CN102695168A - Terminal equipment, encrypted gateway and method and system for wireless network safety communication - Google Patents


Info

Publication number: CN102695168A
Authority: CN (China)
Prior art keywords: session key, gateway, terminal equipment, encryption, communication
Legal status: Granted; active
Application number: CN2012101588878A
Other languages: Chinese (zh)
Other versions: CN102695168B (en)
Inventors: 田新雪, 袁晓静
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Priority application: CN201210158887.8A

Abstract

The invention provides a terminal device, an encryption gateway, and a method and system for secure wireless network communication. The method comprises: obtaining encrypted-communication request information sent by the terminal device when it accesses a wireless network, the request information including the user's user account; obtaining, according to the request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account; and sending the second session key to the terminal device and using the first session key to encrypt or decrypt the data messages communicated with the terminal device. With the terminal device, the encryption gateway, the method and the system, the potential safety hazards of existing wireless network communication can be effectively avoided.

Description

Terminal equipment, encryption gateway, wireless network safety communication method and system
Technical field
The present invention relates to communication technology, and in particular to a terminal device, an encryption gateway, and a method and system for secure wireless network communication.
Background technology
With the development of wireless communication devices, more and more public places provide wireless network hotspots for Internet access, so that users' terminal devices with wireless communication capability can go online conveniently.
A hotspot is very simple and cheap to build: its provider only needs a wireless router, or a modem with wireless capability, connected to the network. For example, many airports, hotels and coffee shops provide users with free Internet access through a configured WiFi (Wireless Fidelity) access point (WiFi AP). When a user wants to go online in such a place, the terminal device communicates with the WiFi AP over WiFi radio signals; the WiFi AP is connected over a wired network to the operator's Broadband Access Server (BAS server) on the network side, and broadband Internet access is provided through the BAS server. When a user's terminal device accesses the Internet through a WiFi AP, two problems arise from the openness of wireless networks and the ease of building a hotspot. On the one hand, the radio communication between the terminal device and the WiFi AP is easily intercepted by a wireless listener. On the other hand, some WiFi providers exploit users' willingness to use free WiFi and their inability to tell a genuine WiFi AP from a fake one: they maliciously set up free WiFi APs in public places and obtain user information by monitoring the traffic passing through the AP. Wireless networks therefore offer convenient Internet access to users but also convenient intrusion to attackers, so a user terminal faces a large security risk when it accesses the Internet over a wireless network.
Summary of the invention
A first aspect of the present invention provides a method for secure wireless network communication, comprising:
obtaining encrypted-communication request information sent by a terminal device when it accesses a wireless network, the encrypted-communication request information including the user's user account;
obtaining, according to the encrypted-communication request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account;
sending the second session key to the terminal device, and using the first session key to encrypt or decrypt the data messages communicated with the terminal device.
Another aspect of the present invention provides a method for secure wireless network communication, comprising:
sending encrypted-communication request information to an encryption gateway over the wireless network, the encrypted-communication request information including the user's user account;
receiving the second session key corresponding to the user account that the encryption gateway returns according to the encrypted-communication request information, and decrypting the second session key with the user login password corresponding to the user account to obtain the first session key;
using the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
Another aspect of the present invention provides an encryption gateway, comprising:
an acquisition module, configured to obtain the encrypted-communication request information sent by a terminal device when it accesses a wireless network, the request information including the user's user account, and to obtain, according to the request information, the first session key and the second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account;
a processing module, configured to send the second session key to the terminal device and to use the first session key to encrypt or decrypt the data messages communicated with the terminal device.
Another aspect of the present invention provides a terminal device, comprising:
an encryption agent module, configured to send encrypted-communication request information to an encryption gateway over the wireless network, the request information including the user's user account, to receive the second session key corresponding to the user account that the encryption gateway returns according to the request information, and to decrypt the second session key with the user login password corresponding to the user account to obtain the first session key;
a communication processing module, configured to use the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
Another aspect of the present invention provides a secure wireless network communication system, comprising the above encryption gateway and the above terminal device in a wireless network.
The technical effect of the present invention is as follows. An encryption gateway deployed by the network-side operator responds to the encrypted-communication request information sent by a user terminal device in the wireless network: it uses the user account carried in the request to obtain a first session key, uses the user login password pre-shared between the user and the operator for that account to obtain a second session key, and returns the second session key to the corresponding terminal device. The terminal device decrypts the second session key with the user login password and obtains the same first session key, so the terminal device and the encryption gateway both encrypt and decrypt the communicated data messages with the first session key they have obtained, which improves the security of user communication. Because the user login password is pre-shared between the user and the operator and is never transmitted during session-key negotiation, the key obtained in the key agreement process is itself kept secret; the communication security of user data on the wireless channel and at the hotspot is thereby effectively guaranteed, and the potential safety hazards of existing wireless communication are avoided.
Description of drawings
Fig. 1 is a flow chart of embodiment one of the secure wireless network communication method of the present invention;
Fig. 2 is a detailed flow chart of obtaining the session keys in Fig. 1;
Fig. 3 is a flow chart of embodiment two of the secure wireless network communication method of the present invention;
Fig. 4 is a flow chart of embodiment three of the secure wireless network communication method of the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the encryption gateway of the present invention;
Fig. 6 is a schematic structural diagram of an embodiment of the terminal device of the present invention;
Fig. 7 is a schematic structural diagram of the secure wireless network communication system of the present invention;
Fig. 8 is a signaling diagram of the interaction between the devices in the embodiment shown in Fig. 7.
Embodiments
The technical solution of the present invention is described in detail below with reference to specific embodiments and the corresponding drawings.
Fig. 1 is a flow chart of embodiment one of the secure wireless network communication method of the present invention. As shown in Fig. 1, the method of this embodiment comprises:
Step 101: obtain the encrypted-communication request information sent by the terminal device when it accesses the wireless network, the request information including the user's user account.
A terminal device in the user-side wireless network faces multiple potential safety hazards when it accesses the wireless network, and the same hazards exist when it accesses the Internet through a hotspot in that wireless network. To guarantee secure transmission of data messages on the wireless channel and at the hotspot, the data messages communicated between the terminal device and the BAS server can be transmitted as ciphertext: an encryption gateway is added between the user-side hotspot and the network-side BAS server, the encryption gateway and the terminal device encrypt or decrypt the data messages communicated between them, and the encryption gateway forwards the processed data messages to the Internet through the BAS server (or directly, when the encryption gateway itself has BAS server functionality). The user's communication data is thereby transmitted securely on the wireless channel and at the hotspot.
For ciphertext transmission between the terminal device and the encryption gateway, the terminal device must perform key agreement with the encryption gateway before communicating data messages, to obtain the session key the two will use for secure communication. Therefore, before communicating, the terminal device first sends encrypted-communication request information to the encryption gateway, carrying the user's user account, so that the encryption gateway deployed by the network-side operator can retrieve the pre-shared key it stores for that user account and use it to negotiate the session key for communication.
In this step, when the encryption gateway receives the encrypted-communication request sent by the terminal device, it extracts the user account carried in it so that the corresponding session key can subsequently be obtained for that account. The user account is the user's existing user name on the network-side operator's network; a user who has not previously registered account information with the operator can also register one temporarily through a non-Internet channel such as SMS or a phone call. The user's account information on the operator's network comprises the user account and the user login password (or passcode). When the user sends the encrypted-communication request from the terminal device, only the user account is carried in the request; the pre-shared key, i.e. the user login password corresponding to the account, is not transmitted. The encryption gateway looks up the corresponding user login password from the user account, which prevents the pre-shared key from being captured by an attacker and improves the security of the key agreement phase. The terminal device may be any user terminal that goes online over the wireless network, such as a user's computer or mobile phone. The encrypted-communication request can be initiated by an encryption agent module installed on the terminal device: when the encryption agent module detects that the terminal device is connecting to a network through a connection mode without a security mechanism, such as free WiFi, it starts the secure pre-processing measures, sends the encrypted-communication request information to the encryption gateway, and interacts with the encryption gateway to obtain the session key.
Step 102: obtain, according to the encrypted-communication request information, the first session key and the second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account.
After the encryption gateway receives the encrypted-communication request information sent by the terminal device, it parses out the user account and obtains the session keys corresponding to that account. Fig. 2 is a detailed flow chart of obtaining the session keys in Fig. 1; as shown in Fig. 2, the encryption gateway can obtain the session keys by the following steps:
Step 1021: obtain the user account carried in the encrypted-communication request information.
Step 1022: send key request information, including the user account, to the user database.
To reduce the processing load on the encryption gateway, the work of obtaining the key information can be handled by a user database deployed by the network-side operator, with the encryption gateway only distributing the key information the user database returns. The user database can be a database server that stores user account information: the user names and user login passwords with which users log in to the operator's network, or in some cases a pre-arranged account and corresponding user passcode. If several encryption gateways are deployed in the operator's network, then when the encryption gateway sends key request information to the user database in this step it also carries its own identification information in the request, so that the user database can return the key information it obtains to the gateway with that identification.
Step 1023: receive the first session key and the second session key corresponding to the user account returned by the user database.
In this embodiment, after the encryption gateway receives the encrypted-communication request information, it first parses out the user account carried in it and then sends key request information, carrying the user account, to the user database deployed on the network side, so that the user database can find the corresponding key information for that account. For example, after the user database receives key request information from the encryption gateway carrying the user name Ua of user A, it generates a first session key Ka, finds the user login password Pa corresponding to user account Ua, and encrypts the generated first session key Ka with the user login password Pa to obtain a second session key Ka'. It then sends the generated first session key Ka and the encrypted second session key Ka' to the encryption gateway. The encryption gateway distributes the keys it receives: it keeps the unencrypted first session key Ka itself and returns the encrypted second session key Ka' to the user's terminal device. After receiving the encrypted second session key Ka', the terminal device decrypts it with the user login password Pa to obtain the first session key Ka. The terminal device and the encryption gateway thus both hold the same first session key Ka, which they can subsequently use to encrypt or decrypt the messages they send and receive. Because the second session key that the encryption gateway returns to the terminal device is key information encrypted with the user login password, and that password is held only by the operator's encryption gateway (or user database) and by the user, even if the second session key Ka' is stolen on the wireless channel or at the hotspot, an attacker cannot obtain the first session key Ka used in the user's communication and therefore cannot decrypt the ciphertext of the user's communication; the user's communication security is guaranteed.
Step 103: send the second session key to the terminal device, and use the first session key to encrypt or decrypt the data messages communicated with the terminal device.
After the encryption gateway obtains the key information comprising the first session key Ka and the second session key Ka', it sends the encrypted second session key Ka' to the user's terminal device, so that the terminal device can decrypt Ka' with the user login password Pa corresponding to user name Ua and obtain the first session key Ka used for communication between the terminal device and the encryption gateway. In subsequent communication, the terminal device and the encryption gateway both encrypt and decrypt data messages with the first session key Ka. That is, on the network side, the encryption gateway encrypts Internet data messages with the first session key before sending them to the terminal device, and decrypts the encrypted data messages sent by the terminal device with the first session key before forwarding them to the Internet; on the user side, the terminal device encrypts the data messages to be sent with the first session key before sending them to the encryption gateway, so that the encryption gateway decrypts them and forwards them to the Internet, and decrypts the received Internet data messages encrypted by the encryption gateway with the first session key. The data transmitted on the wireless channel and at the hotspot is therefore ciphertext produced by the encryption gateway or the terminal device, and the user's communication is secure.
The wireless network in this embodiment may be formed using a WiFi connection, or using other kinds of wireless connection. If the wireless network is formed with WiFi, then when the user's terminal device communicates with the encryption gateway through the WiFi AP, the data messages on the wireless channel between the terminal device and the WiFi AP, on the WiFi AP itself, and on the wired channel between the WiFi AP and the encryption gateway are all ciphertext, so that neither a listener on the wireless channel nor a malicious provider of the WiFi AP can decrypt the communication. The method of this embodiment therefore fully guarantees communication security when the user connects to the Internet through the wireless network.
In practical application, the encryption gateway can identify the terminal device that needs secure communication from the source of the encrypted-communication request information. Alternatively, the terminal device currently used by the user can carry its device identifier in the encrypted-communication request information; this is especially useful when several terminal devices of the same user go online with the same user account. The identifier of the current terminal device carried in the request is parsed out by the encryption gateway, so that when the encryption gateway subsequently obtains the key information it can send the second session key to the terminal device with the corresponding device identifier, achieving per-device key distribution; in the subsequent data communication, the encryption gateway likewise uses the corresponding first session key to encrypt or decrypt the messages communicated with the terminal device bearing that device identifier.
In this embodiment, the encryption gateway deployed by the network-side operator responds to the encrypted-communication request information sent by a user terminal device in the wireless network: it uses the user account carried in the request to obtain the first session key, uses the user login password pre-shared between the user and the operator for that account to obtain the second session key, and returns the second session key to the corresponding terminal device. The terminal device decrypts the second session key with the user login password and obtains the same first session key, so the terminal device and the encryption gateway both encrypt and decrypt the communicated data messages with the first session key they have obtained, which improves the security of user communication. Because the user login password is pre-shared between the user and the operator and is never transmitted during session-key negotiation, the key obtained in the key agreement process is itself kept secret; the communication security of user data on the wireless channel and at the hotspot is thereby effectively guaranteed, and the potential safety hazards of existing wireless communication are avoided.
Fig. 3 is a flow chart of embodiment two of the secure wireless network communication method of the present invention. As shown in Fig. 3, the method of this embodiment comprises:
Step 201: send encrypted-communication request information to the encryption gateway over the wireless network, the request information including the user's user account.
To guarantee secure transmission of data messages on the wireless channel and at the hotspot, a terminal device in the wireless network can send encrypted-communication request information over the wireless network to the encryption gateway deployed by the network-side operator, in order to obtain the key information used for secure communication.
Specifically, after the terminal device receives the user's access request to connect to the Internet over the wireless network, it sends encrypted-communication request information over the wireless network to the encryption gateway deployed on the network side, carrying the user name the user has registered with the operator, so that the encryption gateway can obtain the user's secure-communication key information from that user name. In practice, an operator that takes users' security needs into account can offer specific security services and corresponding value-added services: on the one hand it deploys security devices such as the encryption gateway on the network side, and on the other hand it provides an agent application matching those security devices, such as an encryption agent application, which the user downloads and installs on the terminal device. With the agent application, the user obtains secure communication simply by downloading and installing it, without changing the terminal device. In the embodiment of the invention, the user downloads the encryption agent module application from the operator's network to the terminal device; when a terminal device with this application installed connects to the Internet over a wireless network, or when a communication-insecure condition predefined by the user occurs, the application starts the pre-processing operation that negotiates the session key used for secure communication on behalf of the terminal device.
Step 202: receive the second session key corresponding to the user account that the encryption gateway returns according to the encrypted-communication request information, and decrypt the second session key with the user login password corresponding to the user account to obtain the first session key.
When the encryption gateway returns the second session key in response to the encrypted-communication request information, the encryption agent module can ask the user to enter the user login password corresponding to the user account, and decrypts the second session key with that password to obtain the first session key used for communication encryption. Because the second session key returned by the encryption gateway still has to be decrypted with the user login password, the first session key the user uses for communication encryption remains safe even if the second session key is stolen on the wireless channel or at the hotspot, so the key information obtained with the method of this embodiment guarantees the communication security of the user's terminal device.
Step 203: use the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
After obtaining the first session key for secure communication, when the terminal device connects to the Internet over the wireless network, for example through a user-side WiFi AP, it can encrypt the data messages to be sent with the first session key before sending them to the encryption gateway, so that the encryption gateway decrypts the encrypted data messages and forwards them to the Internet; and it decrypts the received Internet data messages encrypted by the encryption gateway with the first session key.
Before sending a data message, the terminal device can also decide whether to encrypt it according to the security needs of the message. If the data message to be sent is sensitive data that must be transmitted securely, such as the user's online banking password or other personal information, the terminal device encrypts the data message communicated with the encryption gateway with the first session key and sends the encryption gateway an indication that the data message has been encrypted, so that the encryption gateway knows from this indication that the corresponding data message is ciphertext. In most cases a user going online wirelessly from a terminal device only browses Internet content, which raises no secure-communication issue; in that case the terminal device need not encrypt the communicated data messages, which reduces the encryption and decryption burden on the terminal device and the encryption gateway. In practice, the encryption agent module of the terminal device can monitor whether the user's terminal communication requires secure handling: for example, it can decide whether to enable encryption and decryption of the communication by monitoring the web page addresses the terminal device links to when accessing the Internet, or sensitive keywords the user enters, and enable secure communication, encrypting and decrypting the communicated messages, when it sees a bank web link or keywords such as a user account and password.
In this embodiment, the terminal device sends encrypted-communication request information over the wireless network to the encryption gateway deployed by the network-side operator, carrying the user account in that information, so that the encryption gateway can obtain the key pre-shared between the user and the operator from the user account and thereby obtain the first session key and second session key for the user's secure communication. After the encryption gateway returns the second session key to the terminal device, the terminal device decrypts it with the user login password corresponding to the user account to obtain the first session key used for secure communication, so that in subsequent communication the traffic between the terminal device and the encryption gateway can be encrypted or decrypted with this first session key, making the user's data secure on the wireless channel and at the hotspot and avoiding the potential safety hazards of existing wireless communication.
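The key agreement of embodiment one (steps 101-103, gateway and user database side) and the terminal-side handling of embodiment two (steps 201-203, including the per-message encryption indication) as one added example in Python; this is illustrative code written for this page, not the patent's or the operator's implementation. It assumes an authenticated cipher for the unspecified "encryption" (modelled here with an HMAC-SHA256 keystream plus tag, standing in for an AEAD such as AES-GCM) and, as a hardening choice the text does not state, derives the key that wraps Ka from the login password Pa with PBKDF2 and the account as salt instead of using the password bytes directly; the user Ua/Pa, the device identifier and the messages are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Placeholder authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC); the patent names none.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def password_key(password: str, account: str) -> bytes:
    """Wrapping key from login password Pa (assumption: PBKDF2 with the account as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 100_000)

class UserDatabase:
    """Operator's user database: account -> login password; answers key requests (steps 1022-1023)."""
    def __init__(self, users: dict):
        self._users = dict(users)

    def handle_key_request(self, account: str):
        pa = self._users[account]                       # KeyError for an unknown account
        ka = secrets.token_bytes(32)                    # first session key Ka
        ka_prime = seal(password_key(pa, account), ka)  # second session key Ka' = Enc_Pa(Ka)
        return ka, ka_prime

class EncryptionGateway:
    """Network-side encryption gateway between the hotspot/BAS and the Internet."""
    def __init__(self, db: UserDatabase):
        self._db = db
        self._sessions = {}   # (account, device_id) -> Ka: one session key per device

    def handle_request(self, request: dict) -> dict:
        """Steps 101-103: obtain Ka/Ka' for the account, keep Ka, send only Ka' over the air."""
        account, device_id = request["account"], request["device_id"]
        ka, ka_prime = self._db.handle_key_request(account)
        self._sessions[(account, device_id)] = ka
        return {"account": account, "device_id": device_id, "second_session_key": ka_prime}

    def from_terminal(self, msg: dict) -> bytes:
        """Uplink: decrypt only if the terminal flagged the message as ciphertext (step 203)."""
        if not msg["encrypted"]:
            return msg["payload"]
        return unseal(self._sessions[(msg["account"], msg["device_id"])], msg["payload"])

    def to_terminal(self, account: str, device_id: str, internet_data: bytes) -> dict:
        """Downlink: encrypt Internet data under Ka before it crosses the hotspot."""
        return {"account": account, "device_id": device_id, "encrypted": True,
                "payload": seal(self._sessions[(account, device_id)], internet_data)}

class Terminal:
    """User device running the encryption agent module."""
    def __init__(self, account: str, password: str, device_id: str):
        self.account, self._password, self.device_id = account, password, device_id
        self._ka = None

    def negotiate(self, gw: EncryptionGateway) -> bytes:
        """Steps 201-202: request with the account only (Pa never leaves the device), unwrap Ka'."""
        resp = gw.handle_request({"account": self.account, "device_id": self.device_id})
        self._ka = unseal(password_key(self._password, self.account), resp["second_session_key"])
        return resp["second_session_key"]   # what a listener on the WiFi channel would capture

    def send(self, gw: EncryptionGateway, data: bytes, sensitive: bool) -> bytes:
        """Step 203: encrypt only traffic the agent classifies as sensitive, and flag the choice."""
        payload = seal(self._ka, data) if sensitive else data
        return gw.from_terminal({"account": self.account, "device_id": self.device_id,
                                 "encrypted": sensitive, "payload": payload})

    def receive(self, msg: dict) -> bytes:
        return unseal(self._ka, msg["payload"]) if msg["encrypted"] else msg["payload"]

def demo():
    """One full session for a constructed user Ua/Pa; returns what each side ends up with."""
    db = UserDatabase({"Ua": "Pa-constructed-password"})
    gw = EncryptionGateway(db)
    term = Terminal("Ua", "Pa-constructed-password", "dev-1")
    ka_prime_on_air = term.negotiate(gw)
    try:                                   # a listener holds Ka' but not Pa: the tag check fails
        unseal(password_key("wrong-guess", "Ua"), ka_prime_on_air)
        listener_got_ka = True
    except ValueError:
        listener_got_ka = False
    uplink = term.send(gw, b"bank login form", sensitive=True)   # ciphertext on the air
    browse = term.send(gw, b"GET /news", sensitive=False)        # plaintext passthrough
    downlink = term.receive(gw.to_terminal("Ua", "dev-1", b"account balance page"))
    return uplink, browse, downlink, listener_got_ka
```

Because Ka' is wrapped under a key derived from the login password, a captured Ka' can be tested against candidate passwords offline; the PBKDF2 iteration count and the strength of Pa are what limit that, which is why the example does not use the raw password bytes as the wrapping key.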
With encrypt that gateway is mutual and consult to obtain session key before, terminal equipment can also carry out and encrypt the pretreatment operation that gateway connects so that follow-up terminal equipment to the encryption gateway that has connected alternately to obtain the session key of secure communication.
Fig. 4 is a flow chart of embodiment three of the wireless network secure communication method of the present invention. As shown in Fig. 4, before step 201 of Fig. 3 above, the method of the present embodiment may further comprise:
Step 2020: obtain an access request message for connecting to the Internet through the wireless network.
Step 2021: according to the access request message, start searching for the encryption gateway provided on the network side.
Step 2022: if one is found, send a connection request message to the encryption gateway.
Step 2023: receive the connection response message fed back by the encryption gateway.
The encryption agent module of the mobile terminal can monitor the connection mode used by the user's terminal equipment and, in some cases, whether that connection mode is secure and whether secure communication processing is needed. That is, when the terminal equipment connects to the Internet through a wireless network, the encryption agent module can judge whether the connection is secure. To simplify the processing, the present embodiment uses whether the Internet connection through the wireless network is free (open) access as the criterion for judging security; other embodiments may use other conditions to judge whether the communication is secure. If the encryption agent module detects that the terminal equipment is connecting to the network in a mode that has no security mechanism, for example through a free WiFi connection, the encryption agent module can start the encryption preprocessing operation, specifically: the encryption agent module starts searching for the encryption gateway provided by the operator on the network side; if one is found, it sends a connection request to the found encryption gateway; after the encryption gateway responds to the connection request, a key negotiation communication connection is established between the encryption gateway and the terminal equipment. The terminal equipment can then send an encrypted communication request message, carrying the user's user account, to the encryption gateway that returned the connection response message. After receiving the encrypted communication request message, the encryption gateway can obtain the session keys by interacting with the network-side user database; the process of obtaining the session keys can be handled by the method described in embodiment one of the present invention above, and is not repeated here.
Before the encryption agent module sends the encrypted communication request message to the encryption gateway, that is, while it is starting the search for the encryption gateway provided by the operator on the network side, the encryption agent module can also suspend the ongoing network communication data flows on the terminal equipment, for example by suspending the user terminal equipment's other network connection or usage behaviour, so that the communicated traffic cannot be obtained improperly. After the session key has been obtained through the started encryption preprocessing operation, the suspended network communication data flows can be resumed, and the resumed network communication data flows are encrypted or decrypted with the obtained session key, thereby guaranteeing the security of the user's ongoing communication.
On the basis of the technical effects achieved by the embodiment shown in Fig. 3 above, the present embodiment further starts searching for the encryption gateway provided on the network side according to the access request message obtained from the terminal equipment, and establishes a connection between the found encryption gateway and the terminal equipment, so that the terminal equipment can subsequently interact with the connected encryption gateway to negotiate and obtain the session key.
Fig. 5 is a schematic structural diagram of an embodiment of the encryption gateway of the present invention. As shown in Fig. 5, the encryption gateway of the present embodiment comprises an acquisition module 30 and a processing module 31. The acquisition module 30 is used to obtain the encrypted communication request message sent by the terminal equipment when accessing the wireless network, the encrypted communication request message comprising the user's user account, and to obtain the first session key and second session key corresponding to the user account according to the encrypted communication request message, where the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account. The processing module 31 is used to send the second session key to the terminal equipment and to encrypt or decrypt the data messages communicated with the terminal equipment using the first session key.
Specifically, when the acquisition module 30 of the encryption gateway receives the encrypted communication request message sent by the user-side terminal equipment, it parses out the user account carried in it and can interact with the user database provided by the network-side operator according to the request message, for example by sending the user database a key request message carrying the user account. The user database generates the first session key according to the key request message, looks up the corresponding user login password according to the user account, encrypts the first session key with that user login password to obtain the second session key, and feeds the first session key and the second session key back to the corresponding encryption gateway. The encryption gateway keeps the first session key itself and returns the second session key to the terminal equipment that sent the encrypted communication request message; the terminal equipment can then decrypt the second session key with its user login password to obtain the first session key used for secure communication. Thus both the encryption gateway and the terminal equipment hold the first session key for encrypting or decrypting the communication data messages, and when the encryption gateway communicates with the terminal equipment, its processing module 31 can encrypt and decrypt the communication data with the first session key, guaranteeing the security of the user's communication.
The present embodiment can be used to carry out the technical scheme of embodiment one shown in Fig. 1 above; its operating principle and the technical effect achieved are similar, and the details are not repeated here.
Fig. 6 is a schematic structural diagram of an embodiment of the terminal equipment of the present invention. As shown in Fig. 6, the terminal equipment of the present embodiment comprises an encryption agent module 40 and a communication processing module 41. The encryption agent module 40 is used to send an encrypted communication request message through the wireless network to the encryption gateway, the encrypted communication request message comprising the user's user account; to receive the second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request message; and to decrypt the second session key with the user login password corresponding to the user account to obtain the first session key. The communication processing module 41 is used to encrypt or decrypt the data messages communicated with the encryption gateway using the first session key.
Specifically, when the encryption agent module 40 of the terminal equipment detects that the terminal equipment is connecting to the Internet through a wireless network, it starts the operation of searching for the network-side encryption gateway, so as to negotiate with the encryption gateway and obtain the session key for the user's secure communication. The communication processing module 41 uses the first session key obtained by the encryption agent module 40 to encrypt or decrypt the data messages communicated with the network-side encryption gateway. In a specific application, the encryption agent module 40 is also used to obtain the access request message for connecting to the Internet through the wireless network; to start searching for the encryption gateway provided on the network side according to the access request message; if one is found, to send a connection request message to the encryption gateway; and to receive the connection response message fed back by the encryption gateway. The encryption agent module can thus determine from the connection response message that the connection with the encryption gateway has been established, and can then send the encrypted communication request message through the wireless network to the connected encryption gateway.
Specifically, when the encryption agent module 40 learns that the terminal equipment is accessing the Internet through a wireless network, it starts the operation of searching for the network-side encryption gateway and sends a connection request to the found encryption gateway to connect with it; it then sends the encrypted communication request message to the connected encryption gateway. After receiving the second session key that the encryption gateway feeds back according to the encrypted communication request message, it decrypts the second session key with the user login password to obtain the first session key used for communication, so that the communication processing module 41 can communicate securely with the processing module 31 of the encryption gateway using this first session key.
In practice, the encryption agent module 40 described above is also used to judge whether the Internet connection through the wireless network is free access; if so, it sends the encrypted communication request message to the found network-side encryption gateway and suspends the ongoing network communication data flows. The communication processing module 41 is also used to resume the suspended network communication data flows through communication with the encryption gateway, and to encrypt or decrypt the resumed network communication data flows using the first session key.
The present embodiment can be used to carry out the technical scheme of the embodiments shown in Fig. 3 or Fig. 4 above; its operating principle and the technical effect achieved are similar, and the details are not repeated here.
Fig. 7 is a schematic structural diagram of the wireless network secure communication system of the present invention. As shown in Fig. 7, the wireless network secure communication system of the present embodiment comprises an encryption gateway on the network side and terminal equipment in the user-side wireless network. The encryption gateway may be the encryption gateway of the embodiment shown in Fig. 5, or, in addition to performing the functions of the embodiment shown in Fig. 5, it may also have the functions of a BAS server. When the encryption gateway has the functions of a BAS server, it can connect the communication of the terminal equipment directly to the Internet; when the encryption gateway only has the functions of obtaining the session keys and encrypting, decrypting and forwarding data, it accesses the Internet through the BAS server. In Fig. 7 the user-side WiFi AP may be the hotspot through which the user terminal equipment accesses the network over the wireless network, such as a WiFi AP provided in a public place or in the user's home network, or a WiFi transmitter formed by a wireless modem. The terminal equipment may be the terminal equipment shown in Fig. 6. For the terminal equipment to communicate securely, the encryption agent application program is first downloaded from the carrier network to the terminal equipment; subsequently, when the terminal equipment needs secure communication, the encryption agent can start searching for the network-side encryption gateway and negotiate with the encryption gateway the session key used for secure communication. In the present embodiment, the communication between the terminal equipment and the encryption gateway is ciphertext encrypted with the first session key of any of the embodiments above; therefore the user data communicated on the wireless channel or through the WiFi AP is all ciphertext, thereby avoiding the potential safety hazard present in existing wireless communication.
Fig. 8 is a signalling diagram of the interaction between the devices of the embodiment shown in Fig. 7. As shown in Fig. 8, when the terminal equipment connects to the Internet through the wireless network, its encryption agent finds the encryption gateway for it and requests a connection, and the encryption gateway responds to the connection request. The encryption agent then sends an encrypted communication application to the encryption gateway; according to this application, the encryption gateway applies to the user database for the session keys, and the user database returns the session keys to the encryption gateway. The encryption gateway then distributes the session key to the terminal equipment, that is, as described in the embodiments above, it keeps the first session key itself and returns the second session key to the terminal equipment. The terminal equipment subsequently decrypts the second session key to obtain the first session key, so that the terminal equipment and the encryption gateway can communicate securely using the first session key they both hold.
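The Fig. 8 exchange simulated end to end, as an added example that is not the patent's own code: the user database generates the first session key K1 and wraps it under the login password as K2, the gateway keeps K1 and returns K2, the terminal unwraps K2 with its password, and the two sides then exchange data messages carrying the ciphertext flag of claim 8 and the suspend/resume of claims 9 and 16. The patent specifies no cipher, so the HMAC-SHA256 stand-in cipher, the PBKDF2 stretching of the password (added because K2 travels over an open hotspot and is only as strong as the password that wraps it), the one-byte message flag and all names and credentials below are assumptions.

```python
"""Added example, not the patent's code: offline simulation of the session-key
distribution of CN102695168A. Assumed (the patent specifies none of it): HMAC-SHA256
stand-in cipher, PBKDF2 stretching of the login password, one-byte message flag."""
import hashlib
import hmac
import os
import secrets

FLAG_PLAINTEXT, FLAG_CIPHERTEXT = b"\x00", b"\x01"
SENSITIVE_KEYWORDS = (b"bank", b"password", b"account")  # constructed sample list

def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag before decrypting; a wrong key or a modified blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)

def password_key(password, account):
    """Stretch the user login password into the key that wraps K1 (assumed step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 100_000)

class EncryptionGateway:
    """Keeps K1 per terminal, hands out K2, relays data between terminal and Internet."""
    def __init__(self, passwords):
        self._passwords, self._sessions, self.internet_out = passwords, {}, []

    def encrypted_comm_request(self, terminal_id, account):
        k1 = secrets.token_bytes(32)  # user database step: generate the first session key
        k2 = seal(password_key(self._passwords[account], account), k1)  # and wrap it as K2
        self._sessions[terminal_id] = k1  # K1 stays here; only K2 crosses the air
        return k2

    def from_terminal(self, terminal_id, frame):
        flag, body = frame[:1], frame[1:]
        plain = unseal(self._sessions[terminal_id], body) if flag == FLAG_CIPHERTEXT else body
        self.internet_out.append(plain)  # forwarded to the Internet in the clear
        return plain

    def to_terminal(self, terminal_id, internet_msg):
        return FLAG_CIPHERTEXT + seal(self._sessions[terminal_id], internet_msg)

class TerminalEquipment:
    """Encryption agent module (negotiate, suspend/resume) plus communication processing."""
    def __init__(self, terminal_id, account, password):
        self.id, self.account, self._password = terminal_id, account, password
        self._k1, self._suspended = None, []

    def negotiate(self, gateway):
        k2 = gateway.encrypted_comm_request(self.id, self.account)
        try:
            self._k1 = unseal(password_key(self._password, self.account), k2)
        except ValueError:  # wrong login password: K2 cannot be unwrapped, no session
            return False
        return True

    def send(self, gateway, msg, force_secure=False):
        if self._k1 is None:  # still negotiating: hold the flow instead of sending it
            self._suspended.append(msg)
            return None
        secure = force_secure or any(k in msg.lower() for k in SENSITIVE_KEYWORDS)
        frame = FLAG_CIPHERTEXT + seal(self._k1, msg) if secure else FLAG_PLAINTEXT + msg
        gateway.from_terminal(self.id, frame)
        return frame  # what actually goes over the air

    def on_internet_access(self, gateway, free_wifi):
        """Fig. 4 pre-processing: on an open hotspot negotiate, then resume held flows encrypted."""
        if not free_wifi or not self.negotiate(gateway):
            return []
        held, self._suspended = self._suspended, []
        return [self.send(gateway, m, force_secure=True) for m in held]

    def receive(self, frame):
        return unseal(self._k1, frame[1:]) if frame[:1] == FLAG_CIPHERTEXT else frame[1:]

def run_demo():
    """Constructed walk-through of the Fig. 8 signalling; returns checkable results."""
    gw = EncryptionGateway({"alice": "correct horse battery"})  # constructed credentials
    te = TerminalEquipment("te-1", "alice", "correct horse battery")
    te.send(gw, b"GET /news")  # held: no session key yet
    resumed = te.on_internet_access(gw, free_wifi=True)
    bank = te.send(gw, b"POST /bank login=alice password=hunter2")
    news = te.send(gw, b"GET /weather")
    down = te.receive(gw.to_terminal("te-1", b"HTTP/1.1 200 OK"))
    other = TerminalEquipment("te-2", "alice", "not-the-password")
    return {"keys_match": te._k1 == gw._sessions["te-1"], "downlink": down,
            "resumed_flags": [f[:1] for f in resumed], "bank_flag": bank[:1],
            "news_flag": news[:1], "gateway_saw": gw.internet_out,
            "wrong_password_rejected": not other.negotiate(gw)}
```

Calling `run_demo()` shows the held flow leaving encrypted after negotiation, the banking request flagged as ciphertext and the weather request as plaintext, and a terminal with the wrong login password ending up with no session key.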
The present embodiment can be used to carry out the technical scheme of any of the embodiments above; its operating principle and the technical effect achieved are similar, and the details are not repeated here.
One of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be accomplished by program instructions controlling the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium comprises various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above are only intended to explain the technical scheme of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical schemes recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical scheme to depart from the scope of the technical schemes of the embodiments of the present invention.

Claims (17)

1. A wireless network secure communication method, characterized in that it comprises:
obtaining an encrypted communication request message sent by terminal equipment when accessing a wireless network, the encrypted communication request message comprising a user's user account;
obtaining a first session key and a second session key corresponding to the user account according to the encrypted communication request message, wherein the second session key is obtained by encrypting the first session key with a user login password corresponding to the user account;
sending the second session key to the terminal equipment, and encrypting or decrypting data messages communicated with the terminal equipment using the first session key.
2. The method according to claim 1, characterized in that obtaining the first session key and second session key corresponding to the user account according to the encrypted communication request message comprises:
obtaining the user account carried in the encrypted communication request message;
sending a key request message to a user database, the key request message comprising the user account;
receiving the first session key and second session key corresponding to the user account returned by the user database.
3. The method according to claim 1 or 2, characterized in that encrypting or decrypting data messages communicated with the terminal equipment using the first session key comprises:
encrypting Internet data messages with the first session key and then sending them to the terminal equipment; and
decrypting encrypted data messages sent by the terminal equipment with the first session key and then sending them to the Internet.
4. The method according to claim 1 or 2, characterized in that the wireless network uses a WiFi connection mode to access the network.
5. A wireless network secure communication method, characterized in that it comprises:
sending an encrypted communication request message through a wireless network to an encryption gateway, the encrypted communication request message comprising a user's user account;
receiving a second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request message, and decrypting the second session key with a user login password corresponding to the user account to obtain a first session key;
encrypting or decrypting data messages communicated with the encryption gateway using the first session key.
6. The method according to claim 5, characterized in that, before sending the encrypted communication request message through the wireless network to the encryption gateway, the method further comprises:
obtaining an access request message for connecting to the Internet through the wireless network;
starting to search for the encryption gateway provided on the network side according to the access request message;
if one is found, sending a connection request message to the encryption gateway;
receiving a connection response message fed back by the encryption gateway;
correspondingly, sending the encrypted communication request message through the wireless network to the encryption gateway is specifically:
sending the encrypted communication request message through the wireless network to the encryption gateway that fed back the connection response message.
7. The method according to claim 5 or 6, characterized in that encrypting or decrypting data messages communicated with the encryption gateway using the first session key comprises:
encrypting a data message to be sent with the first session key and then sending it to the encryption gateway, so that the encryption gateway decrypts the encrypted data message and then sends it to the Internet; and
decrypting, with the first session key, received Internet data messages that have been encrypted by the encryption gateway.
8. The method according to claim 7, characterized in that, before encrypting or decrypting data messages communicated with the encryption gateway using the first session key, the method further comprises:
deciding whether to perform encryption according to the security requirement of the data message to be sent; if the data message to be sent is security-sensitive data, encrypting or decrypting the data messages communicated with the encryption gateway using the first session key, and sending the encryption gateway a flag indicating that the data message has been encrypted, so that the encryption gateway determines from the flag that the corresponding data message is ciphertext.
9. The method according to claim 5 or 6, characterized in that, before sending the encrypted communication request message through the wireless network to the encryption gateway, the method further comprises:
judging whether the Internet connection through the wireless network is free access, and if so, sending the encrypted communication request message through the wireless network to the encryption gateway and suspending ongoing network communication data flows;
correspondingly, after decrypting the second session key with the user login password corresponding to the user account to obtain the first session key, the method further comprises:
resuming the suspended network communication data flows through communication with the encryption gateway, and encrypting or decrypting the resumed network communication data flows using the first session key.
10. An encryption gateway, characterized in that it comprises:
an acquisition module, used to obtain an encrypted communication request message sent by terminal equipment when accessing a wireless network, the encrypted communication request message comprising a user's user account, and to obtain a first session key and a second session key corresponding to the user account according to the encrypted communication request message, wherein the second session key is obtained by encrypting the first session key with a user login password corresponding to the user account;
a processing module, used to send the second session key to the terminal equipment and to encrypt or decrypt data messages communicated with the terminal equipment using the first session key.
11. The encryption gateway according to claim 10, characterized in that the acquisition module is specifically used to obtain the user account carried in the encrypted communication request message; send a key request message comprising the user account to a user database; and receive the first session key and second session key corresponding to the user account returned by the user database.
12. The encryption gateway according to claim 10 or 11, characterized in that the processing module is specifically used to send the second session key to the terminal equipment, to encrypt Internet data messages with the first session key and then send them to the terminal equipment, and to decrypt encrypted data messages sent by the terminal equipment with the first session key and then send them to the Internet.
13. Terminal equipment, characterized in that it comprises:
an encryption agent module, used to send an encrypted communication request message through a wireless network to an encryption gateway, the encrypted communication request message comprising a user's user account; to receive a second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request message; and to decrypt the second session key with a user login password corresponding to the user account to obtain a first session key;
a communication processing module, used to encrypt or decrypt data messages communicated with the encryption gateway using the first session key.
14. The terminal equipment according to claim 13, characterized in that the encryption agent module is also used to obtain an access request message for connecting to the Internet through the wireless network; start searching for the encryption gateway provided on the network side according to the access request message; if one is found, send a connection request message to the encryption gateway; and receive the connection response message fed back by the encryption gateway, so as to send the encrypted communication request message through the wireless network to the encryption gateway that fed back the connection response message.
15. The terminal equipment according to claim 13 or 14, characterized in that the communication processing module is specifically used to encrypt a data message to be sent with the first session key and then send it to the encryption gateway, so that the encryption gateway decrypts the encrypted data message and then sends it to the Internet; and to decrypt, with the first session key, received Internet data messages that have been encrypted by the encryption gateway.
16. The terminal equipment according to claim 13 or 14, characterized in that the encryption agent module is also used to judge whether the Internet connection through the wireless network is free access, and if so, to send the encrypted communication request message through the wireless network to the encryption gateway and suspend ongoing network communication data flows;
the communication processing module is also used to resume the suspended network communication data flows through communication with the encryption gateway, and to encrypt or decrypt the resumed network communication data flows using the first session key.
17. A wireless network secure communication system, characterized in that it comprises the encryption gateway according to any one of claims 10 to 12 and, in a wireless network, the terminal equipment according to any one of claims 13 to 16.
CN201210158887.8A 2012-05-21 2012-05-21 Terminal equipment, encrypted gateway and method and system for wireless network safety communication Active CN102695168B (en)

Publications (2)

Publication Number Publication Date
CN102695168A true CN102695168A (en) 2012-09-26
CN102695168B CN102695168B (en) 2015-03-25

Family

ID=46860418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210158887.8A Active CN102695168B (en) 2012-05-21 2012-05-21 Terminal equipment, encrypted gateway and method and system for wireless network safety communication

Country Status (1)

Country Link
CN (1) CN102695168B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501494A (en) * 2013-10-14 2014-01-08 中国联合网络通信集团有限公司 Mobile hotspot terminal access method, mobile hotspot terminal and MME (mobile management entity)
CN104284329A (en) * 2014-09-27 2015-01-14 无锡市恒通智能交通设施有限公司 Client-side data encryption transmission method
CN104580086A (en) * 2013-10-17 2015-04-29 腾讯科技(深圳)有限公司 Information transmission method, client side, server and system
CN105307160A (en) * 2015-09-29 2016-02-03 北京元心科技有限公司 Data transmission method and device by use of Wi-Fi network
CN105338524A (en) * 2014-07-28 2016-02-17 阿里巴巴集团控股有限公司 Information transmission method and device
CN106209756A (en) * 2015-06-01 2016-12-07 华为技术有限公司 Password update method, subscriber equipment, subscriber location servers and territory router
WO2017206125A1 (en) * 2016-06-01 2017-12-07 华为技术有限公司 Network connection method, and secure node determination method and device
CN110495135A (en) * 2017-04-14 2019-11-22 三菱电机株式会社 Key management system, communication equipment and key sharing method
CN111768162A (en) * 2019-04-02 2020-10-13 上海观创智能科技有限公司 Enterprise office management system and method
CN111917545A (en) * 2020-08-18 2020-11-10 中国银行股份有限公司 Key management method, device and system based on local area network
CN112632625A (en) * 2020-12-31 2021-04-09 深圳昂楷科技有限公司 Database security gateway system, data processing method and electronic equipment
CN113114648A (en) * 2021-04-01 2021-07-13 山东高云半导体科技有限公司 Method and device for realizing encrypted communication
CN113572591A (en) * 2020-04-28 2021-10-29 北京科东电力控制系统有限责任公司 Real-time high-concurrency safety access device and access method for intelligent energy service system
CN114520730A (en) * 2020-11-20 2022-05-20 腾讯科技(深圳)有限公司 Data transmission method, device, system, computer equipment and storage medium
CN114915435A (en) * 2021-02-09 2022-08-16 网联清算有限公司 Service data access method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101137123A (en) * 2007-04-09 2008-03-05 中兴通讯股份有限公司 Encrypted group calling, individual calling, and dynamic restructuring call implementing method of cluster system
WO2008113299A1 (en) * 2007-03-22 2008-09-25 Huawei Technologies Co., Ltd. Authentication and secret key negotiation method, certification method, system and device
CN101296086A (en) * 2008-06-18 2008-10-29 华为技术有限公司 Method, system and device for access authentication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008113299A1 (en) * 2007-03-22 2008-09-25 Huawei Technologies Co., Ltd. Authentication and secret key negotiation method, certification method, system and device
CN101137123A (en) * 2007-04-09 2008-03-05 中兴通讯股份有限公司 Encrypted group calling, individual calling, and dynamic restructuring call implementing method of cluster system
CN101296086A (en) * 2008-06-18 2008-10-29 华为技术有限公司 Method, system and device for access authentication

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501494B (en) * 2013-10-14 2016-08-10 中国联合网络通信集团有限公司 Mobile hot terminal cut-in method, mobile hot terminal and mobile management entity
CN103501494A (en) * 2013-10-14 2014-01-08 中国联合网络通信集团有限公司 Mobile hotspot terminal access method, mobile hotspot terminal and MME (mobile management entity)
CN104580086A (en) * 2013-10-17 2015-04-29 腾讯科技(深圳)有限公司 Information transmission method, client side, server and system
CN105338524A (en) * 2014-07-28 2016-02-17 阿里巴巴集团控股有限公司 Information transmission method and device
CN104284329A (en) * 2014-09-27 2015-01-14 无锡市恒通智能交通设施有限公司 Client-side data encryption transmission method
CN106209756B (en) * 2015-06-01 2019-08-13 华为技术有限公司 Password update method, user equipment, subscriber location servers and domain router
CN106209756A (en) * 2015-06-01 2016-12-07 华为技术有限公司 Password update method, subscriber equipment, subscriber location servers and territory router
CN105307160A (en) * 2015-09-29 2016-02-03 北京元心科技有限公司 Data transmission method and device by use of Wi-Fi network
US10841792B2 (en) 2016-06-01 2020-11-17 Huawei Technologies Co., Ltd. Network connection method, method for determining security node, and apparatus
CN109155913A (en) * 2016-06-01 2019-01-04 华为技术有限公司 The determination method and device of method for connecting network, security node
WO2017206125A1 (en) * 2016-06-01 2017-12-07 华为技术有限公司 Network connection method, and secure node determination method and device
CN109155913B (en) * 2016-06-01 2021-05-18 华为技术有限公司 Network connection method, and method and device for determining security node
CN110495135A (en) * 2017-04-14 2019-11-22 三菱电机株式会社 Key management system, communication equipment and key sharing method
CN110495135B (en) * 2017-04-14 2022-06-28 三菱电机株式会社 Key management system, communication device, and key sharing method
CN111768162A (en) * 2019-04-02 2020-10-13 上海观创智能科技有限公司 Enterprise office management system and method
CN113572591A (en) * 2020-04-28 2021-10-29 北京科东电力控制系统有限责任公司 Real-time high-concurrency safety access device and access method for intelligent energy service system
CN113572591B (en) * 2020-04-28 2023-09-29 北京科东电力控制系统有限责任公司 Real-time high concurrency safety access device and access method for intelligent energy service system
CN111917545A (en) * 2020-08-18 2020-11-10 中国银行股份有限公司 Key management method, device and system based on local area network
CN114520730A (en) * 2020-11-20 2022-05-20 腾讯科技(深圳)有限公司 Data transmission method, device, system, computer equipment and storage medium
CN114520730B (en) * 2020-11-20 2023-06-20 腾讯科技(深圳)有限公司 Data transmission method, device, system, computer equipment and storage medium
CN112632625A (en) * 2020-12-31 2021-04-09 深圳昂楷科技有限公司 Database security gateway system, data processing method and electronic equipment
CN114915435A (en) * 2021-02-09 2022-08-16 网联清算有限公司 Service data access method and system
CN114915435B (en) * 2021-02-09 2024-03-19 网联清算有限公司 Service data access method and system
CN113114648A (en) * 2021-04-01 2021-07-13 山东高云半导体科技有限公司 Method and device for realizing encrypted communication

Also Published As

Publication number Publication date
CN102695168B (en) 2015-03-25

Similar Documents

Publication Title
CN102695168A (en) Terminal equipment, encrypted gateway and method and system for wireless network safety communication
Datta et al. A survey on IoT architectures, protocols, security and smart city based applications
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
JP6837609B1 (en) Systems and methods for end-to-end secure communication in device-to-device communication networks
CN101651682B (en) Method, system and device of security certificate
EP3057351B1 (en) Access method, system, and device of terminal, and computer storage medium
EP3131322B1 (en) Virtual card downloading method and terminal
CN104270250B (en) WiFi internets online connection authentication method based on asymmetric whole encryption
CN103929748A (en) Internet of things wireless terminal, configuration method thereof and wireless network access point
CN104580086A (en) Information transmission method, client side, server and system
US20140380443A1 (en) Network connection in a wireless communication device
CN101742508A (en) System and method for transmitting files between WAPI terminal and application server
CN102739642A (en) Permitting access to a network
CN105337740A (en) Identity verification method, client, relay device and server
CN102638459A (en) Authentication information transmission system, authentication information transmission service platform and authentication information transmission method
KR101835640B1 (en) Method for authentication of communication connecting, gateway apparatus thereof, and communication system thereof
CN102143492B (en) Method for establishing virtual private network (VPN) connection, mobile terminal and server
WO2015117351A1 (en) Wifi connection method, device and system, and computer storage medium
CN106452999B (en) Intelligent household appliance and method and device for safely accessing intelligent household appliance
CN110191052A (en) Across the protocol network transmission method of one kind and system
CA2838244C (en) Establishing communications with a secure network
CN110166410B (en) Method and terminal for safely transmitting data and multimode communication terminal
CN107172616A (en) Apparatus and method for connecting mobile device and field apparatus
EP3320648A1 (en) Two-user authentication
WO2008010857A2 (en) System and method for secure network browsing

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant