise the conversion from the first encrypted tunnel to the second encrypted tunnel and data forwarding.
The encryption subprocess module 50404 comprises an agent submodule 504042, used to listen to the browser main business process and obtain the first connection request sent by it and, after the encrypted connection communication is successfully established, to have the encryption subprocess forward business data between the first encrypted tunnel and the second encrypted tunnel; and a secure connection submodule 504044, used for the encryption subprocess to establish encrypted connection communication with the network server according to the first connection request.
Here, the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server.
A number of websites, such as bank websites and the Alipay website, involve financial business and need to transmit encrypted data through an HTTP (Hypertext Transfer Protocol) channel with security as the goal. However, the browser main business process and the network server sometimes use different cryptographic protocols or algorithms, so the two cannot communicate directly and the web pages of the network server cannot be accessed.
In this embodiment a secure browser client is provided, in which an encryption subprocess communicating with the browser main business process is also provided. To realise the secure browser, the encryption subprocess communicating with the browser main business process must first be started in the browser client. The encryption subprocess functions mainly as a connection agent that realises the conversion from the first encrypted tunnel to the second encrypted tunnel and the forwarding of data. With the encryption subprocess acting as the agent of the main business process, it can both communicate securely and in encrypted form with the browser main business process and communicate securely and in encrypted form with the network server: for example, the business data of the browser main business process is sent to the encryption subprocess through the first encrypted tunnel, and the encryption subprocess transfers the business data to the network server through the second encrypted tunnel, realising data forwarding and the connection of the two encrypted tunnels.
Note that under normal conditions the main business process of the browser communicates directly with the network server; but when communicating through an HTTP channel with security as the goal, if the main business process cannot parse the data fed back by the network server, the encryption subprocess is started as the connection agent, that is, the encryption subprocess acts as the agent between the main business process and the network server. In this embodiment the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess therefore converts the first encrypted tunnel, between itself and the main business process, into the second encrypted tunnel, between itself and the network server, and so realises the connection agent between the main business process and the network server. For business data that the main business process sends to the encryption subprocess through the first encrypted tunnel, the encryption subprocess can send that business data to the network server through the second encrypted tunnel.
After the encryption subprocess receives the first connection request sent by the main business process, it establishes encrypted connection communication with the network server according to the first connection request. Establishing encrypted connection communication between the encryption subprocess and the network server means that the two perform security authentication to confirm that each is a secure and legitimate communicating party, and thereby establish a channel for secure communication. Note that since the encryption subprocess establishes encrypted connection communication with the network server and can also communicate with the main business process, the encryption subprocess establishes corresponding connections to both ends, the main business process and the network server, and the encrypted connection communication can serve as the bridge for data exchange between the two ends.
In this embodiment the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server.
That the encryption subprocess has successfully established encrypted connection communication with the network server means that data can be sent between the encryption subprocess and the network server and that these data are encrypted, ensuring that the data flow is secure and reliable. The encryption subprocess can send the business data in the received first connection request to the network server; specifically, the encryption subprocess forwards business data between the first encrypted tunnel and the second encrypted tunnel, that is, it receives business data through the first encrypted tunnel, decrypts it, encrypts it with the encryption method agreed for the second encrypted tunnel, and sends it to the network server. In this way the business data is forwarded from the first encrypted tunnel to the second encrypted tunnel, which represents forwarding of the business data from the main business process to the network server.
In this embodiment, the encryption subprocess communicating with the browser main business process is first started in the browser client, where the encryption subprocess acts as a connection agent to realise the conversion from the first encrypted tunnel to the second encrypted tunnel and data forwarding; then the encryption subprocess listens to the browser main business process and obtains the first connection request it sends; then, according to the first connection request, the encryption subprocess establishes encrypted connection communication with the network server; finally, after the encrypted connection is successfully established, the encryption subprocess forwards business data between the first encrypted tunnel and the second encrypted tunnel, where the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server. Using the encryption subprocess as an agent, this embodiment realises the conversion from the first encrypted tunnel to the second encrypted tunnel and data forwarding, successfully establishes a secure encrypted tunnel between the browser main business process and the network server, ensures the secure transmission of business data, reduces the risk of business data leakage, and improves the security and reliability of business data transmission. Moreover, because this embodiment realises the above functions through the browser, while the user is using the browser client the browser client can automatically start the encryption subprocess to establish a secure channel between the main business process and the network server and realise the above functions, improving the security and reliability of data exchange between the browser and the network server and thus achieving a secure browser.
In an alternative embodiment of the invention, agent sub-module 504042 listens to line for encryption subprocess creation
Journey;The intercepting thread listens to the main business process by serve port.
In an alternative embodiment of the invention, the secure connection submodule 504044, for confirming that described first connects
It connects after requesting to receive successfully, the encryption subprocess successively carries out encryption data negotiation with the network server and certificate is recognized
Card;After encryption data negotiation finishes and certificate verification passes through, the encryption of the browser client and network server is established
Connection communication.
The secure connection submodule 504044 sends client to the network server for the encryption subprocess
Hello messages, wherein the client hello message includes the first encryption data of the browser client, and described first adds
Ciphertext data includes several protocol versions;Receive the server-side hello messages of the network server feedback, wherein the service
End hello messages include the second encryption data of the server client, and second encryption data includes: from described first
The protocol version selected in encryption data;The network server 502 is used for the secure browser device back services
Hold hello messages.
The secure connection submodule 504044, for carrying out unidirectional certificate verification to the network server;Or, described
It encrypts subprocess and the network server carries out two-way certificate verification.
The agent sub-module 504042, is also used to create business processing thread;The business processing thread respectively with institute
It states the first encrypted tunnel and second encrypted tunnel establishes connection.
The agent sub-module 504042 is configured to use the business processing thread to receive, through the first encrypted tunnel, the first business data sent by the main business process; to decrypt the first business data using the first symmetric algorithm, obtaining the original business data; to encrypt the original business data using the second symmetric algorithm, obtaining the second business data; and to send the second business data to the network server through the second encrypted tunnel. The network server 502 is configured to receive the second business data sent by the secure browser through the second encrypted tunnel.
The network server 502 is configured to send the server-side certificate message of the network server to the secure browser, the server-side certificate message including the website signing certificate of the network server. In the secure browser device, the secure connection submodule 504044 is configured to receive the server-side certificate message sent by the network server; and the encryption subprocess authenticates the website signing certificate of the network server.
The network server 502 is configured to send the server-side certificate message of the network server to the secure browser, the server-side certificate message including the website signing certificate of the network server; to send a server-side key exchange message, the server-side key exchange message including key exchange parameters; to send a certificate verification request message, the certificate verification request message indicating that certificate verification of the client is to be carried out; to send a server-side hello done message; and to receive the client certificate message sent by the secure browser device and authenticate its signing certificate, the client certificate message including the signing certificate of the secure browser client. The secure connection submodule 504044 is configured for the encryption subprocess to receive the server-side certificate message sent by the network server; the encryption subprocess receives the server-side key exchange message sent by the network server; the encryption subprocess receives the certificate verification request message sent by the network server; the encryption subprocess receives the server-side hello done message sent by the network server; the encryption subprocess authenticates the website signing certificate; and after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, the client certificate message including the signing certificate of the browser client.
The secure connection submodule 504044 is also configured to randomly generate a pre-master key according to the key exchange parameters, wherein the pre-master key is encrypted using the encryption public key of the network server by means of the elliptic curve cryptography algorithm SM2; the encryption subprocess generates a client key exchange message using the pre-master key and sends it to the network server. The network server 502 is also configured to receive the key exchange message sent by the secure browser device and obtain the pre-master key from the key exchange message.
The secure connection submodule 504044 is also configured to obtain the signature check parameters calculated according to the website signing certificate, generate a client certificate verify message and send it to the network server; the encryption subprocess sends a client change cipher spec message to the network server, indicating that the negotiation of the encryption data is complete; the encryption subprocess sends a client handshake finished message to the network server; the encryption subprocess receives the server-side change cipher spec message sent by the network server, indicating that the server approves the negotiated encryption data; and the encryption subprocess receives the server-side handshake finished message sent by the network server. The network server 502 is also configured to successively receive the client certificate verify message, the client change cipher spec message and the client handshake finished message sent by the secure browser device, and to successively send the server-side change cipher spec message and the server-side handshake finished message to the secure browser device.
In the present embodiment, the secure browser client 504 uses the encryption subprocess module 50404 to act as a proxy for the browser main business scheduler module 50402, carrying out the SSL encrypted communication process with the network server 502 through a handshake procedure, including encryption data negotiation, certificate verification, key exchange and signature authentication. The specific handshake procedure is as shown in Fig. 4; for the related handshake messages and encryption algorithms, refer to the discussion in the second embodiment.
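The handshake sequence described above, from the client hello through the server-side handshake finished message, walked through by both ends as an added Go example; it is not part of the patent or of any product it describes. Its assumptions: RSA-OAEP replaces the SM2 public-key encryption of the pre-master key, HMAC-SHA256 over the running transcript replaces the unspecified master-key derivation and finished-message computation, the Certificate and CertificateVerify bodies are placeholders rather than real certificate data, and the tamper hook (the identity function in main) exists only to show how a reordered, truncated or altered server flight is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Msg is one handshake message, named as on the page.
type Msg struct{ Type string; Body []byte }

// Party is either end. Each keeps its own transcript of the messages it sent or
// accepted, so master key and Finished MACs agree only if both ends saw the same
// messages in the same order (assumption: the page does not define Finished).
type Party struct{ tr, mk []byte }

func (p *Party) send(ms ...Msg) []Msg {
	for _, m := range ms {
		p.tr = append(append(p.tr, m.Type...), m.Body...)
	}
	return ms
}

// recv enforces the message order the page lists before absorbing a flight;
// a missing or reordered message aborts the handshake.
func (p *Party) recv(ms []Msg, want ...string) error {
	for i, w := range want {
		if i >= len(ms) || ms[i].Type != w {
			return fmt.Errorf("message %d: expected %s", i, w)
		}
	}
	p.send(ms...)
	return nil
}

func (p *Party) hash() []byte { h := sha256.Sum256(p.tr); return h[:] }
func nonce() []byte          { b := make([]byte, 32); rand.Read(b); return b }

// mac is HMAC-SHA256, standing in for the page's unspecified key derivation.
func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, q := range parts {
		h.Write(q)
	}
	return h.Sum(nil)
}

// Handshake walks both ends through the page's message sequence with a fresh
// server encryption key pair. RSA-OAEP stands in for SM2 public-key encryption of
// the pre-master key (assumption); Certificate bodies are placeholders, not X.509.
// tamper is applied to the server's first flight in transit.
func Handshake(tamper func([]Msg) []Msg) ([]byte, error) {
	var c, s Party
	encKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	s.send(c.send(Msg{"ClientHello", nonce()})...)
	pub, _ := x509.MarshalPKIXPublicKey(&encKey.PublicKey)
	f1 := tamper(s.send(Msg{"ServerHello", nonce()}, Msg{"Certificate", []byte("server-cert")},
		Msg{"ServerKeyExchange", pub}, Msg{"CertificateRequest", nil}, Msg{"ServerHelloDone", nil}))
	if err := c.recv(f1, "ServerHello", "Certificate", "ServerKeyExchange",
		"CertificateRequest", "ServerHelloDone"); err != nil {
		return nil, err
	}
	srvPub, _ := x509.ParsePKIXPublicKey(f1[2].Body) // the key exchange parameters
	pk, ok := srvPub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("key exchange parameters are not an RSA public key")
	}
	pre := nonce() // random pre-master key; leaves the client only encrypted to pk
	cke, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, pre, nil)
	f2 := c.send(Msg{"Certificate", []byte("client-cert")}, Msg{"ClientKeyExchange", cke},
		Msg{"CertificateVerify", []byte("client-sig")})
	if err := s.recv(f2, "Certificate", "ClientKeyExchange", "CertificateVerify"); err != nil {
		return nil, err
	}
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, encKey, f2[1].Body, nil)
	if err != nil {
		return nil, err
	}
	// Master key = MAC(pre-master key, transcript hash), bound to both hello randoms
	// and the key exchange. Each Finished MACs the transcript as its sender saw it
	// before its ChangeCipherSpec; the receiver checks it against its own copy.
	c.mk, s.mk = mac(pre, c.hash()), mac(got, s.hash())
	cf := c.send(Msg{"ChangeCipherSpec", nil}, Msg{"Finished", mac(c.mk, []byte("client"), c.hash())})
	if !hmac.Equal(cf[1].Body, mac(s.mk, []byte("client"), s.hash())) {
		return nil, fmt.Errorf("client Finished does not match server transcript")
	}
	s.recv(cf, "ChangeCipherSpec", "Finished")
	sf := s.send(Msg{"ChangeCipherSpec", nil}, Msg{"Finished", mac(s.mk, []byte("server"), s.hash())})
	if !hmac.Equal(sf[1].Body, mac(c.mk, []byte("server"), c.hash())) {
		return nil, fmt.Errorf("server Finished does not match client transcript")
	}
	return c.mk, c.recv(sf, "ChangeCipherSpec", "Finished")
}

func main() {
	fmt.Println(Handshake(func(m []Msg) []Msg { return m }))
}
```

Two properties the page relies on are visible here: a message arriving out of the listed order is rejected before any key material is used, and a server flight whose bytes were changed in transit (for example a substituted certificate) still passes the order check but fails at the client's Finished message, because the two transcripts no longer hash to the same value.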
Further, the secure connection submodule 504044 is also configured to establish, after the encrypted connection is set up successfully, the second encrypted tunnel through which the encryption subprocess and the network server communicate securely.
The agent sub-module 504042 is also configured to establish encrypted connection communication between the encryption subprocess and the main business process through a handshake procedure and, after the encrypted connection communication succeeds, to establish the first encrypted tunnel through which the main business process and the encryption subprocess communicate securely; wherein, in the handshake procedure, two-way certificate verification and key interaction between the encryption subprocess and the main business process are executed by means of a first asymmetric algorithm, and certificate verification is executed; a symmetric key is generated during the key interaction.
The agent sub-module 504042 is also configured for the business processing thread to encrypt the first connection request with the second symmetric algorithm to obtain a second connection request; the business processing thread sends the second connection request to the network server; the business processing thread receives the second connection response fed back by the network server based on the second connection request; the business processing thread decrypts the second connection response with the second symmetric algorithm to obtain the first connection response, and feeds it back to the main business process. The network server 502 is configured to receive the second connection request sent by the secure browser device, generate the second connection response after processing the second connection request, and send the second connection response to the secure browser device.
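The re-encryption that the business processing thread performs for both the business data path and the connection-request path above, as an added Go example that is not part of the patent: a record arriving on one tunnel is opened with that tunnel's key and re-sealed with the other tunnel's key, so the original data exists only inside the subprocess. Its assumptions: AES-256-GCM stands in for the page's unspecified first and second symmetric algorithms, the two keys are generated locally rather than produced by the two handshakes, and the sample request and response are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Tunnel models one encrypted tunnel with its own AEAD key. AES-256-GCM is an
// assumption: the page names a first and a second symmetric algorithm only.
type Tunnel struct {
	aead cipher.AEAD
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Seal encrypts and authenticates one record; the random nonce is prepended so
// the receiving end can open it.
func (t *Tunnel) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag and decrypts; a modified record fails here and is never
// forwarded into the other tunnel.
func (t *Tunnel) Open(record []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record shorter than nonce")
	}
	return t.aead.Open(nil, record[:n], record[n:], nil)
}

// Relay is the business processing thread's job in one direction: open a
// record from one tunnel, then seal the recovered original data for the other.
func Relay(from, to *Tunnel, record []byte) ([]byte, error) {
	original, err := from.Open(record)
	if err != nil {
		return nil, fmt.Errorf("inbound tunnel rejected record: %w", err)
	}
	return to.Seal(original)
}

// RandomKey returns a fresh 256-bit key. In the page's design the first tunnel's
// key comes from the local handshake and the second from the server handshake;
// this constructed example does not model either.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	first, _ := NewTunnel(RandomKey())  // browser main process <-> encryption subprocess
	second, _ := NewTunnel(RandomKey()) // encryption subprocess <-> network server
	// Constructed sample request as the main business process would send it.
	req, _ := first.Seal([]byte("GET /account HTTP/1.1"))
	fwd, err := Relay(first, second, req)
	if err != nil {
		panic(err)
	}
	got, _ := second.Open(fwd)
	fmt.Printf("server sees: %s\n", got)
	// Response path: server -> second tunnel -> first tunnel -> main process.
	resp, _ := second.Seal([]byte("HTTP/1.1 200 OK"))
	back, _ := Relay(second, first, resp)
	got, _ = first.Open(back)
	fmt.Printf("browser sees: %s\n", got)
}
```

The inbound decryption and the outbound encryption are deliberately separate steps rather than a single copy loop: a record whose authentication tag fails is rejected by Open before anything is forwarded, and a record sealed for the second tunnel cannot be opened with the first tunnel's key, which is what keeps the two channels' trust domains apart.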
The encryption subprocess submodule 50404 further includes: a hardware management module 504046, for the encryption subprocess to identify the security key storage hardware through its driver; and a certificate verification module 504048, for carrying out cryptographic operations in the two-way certificate verification process according to the hardware certificate carrier.
It should be noted that, referring to Fig. 7, which shows a structural block diagram of the encryption subprocess module in one specific implementation, the encryption subprocess module includes: a configuration module 702, a proxy module 704 (corresponding to the agent sub-module above), a CTL management module 706, a CRL management module 708, a Session management module 710, a certificate verification module 712, an SSL connection module 714 (corresponding to the secure connection submodule above) and a USBKey operation module 716 (corresponding to the hardware management submodule above). The CTL management module 706 and the CRL management module 708 correspond to the certificate verification submodule above.
The proxy module receives connections from the browser main business scheduler module and handles each according to its connection type, thereby acting as the connection agent of the browser main business scheduler module. The CTL module manages the list of trusted root certificates. The CRL management module obtains CRL lists and manages the local CRL list. The Session management module manages the sessions of the connections between the agent process and the web server. The SSL connection module is responsible for establishing the secure connection with the network server. The USBKey management module is responsible for operating the USBKey device. The configuration module is responsible for reading and storing the client's relevant configuration.
The working principle of the CTL management module 706 is as follows. The CTL describes the browser's list of trusted root certificates, which is used to verify the server-side certificate. In the secure browser client, the supported trusted root certificates use PEM encoding, and two ways of adding certificates are supported: 1) trusted root certificates built into the program; 2) trusted root certificates added through a configuration file, the configuration file being stored encrypted with DES. The CTL can be configured not to support import and export functions.
The working principle of the CRL management module 708 is as follows. A CRL describes the certificate revocation list of a certification authority (CA); in essence it is a set of certificate serial numbers, each represented as an ASN.1-encoded Integer. An extension in X509v3 certificates (OID 2.5.29.31) specifies the CRL distribution point of the certificate. The secure browser device of the present embodiment caches CRLs locally, and CRL lookup is indexed at the first level by CA. The steps of the CRL verification operation are as follows: (1) obtain the Issuer item of the certificate and locate the corresponding CA node; if the Issuer is absent or no corresponding CA can be found, the certificate is considered illegal; (2) search all CRL entries under that CA by binary search.
For the Session management module 710: an SSL connection requires an additional 4-way handshake on top of the TCP 3-way handshake, and the connection establishment process is relatively time-consuming; therefore, saving and reusing the previous Session can effectively optimize handshake performance. In the secure browser device of the present embodiment, after an SSL connection has been established, an in-memory index from host+port to session is built, and subsequent operations can reuse the previous session, with a session validity period of 1 hour. Previous sessions are emptied when the browser is closed or the USBKey device is removed.
For the certificate verification module 612: if two-way authentication is required, the encryption subprocess prompts the user during SSL connection establishment to insert the security key storage hardware, i.e. the USBKey device. After the user inserts the security key storage hardware, it is automatically identified and a certificate selection dialog box pops up prompting the user to select a certificate. Automatic identification of the security key storage hardware by the encryption subprocess relies on two key items in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device, in a format similar to that of the USB entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum, namely VID_XXXX&PID_XXXX. The browser associates the vendor ID and product ID of the USBKey device with the corresponding driver and completes the relevant operations. The browser neither stores the PIN entered by the user nor the private key information in the USBKey. The detailed process is as follows: first connect to the USBKey device; then open the corresponding Application, determined by the user's selection; then open the corresponding Container, determined by the user's selection; then verify the PIN code (personal identification number), prompting for re-entry after a verification error; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device and disconnect.
In the present embodiment, for the certificate verification process of the above method embodiment, server-side certificate verification takes place during the handshake protocol, after the browser receives the ServerHelloDone message and before it sends the Certificate message. Certificate verification mainly ensures the legitimacy of the server; the verification process depends on the CTL and CRL modules and is carried out in the certificate verification thread pool of the subprocess. The verification steps are as follows: initialize the trusted root certificate list; check whether the certificate is self-signed; check the certificate extension information; check the certificate trust relationship; check the CRL list; check the certificate signature; check the certificate validity period; check whether the certificate is in the blacklist.
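The server certificate checks listed above, together with the CTL and CRL module descriptions earlier on this page, as an added Go example that is not part of the patent: a trusted root list, an explicit self-signed check, chain building (which also covers the signature and validity-period steps), and a CRL lookup by issuer and then by serial number. Its assumptions: the root CA, the leaves and the CRL are constructed in memory with ECDSA rather than the SM2 certificates a real deployment would carry, the CRL cache is keyed by the issuer's raw subject as a stand-in for the per-CA index, and a cached CRL past its NextUpdate is treated as absent. The extension and blacklist steps are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verifier holds the CTL (trusted roots), a CRL cache indexed by issuer (the
// page's first-level index by CA) and the evaluation time.
type Verifier struct{ ctl *x509.CertPool; crls map[string]*x509.RevocationList; now time.Time }

// AddCRL caches a CRL only after its signature checks against the claimed CA.
func (v *Verifier) AddCRL(der []byte, issuer *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return err
	}
	v.crls[string(issuer.RawSubject)] = crl
	return nil
}

// Verify applies the page's checks: reject a self-signed leaf, chain it to the CTL
// (x509.Verify covers signature and validity period), find the issuer's CRL
// (unknown issuer = illegal certificate), then look up the serial number in it.
func (v *Verifier) Verify(leaf *x509.Certificate) error {
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
		return fmt.Errorf("self-signed server certificate")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: v.ctl, CurrentTime: v.now})
	if err != nil {
		return err
	}
	crl, ok := v.crls[string(chains[0][1].RawSubject)]
	if !ok || v.now.After(crl.NextUpdate) {
		return fmt.Errorf("no current CRL for issuer %q", chains[0][1].Subject.CommonName)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

func leafTemplate(serial int64, cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// Scenario is a constructed sample PKI: one root CA in the CTL, a CRL revoking
// serial 3, and leaves for each outcome (the CA doubles as the self-signed case).
type Scenario struct{ V *Verifier; CA, Good, Revoked, Expired *x509.Certificate }

func Build() Scenario {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	good := mustCert(leafTemplate(2, "www.example.test", now.Add(24*time.Hour)), ca, &leafKey.PublicKey, caKey)
	revoked := mustCert(leafTemplate(3, "old.example.test", now.Add(24*time.Hour)), ca, &leafKey.PublicKey, caKey)
	expired := mustCert(leafTemplate(4, "stale.example.test", now.Add(-time.Hour)), ca, &leafKey.PublicKey, caKey)
	v := &Verifier{ctl: x509.NewCertPool(), crls: map[string]*x509.RevocationList{}, now: now}
	v.ctl.AddCert(ca)
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	if err == nil {
		err = v.AddCRL(crl, ca)
	}
	if err != nil {
		panic(err)
	}
	return Scenario{v, ca, good, revoked, expired}
}

func main() {
	s := Build()
	fmt.Println(s.V.Verify(s.Good), s.V.Verify(s.Revoked), s.V.Verify(s.Expired), s.V.Verify(s.CA))
}
```

Two points the page's steps imply but do not spell out are made explicit here: a CRL is only trusted after its own signature has been checked against the CA it names, and an issuer for which no current CRL is cached causes rejection rather than a silent pass, matching the page's rule that an unknown CA makes the certificate illegal.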
It should be noted that, referring to Fig. 8, which shows a structural block diagram of the browser main business scheduler module in one specific implementation, the browser main business scheduler module includes: a certificate display module 802, a whitelist management module 804, a network server certificate storage module 806 and a proxy setup module 808. The certificate display module 802 is responsible for displaying digital certificates. The whitelist management module 804 is responsible for managing the list of web servers that support the encryption algorithm of the present embodiment. The network server certificate storage module 806 is used to store and manage the certificates of network servers. The proxy setup module 808 is responsible for setting up the proxy with the encryption subprocess.
As for the device embodiment, since it is basically similar to the method embodiment, it is described relatively briefly; for related details, refer to the corresponding part of the description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the description of specific languages above is made to disclose the preferred embodiment of the invention.
In the description provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realize some or all of the functions of some or all of the components of a secure communication system device according to an embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing some or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a secure communication system, comprising: a secure browser device and a network server; wherein the network server is configured to establish encrypted connection communication with the secure browser device and, after the encrypted connection communication is successfully established, to carry out business data interaction with the secure browser device through the second encrypted tunnel; the secure browser device comprises: a browser main business scheduler module and an encryption subprocess module, wherein the browser main business scheduler module is configured to start, at browser client startup, the encryption subprocess module of the encryption subprocess that communicates with the browser main business process, wherein the encryption subprocess is configured to act as a connection agent that realizes the conversion from the first encrypted tunnel to the second encrypted tunnel and data forwarding; the encryption subprocess module comprises: an agent sub-module, for listening for the browser main business process and obtaining the first connection request sent by the browser main business process, and, after the encrypted connection is set up successfully, for the encryption subprocess to forward business data between the first encrypted tunnel and the second encrypted tunnel; and a secure connection submodule, for the encryption subprocess to establish encrypted connection communication with the network server according to the first connection request; wherein the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server.
A2. The system according to A1, wherein the agent sub-module creates a listening thread for the encryption subprocess; the listening thread listens for the main business process through a service port.
A3. The system according to A1, wherein the secure connection submodule is configured so that, after confirming that the first connection request has been received successfully, the encryption subprocess and the network server successively carry out encryption data negotiation and certificate verification; after the encryption data negotiation finishes and the certificate verification passes, the encrypted connection communication between the browser client and the network server is established.
A4. The system according to A3, wherein the secure connection submodule is configured for the encryption subprocess to send a client hello message to the network server, the client hello message including the first encryption data of the browser client, and the first encryption data including several protocol versions; and to receive the server-side hello message fed back by the network server, the server-side hello message including the second encryption data of the server client, and the second encryption data including the protocol version selected from the first encryption data; the network server is configured to feed back the server-side hello message to the secure browser device.
A5. The system according to A3, wherein the secure connection submodule is configured to carry out unidirectional certificate verification of the network server; or, the encryption subprocess and the network server carry out two-way certificate verification.
A6. The system according to A1, wherein the agent sub-module is also configured to create a business processing thread; the business processing thread establishes a connection with the first encrypted tunnel and with the second encrypted tunnel respectively.
A7. The system according to A6, wherein the agent sub-module is configured to use the business processing thread to receive, through the first encrypted tunnel, the first business data sent by the main business process; to decrypt the first business data using the first symmetric algorithm, obtaining the original business data; to encrypt the original business data using the second symmetric algorithm, obtaining the second business data; and to send the second business data to the network server through the second encrypted tunnel; the network server is configured to receive the second business data sent by the secure browser through the second encrypted tunnel.
A8. The device according to A5, wherein the network server is configured to send the server-side certificate message of the network server to the secure browser, the server-side certificate message including the website signing certificate of the network server; in the secure browser device, the secure connection submodule is configured to receive the server-side certificate message sent by the network server; and the encryption subprocess authenticates the website signing certificate of the network server.
A9. The device according to A5, wherein the network server is configured to send the server-side certificate message of the network server to the secure browser, the server-side certificate message including the website signing certificate of the network server; to send a server-side key exchange message, the server-side key exchange message including key exchange parameters; to send a certificate verification request message, the certificate verification request message indicating that certificate verification of the client is to be carried out; to send a server-side hello done message; and to receive the client certificate message sent by the secure browser device and authenticate its signing certificate, the client certificate message including the signing certificate of the secure browser client; the secure connection submodule is configured for the encryption subprocess to receive the server-side certificate message sent by the network server; the encryption subprocess receives the server-side key exchange message sent by the network server; the encryption subprocess receives the certificate verification request message sent by the network server; the encryption subprocess receives the server-side hello done message sent by the network server; the encryption subprocess authenticates the website signing certificate; and after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, the client certificate message including the signing certificate of the browser client.
A10. The system according to A9, wherein the secure connection submodule is also configured to randomly generate a pre-master key according to the key exchange parameters, the pre-master key being encrypted using the encryption public key of the network server by means of the elliptic curve cryptography algorithm SM2; the encryption subprocess generates a client key exchange message using the pre-master key and sends it to the network server; the network server is also configured to receive the key exchange message sent by the secure browser device and obtain the pre-master key from the key exchange message.
A11. The system according to A9, wherein the secure connection submodule is also configured to obtain the signature check parameters calculated according to the website signing certificate, generate a client certificate verify message and send it to the network server; the encryption subprocess sends a client change cipher spec message to the network server, indicating that the negotiation of the encryption data is complete; the encryption subprocess sends a client handshake finished message to the network server; the encryption subprocess receives the server-side change cipher spec message sent by the network server, indicating that the server approves the negotiated encryption data; the encryption subprocess receives the server-side handshake finished message sent by the network server; the network server is also configured to successively receive the client certificate verify message, the client change cipher spec message and the client handshake finished message sent by the secure browser device, and to successively send the server-side change cipher spec message and the server-side handshake finished message to the secure browser device.
A12. The system according to A11, further comprising: the secure connection submodule is also configured to establish, after the encrypted connection communication is successfully established, the second encrypted tunnel through which the encryption subprocess and the network server communicate securely.
A13. The system according to A7, wherein the agent sub-module is also configured to establish encrypted connection communication between the encryption subprocess and the main business process through a handshake procedure and, after the encrypted connection communication succeeds, to establish the first encrypted tunnel through which the main business process and the encryption subprocess communicate securely; wherein, in the handshake procedure, two-way certificate verification and key interaction between the encryption subprocess and the main business process are executed by means of a first asymmetric algorithm, and certificate verification is executed; a symmetric key is generated during the key interaction.
A14. The system according to A1, wherein the agent sub-module is also configured for the business processing thread to encrypt the first connection request with the second symmetric algorithm to obtain a second connection request; the business processing thread sends the second connection request to the network server; the business processing thread receives the second connection response fed back by the network server based on the second connection request; the business processing thread decrypts the second connection response with the second symmetric algorithm to obtain the first connection response, and feeds it back to the main business process; the network server is configured to receive the second connection request sent by the secure browser device, generate the second connection response after processing the second connection request, and send the second connection response to the secure browser device.
A15. The system according to A5, wherein the encryption subprocess module further comprises: a hardware management submodule, for the encryption subprocess to identify the security key storage hardware through its driver; and a certificate verification submodule, for carrying out cryptographic operations in the two-way certificate verification process according to the hardware certificate carrier.
Claims (13)
1. A secure communication system, comprising: a secure browser device and a network server;
wherein the network server is configured to establish encrypted connection communication with the secure browser device and, after the encrypted connection communication is successfully established, to carry out business data interaction with the secure browser device through the second encrypted tunnel;
the secure browser device comprises: a browser main business scheduler module and an encryption subprocess module,
wherein the browser main business scheduler module is configured to start, at browser client startup, the encryption subprocess module of the encryption subprocess that communicates with the browser main business process, wherein the encryption subprocess is configured to act as a connection agent that realizes the conversion from the first encrypted tunnel to the second encrypted tunnel and data forwarding;
the encryption subprocess module comprises:
an agent sub-module, for listening for the browser main business process and obtaining the first connection request sent by the browser main business process, and, after the encrypted connection is set up successfully, for the encryption subprocess to forward business data between the first encrypted tunnel and the second encrypted tunnel; the agent sub-module is also configured to create a business processing thread; the business processing thread establishes a connection with the first encrypted tunnel and with the second encrypted tunnel respectively;
a secure connection submodule, for the encryption subprocess to establish encrypted connection communication with the network server according to the first connection request;
wherein the first encrypted tunnel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the network server;
wherein the system further comprises an agent sub-module for creating a listening thread for the encryption subprocess; the listening thread listens for the main business process through a service port.
2. The system as claimed in claim 1, characterised in that:
the secure connection submodule is configured so that, after confirming that the first connection request has been received successfully, the encryption subprocess and the network server successively carry out encryption data negotiation and certificate verification; after the encryption data negotiation finishes and the certificate verification passes, the encrypted connection communication between the browser client and the network server is established.
3. system as claimed in claim 2, it is characterised in that:
The secure connection submodule sends client hello message to the network server for the encryption subprocess,
Wherein, the client hello message includes the first encryption data of the browser client, first encrypted packet
Include several protocol versions;Receive the server-side hello messages of the network server feedback, wherein the server-side greeting disappears
Breath includes the second encryption data of the server client, and second encryption data includes: from first encryption data
In select protocol version;
The network server is used for secure browser device back services end hello messages.
4. system as claimed in claim 2, it is characterised in that:
The secure connection submodule, for carrying out unidirectional certificate verification to the network server;Or, the encryption subprocess
Two-way certificate verification is carried out with the network server.
5. The system as claimed in claim 1, characterized in that:
the agent submodule is configured to use the business processing thread to receive, through the first encrypted tunnel, first business data sent by the main business process; decrypt the first business data using a first symmetric algorithm to obtain original business data; encrypt the original business data using a second symmetric algorithm to obtain second business data; and send the second business data to the network server through the second encrypted tunnel;
the network server is configured to receive the second business data sent by the secure browser through the second encrypted tunnel.
6. The system as claimed in claim 4, characterized in that:
the network server is configured to send a server certificate message of the network server to the secure browser, the server certificate message including the website signing certificate of the network server;
in the secure browser device, the secure connection submodule is configured to receive the server certificate message sent by the network server, and the encryption subprocess authenticates the website signing certificate of the network server.
7. The system as claimed in claim 4, characterized in that:
the network server is configured to send the server certificate message of the network server to the secure browser, the server certificate message including the website signing certificate of the network server; send a server key exchange message, the server key exchange message including key exchange parameters; send a certificate verification request message, the certificate verification request message indicating that client certificate verification is to be performed; send a server hello done message; and receive the client certificate message sent by the secure browser device and authenticate its signing certificate, the client certificate message including the signing certificate of the secure browser client;
the secure connection submodule is configured so that the encryption subprocess receives the server certificate message sent by the network server; the encryption subprocess receives the server key exchange message sent by the network server; the encryption subprocess receives the certificate verification request message sent by the network server; the encryption subprocess receives the server hello done message sent by the network server; the encryption subprocess authenticates the website signing certificate; and after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, the client certificate message including the signing certificate of the browser client.
8. The system as claimed in claim 7, characterized in that:
the secure connection submodule is further configured to randomly generate a pre-master key according to the key exchange parameters, wherein the pre-master key is obtained by an encryption computation under the elliptic curve cryptographic algorithm SM2 using the encryption public key of the network server; the encryption subprocess generates a client key exchange message using the pre-master key and sends it to the network server;
the network server is further configured to receive the key exchange message sent by the secure browser device and obtain the pre-master key from the key exchange message.
9. The system as claimed in claim 7, characterized in that:
the secure connection submodule is further configured to obtain the signature verification parameters computed from the website signing certificate, generate a client certificate verify message and send it to the network server; the encryption subprocess sends a client change cipher spec message to the network server to indicate that the encryption data negotiation is complete; the encryption subprocess sends a client handshake finished message to the network server; the encryption subprocess receives the server change cipher spec message sent by the network server, which indicates acceptance of the encryption data negotiation; the encryption subprocess receives the server handshake finished message sent by the network server;
the network server is further configured to successively receive the client certificate verify message, the client change cipher spec message and the client handshake finished message sent by the secure browser device; and to successively send the server change cipher spec message and the server handshake finished message to the secure browser device.
10. The system as claimed in claim 9, characterized in that it further comprises:
the secure connection submodule being further configured to establish, after the encrypted connection is successfully established, the second encrypted tunnel through which the encryption subprocess and the network server communicate securely.
11. The system as claimed in claim 5, characterized in that:
the agent submodule is further configured to establish, through a handshake procedure, encrypted connection communication between the encryption subprocess and the main business process, and after the encrypted connection communication succeeds, to establish the first encrypted tunnel through which the main business process and the encryption subprocess communicate securely; wherein, in the handshake procedure, two-way certificate verification and key interaction between the encryption subprocess and the main business process are performed using a first asymmetric algorithm, and certificate verification is performed; a symmetric key is generated during the key interaction.
12. The system as claimed in claim 1, characterized in that:
the agent submodule is further configured so that the business processing thread encrypts the first connection request using the second symmetric algorithm to obtain a second connection request; the business processing thread sends the second connection request to the network server; the business processing thread receives the second connection reply fed back by the network server in response to the second connection request; the second connection reply is decrypted using the second symmetric algorithm to obtain a first connection reply, which is fed back to the main business process;
the network server is configured to receive the second connection request sent by the secure browser device, generate a second connection reply after processing the second connection request, and send the second connection reply to the secure browser device.
13. The system as claimed in claim 4, characterized in that the encryption subprocess module further comprises:
a hardware management submodule, configured for the encryption subprocess to identify secure key storage hardware through a driver;
a certificate verification submodule, configured to perform cryptographic operations according to the hardware certificate carrier during the two-way certificate verification process.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410849875.9A CN104580189B (en) | 2014-12-30 | 2014-12-30 | A kind of safe communication system |
PCT/CN2015/094846 WO2016107318A1 (en) | 2014-12-30 | 2015-11-17 | Secure communication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410849875.9A CN104580189B (en) | 2014-12-30 | 2014-12-30 | A kind of safe communication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104580189A CN104580189A (en) | 2015-04-29 |
CN104580189B true CN104580189B (en) | 2019-02-12 |
Family
ID=53095370
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410849875.9A Expired - Fee Related CN104580189B (en) | 2014-12-30 | 2014-12-30 | A kind of safe communication system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104580189B (en) |
WO (1) | WO2016107318A1 (en) |
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104618108B (en) * | 2014-12-30 | 2018-07-27 | 北京奇虎科技有限公司 | Safe communication system |
CN104580190B (en) * | 2014-12-30 | 2018-09-04 | 北京奇虎科技有限公司 | The implementation method and secure browser device of secure browser |
CN104639534B (en) * | 2014-12-30 | 2019-02-12 | 北京奇虎科技有限公司 | The loading method and browser device of web portal security information |
CN104580189B (en) * | 2014-12-30 | 2019-02-12 | 北京奇虎科技有限公司 | A kind of safe communication system |
US10728043B2 (en) * | 2015-07-21 | 2020-07-28 | Entrust, Inc. | Method and apparatus for providing secure communication among constrained devices |
CN105243330A (en) * | 2015-10-13 | 2016-01-13 | 武汉大学 | Protection method and system facing internal data transfer process of Android system |
CN105681279A (en) * | 2015-12-28 | 2016-06-15 | 上海瀚银信息技术有限公司 | Application data transmission method and mobile terminal |
CN106330942A (en) * | 2016-08-31 | 2017-01-11 | 成都秦川科技发展有限公司 | Information distribution method, apparatus and system based on Internet of Things information private channel and public network fuzziness |
CN108270739B (en) * | 2016-12-30 | 2021-01-29 | 华为技术有限公司 | Method and device for managing encryption information |
GB201710168D0 (en) * | 2017-06-26 | 2017-08-09 | Microsoft Technology Licensing Llc | Introducing middleboxes into secure communications between a client and a sever |
CN108429620B (en) * | 2018-01-25 | 2021-10-12 | 新华三技术有限公司 | Method and system for establishing secure connection, client and server |
CN109714337B (en) * | 2018-12-26 | 2021-08-10 | 网宿科技股份有限公司 | Data encryption transmission method and equipment |
CN110225515B (en) * | 2019-06-24 | 2022-08-23 | 喀斯玛(北京)科技有限公司 | Authentication management system, method and device |
EP3780535A1 (en) * | 2019-08-15 | 2021-02-17 | Robert Bosch GmbH | Process to establish a communication channel between a client and a server |
CN111381903B (en) * | 2020-03-18 | 2023-05-26 | 支付宝(杭州)信息技术有限公司 | Program running method, device, equipment and medium |
CN112020037A (en) * | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | Domestic communication encryption method suitable for rail transit |
CN112437437A (en) * | 2020-12-10 | 2021-03-02 | 深圳市天辰防务通信技术有限公司 | Method and system for carrying out point-to-point secret communication connection by utilizing 4G network |
CN112507269B (en) * | 2020-12-10 | 2023-08-08 | 中国农业科学院农业信息研究所 | Website background risk assessment system |
CN112613025A (en) * | 2020-12-30 | 2021-04-06 | 宁波三星医疗电气股份有限公司 | Communication method of USB (universal serial bus) equipment and browser on computer |
CN115085949A (en) * | 2021-03-10 | 2022-09-20 | 航天信息股份有限公司 | Data communication method and device based on national secret SSL transparent proxy |
CN113904773B (en) * | 2021-10-11 | 2023-07-07 | 博雅中科(北京)信息技术有限公司 | SSL connection establishment method, SSL connection establishment device, electronic equipment and computer readable storage medium |
CN114143082B (en) * | 2021-11-30 | 2023-10-13 | 北京天融信网络安全技术有限公司 | Encryption communication method, system and device |
CN114553957B (en) * | 2022-01-10 | 2024-05-24 | 网宿科技股份有限公司 | Service system and method compatible with national cipher and international HTTPS transmission |
CN114553476B (en) * | 2022-01-10 | 2024-06-25 | 网宿科技股份有限公司 | HTTPS request processing method and device based on national secret and international algorithm |
CN115001936B (en) * | 2022-07-18 | 2023-05-02 | 确信信息股份有限公司 | Operation and maintenance management system and method based on management agent and computer equipment |
CN115987688B (en) * | 2023-03-20 | 2023-08-01 | 北京网藤科技有限公司 | Method and system for guaranteeing safe communication between PLC and upper computer |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1359074A (en) * | 2001-11-29 | 2002-07-17 | 上海格尔软件股份有限公司 | SSLL proxy method with MIME data type filter technology |
CN1879382A (en) * | 2003-11-04 | 2006-12-13 | Ntt通信公司 | Method, apparatus and program for establishing encrypted communication channel between apparatuses |
CN102103725A (en) * | 2009-12-22 | 2011-06-22 | 新竹货运股份有限公司 | Information processing system, processing station and method for card swiping on delivery |
CN103188074A (en) * | 2011-12-28 | 2013-07-03 | 上海格尔软件股份有限公司 | Proxy method for improving SSL algorithm intensity of browser |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8190875B2 (en) * | 2007-03-22 | 2012-05-29 | Cisco Technology, Inc. | Reducing processing load in proxies for secure communications |
CN104580189B (en) * | 2014-12-30 | 2019-02-12 | 北京奇虎科技有限公司 | A kind of safe communication system |
CN104580190B (en) * | 2014-12-30 | 2018-09-04 | 北京奇虎科技有限公司 | The implementation method and secure browser device of secure browser |
- 2014-12-30: CN application CN201410849875.9A, patent CN104580189B, not active (Expired - Fee Related)
- 2015-11-17: WO application PCT/CN2015/094846, patent WO2016107318A1, active (Application Filing)
Also Published As
Publication number | Publication date |
---|---|
CN104580189A (en) | 2015-04-29 |
WO2016107318A1 (en) | 2016-07-07 |
Similar Documents
Publication | Title |
---|---|
CN104580189B (en) | A kind of safe communication system |
CN104639534B (en) | The loading method and browser device of web portal security information |
CN104580190B (en) | The implementation method and secure browser device of secure browser |
CN104618108B (en) | Safe communication system |
WO2016107319A1 (en) | Method for loading secure key storage hardware, and browser client device |
WO2017045552A1 (en) | Method and device for loading digital certificate in ssl or tls communication |
US9887838B2 (en) | Method and device for secure communications over a network using a hardware security engine |
CN110326267B (en) | Network security system, method and storage medium with substitute digital certificate |
US9565180B2 (en) | Exchange of digital certificates in a client-proxy-server network configuration |
CN103546289B (en) | USB (universal serial bus) Key based secure data transmission method and system |
CN107425983A (en) | A kind of unified identity authentication method and system platform based on WEB service |
US20090307486A1 (en) | System and method for secured network access utilizing a client .net software component |
CN106790090A (en) | Communication means, apparatus and system based on SSL |
CN107800675A (en) | A kind of data transmission method, terminal and server |
KR102128244B1 (en) | Ssl/tls based network security apparatus and method |
US9398024B2 (en) | System and method for reliably authenticating an appliance |
WO2021041771A1 (en) | Decentralized techniques for verification of data in transport layer security and other contexts |
CN112733129B (en) | Trusted access method for server out-of-band management |
CN105471896B (en) | Proxy Method, apparatus and system based on SSL |
Kwon et al. | (In-) security of cookies in HTTPS: Cookie theft by removing cookie flags |
CN106453430A (en) | Method and device for verifying encrypted data transmission paths |
CN113422753B (en) | Data processing method, device, electronic equipment and computer storage medium |
CN115549929B (en) | SPA single packet authentication method and device based on zero trust network stealth |
Solbakken | Certificate security visualization |
CN118473715A (en) | Collaborative signature opening method and system based on ukey certificates |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190212; Termination date: 20211230 |