CN104580172B - A kind of data communications method and device based on https agreements - Google Patents
A kind of data communications method and device based on https agreements Download PDFInfo
- Publication number
- CN104580172B CN104580172B CN201410823078.3A CN201410823078A CN104580172B CN 104580172 B CN104580172 B CN 104580172B CN 201410823078 A CN201410823078 A CN 201410823078A CN 104580172 B CN104580172 B CN 104580172B
- Authority
- CN
- China
- Prior art keywords
- server
- certificate
- digital
- root
- browser
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004891 communication Methods 0.000 title claims abstract description 82
- 238000000034 method Methods 0.000 title claims abstract description 58
- 239000013589 supplement Substances 0.000 claims description 12
- 101100217298 Mus musculus Aspm gene Proteins 0.000 claims description 11
- 230000008520 organization Effects 0.000 claims description 9
- 230000000977 initiatory effect Effects 0.000 claims description 7
- 230000007246 mechanism Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 7
- 230000005540 biological transmission Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 230000009471 action Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 238000012795 verification Methods 0.000 description 3
- TVZRAEYQIKYCPH-UHFFFAOYSA-N 3-(trimethylsilyl)propane-1-sulfonic acid Chemical compound C[Si](C)(C)CCCS(O)(=O)=O TVZRAEYQIKYCPH-UHFFFAOYSA-N 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000001035 drying Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000000047 product Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a kind of data communications method and device based on https agreements, wherein methods described includes:In browser side base the access request to server is initiated in Https agreements;Receive the digital certificate for the server that the server returns for the access request;The root certificate for judging the digital certificate of the server is that the root authority that the current operation system where browser is trusted is issued;If not, the root authority that the root certificate for judging the digital certificate of the server, which is browser, is trusted is issued;If the root authority that the root certificate of the digital certificate of the server, which is browser, is trusted is issued, the browser is determined communication encryption information with the server and communicated using the communication encryption information.The present invention can enrich the mode being authenticated to digital certificate, and the digital certificate for adding server passes through the probability of certification.
Description
Technical field
The present invention relates to the technical field of browser, and in particular to a kind of data communications method based on https agreements with
A kind of and data communication equipment based on https agreements.
Background technology
With the fast development and popularization of internet, increasing business depends on network technology, and in a network, make
With it is widest be exactly browser, user can browse webpage using browser, be uploaded or down operation etc..Normal conditions
Under, carried out between browser and server by HTTP (Hypertext transfer protocol, HTTP)
Communication, but http protocol is no any encryption measures in default situations, and all message is all in net with plaintext version
Transmitted on network, it is easy to cause secret sensitive information compromised.In order to strengthen the safety applications of browser, HTTPS (Hyper
Text Transfer Protocol over Secure Socket Layer, with safely for the HTTP passages of target) meet the tendency of and
It is raw.HTTPS is a kind of safe http protocol proposed on the basis of HTTP, therefore is properly termed as safe Hyper text transfer association
View.Http protocol is directly placed on Transmission Control Protocol, and HTTPS is proposed among HTTP and TCP plus last layer encryption layer SSL
(Secure Socket Layer, safe socket character).In terms of transmitting terminal, this layer is responsible for being sent to after HTTP content-encrypt
The TCP of lower floor, in terms of recipient, this layer of data deciphering for being responsible for sending TCP is reduced into HTTP content.
HTTPS needs once to be shaken hands between SSL clients (browser) and SSL service end before transmitting the data,
To establish the encrypted message of both sides' encrypted transmission data, during shaking hands, SSL service device can be by the SSL digital certificates of oneself
SSL clients are returned to, after SSL clients receive certificate information, whether the digital certificate of authentication server is trusted CA
(Certificate Authority, certification authority) is issued, if it is not, the source of explanation digital certificate is not power
Prestige mechanism (for example individual can make certificate, and for being deployed in fishing website, disguise oneself as regular webpage), can not ensure webpage
It is safe and reliable, then SSL clients can be provided on interface indicating risk warning.
At present, client in operating system by preserving, the reliable certificate authority machine through operating system certification
Structure carrys out the digital certificate legitimacy of authentication server, can be with after client obtains the root certificate of the digital certificate of server
Server root certificate is searched in the root authority of operating system trust, if searching successfully, illustrates the server
The digital certificate of return is reliable, otherwise, illustrates that the digital certificate that server returns is untrustworthy.
However, also occurring that some reliable CA root certificate does not have the situation for the certification for obtaining operating system, lead
Causing client, most the site certificate of these reliable ca authentications is risk website at last.For example, for " https//
Kyfw.12306.cn ", the issuer of its certificate is Sinorail Certification Authority, but it is not obtained
The certification of operating system, so it not inside the root authority of operating system trust, therefore client can provide
Risk reminder alerting.But in fact, the certificate of kyfw.12306.cn websites and website are under the jurisdiction of the Chinese Ministry of Railways in itself, being can
Trust.
The content of the invention
In view of the above problems, it is proposed that the present invention so as to provide one kind overcome above mentioned problem or at least in part solve on
State a kind of data communications method based on https agreements of problem and a kind of corresponding data communication dress based on https agreements
Put.
According to one aspect of the present invention, there is provided a kind of data communications method based on https agreements, methods described bag
Include:
In browser side base the access request to server is initiated in Https agreements;
Receive the digital certificate for the server that the server returns for the access request;
Judge whether the root certificate of the digital certificate of the server is trusted by browser place current operation system
Root authority issued;
If not, the root certificate that the root certificate for judging the digital certificate of the server, which is browser, is trusted is issued
Hair mechanism is issued;
If the root authority that the root certificate of the digital certificate of the server, which is browser, is trusted is issued, institute
Browser is stated to determine communication encryption information with the server and communicated using the communication encryption information.
Alternatively, the root authority that the browser is trusted is stored in trusted certificate in the form of digital finger-print
In white list, the root certificate of the digital certificate for judging the server is that the root certificate that browser is trusted issues machine
The step of structure is issued includes:
The digital finger-print of the root certificate of the digital certificate of the server is calculated using Secure Hash Algorithm SHA1;
Judge in the trusted certificate white list with the presence or absence of the numeral with the root certificate of the digital certificate of the server
The consistent digital finger-print of fingerprint.
Alternatively, the trusted certificate white list is stored in local and/or first server, described to judge the trust
With the presence or absence of the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of the server in certificate white list
Step includes:
In the root certificate that the trusted certificate white list being locally stored searches whether to have with the digital certificate of the server
The consistent digital finger-print of digital finger-print;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted
Issued;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request the
The digital finger-print one with the root certificate of the digital certificate of the server is searched in the newest trusted certificate white list of one server
The digital finger-print of cause, and the digital finger-print is sent to browser;
Receive first server for the inquiry request return with the root certificate of the digital certificate of the server
The consistent digital finger-print of digital finger-print, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue to hold
The numeral that row searches whether to have with the root certificate of the digital certificate of the server in the trusted certificate white list being locally stored
The step of fingerprint consistent digital finger-print.
Alternatively, it is described to judge in the trusted certificate white list with the presence or absence of the root with the digital certificate of the server
The step of digital finger-print of certificate consistent digital finger-print, also includes:
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the root certificate for judging the digital certificate of the server is not browser institute
The root authority of trust is issued.
Alternatively, the browser is corresponding with second server, and the second server is by operating system certification
The root authority of trust, the second server are used for the root that the digital certificate of the server is judged in browser
When certificate is not that the root authority that browser is trusted is issued, supplement certification is carried out to the server, and be logical
The server for crossing certification issues digital certificate again.
Alternatively, methods described also includes:
Issued if the root certificate of the digital certificate of the server is not the root authority that browser is trusted,
Then generate warning prompt information;
The warning prompt information is shown in browser side.
Alternatively, the digital certificate of the server also has digital certificate attribute information, the browser with it is described
Before the step of server is determined communication encryption information and communicated using the communication encryption information, methods described is also wrapped
Include:
Judge whether the digital certificate attribute information is legal;
If the digital certificate attribute information is legal, performs the browser and determine that communication encryption is believed with the server
The step of ceasing and using the communication encryption information to be communicated.
Alternatively, the digital certificate attribute information comprises at least one kind of following information:The use of the digital certificate
The website information of deadline range, server;
The step for judging whether the digital certificate attribute information is legal includes:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the numeral card
The useful life of book is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the network address of the server is judged
Information is legal.
Alternatively, methods described also includes:
If it is determined that the root authority that the root certificate of the digital certificate of the server is trust is issued, then exist
The authenticating party information that display is authenticated to the root certificate of the digital certificate of the server in the address field of browser, it is described to recognize
The side's of card information includes operating system certification or browser certification.
According to another aspect of the present invention, there is provided a kind of data communication equipment based on https agreements, described device bag
Include:
Access request initiation module, suitable for initiating the access request to server in Https agreements in browser side base;
Digital certificate receiving module, the server returned suitable for receiving the server for the access request
Digital certificate;
First judge module, suitable for judging whether the root certificate of digital certificate of the server ought where browser
The root authority that preceding operating system is trusted is issued;
Second judge module, suitable for the root certificate in the digital certificate for judging the server worked as where browser
When the root authority that preceding operating system is trusted is issued, the root certificate for judging the digital certificate of the server is not
It is that the root authority that browser is trusted is issued;
Communication module, the root certificate suitable for the digital certificate in the server are that the root certificate that browser is trusted is issued
When mechanism issues, the browser is determined communication encryption information with the server and carried out using the communication encryption information
Communication.
Alternatively, the root authority that the browser is trusted is stored in trusted certificate in the form of digital finger-print
In white list, second judge module includes:
Digital finger-print calculating sub module, suitable for the digital certificate using the Secure Hash Algorithm SHA1 calculating server
The digital finger-print of root certificate;
Digital finger-print matched sub-block, suitable for judging to whether there is and the server in the trusted certificate white list
The consistent digital finger-print of the digital finger-print of the root certificate of digital certificate.
Alternatively, the trusted certificate white list is stored in local and/or first server, the digital finger-print matching
Submodule is further adapted for:
In the root certificate that the trusted certificate white list being locally stored searches whether to have with the digital certificate of the server
The consistent digital finger-print of digital finger-print;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted
Issued;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request the
The digital finger-print one with the root certificate of the digital certificate of the server is searched in the newest trusted certificate white list of one server
The digital finger-print of cause, and the digital finger-print is sent to browser;
Receive first server for the inquiry request return with the root certificate of the digital certificate of the server
The consistent digital finger-print of digital finger-print, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue to hold
The numeral that row searches whether to have with the root certificate of the digital certificate of the server in the trusted certificate white list being locally stored
The step of fingerprint consistent digital finger-print.
Alternatively, the digital finger-print matched sub-block also includes:
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the root certificate for judging the digital certificate of the server is not browser institute
The root authority of trust is issued.
Alternatively, the browser is corresponding with second server, and the second server is by operating system certification
The root authority of trust, the second server are used for the root that the digital certificate of the server is judged in browser
When certificate is not that the root authority that browser is trusted is issued, supplement certification is carried out to the server, and be logical
The server for crossing certification issues digital certificate again.
Alternatively, described device also includes:
Prompt message generation module, the root certificate suitable for the digital certificate in the server are not that browser is trusted
When root authority is issued, warning prompt information is generated;
Reminding module, suitable for showing the warning prompt information in browser side.
Alternatively, the digital certificate of the server also has digital certificate attribute information, the browser with it is described
Before the step of server is determined communication encryption information and communicated using the communication encryption information, described device is also wrapped
Include:
3rd judge module, suitable for judging whether the digital certificate attribute information is legal.
Alternatively, the digital certificate attribute information comprises at least one kind of following information:The use of the digital certificate
The website information of deadline range, server;
3rd judge module is further adapted for:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the numeral card
The useful life of book is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the network address of the server is judged
Information is legal.
Alternatively, described device also includes:
Authenticating party information display module, the root certificate suitable for the digital certificate in the judgement server are the roots of trust
Certification authority is issued, then display is carried out to the root certificate of the digital certificate of the server in the address field of browser
The authenticating party information of certification, the authenticating party information include operating system certification or browser certification.
In embodiments of the present invention, when browser receives the digital certificate of the server of server return, if browsing
Device judges that the root certificate of the digital certificate of server is not that the root certificate that the current operation system where browser is trusted is issued
Mechanism is issued, then browser determines whether that the root certificate of the digital certificate of server is the root card that browser is trusted
Book issuing organization is issued, if so, the digital certificate for then judging the server is trust, and then browser and the service
Device is determined communication encryption information and communicated using the communication encryption information.By in current operation system to server
On the premise of the certification of the root certificate of digital certificate, increase the supplement verification process of browser, enrich and digital certificate is carried out
The mode of certification, the digital certificate of server is added by the probability of certification, is reduced because being demonstrate,proved in operating system trust
The certification renewal speed of book issuing organization is slow, the servers of some caused original trusts can not by operating system certification,
And it is considered as the situation generation of dangerous server.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And can be practiced according to the content of specification, and in order to allow above and other objects of the present invention, feature and advantage can
Become apparent, below especially exemplified by the embodiment of the present invention.
Brief description of the drawings
By reading the detailed description of hereafter preferred embodiment, it is various other the advantages of and benefit it is common for this area
Technical staff will be clear understanding.Accompanying drawing is only used for showing the purpose of preferred embodiment, and is not considered as to the present invention
Limitation.And in whole accompanying drawing, identical part is denoted by the same reference numerals.In the accompanying drawings:
Fig. 1 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
One step flow chart;
Fig. 2 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
Two step flow chart;
Fig. 3 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
Two digital certificate path schematic diagram;
Fig. 4 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
Two certificate management interface schematic diagram;
Fig. 5 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
Two schematic diagram of alarm prompt interface one;
Fig. 6 shows a kind of data communications method embodiment based on https agreements according to an embodiment of the invention
Two schematic diagram of alarm prompt interface two;
Fig. 7 shows a kind of data communication equipment embodiment based on https agreements according to an embodiment of the invention
Structured flowchart.
Embodiment
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although the disclosure is shown in accompanying drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
Limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
Completely it is communicated to those skilled in the art.
Reference picture 1, show a kind of data communications method embodiment based on https agreements of one embodiment of the invention
One step flow chart, may include steps of:
Step 101, the access request to server is initiated in Https agreements in browser side base;
Step 102, the digital certificate for the server that the server returns for the access request is received;
Step 103, judge the root certificate of the digital certificate of the server whether by browser place current operation system
The trusted root authority of system is issued;
Step 104, if the root certificate of the digital certificate of the server is not the current operation system institute where browser
The root authority of trust is issued, then the root certificate for judging the digital certificate of the server is that browser is believed
The root authority appointed is issued;
Step 105, if the root authority that the root certificate of the digital certificate of the server, which is browser, is trusted
Issued, the browser is determined communication encryption information with the server and communicated using the communication encryption information.
In embodiments of the present invention, when browser receives the digital certificate of the server of server return, if browsing
Device judges that the root certificate of the digital certificate of server is not that the root certificate that the current operation system where browser is trusted is issued
Mechanism is issued, then browser determines whether that the root certificate of the digital certificate of server is the root card that browser is trusted
Book issuing organization is issued, if so, the digital certificate for then judging the server is trust, and then browser and the service
Device is determined communication encryption information and communicated using the communication encryption information.By in current operation system to server
On the premise of the certification of the root certificate of digital certificate, increase the supplement verification process of browser, enrich and digital certificate is carried out
The mode of certification, the digital certificate of server is added by the probability of certification, is reduced because being demonstrate,proved in operating system trust
The certification renewal speed of book issuing organization is slow, the servers of some caused original trusts can not by operating system certification,
And it is considered as the situation generation of dangerous server.
Reference picture 2, show a kind of data communications method embodiment based on https agreements of one embodiment of the invention
Two step flow chart, may include steps of:
Step 201, the access request to server is initiated in Https agreements in browser side base;
Https agreements are the procotols that transmission, authentication is encrypted by SSL and Http protocol constructions, than
Http protocol securitys.
In the specific implementation, as user in browser side triggering Https links (for example, clicking on Https links or in address
Column input Https links) when, browser accesses this for access request of the trigger action generation based on Https agreements
Request sends that (Https uses port 443, rather than as Http to 443 ports of server corresponding to Https links
Communicated using port 80) in.Wherein, Https link be it is a kind of with https start URL, such as " https//
kyfw.12306.cn”。
, can be with the specific implementation, browser is sent the access request to server in addition to being linked including Https
The encryption rule that can be supported including browser, and browser can support SSL highests version number, compression algorithm list
Etc. information, wherein, the encryption rule can include one or more enciphering and deciphering algorithms.
Step 202, the digital certificate for the server that the server returns for the access request is received;
A set of digital certificate must have using the server of HTTPS agreements, after server receives access request, for
The access request, the digital certificate of server is returned to browser.Wherein, digital certificate is exactly to indicate communication in internet communication
The string number of each side's identity information, there is provided a kind of mode for verifying communication entity identity on the internet, its effect are similar
Identity card in the driving license of driver or daily life.
The digital certificate of server is installed on server apparatus, is added for proving the identity of server and carrying out communication
It is close, to prevent fraud fishing website.
Digital certificate is issued by certificate authority (Certificate Authority, abbreviation CA) center.Digital certificate can be with
Include following information:The group encryption/decryption algorithm and HASH algorithms, public affairs selected in the encryption rule that server is sent from browser
Key, Certificate Authority CA information (such as CA mark), the attribute information etc. of digital certificate path and digital certificate.
Wherein, the attribute information of digital certificate can include digital certificate useful life scope (including effectively starting when
Between and effectively terminate the time interval of time composition), the website information of server etc..
As shown in Fig. 3 digital certificate path schematic diagram, the certification path for the digital certificate that server returns can include
Two parts, a part be the digital certificate root certificate (root certificate is the certificate that Certificate Authority CA issues to oneself, installation
Root certificate means the trust to this CA), i.e. SRCA in Fig. 3, another part is the sub- certificate based on the root certificate, i.e.,
The digital certificate that this server of KYFW.12306.cn uses.
After browser receives the digital certificate of the server of server return, the safe transmission of browser can be used
Layer protocol (TLS) parses to digital certificate, to judge whether digital certificate effective, such as judge digital certificate whether be by
What the certification authority CA that browser is trusted was issued;And judge whether the attribute information of digital certificate is legal etc..Wherein, originally
In inventive embodiments, browser judge digital certificate whether be the processes issued of certification authority CA trusted by browser such as
Shown in step 203- steps 204.
Step 203, judge the root certificate of the digital certificate of the server whether by browser place current operation system
The trusted root authority of system is issued;If it is not, then perform step 204;If so, then perform step 206;
, can be according to digital certificate acquisition pair after browser receives the digital certificate of the server of server return
The root certificate answered, for example, obtaining root certificate from certification path.And then judge that the root certificate of digital certificate that server returns is
It is not that the root authority that the current operation system where browser is trusted is issued.
Specifically, there is the module of certificate management, the module is saved by operating system certification in operating system
The certificate that authoritative CA is issued, these certificates are all reliable.For example, in windows systems, certmgr.msc is run
Order, the interface of certificate management is opened, as shown in figure 4, in certificate management interface, " root authority of trust " section
Point following list of cert, it is the certificate that the authoritative CA by windows system authentications is issued.
Data in the module that browser passes through the certificate management for reading browser current operation system, judge that server returns
The root certificate of the digital certificate returned whether there is in the node of " root authority of trust " in the module, if
It is then to judge that the digital certificate is that the CA that current operation system is trusted is issued, otherwise, then it is not to work as to judge the digital certificate
What the CA that preceding operating system is trusted was issued.
Step 204, the root certificate for judging the digital certificate of the server is that the root certificate that browser is trusted is issued
Hair mechanism is issued;If it is not, then perform step 205;If so, then perform step 206;
Applied to the embodiment of the present invention, the trusted certificate white list of browser trust, the credentials are stored with browser
The information for the certification authority that the one or more browsers Jing Guo browser certification of book white list storage are trusted.Trusted certificate
White list can manually verify book issuing organization and be audited and included to obtain.In one embodiment, trusted certificate
White list can also obtain in the following way:Browser is corresponding with second server, and the second server is by operation system
Unite one of root authority CA of trust of certification, when the root certificate for the digital certificate that browser determining server returns
When the CA that current operation system where not being browser is trusted is issued, browser records the information of the server, and should
The information of server is sent to second server, and supplement certification is carried out to the server by second server, and for by recognizing
The server of card issues digital certificate again, and the digital certificate store that the server retrieves is trusted in browser
Trusted certificate white list.Certainly, trusted certificate white list can also obtain by other means, and the embodiment of the present invention need not to this
It is any limitation as.
In a kind of preferred embodiment of the embodiment of the present invention, step 204 can include following sub-step:
Sub-step S11, the numeral of the root certificate of the digital certificate of the server is calculated using Secure Hash Algorithm SHA1
Fingerprint;
After the root certificate that browser obtains the digital certificate that server returns, browser can use secure Hash to calculate
Method (Secure Hash Algorithm, abbreviation SHA1) calculates the digital finger-print of the root certificate of the digital certificate.Wherein, SHA1
It is primarily adapted for use in the Digital Signature Algorithm defined inside DSS (Digital Signature Standard, DSS)
(Digital Signature Algorithm DSA).It is less than the message of 2^64 positions for length, SHA1 can produce one 160
The eap-message digest (i.e. digital finger-print) of position, it can be used for verifying the integrality of data.
Sub-step S12, judge in the trusted certificate white list with the presence or absence of the root with the digital certificate of the server
The consistent digital finger-print of the digital finger-print of certificate.
In trusted certificate white list, stored by the root authority that browser is trusted in the form of digital finger-print.
After the digital finger-print of the root certificate of digital certificate of server is calculated, browser is further in trusted certificate white list
The digital finger-print of the middle root certificate for matching the digital certificate.
In a kind of preferred embodiment of the embodiment of the present invention, sub-step S12 may further include following sub-step:
Sub-step S121, the numeral for having with the server is searched whether in the trusted certificate white list being locally stored
The consistent digital finger-print of the digital finger-print of the root certificate of certificate;If so, sub-step S122 is then performed, if it is not, then performing sub-step
S123;
Sub-step S122, the root certificate for judging the digital certificate of the server are that the root certificate that browser is trusted is issued
Mechanism is issued;
Sub-step S123, the digital finger-print according to the root certificate of the digital certificate of the server generate inquiry request;
Sub-step S124, the inquiry request is sent to first server, the first server is used for according to described in
Inquiry request is searched and the root certificate of the digital certificate of the server in the newest trusted certificate white list of first server
The consistent digital finger-print of digital finger-print, and the digital finger-print is sent to browser;
Sub-step S125, receive first server and be directed to the digital certificate with the server that the inquiry request returns
Root certificate the consistent digital finger-print of digital finger-print, and store the numeral in the trusted certificate white list being locally stored and refer to
Line, continue executing with sub-step S121.
In actual applications, the trusted certificate white list that browser is trusted can be stored in local and/or browser is corresponding
First server in.In order to save interaction times, the inquiry pressure of first server is reduced, browser is being locally stored first
Trusted certificate white list in search whether exist it is consistent with the digital finger-print of the root certificate of the digital certificate of the server
Digital finger-print, if so, then the root certificate of the digital certificate of browser determining server is that the root certificate that browser is trusted is issued
Mechanism is issued;Otherwise, digital finger-print generation inquiry request of the browser according to the root certificate of the digital certificate of server, and will
Inquiry request is sent to first server.
It is white in the newest trusted certificate of first server according to the inquiry request after first server receives inquiry request
The digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of the server is searched in list, and will be described consistent
Digital finger-print be back to browser.Browser stores the consistent numeral in the trusted certificate white list being locally stored and referred to
Line, and it is continuing with matching the digital finger-print of the root certificate of the digital certificate in local trusted certificate white list.Now, due to
It is stored with the local trusted certificate white list of browser consistent with the digital finger-print of the root certificate of the digital certificate of server
Digital finger-print, then browser can be determined that the root certificate of the digital certificate of server is that the root certificate that browser is trusted issues machine
Structure is issued.
The root authority institute that if root certificate of the digital certificate of browser determining server, which is browser, is trusted
Issue, then the digital certificate of browser determining server is trust.
Step 205, browser generation alarm prompt, and the alarm prompt is shown in browser side;
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the information that first server can be matched with generation error, and by the mistake
The information of matching is sent to browser, and browser judges the root card of the digital certificate of the server according to the information of erroneous matching
Book is not that the root authority that browser is trusted is issued, and now, browser can generate warning prompt information, by this
To user, digital certificate corresponding to this server of warning user can not trust warning prompt information alert, and inquire
Whether user, which needs, is continued.In one embodiment, the alarm prompt of browser generation can be browser to address
Https links in column can add not trusted mark, as described in Figure 5.In another embodiment, alarm prompt
Can with as shown in fig. 6, if user selects to receive the server of the not trusted in alarm prompt, as shown in fig. 6, selection after
It is continuous to browse web sites, then continue executing with step 206.
Further, if the root certificate of the digital certificate of browser determining server is not the root certificate that browser is trusted
Issuing organization is issued, and browser can also record the domain name of the digital certificate and/or server, and by the digital certificate
And/or the domain name of server is sent to second server, supplement certification is carried out to it by second server, and certification by with
Afterwards, digital certificate is issued again for the server.By way of this supplement certification, the digital certificate for enriching server is recognized
The channel of card, improves authentication efficiency.
Step 206, the browser determines communication encryption information with the server and uses the communication encryption information
Communicated.
After browser judges that the digital certificate of the server of current accessed is trust, the digital certificate is determined whether
Attribute information it is whether legal.Its mode can be at least one of following manner:Judge current time information in the numeral
In the range of the useful life of certificate, if so, then judging that the useful life of digital certificate is legal;And the if net of the server
Location information is consistent with the website information of current accessed, then judges that the website information of the server is legal.
If browser judges that the digital certificate of the server of current accessed is trust and judges the digital certificate
After attribute information is legal, then browser judges that the digital certificate of the server is effective.Now, browser can be in browser
The authenticating party information that display is authenticated to the root certificate of the digital certificate of the server in address field, the authenticating party information
Including operating system certification or browser certification.
Meanwhile if browser judges that the digital certificate of the server is effective, browser determines that communication encryption is believed with server
Breath.Browser determines that the mode of communication encryption information can be with server:
If browser judges that digital certificate trust, or user receive the digital certificate of not trusted, browser
It can generate the password of a string of random numbers, and with the public key encryption provided in digital certificate;Then browser uses what is appointed
HASH algorithms calculate handshake information, and handshake information is encrypted using the random number of generation, will finally use public key encryption mistake
Random number, and be sent to server with the handshake information of random number encryption;Server receives the message of browser transmission
After, message is decrypted to the password for taking out random number using the private key of oneself, disappeared using shaking hands of sending of password decryption browser
Breath, and calculate using HASH algorithms the HASH values of the handshake information, verify its whether sent with browser it is consistent, if unanimously,
Server uses one section of handshake information of the random number encryption, is sent to browser;Browser is decrypted and calculates handshake information
HASH, if consistent with the HASH that service end is sent, now handshake procedure terminates, afterwards all communications of browser and server
Data are encrypted the random cipher generated by browser before and using symmetric encipherment algorithm.
In embodiments of the present invention, by certification of the current operation system to the root certificate of the digital certificate of server
Under the premise of, increase the supplement verification process of browser, enrich the mode being authenticated to digital certificate, add server
Digital certificate on the premise of user's Internet Security is ensured, is reduced user and receives alarm prompt by the probability of certification
Number, ensure that user online it is smooth, improve Consumer's Experience.
For embodiment of the method, in order to be briefly described, therefore it is all expressed as to a series of combination of actions, but this area
Technical staff should know that the present invention is not limited by described sequence of movement, because according to the present invention, some steps can
To carry out using other orders or simultaneously.Secondly, those skilled in the art should also know, implementation described in this description
Example belongs to preferred embodiment, necessary to involved action and the module not necessarily present invention.
Reference picture 7, show a kind of data communication equipment embodiment based on https agreements of one embodiment of the invention
Structured flowchart, following module can be included:
Access request initiation module 701, suitable for being asked in browser side base in the access that Https agreements are initiated to server
Ask;
Digital certificate receiving module 702, the clothes returned suitable for receiving the server for the access request
The digital certificate of business device;
First judge module 703, suitable for judging that the root certificate of digital certificate of the server is by browser institute
Issued in the root authority that current operation system is trusted;
Second judge module 704, it is not by browser institute suitable for the root certificate in the digital certificate for judging the server
When the root authority that current operation system is trusted is issued, the root certificate of the digital certificate of the server is judged
Whether the root authority that browser is trusted is issued;
Communication module 705, the root certificate suitable for the digital certificate in the server are the root certificates that browser is trusted
When issuing organization is issued, the browser determines communication encryption information with the server and uses the communication encryption information
Communicated.
In a kind of preferred embodiment of the embodiment of the present invention, the root authority that the browser is trusted is with number
The form of word fingerprint is stored in trusted certificate white list, and second judge module 704 includes:
Digital finger-print calculating sub module, suitable for the digital certificate using the Secure Hash Algorithm SHA1 calculating server
The digital finger-print of root certificate;
Digital finger-print matched sub-block, suitable for judging to whether there is and the server in the trusted certificate white list
The consistent digital finger-print of the digital finger-print of the root certificate of digital certificate.
In a kind of preferred embodiment of the embodiment of the present invention, the trusted certificate white list is stored in local and/or
In one server, the digital finger-print matched sub-block is further adapted for:
In the root certificate that the trusted certificate white list being locally stored searches whether to have with the digital certificate of the server
The consistent digital finger-print of digital finger-print;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted
Issued;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request the
The digital finger-print one with the root certificate of the digital certificate of the server is searched in the newest trusted certificate white list of one server
The digital finger-print of cause, and the digital finger-print is sent to browser;
Receive first server for the inquiry request return with the root certificate of the digital certificate of the server
The consistent digital finger-print of digital finger-print, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue to hold
The numeral that row searches whether to have with the root certificate of the digital certificate of the server in the trusted certificate white list being locally stored
The step of fingerprint consistent digital finger-print.
In a kind of preferred embodiment of the embodiment of the present invention, the digital finger-print matched sub-block also includes:
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the root certificate for judging the digital certificate of the server is not browser institute
The root authority of trust is issued.
In a kind of preferred embodiment of the embodiment of the present invention, the browser is corresponding with second server, and described second
Server is the root authority of the trust by operating system certification, and the second server in browser for sentencing
When the root certificate of the digital certificate of the fixed server is not that the root authority that browser is trusted is issued, to described
Server carries out supplement certification, and to issue digital certificate again by the server of certification.
In a kind of preferred embodiment of the embodiment of the present invention, described device also includes:
Prompt message generation module, the root certificate suitable for the digital certificate in the server are not that browser is trusted
When root authority is issued, warning prompt information is generated;
Reminding module, suitable for showing the warning prompt information in browser side.
In a kind of preferred embodiment of the embodiment of the present invention, the digital certificate of the server also has digital certificate category
Property information, determine communication encryption information in the browser and the server and communicated using the communication encryption information
The step of before, described device also includes:
3rd judge module, suitable for judging whether the digital certificate attribute information is legal.
In a kind of preferred embodiment of the embodiment of the present invention, the digital certificate attribute information comprises at least following information
One kind:Useful life scope, the website information of server of the digital certificate;
3rd judge module is further adapted for:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the numeral card
The useful life of book is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the network address of the server is judged
Information is legal.
In a kind of preferred embodiment of the embodiment of the present invention, described device also includes:
Authenticating party information display module, the root certificate suitable for the digital certificate in the judgement server are the roots of trust
Certification authority is issued, then display is carried out to the root certificate of the digital certificate of the server in the address field of browser
The authenticating party information of certification, the authenticating party information include operating system certification or browser certification.
For Fig. 7 device embodiment, because it is substantially similar to Fig. 2 embodiment of the method, so the ratio of description
Relatively simple, the relevent part can refer to the partial explaination of embodiments of method.
Algorithm and display be not inherently related to any certain computer, virtual system or miscellaneous equipment provided herein.
Various general-purpose systems can also be used together with teaching based on this.As described above, required by constructing this kind of system
Structure be obvious.In addition, the present invention is not also directed to any certain programmed language.It should be understood that it can utilize various
Programming language realizes the content of invention described herein, and the description done above to language-specific is to disclose this hair
Bright preferred forms.
In the specification that this place provides, numerous specific details are set forth.It is to be appreciated, however, that the implementation of the present invention
Example can be put into practice in the case of these no details.In some instances, known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this description.
Similarly, it will be appreciated that in order to simplify the disclosure and help to understand one or more of each inventive aspect,
Above in the description to the exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes
In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention:I.e. required guarantor
The application claims of shield features more more than the feature being expressly recited in each claim.It is more precisely, such as following
Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
Thus the claims for following embodiment are expressly incorporated in the embodiment, wherein each claim is in itself
Separate embodiments all as the present invention.
Those skilled in the art, which are appreciated that, to be carried out adaptively to the module in the equipment in embodiment
Change and they are arranged in one or more equipment different from the embodiment.Can be the module or list in embodiment
Member or component be combined into a module or unit or component, and can be divided into addition multiple submodule or subelement or
Sub-component.In addition at least some in such feature and/or process or unit exclude each other, it can use any
Combination is disclosed to all features disclosed in this specification (including adjoint claim, summary and accompanying drawing) and so to appoint
Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification (including adjoint power
Profit requires, summary and accompanying drawing) disclosed in each feature can be by providing the alternative features of identical, equivalent or similar purpose come generation
Replace.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments
In included some features rather than further feature, but the combination of the feature of different embodiments means in of the invention
Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed
One of meaning mode can use in any combination.
The all parts embodiment of the present invention can be realized with hardware, or to be run on one or more processor
Software module realize, or realized with combinations thereof.It will be understood by those of skill in the art that it can use in practice
Microprocessor or digital signal processor (DSP) realize that the data according to embodiments of the present invention based on https agreements are led to
Believe some or all functions of some or all parts in equipment.The present invention is also implemented as being used to perform institute here
The some or all equipment or program of device of the method for description are (for example, computer program and computer program production
Product).Such program for realizing the present invention can store on a computer-readable medium, or can have one or more
The form of signal.Such signal can be downloaded from internet website and obtained, and either be provided or on carrier signal to appoint
What other forms provides.
It should be noted that the present invention will be described rather than limits the invention for above-described embodiment, and ability
Field technique personnel can design alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference symbol between bracket should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not
Element or step listed in the claims.Word "a" or "an" before element does not exclude the presence of multiple such
Element.The present invention can be by means of including the hardware of some different elements and being come by means of properly programmed computer real
It is existing.In if the unit claim of equipment for drying is listed, several in these devices can be by same hardware branch
To embody.The use of word first, second, and third does not indicate that any order.These words can be explained and run after fame
Claim.
Embodiment of the invention discloses that A1, a kind of data communications method based on https agreements, methods described include:
In browser side base the access request to server is initiated in Https agreements;
Receive the digital certificate for the server that the server returns for the access request;
Judge whether the root certificate of the digital certificate of the server is trusted by browser place current operation system
Root authority issued;
If not, the root certificate that the root certificate for judging the digital certificate of the server, which is browser, is trusted is issued
Hair mechanism is issued;
If the root authority that the root certificate of the digital certificate of the server, which is browser, is trusted is issued, institute
Browser is stated to determine communication encryption information with the server and communicated using the communication encryption information.
A2, the method as described in A1, the root authority that the browser is trusted are deposited in the form of digital finger-print
In trusted certificate white list, the root certificate of the digital certificate for judging the server is what browser was trusted for storage
The step of root authority is issued includes:
The digital finger-print of the root certificate of the digital certificate of the server is calculated using Secure Hash Algorithm SHA1;
Judge in the trusted certificate white list with the presence or absence of the numeral with the root certificate of the digital certificate of the server
The consistent digital finger-print of fingerprint.
A3, the method as described in A2, the trusted certificate white list is stored in local and/or first server, described
Judge in the trusted certificate white list with the presence or absence of consistent with the digital finger-print of the root certificate of the digital certificate of the server
Digital finger-print the step of include:
In the root certificate that the trusted certificate white list being locally stored searches whether to have with the digital certificate of the server
The consistent digital finger-print of digital finger-print;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted
Issued;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request the
The digital finger-print one with the root certificate of the digital certificate of the server is searched in the newest trusted certificate white list of one server
The digital finger-print of cause, and the digital finger-print is sent to browser;
Receive first server for the inquiry request return with the root certificate of the digital certificate of the server
The consistent digital finger-print of digital finger-print, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue to hold
The numeral that row searches whether to have with the root certificate of the digital certificate of the server in the trusted certificate white list being locally stored
The step of fingerprint consistent digital finger-print.
A4, the method as described in A3, it is described to judge to whether there is and the server in the trusted certificate white list
The step of digital finger-print of the root certificate of digital certificate consistent digital finger-print, also includes:
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the root certificate for judging the digital certificate of the server is not browser institute
The root authority of trust is issued.
A5, the method as described in A3 or A4, the browser are corresponding with second server, and the second server is process
The root authority of the trust of operating system certification, the second server are used to judge the server in browser
The root certificate of digital certificate when not being that root authority that browser is trusted is issued, the server is mended
Certification is filled, and to issue digital certificate again by the server of certification.
A6, the method as described in A1 or A2 or A3 or A4, in addition to:
Issued if the root certificate of the digital certificate of the server is not the root authority that browser is trusted,
Then generate warning prompt information;
The warning prompt information is shown in browser side.
A7, the method as described in A1 or A2, the digital certificate of the server also has digital certificate attribute information, in institute
Before the step of stating browser and the server determine communication encryption information and the use communication encryption information is communicated,
Methods described also includes:
Judge whether the digital certificate attribute information is legal;
If the digital certificate attribute information is legal, performs the browser and determine that communication encryption is believed with the server
The step of ceasing and using the communication encryption information to be communicated.
A8, the method as described in A7, the digital certificate attribute information comprise at least one kind of following information:The numeral
Useful life scope, the website information of server of certificate;
The step for judging whether the digital certificate attribute information is legal includes:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the numeral card
The useful life of book is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the network address of the server is judged
Information is legal.
A9, the method as described in A1, in addition to:
If it is determined that the root authority that the root certificate of the digital certificate of the server is trust is issued, then exist
The authenticating party information that display is authenticated to the root certificate of the digital certificate of the server in the address field of browser, it is described to recognize
The side's of card information includes operating system certification or browser certification.
Embodiment of the invention discloses that B10, a kind of data communication equipment based on https agreements, described device include:
Access request initiation module, suitable for initiating the access request to server in Https agreements in browser side base;
Digital certificate receiving module, the server returned suitable for receiving the server for the access request
Digital certificate;
First judge module, suitable for judging whether the root certificate of digital certificate of the server ought where browser
The root authority that preceding operating system is trusted is issued;
Second judge module, suitable for the root certificate in the digital certificate for judging the server worked as where browser
When the root authority that preceding operating system is trusted is issued, the root certificate for judging the digital certificate of the server is not
It is that the root authority that browser is trusted is issued;
Communication module, the root certificate suitable for the digital certificate in the server are that the root certificate that browser is trusted is issued
When mechanism issues, the browser is determined communication encryption information with the server and carried out using the communication encryption information
Communication.
B11, the device as described in B10, the root authority that the browser is trusted is in the form of digital finger-print
It is stored in trusted certificate white list, second judge module includes:
Digital finger-print calculating sub module, suitable for the digital certificate using the Secure Hash Algorithm SHA1 calculating server
The digital finger-print of root certificate;
Digital finger-print matched sub-block, suitable for judging to whether there is and the server in the trusted certificate white list
The consistent digital finger-print of the digital finger-print of the root certificate of digital certificate.
B12, the device as described in B11, the trusted certificate white list are stored in local and/or first server, institute
Digital finger-print matched sub-block is stated to be further adapted for:
In the root certificate that the trusted certificate white list being locally stored searches whether to have with the digital certificate of the server
The consistent digital finger-print of digital finger-print;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted
Issued;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request the
The digital finger-print one with the root certificate of the digital certificate of the server is searched in the newest trusted certificate white list of one server
The digital finger-print of cause, and the digital finger-print is sent to browser;
Receive first server for the inquiry request return with the root certificate of the digital certificate of the server
The consistent digital finger-print of digital finger-print, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue to hold
The numeral that row searches whether to have with the root certificate of the digital certificate of the server in the trusted certificate white list being locally stored
The step of fingerprint consistent digital finger-print.
B13, the device as described in B12, the digital finger-print matched sub-block also include:
If searched in the newest trusted certificate white list of first server less than the digital certificate with the server
The consistent digital finger-print of the digital finger-print of root certificate, then the root certificate for judging the digital certificate of the server is not browser institute
The root authority of trust is issued.
B14, the device as described in B12 or B13, the browser are corresponding with second server, and the second server is
The root authority of trust by operating system certification, the second server are used to judge the clothes in browser
When the root certificate of the digital certificate of business device is not that the root authority that browser is trusted is issued, the server is entered
Row supplement certification, and to issue digital certificate again by the server of certification.
B15, the device as described in B10 or B11 or B12 or B13, in addition to:
Prompt message generation module, the root certificate suitable for the digital certificate in the server are not that browser is trusted
When root authority is issued, warning prompt information is generated;
Reminding module, suitable for showing the warning prompt information in browser side.
B16, the device as described in B10 or B11, the digital certificate of the server also have digital certificate attribute information,
The browser and the server determine communication encryption information and are communicated using the communication encryption information the step of
Before, described device also includes:
3rd judge module, suitable for judging whether the digital certificate attribute information is legal.
B17, the device as described in B16, the digital certificate attribute information comprise at least one kind of following information:The number
Useful life scope, the website information of server of word certificate;
3rd judge module is further adapted for:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the numeral card
The useful life of book is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the network address of the server is judged
Information is legal.
B18, the device as described in B1, in addition to:
Authenticating party information display module, the root certificate suitable for the digital certificate in the judgement server are the roots of trust
Certification authority is issued, then display is carried out to the root certificate of the digital certificate of the server in the address field of browser
The authenticating party information of certification, the authenticating party information include operating system certification or browser certification.
Claims (18)
1. a kind of data communications method based on https agreements, methods described include:
In browser side base the access request to server is initiated in Https agreements;
Receive the digital certificate for the server that the server returns for the access request;
The root certificate for judging the digital certificate of the server is the root that the current operation system where browser is trusted
Certification authority is issued;
If not, the root certificate that the root certificate for judging the digital certificate of the server, which is browser, is trusted issues machine
Structure is issued;
If the root authority that the root certificate of the digital certificate of the server, which is browser, is trusted is issued, described clear
Device of looking at is determined communication encryption information with the server and communicated using the communication encryption information.
2. the method as described in claim 1, it is characterised in that the root authority that the browser is trusted is with numeral
The form of fingerprint is stored in trusted certificate white list, and whether clear the root certificate of the digital certificate for judging the server is
The step of root authority that device of looking at is trusted is issued includes:
The digital finger-print of the root certificate of the digital certificate of the server is calculated using Secure Hash Algorithm SHA1;
Judge in the trusted certificate white list with the presence or absence of the digital finger-print with the root certificate of the digital certificate of the server
Consistent digital finger-print.
3. method as claimed in claim 2, it is characterised in that the trusted certificate white list is stored in local and/or first
It is described to judge to whether there is and the root certificate of the digital certificate of the server in the trusted certificate white list in server
The step of digital finger-print consistent digital finger-print, includes:
In the number that the trusted certificate white list being locally stored searches whether to have with the root certificate of the digital certificate of the server
The consistent digital finger-print of word fingerprint;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted is issued
Hair;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request in the first clothes
Being engaged in, it is consistent with the digital finger-print of the root certificate of the digital certificate of the server to be searched in the newest trusted certificate white list of device
Digital finger-print, and the digital finger-print is sent to browser;
Receive first server and be directed to the numeral with the root certificate of the digital certificate of the server that the inquiry request returns
The consistent digital finger-print of fingerprint, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue executing with
The trusted certificate white list being locally stored searches whether the digital finger-print for having with the root certificate of the digital certificate of the server
The step of consistent digital finger-print.
4. method as claimed in claim 3, it is characterised in that it is described judge to whether there is in the trusted certificate white list with
The step of digital finger-print of the root certificate of the digital certificate of the server consistent digital finger-print, also includes:
If the root searched in the newest trusted certificate white list of first server less than the digital certificate with the server is demonstrate,proved
The consistent digital finger-print of the digital finger-print of book, then the root certificate for judging the digital certificate of the server is not that browser is trusted
Root authority issued.
5. the method as described in claim 3 or 4, it is characterised in that the browser is corresponding with second server, and described second
Server is the root authority of the trust by operating system certification, and the second server in browser for sentencing
When the root certificate of the digital certificate of the fixed server is not that the root authority that browser is trusted is issued, to described
Server carries out supplement certification, and to issue digital certificate again by the server of certification.
6. method as claimed in claim 1 or 2 or 3 or 4, it is characterised in that also include:
Issued, given birth to if the root certificate of the digital certificate of the server is not the root authority that browser is trusted
Into warning prompt information;
The warning prompt information is shown in browser side.
7. method as claimed in claim 1 or 2, it is characterised in that the digital certificate of the server also has digital certificate
Attribute information, determine communication encryption information with the server in the browser and led to using the communication encryption information
Before the step of letter, methods described also includes:
Judge whether the digital certificate attribute information is legal;
If the digital certificate attribute information is legal, performs the browser and determine communication encryption information simultaneously with the server
The step of being communicated using the communication encryption information.
8. method as claimed in claim 7, it is characterised in that the digital certificate attribute information comprises at least following information
It is a kind of:Useful life scope, the website information of server of the digital certificate;
The step for judging whether the digital certificate attribute information is legal includes:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the digital certificate
Useful life is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the website information of the server is judged
It is legal.
9. the method as described in claim 1, it is characterised in that also include:
If it is determined that the root authority that the root certificate of the digital certificate of the server is trust is issued, then browsing
The authenticating party information that display is authenticated to the root certificate of the digital certificate of the server in the address field of device, the authenticating party
Information includes operating system certification or browser certification.
10. a kind of data communication equipment based on https agreements, described device include:
Access request initiation module, suitable for initiating the access request to server in Https agreements in browser side base;
Digital certificate receiving module, the number of the server returned suitable for receiving the server for the access request
Word certificate;
First judge module, grasped suitable for judging whether current where browser the root certificate of digital certificate of the server is
Make the root authority that system is trusted to be issued;
Second judge module, suitable for the root certificate in the digital certificate for judging the server currently grasped as where browser
When making the root authority that system is trusted and issuing, judge whether clear the root certificate of the digital certificate of the server is
The root authority that device of looking at is trusted is issued;
Communication module, the root certificate suitable for the digital certificate in the server are the root authorities that browser is trusted
When issued, the browser is determined communication encryption information with the server and led to using the communication encryption information
Letter.
11. device as claimed in claim 10, it is characterised in that the root authority that the browser is trusted is with number
The form of word fingerprint is stored in trusted certificate white list, and second judge module includes:
Digital finger-print calculating sub module, the root card of the digital certificate suitable for calculating the server using Secure Hash Algorithm SHA1
The digital finger-print of book;
Digital finger-print matched sub-block, suitable for judging in the trusted certificate white list with the presence or absence of the numeral with the server
The consistent digital finger-print of the digital finger-print of the root certificate of certificate.
12. device as claimed in claim 11, it is characterised in that the trusted certificate white list is stored in local and/or
In one server, the digital finger-print matched sub-block is further adapted for:
In the number that the trusted certificate white list being locally stored searches whether to have with the root certificate of the digital certificate of the server
The consistent digital finger-print of word fingerprint;
If so, the root authority that the root certificate for then judging the digital certificate of the server, which is browser, is trusted is issued
Hair;
If it is not, then the digital finger-print according to the root certificate of the digital certificate of the server generates inquiry request;
The inquiry request is sent to first server, the first server is used for according to the inquiry request in the first clothes
Being engaged in, it is consistent with the digital finger-print of the root certificate of the digital certificate of the server to be searched in the newest trusted certificate white list of device
Digital finger-print, and the digital finger-print is sent to browser;
Receive first server and be directed to the numeral with the root certificate of the digital certificate of the server that the inquiry request returns
The consistent digital finger-print of fingerprint, and the digital finger-print is stored in the trusted certificate white list being locally stored, continue executing with
The trusted certificate white list being locally stored searches whether the digital finger-print for having with the root certificate of the digital certificate of the server
The step of consistent digital finger-print.
13. device as claimed in claim 12, it is characterised in that the digital finger-print matched sub-block also includes:
If the root searched in the newest trusted certificate white list of first server less than the digital certificate with the server is demonstrate,proved
The consistent digital finger-print of the digital finger-print of book, then the root certificate for judging the digital certificate of the server is not that browser is trusted
Root authority issued.
14. the device as described in claim 12 or 13, it is characterised in that the browser is corresponding with second server, described
Second server is the root authority of the trust by operating system certification, and the second server is for browsing
It is right when the root certificate of the digital certificate of the device judgement server is not that the root authority that browser is trusted is issued
The server carries out supplement certification, and to issue digital certificate again by the server of certification.
15. the device as described in claim 10 or 11 or 12 or 13, it is characterised in that also include:
Prompt message generation module, the root certificate suitable for the digital certificate in the server are not the root cards that browser is trusted
When book issuing organization is issued, warning prompt information is generated;
Reminding module, suitable for showing the warning prompt information in browser side.
16. the device as described in claim 10 or 11, it is characterised in that the digital certificate of the server also has numeral card
Book attribute information, determine communication encryption information in the browser and the server and carried out using the communication encryption information
Before the step of communication, described device also includes:
3rd judge module, suitable for judging whether the digital certificate attribute information is legal.
17. device as claimed in claim 16, it is characterised in that the digital certificate attribute information comprises at least following information
One kind:Useful life scope, the website information of server of the digital certificate;
3rd judge module is further adapted for:
Current time information is judged in the range of the useful life of the digital certificate, if so, then judging the digital certificate
Useful life is legal;
And/or
If the website information of the server is consistent with the website information of current accessed, the website information of the server is judged
It is legal.
18. device as claimed in claim 10, it is characterised in that also include:
Authenticating party information display module, the root certificate suitable for the digital certificate in the judgement server are the root certificates of trust
Issuing organization is issued, then display is authenticated to the root certificate of the digital certificate of the server in the address field of browser
Authenticating party information, the authenticating party information includes operating system certification or browser certification.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410823078.3A CN104580172B (en) | 2014-12-24 | 2014-12-24 | A kind of data communications method and device based on https agreements |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410823078.3A CN104580172B (en) | 2014-12-24 | 2014-12-24 | A kind of data communications method and device based on https agreements |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104580172A CN104580172A (en) | 2015-04-29 |
| CN104580172B true CN104580172B (en) | 2017-12-12 |
Family
ID=53095353
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410823078.3A Active CN104580172B (en) | 2014-12-24 | 2014-12-24 | A kind of data communications method and device based on https agreements |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104580172B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111683089A (en) * | 2020-06-08 | 2020-09-18 | 绿盟科技集团股份有限公司 | Method, server, medium and computer equipment for identifying phishing website |
Families Citing this family (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105634744B (en) * | 2015-12-31 | 2020-01-21 | 北京元心科技有限公司 | Root certificate storage device and secure access method |
| CN107707508A (en) * | 2016-08-09 | 2018-02-16 | 中兴通讯股份有限公司 | Applied business recognition methods and device |
| CN107800675B (en) * | 2016-09-07 | 2020-04-07 | 深圳市腾讯计算机系统有限公司 | Data transmission method, terminal and server |
| CN106789897B (en) * | 2016-11-15 | 2019-08-06 | 沃通电子认证服务有限公司 | Digital certificate authentication method and system for application program for mobile terminal |
| CN108259406B (en) * | 2016-12-28 | 2020-12-29 | 中国电信股份有限公司 | Method and system for verifying SSL certificate |
| CN107566393A (en) * | 2017-09-26 | 2018-01-09 | 山东浪潮商用系统有限公司 | A kind of dynamic rights checking system and method based on trust certificate |
| CN107682371A (en) * | 2017-11-21 | 2018-02-09 | 北京安博通科技股份有限公司 | A kind of malice AP detection method and device |
| CN109861947B (en) * | 2017-11-30 | 2022-03-22 | 腾讯科技(武汉)有限公司 | Network hijacking processing method and device and electronic equipment |
| CN107864159A (en) * | 2017-12-21 | 2018-03-30 | 有米科技股份有限公司 | Communication means and device based on certificate and trust chain |
| CN110557255A (en) * | 2018-05-31 | 2019-12-10 | 北京京东尚科信息技术有限公司 | certificate management method and device |
| CN110581829A (en) * | 2018-06-08 | 2019-12-17 | 中国移动通信集团有限公司 | Communication method and device |
| CN108881484B (en) * | 2018-07-26 | 2021-04-02 | 杭州云缔盟科技有限公司 | Method for detecting whether terminal can access internet or not |
| CN109101813A (en) * | 2018-09-03 | 2018-12-28 | 郑州云海信息技术有限公司 | A kind of application program hold-up interception method and relevant apparatus |
| CN109657170B (en) * | 2018-10-17 | 2023-02-10 | 平安普惠企业管理有限公司 | Webpage loading method and device, computer equipment and storage medium |
| CN109660530B (en) * | 2018-12-08 | 2021-11-26 | 公安部第三研究所 | Information security protection method based on hardware certificate |
| CN110166470B (en) * | 2019-05-28 | 2022-07-19 | 奇安信科技集团股份有限公司 | Network service simulation method and device |
| CN111181912B (en) * | 2019-08-27 | 2021-10-15 | 腾讯科技(深圳)有限公司 | Browser identifier processing method and device, electronic equipment and storage medium |
| CN113328980B (en) * | 2020-02-29 | 2022-05-17 | 杭州迪普科技股份有限公司 | TLS authentication method, device and system, electronic equipment and readable medium |
| CN112073401B (en) * | 2020-08-28 | 2022-05-10 | 苏州浪潮智能科技有限公司 | Method, program and medium for automatically updating certificate based on HTTPS (Hypertext transfer protocol secure) protocol web application |
| CN114143034A (en) * | 2021-11-01 | 2022-03-04 | 清华大学 | Network access security detection method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101141447A (en) * | 2006-09-08 | 2008-03-12 | 飞塔信息科技(北京)有限公司 | HTTPS communication tunnel security check and content filtering system and method |
| CN101616165A (en) * | 2009-07-28 | 2009-12-30 | 江苏先安科技有限公司 | A kind of method of inquiring and authenticating issue of novel X 509 digital certificate white list |
| CN102611707A (en) * | 2012-03-21 | 2012-07-25 | 北龙中网(北京)科技有限责任公司 | Credible website identity installation and identification method |
| US8707028B2 (en) * | 2011-07-13 | 2014-04-22 | International Business Machines Corporation | Certificate-based cookie security |
-
2014
- 2014-12-24 CN CN201410823078.3A patent/CN104580172B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101141447A (en) * | 2006-09-08 | 2008-03-12 | 飞塔信息科技(北京)有限公司 | HTTPS communication tunnel security check and content filtering system and method |
| CN101616165A (en) * | 2009-07-28 | 2009-12-30 | 江苏先安科技有限公司 | A kind of method of inquiring and authenticating issue of novel X 509 digital certificate white list |
| US8707028B2 (en) * | 2011-07-13 | 2014-04-22 | International Business Machines Corporation | Certificate-based cookie security |
| CN102611707A (en) * | 2012-03-21 | 2012-07-25 | 北龙中网(北京)科技有限责任公司 | Credible website identity installation and identification method |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111683089A (en) * | 2020-06-08 | 2020-09-18 | 绿盟科技集团股份有限公司 | Method, server, medium and computer equipment for identifying phishing website |
| CN111683089B (en) * | 2020-06-08 | 2022-12-30 | 绿盟科技集团股份有限公司 | Method, server, medium and computer equipment for identifying phishing website |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104580172A (en) | 2015-04-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104580172B (en) | A kind of data communications method and device based on https agreements | |
| JP7090800B2 (en) | Distributed document and entity validation engine | |
| Dietz et al. | {Origin-Bound} Certificates: A Fresh Approach to Strong Client Authentication for the Web | |
| EP2263348B1 (en) | Method and system for displaying verification information indicators for a non-secure website | |
| CN101860540B (en) | Method and device for identifying legality of website service | |
| CN104038486B (en) | System and method for realizing user login identification based on identification type codes | |
| US20090307486A1 (en) | System and method for secured network access utilizing a client .net software component | |
| WO2015074547A1 (en) | Method for authenticating webpage content and browser | |
| CN105072125B (en) | A kind of http communication system and method | |
| CN107810617A (en) | Secret certification and supply | |
| US20120297187A1 (en) | Trusted Mobile Device Based Security | |
| CN104394172B (en) | Single-sign-on apparatus and method | |
| US20090077373A1 (en) | System and method for providing verified information regarding a networked site | |
| US20160241536A1 (en) | System and methods for user authentication across multiple domains | |
| CN111241533A (en) | Block chain-based password management method and device and computer-readable storage medium | |
| WO2015048039A1 (en) | Resource locators with keys | |
| US10341316B2 (en) | Injecting credentials into web browser requests | |
| CN101938473A (en) | Single-point login system and single-point login method | |
| Ouvrier et al. | Characterizing the HTTPS trust landscape: a passive view from the edge | |
| Cao et al. | Protecting web-based single sign-on protocols against relying party impersonation attacks through a dedicated bi-directional authenticated secure channel | |
| CN111081338A (en) | Safe human health parameter acquisition method | |
| Gruschka et al. | Analysis of the current state in website certificate validation | |
| Ghiglieri | Incorrect HTTPS Certificate Validation in Samsung Smart TVs | |
| AU2019204357B2 (en) | A system and method for certifying information | |
| Solbakken | Certificate security visualization |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220718 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: Room 112, block D, No. 28, Xinjiekou outer street, Xicheng District, Beijing 100088 (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right |