CN104168565A - Method for controlling safe communication of intelligent terminal under undependable wireless network environment - Google Patents


Info

Publication number
CN104168565A
Authority
CN (China)
Prior art keywords
network access
access device
intelligent terminal
wireless network
internet
Legal status
Pending
Application number
CN201410397121.4A
Other languages
Chinese (zh)
Inventor
韩洪慧
Current assignee
Individual
Original assignee
Individual

Abstract

The invention provides a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment. The method is used for secure communication when the intelligent terminal accesses the Internet through a second network access device. The method comprises the following steps: first, a verification request is sent to the second network access device through a first wireless network access device; second, if the second network access device passes the verification request, request information for accessing the Internet is sent to the second network access device through the first wireless network access device, wherein the request information is encrypted; third, feedback information from the second network access device is received, wherein the feedback information comprises the intermediate reply information returned to the second network access device by the server or device that was requested through the request information, and wherein the feedback information is encrypted.

Description

Method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment
Technical field
The present invention relates to the computer field, in particular to computer and information security technology, and more particularly to a method and a corresponding device for controlling secure communication of an intelligent terminal in an untrusted wireless network environment.
Background art
With the development of science and technology, people rely more and more on the Internet in daily life, work and study, and with the rapid progress of Internet technology, wireless networks are present everywhere in daily life: home Wi-Fi, office Wi-Fi, and the free Wi-Fi offered by libraries, coffee shops and the like. In these networks the access point (AP) is connected by network cable to an ONU or switch, which in turn is connected by optical fibre to an aggregation-layer switch, so that today we can enjoy going online in most public places. However, precisely because Wi-Fi hotspots have become the interface through which users access the network, the security of that Wi-Fi becomes ever more important. In one preferred variant, most current intelligent terminals can perform online shopping, mobile banking, mobile money transfers and network communication; once the network environment we are in carries a hidden security risk, the personal information on the intelligent terminal is likely to be leaked, further causing serious property loss. Moreover, some illegitimate operators, for their own private gain or to obtain other people's security information, may attack or intercept a wireless network whose security is relatively weak, redirect the websites the intelligent terminal visits to malicious or fake sites, or tamper with the response data returned to the intelligent terminal and reconstruct the network resource. Access through Wi-Fi hotspots therefore faces a serious challenge: in a malicious or fake Wi-Fi environment our online activity has no guarantee whatsoever, and no security at all.
The present invention addresses these hidden wireless security risks by providing a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment. Specifically, the invention uses cryptographic algorithms to communicate with a valid, secure trusted node, and through it with the Internet, so that even in an untrusted Wi-Fi environment attacks by others can be resisted and data leakage effectively prevented, thus providing a secure online environment.
Summary of the invention
In view of the defect in the prior art that the network access equipment may be an untrusted device, the object of the present invention is to provide a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment. It is used for secure communication when an intelligent terminal accesses the Internet through a second network access device, and specifically comprises the following steps:
a. sending a verification request to the second network access device through a first wireless network access device;
b. if the second network access device passes the verification request, sending request information for accessing the Internet to the second network access device through the first wireless network access device, the request information being encrypted information;
c. receiving feedback information from the second network access device, the feedback information comprising the intermediate response information returned to the second network access device by the server or device requested by the request information, the feedback information being encrypted information.
Further, according to the control method, the step of sending the request information for accessing the Internet to the second network access device through the first wireless network access device comprises the following steps:
b1. establishing an encrypted channel between the intelligent terminal and the second network access device;
b2. sending the request information for accessing the Internet through the encrypted channel.
Preferably, a control device in an intelligent terminal for secure communication of the intelligent terminal in an untrusted wireless network environment, used for secure communication when the intelligent terminal accesses the Internet through a second network access device, comprises:
a first sending device, for sending a verification request to the second network access device through the first wireless network access device;
a second sending device, for sending, when the second network access device passes the verification request, request information for accessing the Internet to the second network access device through the first wireless network access device, wherein the request information is encrypted information; and
a first receiving device, for receiving feedback information from the second network access device, the feedback information comprising the intermediate response information returned to the second network access device by the server or device requested by the request information, the feedback information being encrypted information.
Preferably, the second sending device comprises:
a first processing device, for establishing an encrypted channel between the intelligent terminal and the second network access device; and
a third sending device, for sending the request information for accessing the Internet through the encrypted channel.
Preferably, the encrypted channel is any of the following channels:
- an SSL encrypted channel;
- an IPsec encrypted channel.
According to another aspect of the present invention, an auxiliary control method for secure communication of an intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through a second network access device, comprises the following steps:
i. receiving request information forwarded through a first wireless network access device, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device;
ii. decrypting the request information to obtain the destination address and related information of the Internet resource that the request information accesses;
iii. packaging the destination address and related information and sending them to the destination address;
iv. receiving intermediate response information from the destination address;
v. encrypting the intermediate response information to obtain feedback information;
vi. sending the feedback information to the first wireless network access device, so that the first wireless network access device forwards the feedback information to the intelligent terminal.
Preferably, an auxiliary control device in a second network access device for secure communication of an intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through the second network access device, comprises:
a fourth receiving device, for receiving request information forwarded through a first wireless network access device, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device;
a fourth decryption device, for decrypting the request information to obtain the destination address and related information of the Internet resource that the request information accesses;
a fourth processing device, for packaging the destination address and related information and sending them to the destination address;
a fifth receiving device, for receiving intermediate response information from the destination address;
a fourth encryption device, for encrypting the intermediate response information to obtain feedback information; and
a fourth sending device, for sending the feedback information to the first wireless network access device, so that the first wireless network access device forwards the feedback information to the intelligent terminal.
Preferably, the encrypted information is realised by an asymmetric encryption mechanism, and the private key of the intelligent terminal is stored in the intelligent terminal.
Preferably, the second network access device is any of the following devices:
- a Wi-Fi access point;
- a wired network access device.
Preferably, the second network access device has a fixed IP address.
The present invention establishes a trusted node in the existing network and sets up an encrypted channel between the intelligent terminal and that trusted node; further, when the intelligent terminal is connected to the trusted node, man-in-the-middle attacks can be resisted and the data is protected from network interception. Further, when the intelligent terminal accesses an untrusted Wi-Fi network, it first finds the configured trusted node, performs mutual strong identity authentication with it and establishes an encrypted data channel. When the intelligent terminal then needs to access a network resource, it does not connect and send directly over the untrusted Wi-Fi network, but sends the access request to the trusted node through the encrypted data channel already established. Further, the trusted node receives the request from the intelligent terminal and sends the request on to the network resource. Finally, the information returned by the real network resource is sent by the trusted node to the intelligent terminal through the encrypted data channel, achieving the goal of secure access to network resources by the intelligent terminal.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent on reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 shows, according to a specific embodiment of the present invention, a schematic flow chart of a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment;
Fig. 2 shows, according to a specific embodiment of the present invention, a schematic flow chart of sending the request information for accessing the Internet to the second network access device through the first wireless network access device;
Fig. 3 shows, according to a specific embodiment of the present invention, a schematic flow chart of an auxiliary control method for secure communication of an intelligent terminal in an untrusted wireless network environment;
Fig. 4 shows, according to a specific embodiment of the present invention, a flow block diagram of a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment;
Fig. 5 shows, according to a specific embodiment of the present invention, a flow topology diagram of a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment; and
Fig. 6 shows, according to a specific embodiment of the present invention, a schematic diagram of secure communication of an intelligent terminal in an untrusted wireless network environment.
Embodiment
In order to present the technical solution of the present invention more clearly, the invention is further described below with reference to the accompanying drawings.
Those skilled in the art will understand that the present invention provides a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment by establishing a trusted node in the existing network; further, when the intelligent terminal is connected to the trusted node, man-in-the-middle attacks can be resisted and the data is protected from network interception. When the intelligent terminal accesses an untrusted Wi-Fi network, it first finds the configured trusted node, performs strong identity authentication and establishes an encrypted data channel. Further, when the intelligent terminal needs to access a network resource, it sends the access request to the trusted node through the established encrypted data channel. Further, the trusted node receives the request from the intelligent terminal and sends it on to the network resource. Finally, the information returned by the real network resource is sent by the trusted node through the encrypted data channel to the intelligent terminal, achieving the goal that the intelligent terminal can access network resources securely in an untrusted wireless network.
Fig. 1 shows, according to a specific embodiment of the present invention, a schematic flow chart of a method for controlling secure communication of an intelligent terminal in an untrusted wireless network environment. Those skilled in the art will understand that when the control method is used for secure communication while an intelligent terminal accesses the Internet through a second network access device, it specifically comprises the following steps:
First, step S101 is entered: a verification request is sent to the second network access device through the first wireless network access device. The first wireless network refers to an untrusted wireless network; using it may expose the terminal to harassment by rogue programs, unsafe provision of network resources and other unsafe factors. The first wireless network access device refers to the intelligent terminal we use, which may be a smartphone, notebook, tablet computer or the like. The second wireless network is a secure network with a fixed IP that is connected to the Internet by optical fibre; the external security proxy service of that network adopts the SSL protocol with two-way certificate verification. The second network access device refers to a switch that carries a trusted node; the trusted node certificate CertServ and its private key are provisioned in the trusted node of that device. Further, an APP application for secure connection is installed in the intelligent terminal; the APP is provisioned with the trusted node certificate CertServ, the terminal certificate CertClient and its private key. Specifically, the object of this step is to have the first wireless network access device and the second network access device establish a trusted connection through the APP, and to access the Internet through that trusted connection rather than directly through the first wireless network.
Specifically, a first sending device should be built into the first wireless network access device; its function is to send the verification request to the second network access device through the first wireless network access device. Further, the intelligent terminal first connects to the first wireless network via Wi-Fi, then uses the dedicated APP to attempt a connection to the specific IP of the second network access device, which may preferably be 202.13.234.18, and uses CertServ to verify whether the peer holds the corresponding private key, thereby verifying whether the peer is the trusted node. This method of certificate verification and private-key decryption belongs to existing knowledge and is not repeated here.
In a preferred variant, the IP may also be 202.13.234.50; further, those skilled in the art will understand that the fixed IP preferably adopts a fixed IP address, for example an IP address satisfying the 202.13.234.XX condition, and in other variants other IP addresses may be used, which does not affect the substance of the present invention.
Then step S102 is entered: if the second network access device passes the verification request, request information for accessing the Internet is sent to the second network access device through the first wireless network access device, the request information being encrypted information. Further, the object of step S102 is to encrypt the Internet request information when it is sent out, the encryption ensuring that the encrypted information is neither leaked nor stolen. Further, an encrypted channel is established between the intelligent terminal and the second network access device; the establishment of that encrypted channel is discussed in the embodiments and is not repeated here.
Specifically, the intelligent terminal encrypts the request information and further sends it, through the first network access device and the encrypted channel, to the access device of the second wireless network; the second network access device receives the encrypted request information for accessing the Internet.
In a preferred variant, the intelligent terminal can connect to the second network access device through many different channels. Specifically, the second wireless network may be provided with a plurality of different nodes, a node being an access device able to receive the encrypted information and the verification information, and the plurality of nodes are connected to the second network access device. Further, those skilled in the art will understand that arranging the second wireless network into nodes in this way is similar to downloading software in everyday Internet use, where the download can offer several choices, for example a Shanghai Telecom download or a Beijing Netcom download. Those skilled in the art will understand that this variant is one of the specific embodiments and does not affect the technical solution of the present invention.
Finally, step S103 is entered: feedback information from the second network access device is received, the feedback information comprising the intermediate response information returned to the second network access device by the server or device requested by the request information, the feedback information being encrypted information. The object of this step is to receive the feedback information, which is the information returned by the Internet resource requested by the request information, i.e. the response to the request information; in other words, to receive the information from the Internet.
Those skilled in the art will understand that a first receiving device should also be built into the first wireless network access device; it receives the feedback information from the second network access device, the feedback information comprising the intermediate response information returned to the second network access device by the server or device requested by the request information, the feedback information being encrypted information. Further, after step S103 is executed, the intelligent terminal takes the encrypted information and performs the decryption operation, finally obtaining the feedback information from the Internet. Specifically, the feedback information is sent to the intelligent terminal through the encrypted channel; the intelligent terminal receives from the second network access device the feedback information comprising the reply of the server or device requested by the request information, decrypts the feedback information with its private key, and then shows the decrypted feedback information on its display screen.
Fig. 2 shows, according to a specific embodiment of the present invention, a schematic flow chart of sending the request information for accessing the Internet to the second network access device through the first wireless network access device, which specifically comprises the following steps:
First, step S201 is entered: an encrypted channel is established between the intelligent terminal and the second network access device. Those skilled in the art will understand that, for secure communication while the intelligent terminal accesses the Internet through the second network access device, a second sending device should also be provided; its object is, when the second network access device passes the verification request, to send the request information for accessing the Internet to the second network access device through the first wireless network access device, the request information being encrypted information. Further, the second sending device should also comprise a first processing device, for establishing the encrypted channel between the intelligent terminal and the second network access device, and a third sending device, for sending the request information for accessing the Internet through the encrypted channel.
Specifically, the object of establishing an encrypted channel between the intelligent terminal and the second network access device is that, when the intelligent terminal and the second network access device communicate, the content of the communication is not stolen by others; the encrypted channel can guarantee that the communication accesses the Internet securely within the untrusted wireless network.
Specifically, after the verification request of step S101 passes, the request information sent by the intelligent terminal is encrypted and sent to the second network access device through the encrypted channel; the second network access device decrypts the encrypted information and obtains the original request information.
Then step S202 is entered: the request information for accessing the Internet is sent through the encrypted channel. Those skilled in the art will understand that the object of sending the request information through the encrypted channel is to let the original request information of the intelligent terminal reach the Internet in a secure environment.
Further, the request information here is the original request information obtained after decryption, and the access device of the second wireless network is connected directly to the Internet by optical fibre; the access is therefore an access with security guarantees.
Fig. 3 shows, according to a specific embodiment of the present invention, a schematic flow chart of an auxiliary control method for secure communication of an intelligent terminal in an untrusted wireless network environment. This flow mainly sets out the role played in the secure communication by the access device in the second wireless network, and mainly comprises the following steps:
First, step S301 is entered: request information forwarded through the first wireless network access device is received, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device. Specifically, after receiving the request information, the access device in the second wireless network decrypts it; the object of this step is to let the decrypted request information be received and answered by the Internet.
Further, a fourth receiving device should be provided in the access device in the second wireless network; its object is to receive the request information forwarded through the first wireless network access device, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device.
Then step S302 is entered: the request information is decrypted to obtain the destination address and related information of the Internet resource that the request information accesses. Specifically, the object of this step is to obtain, from the original request data, the destination address and related information that the intelligent terminal accesses.
Those skilled in the art will understand that a fourth decryption device should be provided in the second network access device; its function is to decrypt the request information and obtain the destination address and related information of the Internet resource that the request information accesses. Specifically, the request information is received by the fourth receiving device, and the fourth decryption device then obtains the destination address and related information of the Internet resource to be accessed.
Then step S303 is entered: the destination address and related information are packaged and sent to the destination address. Those skilled in the art will understand that packaging refers to packing the related information so as to facilitate communication. Further, the object of step S303 is to pack the destination address and related information and prevent the content from being intercepted and decoded by a third party.
Specifically, according to the packaging process, a fourth processing device should be provided in the second network access device; its function is to package the destination address and related information and send them to the destination address. Further, those skilled in the art will understand that the processing device has both a packaging function and a sending function.
Next, step S304 is entered: the intermediate response information from the destination address is received. Specifically, the intermediate response information refers to the information fed back by the Internet; that feedback information is determined by the request information, and the object of step S304 is to obtain, through the sequence of operations of encrypted channel, decryption, packaging and sending, the feedback information we need with security assurance.
Further, according to the embodiment of step S304, a fifth receiving device should be provided in the second network access device; its object is to receive the intermediate response information from the destination address.
After step S304 is executed, step S305 is entered: the intermediate response information is encrypted to obtain feedback information. The purpose of encrypting the intermediate response information to obtain the feedback information is to prevent a third party from intercepting, hijacking or tampering with the feedback information while it is being sent to the intelligent terminal, and thereby reconstructing the feedback that the network resource returns to the intelligent terminal.
Further, according to the process of encrypting the intermediate response information, a fourth encryption device should be built into the second network access device; its object is to encrypt the intermediate response information and obtain the feedback information. Specifically, the intermediate response information is received by the fifth receiving device and passed through the fourth encryption device, thereby obtaining the feedback information.
Finally, step S306 is executed: the feedback information is sent to the first wireless network access device, so that the first wireless network access device forwards it to the intelligent terminal; specifically, the object of this step is to let the intelligent terminal obtain the feedback information.
Specifically, the feedback information is the secure Internet content that the intelligent terminal obtains by going online in the untrusted network. Those skilled in the art will understand that a fourth sending device should be provided in the second network access device; its function is to send the feedback information to the first wireless network access device. Specifically, the fourth sending device sends the feedback information to the first wireless network access device, the first network access device receives the feedback information through the first receiving device, and the feedback information is sent on to the intelligent terminal.
Preferably, the encrypted tunnel can be an SSL encrypted tunnel. Specifically, SSL is an encryption mechanism adopted by many established companies worldwide to protect sensitive data in transit; it mainly comprises two phases, a server authentication phase and a client authentication phase. The establishment of an SSL encrypted tunnel is existing knowledge and is not repeated here.
In another preferred variant, the encrypted tunnel can also be an IPSEC encrypted tunnel. IPSEC stands for Internet Protocol Security; specifically, it is an open-standard framework that guarantees confidential communication over Internet Protocol networks by means of cryptographic security services. Further, those skilled in the art will appreciate that establishing the encrypted tunnel with IPSEC is one specific embodiment of the invention and does not affect its technical scheme; IPSEC is existing technology and is not repeated here.
Preferably, the encrypted information is realized by an asymmetric encryption mechanism, and the intelligent terminal stores its own private key. The asymmetric encryption mechanism refers to a class of cryptographic algorithm that is a popular encryption mode on the current market; specifically, it means an asymmetric encryption algorithm, which requires two keys: a public key and a private key. The public key and the private key form a pair: if data is encrypted with the public key, it can only be decrypted with the corresponding private key; if data is encrypted with the private key, it can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, the algorithm is called an asymmetric encryption algorithm. Further, in one specific embodiment, A generates a key pair and discloses one of the keys, the public key, to B; B, having obtained the public key, encrypts the confidential information with it and sends the result to A; A then decrypts the encrypted information with the other key it keeps, its private key. Further, A can also sign the confidential information using B's public key before sending it to B, and B then verifies the signature with its own private key.
Preferably, the second network access device is a Wifi access point. Specifically, the second network access device can be connected to the Internet by a wired connection or by a wireless connection; those skilled in the art will appreciate that the access method is a matter of embodiment and does not affect the technical scheme of the invention, so it is not repeated here.
In a preferred variant, step S302 and step S303 can be merged: the request information is decrypted to obtain the destination address and the related information of the Internet content that the request information accesses, and the destination address and related information are packaged and then sent to the destination address. Merging step S302 and step S303 does not affect the technical scheme of the invention.
Fig. 4 shows a flow chart of the control method for secure communication of an intelligent terminal in an untrusted wireless network environment according to a specific embodiment of the invention.
Specifically, the first wireless network and the second wireless network verify each other and establish the encrypted tunnel. Further, the first sending device sends the encrypted information to the fourth receiving device; after receiving it, the fourth receiving device passes the encrypted information to the fourth decryption device, which decrypts it; the fourth packaging device packages the decrypted information and sends the packaged information to the third sending device, which sends it to the Internet. The Internet receives the packaged information and sends the feedback information to the fifth receiving device; after receiving the feedback information, the fifth receiving device passes it to the fourth decryption device, which decrypts it and passes the decrypted information to the fourth sending device; the fourth sending device sends the decrypted information to the first receiving device, which, after receiving the feedback information, sends it to the intelligent terminal.
Fig. 5 shows a flow topology diagram of the control method for secure communication of an intelligent terminal in an untrusted wireless network environment according to a specific embodiment of the invention. Specifically, a plurality of intelligent terminals can connect, simultaneously or asynchronously, to the first wireless network access device; the first wireless network access device sends the encrypted information to the second network access device, which decrypts the encrypted content and passes the information to the Internet; further, the Internet feeds back the relevant information.
Further, with reference to the embodiments illustrated in Fig. 1 to Fig. 5 above, those skilled in the art understand that the invention provides a scheme in which the intelligent terminal communicates with a trusted network access device, for example the second network access device provided in the invention, so that, provided the intelligent terminal and the second network access device use encryption, the communication between the two is secure. In this way, even if the network access equipment that the intelligent terminal connects to directly, for example the first wireless network access device, is insecure, the encryption in the above communication process keeps the communication between the intelligent terminal and the Internet resources secure at all times, because that communication is relayed through the second network access device.
Further, those skilled in the art understand that the first wireless network access device can also be a wired network access device, and that the second network access device can be a wireless network access device or a wired network access device, for example a home Wifi network access device or a wired router; this does not affect the technical scheme of the invention and is not repeated here.
Further, those skilled in the art will appreciate that, to solve the problem of secure access to Internet resources in an untrusted WIFI environment, the invention provides a method of proxied access to Internet resources through a trusted node. To achieve the above object, the conditions for choosing a trusted node in the invention are as follows:
(1) The node has a stable and trusted line to the Internet.
(2) The node system is secure and hard to compromise.
(3) The node provides a highly secure proxy connection service to the outside.
(4) The node can be self-built, or an existing service can be selected.
In the invention, the conditions for the secure proxy connection between the intelligent terminal and the trusted node, for example the second network access device provided by the invention, are as follows:
(1) When the intelligent terminal connects to the trusted node, strong authentication is required; both sides should verify each other's identity.
(2) The connection established between the intelligent terminal and the trusted node must be able to prevent man-in-the-middle attacks.
(3) The connection established between the intelligent terminal and the trusted node is an encrypted connection, so that the transmitted data cannot be eavesdropped on or tampered with.
(4) The secure connection between the intelligent terminal and the trusted node can use a custom protocol or an existing security protocol, such as the SSL protocol or the IPSEC protocol with digital certificates as the authentication mechanism.
In the invention, the implementation steps for secure access to Internet resources by an intelligent terminal in an untrusted WIFI environment are as follows:
(1) The intelligent terminal joins the WIFI environment.
(2) The intelligent terminal connects to the trusted node and uses a strong identity authentication mechanism to confirm that the node it has connected to is the configured trusted node.
(3) The intelligent terminal and the trusted node exchange keys securely and establish a secure connection.
(4) The intelligent terminal sends a request to access the Internet resource; the access request is encrypted over the secure connection and transmitted to the trusted node.
(5) The trusted node decrypts the request and then sends the access request to the Internet.
(6) The trusted node receives the response from the Internet resource and transmits the message, encrypted over the secure connection, to the intelligent terminal.
(7) The intelligent terminal decrypts the message, completing one secure retrieval of an Internet resource.
For example, in a preferred embodiment of the invention, when the method of the invention is implemented, the trusted node is self-built and accesses the Internet directly over optical fiber; its IP address is 202.13.234.XX; the external security proxy service uses the SSL protocol with two-way certificate authentication; the trusted node certificate CertServ and its private key are deployed on the node; and a secure-connection APP with the trusted node certificate CertServ built in, together with the terminal certificate CertClient and its private key, is installed on the intelligent terminal. The concrete steps for secure access to Internet resources by the intelligent terminal in an untrusted wifi environment are as follows:
(1) The intelligent terminal joins the wifi network.
(2) The secure-connection APP on the intelligent terminal attempts to connect to 202.13.234.XX, uses CertServ to verify whether the peer holds the corresponding private key and thus whether the peer is the trusted node, and uses CertClient to establish a secure SSL encrypted tunnel with the trusted node.
(3) The intelligent terminal accesses www.taobao.com: the request to access www.taobao.com is sent to the trusted node through the encrypted tunnel.
(4) After the trusted node decrypts the information, it initiates a connection to www.taobao.com and sends the access request.
(5) The trusted node receives the response message from www.taobao.com.
(6) The trusted node sends the response message to the intelligent terminal through the encrypted tunnel; the intelligent terminal decrypts it and only then displays the response message.
The above process is shown in detail in Figure 6.
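The exchange in steps (1) to (6) above, as an added Go example that is not part of the patent: the terminal pins CertServ and presents CertClient over mutual TLS, and the trusted node admits only a peer holding CertClient's key and relays one request for a named destination. Assumptions: self-signed certificates generated at run time stand in for CertServ and CertClient, the host name "trusted-node" on the loopback address stands in for 202.13.234.XX, and the node's Internet fetch is a constructed reply so that the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Host name the terminal expects in CertServ (assumed; the page gives only an IP address).
const nodeName = "trusted-node"

// Extended key usages of the two certificates: CertServ is a server cert, CertClient a client cert.
const serverAuth, clientAuth = x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth

// SelfSigned builds a self-signed certificate and key; CertServ and CertClient are assumed to be such, pinned verbatim by the peer.
func SelfSigned(name string, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pinned returns a trust store holding exactly one certificate; no public CA is consulted.
func pinned(c tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c.Leaf)
	return p
}

// StartTrustedNode runs the proxy (the second network access device): it presents certServ and admits only holders of certClient's key.
func StartTrustedNode(certServ, certClient tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{certServ},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication, condition (1)
		ClientCAs:    pinned(certClient),
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go serve(conn)
		}
	}()
	return ln.Addr().String(), nil
}

// serve handles one tunnel: read "<destination> <path>", fetch, reply, close. The first Read also runs the handshake, so an unauthenticated peer is dropped before any request is read.
func serve(c io.ReadWriteCloser) {
	defer c.Close()
	var dest, path string
	if _, err := fmt.Fscan(c, &dest, &path); err != nil {
		return
	}
	// Constructed stand-in for the node's ordinary Internet connection to dest (steps (4) and (5)).
	fmt.Fprintf(c, "200 OK from %s for %s", dest, path)
}

// TerminalRequest is the terminal's side: pin certServ, present own (nil models a terminal without CertClient), speak only inside the tunnel.
func TerminalRequest(addr string, certServ tls.Certificate, own *tls.Certificate, dest, path string) (string, error) {
	cfg := &tls.Config{RootCAs: pinned(certServ), ServerName: nodeName, MinVersion: tls.VersionTLS12}
	if own != nil {
		cfg.Certificates = []tls.Certificate{*own}
	}
	conn, err := tls.Dial("tcp", addr, cfg) // an impostor node fails the pinning check here, condition (2)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s %s\n", dest, path)
	reply, err := io.ReadAll(conn) // the node closes the tunnel after one reply
	return string(reply), err
}
```

TerminalRequest returns an error both for a terminal that presents no CertClient and for a node whose certificate is not the pinned CertServ, which is how the proxy connection conditions (1) and (2) are enforced in this example.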
Further, with reference to the embodiments illustrated in Fig. 1 to Fig. 6 above, those skilled in the art understand that the invention discloses a method for secure Internet access by an intelligent terminal in an untrusted wifi network environment, belonging to the field of computer and information security technology, specifically as follows: (1) First, a trusted node is set up in the existing network, and particular security measures are configured between the intelligent terminal and the trusted node, so that man-in-the-middle attacks can be resisted and data is protected from network eavesdropping when the intelligent terminal connects to the trusted node. (2) When the intelligent terminal joins the untrusted wifi network, it finds the configured trusted node, performs mutual strong identity authentication with it and establishes an encrypted data channel. (3) When the intelligent terminal needs to access an Internet resource, it does not connect and send directly over the untrusted wifi network; instead, the access request is sent to the trusted node through the established encrypted data channel. (4) The trusted node receives the intelligent terminal's request and sends the request to the real Internet resource. (5) The information returned by the real Internet resource is sent by the trusted node to the intelligent terminal through the encrypted data channel, completing the goal of secure access to the Internet resource by the intelligent terminal.
The feature of the invention is that, through the setup of a trusted node and the secure connection to it, the network access of the intelligent terminal is converted into a connection to the trusted node, and the trusted node completes the access to the Internet; this avoids the various possible interferences in an untrusted network environment and achieves the goal of secure access to Internet resources by the intelligent terminal.
Specific embodiments of the invention have been described above. It will be appreciated that the invention is not limited to the above specific implementations; those skilled in the art can make various variations or modifications within the scope of the claims, and this does not affect the substance of the invention.

Claims (10)

1. A control method for secure communication of an intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through a second network access device, characterized in that it comprises the following steps:
a. sending a verification request to the second network access device through a first wireless network access device;
b. if the second network access device passes the verification request, sending request information for accessing the Internet to the second network access device through the first wireless network access device, the request information being encrypted information;
c. receiving feedback information from the second network access device, the feedback information comprising the intermediate response message returned to the second network access device by the server or device that the request information requests, the feedback information being encrypted information.
2. The control method according to claim 1, characterized in that the step of sending the request information for accessing the Internet to the second network access device through the first wireless network access device comprises the following steps:
b1. establishing an encrypted tunnel between the intelligent terminal and the second network access device;
b2. sending the request information for accessing the Internet through the encrypted tunnel.
3. A control device, in an intelligent terminal, for secure communication of the intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through a second network access device, characterized in that it comprises:
a first sending device for sending a verification request to the second network access device through a first wireless network access device;
a second sending device for sending, when the second network access device passes the verification request, request information for accessing the Internet to the second network access device through the first wireless network access device, wherein the request information is encrypted information; and
a first receiving device for receiving feedback information from the second network access device, the feedback information comprising the intermediate response message returned to the second network access device by the server or device that the request information requests, the feedback information being encrypted information.
4. The control device according to claim 3, characterized in that the second sending device comprises:
a first processing unit for establishing an encrypted tunnel between the intelligent terminal and the second network access device; and
a third sending device for sending the request information for accessing the Internet through the encrypted tunnel.
5. The control method according to claim 1 or 2 and/or the control device according to claim 3 or 4, characterized in that the encrypted tunnel is any one of the following channels:
- an SSL encrypted tunnel;
- an IPSEC encrypted tunnel.
6. An auxiliary control method for secure communication of an intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through a second network access device, characterized in that it comprises the following steps:
i. receiving request information forwarded by a first wireless network access device, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device;
ii. decrypting the request information to obtain the destination address and the related information of the Internet content that the request information accesses;
iii. packaging the destination address and the related information and then sending them to the destination address;
iv. receiving the intermediate response message from the destination address;
v. encrypting the intermediate response message to obtain feedback information;
vi. sending the feedback information to the first wireless network access device so that the first wireless network access device forwards the feedback information to the intelligent terminal.
7. An auxiliary control device, in a second network access device, for secure communication of an intelligent terminal in an untrusted wireless network environment, used for secure communication when an intelligent terminal accesses the Internet through the second network access device, characterized in that it comprises:
a fourth receiving device for receiving request information forwarded by a first wireless network access device, the request information being request information for accessing the Internet sent by an intelligent terminal, the request information being encrypted information, wherein the intelligent terminal is directly connected to the first wireless network access device;
a fourth decryption device for decrypting the request information to obtain the destination address and the related information of the Internet content that the request information accesses;
a fourth processing unit for packaging the destination address and the related information and then sending them to the destination address;
a fifth receiving device for receiving the intermediate response message from the destination address;
a fourth encryption device for encrypting the intermediate response message to obtain feedback information; and
a fourth sending device for sending the feedback information to the first wireless network access device so that the first wireless network access device forwards the feedback information to the intelligent terminal.
8. The method or device according to any one of claims 1 to 7, characterized in that the encrypted information is realized by an asymmetric encryption mechanism, and the intelligent terminal stores the private key of the intelligent terminal.
9. The method or device according to any one of claims 1 to 8, characterized in that the second network access device is any one of the following devices:
- a Wifi access point;
- a wired network access device.
10. The method or device according to any one of claims 1 to 9, wherein the second network access device has a fixed IP address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410397121.4A CN104168565A (en) 2014-08-13 2014-08-13 Method for controlling safe communication of intelligent terminal under undependable wireless network environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410397121.4A CN104168565A (en) 2014-08-13 2014-08-13 Method for controlling safe communication of intelligent terminal under undependable wireless network environment

Publications (1)

Publication Number Publication Date
CN104168565A true CN104168565A (en) 2014-11-26

Family

ID=51912157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410397121.4A Pending CN104168565A (en) 2014-08-13 2014-08-13 Method for controlling safe communication of intelligent terminal under undependable wireless network environment

Country Status (1)

Country Link
CN (1) CN104168565A (en)


Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102428675A (en) * 2009-05-20 2012-04-25 微软公司 Portable secure computing network
CN102474516A (en) * 2009-07-31 2012-05-23 高通股份有限公司 Device, method, and apparatus for authentication on untrusted networks via trusted networks

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104955036A (en) * 2015-07-07 2015-09-30 北京长亭科技有限公司 Secure networking method and device in public Wi-Fi (wireless fidelity) environment
WO2017054617A1 (en) * 2015-09-29 2017-04-06 华为技术有限公司 Wifi network authentication method, device and system
US10743180B2 (en) 2015-09-29 2020-08-11 Huawei Technologies Co., Ltd. Method, apparatus, and system for authenticating WIFI network
CN105208029A (en) * 2015-09-30 2015-12-30 北京奇虎科技有限公司 Data processing method and terminal device
CN105208029B (en) * 2015-09-30 2018-01-16 北京奇虎科技有限公司 A kind of data processing method and terminal device
CN106921630A (en) * 2015-12-25 2017-07-04 航天信息股份有限公司 Method for interchanging data and equipment
CN108924830A (en) * 2018-07-25 2018-11-30 努比亚技术有限公司 network authentication method, mobile terminal and storage medium
CN110191152A (en) * 2019-04-23 2019-08-30 金卡智能集团股份有限公司 Safe and reliable communication means for intelligent gauge
CN110191152B (en) * 2019-04-23 2022-07-26 金卡智能集团股份有限公司 Safe and reliable communication method for intelligent meter


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice
DD01 Delivery of document by public notice

Addressee: Han Honghui

Document name: Notification that Application Deemed to be Withdrawn

WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141126