CN104821951B - A kind of method and apparatus of secure communication - Google Patents


Info

Publication number: CN104821951B
Authority: CN (China)
Prior art keywords: client, destination server, secure channel, server, certificate
Legal status: Active
Application number: CN201510272533.XA
Other languages: Chinese (zh)
Other versions: CN104821951A
Inventors: 甘长华, 邱元香
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Events: application filed by New H3C Technologies Co Ltd; priority to CN201510272533.XA; publication of CN104821951A; application granted; publication of CN104821951B; legal status active


Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network security for authentication of entities
    • H04L63/10 Network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security


Abstract

The invention discloses a method and apparatus for secure communication. The method comprises: a proxy server, according to a request to establish a first secure channel sent by a client on the basis of the proxy server's certificate installed on the client side, establishes the first secure channel with the client, and receives over the first secure channel a communication request, sent by the client, for communication with a destination server; the proxy server, according to the destination server information carried in the communication request, establishes a second secure channel with the destination server on the basis of the destination server's certificate, and, according to the client information carried in the communication request, requests over the second secure channel a session key for the client and the destination server; the proxy server delivers the requested session key to the client over the first secure channel, so that the client communicates with the destination server using the session key. Embodiments of the invention can ensure communication security.

Description

Method and apparatus for secure communication
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for secure communication.
Background
With the explosive growth of e-commerce and the mobile Internet, people increasingly carry out communication involving sensitive information over the Internet, for example Internet financial transactions; network security has therefore become more and more important.
Currently, the threats faced by network security include: the communication data exchanged between two communicating parties is eavesdropped by a third party; or an attacker forges a server identity, establishes a secure encrypted channel with a client, and communicates with the client through that channel in order to extract client data.
Therefore, how to prevent communication data from being eavesdropped or an attacker from forging a server identity to extract client data, and so guarantee communication security between a client and a destination server, has become a technical problem urgently in need of a solution.
Summary of the invention
In view of this, the invention proposes a method and apparatus for secure communication that can guarantee communication security between a client and a destination server.
The technical solution proposed by the invention is:
A method of secure communication, the method comprising:
a proxy server, according to a request to establish a first secure channel sent by a client on the basis of the proxy server's certificate installed on the client side, establishes the first secure channel with the client, and receives over the first secure channel a communication request, sent by the client, for communication with a destination server;
the proxy server, according to the destination server information carried in the communication request, establishes a second secure channel with the destination server on the basis of the destination server's certificate, and, according to the client information carried in the communication request, requests over the second secure channel a session key for the client and the destination server;
the proxy server delivers the requested session key to the client over the first secure channel, so that the client communicates with the destination server using the session key.
An apparatus for secure communication, the apparatus being located in a proxy server and comprising a first secure communication module and a second secure communication module;
the first secure communication module is configured to establish a first secure channel with a client according to a request to establish the first secure channel sent by the client on the basis of the proxy server's certificate installed on the client side, to receive over the first secure channel a communication request with a destination server sent by the client, and to deliver the session key requested by the second secure communication module to the client over the first secure channel, so that the client communicates with the destination server using the session key;
the second secure communication module is configured to establish a second secure channel with the destination server on the basis of the destination server's certificate according to the destination server information carried in the communication request, and to request over the second secure channel a session key for the client and the destination server according to the client information carried in the communication request.
As can be seen from the above technical solution, in embodiments of the invention a proxy server is set up between the client and the destination server. The proxy server verifies the identity of the client and the identity of the destination server, ensuring that both are trustworthy, establishes a first secure channel with the client and a second secure channel with the destination server, then requests over the second secure channel a session key for communication between the client and the destination server and returns the requested key to the client over the first secure channel, so that the client and the destination server can communicate using that session key. This guarantees communication security between the client and the destination server.
Furthermore, since the client only needs to install the proxy server's certificate, while the certificates of the large number of destination servers are all installed on the proxy server side, storage space on the client side is saved and certificate management on the client side is simplified.
Also, when different clients each need to communicate with a large number of destination servers, only the proxy server needs to perform certificate verification, installation and management for those destination servers; each client need not do so separately, and each destination server need only verify the identity of the proxy server rather than the identity of every client. The resource waste caused by network nodes performing identical verification, installation and management operations is thereby avoided.
Brief description of the drawings
Fig. 1 is a flowchart of the secure communication method provided by an embodiment of the invention.
Fig. 2 is a schematic diagram of the composition of the communication system provided by an embodiment of the invention.
Fig. 3 is a hardware connection diagram of the proxy server provided by an embodiment of the invention.
Fig. 4 is a schematic structural diagram of the secure communication apparatus provided by an embodiment of the invention.
Detailed description
One way to guarantee communication security between a client and a destination server is the following: the client first obtains the destination server's certificate, verifies the destination server's identity against the certificate and, if the identity is trustworthy, installs the destination server's certificate, establishes a secure channel with the destination server on the basis of that certificate, and then communicates with the destination server through the secure channel.
Here, the client may verify the destination server's identity by checking whether the certificate sent by the destination server was issued by a certificate authority (CA) trusted by the client, for example: the server's certificate is in the client's local trusted certificate list, or the server certificate is authorized by some certificate authority and that authority's certificate is in the client's local trusted certificate list.
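The two acceptance paths just described (the server certificate is itself in the trusted list, or it chains to a CA certificate that is) can be written as a short chain walk. The following is an added example and not part of the patent; all certificate names, fingerprints and the `Certificate` record are constructed, and the signature that links a certificate to its issuer is modelled by a fingerprint match only, which stands in for the signature verification a real TLS stack performs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Certificate:
    subject: str
    fingerprint: str   # stands in for the certificate's own identity (hash of the certificate)
    issuer_fp: str     # fingerprint of the CA certificate that signed it; equals fingerprint for a self-signed root


def trust_anchor_for(server_cert: Certificate,
                     trusted: Set[str],
                     ca_certs: Dict[str, Certificate],
                     max_depth: int = 4) -> Optional[str]:
    """Return the subject of the locally trusted certificate that vouches for server_cert, or None.

    Path 1: the server certificate itself is in the local trusted list.
    Path 2: it was issued by a CA whose certificate (directly or via further CAs) is in the list.
    Only fingerprints are compared here; a real verifier also checks each signature, validity
    period and revocation status before following an issuer link.
    """
    current = server_cert
    for _ in range(max_depth):
        if current.fingerprint in trusted:
            return current.subject
        if current.issuer_fp == current.fingerprint:
            return None                    # self-signed root that is not in the trusted list
        current = ca_certs.get(current.issuer_fp)
        if current is None:
            return None                    # issuer unknown: the chain cannot be completed
    return None                            # chain longer than allowed


def is_destination_trusted(server_cert, trusted, ca_certs) -> bool:
    return trust_anchor_for(server_cert, trusted, ca_certs) is not None


# Constructed sample certificates (hypothetical names and fingerprints).
ROOT = Certificate("Example Root CA", "fp-root", "fp-root")
INTERMEDIATE = Certificate("Example Issuing CA", "fp-issuing", "fp-root")
BANK = Certificate("bank.example", "fp-bank", "fp-issuing")
PINNED = Certificate("pinned.example", "fp-pinned", "fp-pinned")    # self-signed, trusted directly
ROGUE = Certificate("bank.example", "fp-rogue", "fp-rogue-ca")      # same name, unknown issuer

CA_CERTS = {c.fingerprint: c for c in (ROOT, INTERMEDIATE)}         # CA certificates the client knows
TRUSTED = {"fp-root", "fp-pinned"}                                   # the client's local trusted list

if __name__ == "__main__":
    for cert in (BANK, PINNED, ROGUE):
        print(cert.subject, "->", trust_anchor_for(cert, TRUSTED, CA_CERTS))
```

The rogue certificate carries the same subject name as the bank's but fails because nothing in the client's store vouches for its issuer; this is exactly the check the patent later moves from every client into the proxy server.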
Therefore, to guarantee security, the certificate of every destination server the client needs to log in to must be installed on the client; for example, if a user needs to log in to an Internet banking system, the bank server's certificate must be installed using a device such as the USB key (U-shield) provided by the banking institution.
However, with the rapid development of the mobile Internet, applications are ever more abundant, and accessing each destination server requires installing that destination server's certificate. Once the certificates reach a certain number, the client's local certificates occupy a large amount of client storage space and certificate management becomes complicated; moreover, different clients each perform repeated verification, installation and management of the certificates of a large number of destination servers, which also wastes the resources of network nodes.
Based on the above analysis, embodiments of the invention provide a method for a client to communicate securely with a destination server that ensures communication security between them, saves storage space on the client side, simplifies client certificate management, and avoids the waste of network node resources caused by repeated certificate verification, installation and management.
Fig. 1 is a flowchart of the secure communication method provided by an embodiment of the invention.
As shown in Fig. 1, the process includes:
Step 101: the proxy server, according to a request to establish a first secure channel sent by the client on the basis of the proxy server's certificate installed on the client side, establishes the first secure channel with the client, and receives over the first secure channel a communication request with a destination server sent by the client.
Step 102: the proxy server, according to the destination server information carried in the communication request, establishes a second secure channel with the destination server on the basis of the destination server's certificate, and, according to the client information carried in the communication request, requests over the second secure channel a session key for the client and the destination server.
The content of the destination server information and of the client information carried in the communication request is not restricted by embodiments of the invention, provided the communication request can be realized. For example, the destination server information may include identification information or address information of the destination server, and the client information may include the client's certificate information and the Diffie-Hellman information and cryptographic algorithm information the client supports.
Step 103: the proxy server delivers the requested session key to the client over the first secure channel, so that the client communicates with the destination server using the session key.
As can be seen from the method shown in Fig. 1, a proxy server is set up between the client and the destination server; the proxy server establishes a first secure channel with the client and a second secure channel with the destination server, then requests over the second secure channel a session key for communication between the client and the destination server and returns the requested key to the client over the first secure channel, so that the client and the destination server can communicate using that session key. This guarantees communication security between the client and the destination server.
Also, since the client only needs to install the proxy server's certificate and the destination servers' certificates are all installed on the proxy server side, storage space on the client side is saved and certificate management on the client side is simplified.
In the method shown in Fig. 1, the proxy server can also act as a point of convergence for a large number of destination servers, avoiding repeated verification, installation and management of the same destination server on different clients, and thus saving the resources of network nodes.
Specifically, when the proxy server establishes the second secure channel with the destination server on the basis of the destination server's certificate, according to the destination server information carried in the communication request sent by the client over the first secure channel, it may judge from that information whether it has already installed the destination server's certificate. If so, it establishes the second secure channel with the destination server on the basis of the installed certificate; if not, the proxy server obtains the destination server's certificate, installs it when verification shows the certificate is legitimate, and then establishes the second secure channel on the basis of the installed certificate.
Thus, as long as the proxy server has once installed a destination server's certificate, when it later receives a communication request with that destination server from another client it does not need to install the certificate again; it only needs to establish the second secure channel with the destination server on the basis of the installed certificate and request over that channel the session key between the client and the destination server.
In the following, the method for a client to communicate securely with a destination server provided by an embodiment of the invention is described in detail with reference to the relationship between clients, destination servers and the proxy server, as shown in Fig. 2.
Fig. 2 is a schematic diagram of the composition of the communication system provided by an embodiment of the invention.
As shown in Fig. 2, the system includes clients 201-1 to 201-n, proxy server 202 and destination servers 203-1 to 203-m.
Clients 201-1 to 201-n each have the certificate of proxy server 202 installed. When any of them needs to communicate with any of destination servers 203-1 to 203-m, it establishes, on the basis of that certificate, one of first secure channels 1-1 to 1-n with proxy server 202, and then sends the communication request with the destination server over the first secure channel it has established with proxy server 202.
After receiving a communication request sent by any of clients 201-1 to 201-n, proxy server 202 judges, according to the destination server information carried in the request, whether it has already installed the certificate of that destination server. If so, it establishes the second secure channel with the destination server on the basis of the installed certificate. If not, proxy server 202 first obtains the destination server's certificate and verifies whether it is legitimate; if legitimate, it installs the certificate and establishes the second secure channel on the basis of it; if not legitimate, proxy server 202 refuses to install the certificate and returns over the first secure channel a message to the requesting client that the destination server is not trustworthy.
For example, suppose client 201-1 has installed the certificate of proxy server 202, has established first secure channel 1-1 with proxy server 202 on the basis of that certificate, and sends communication request 1, for communication with destination server 203-2, to proxy server 202 over first secure channel 1-1; the request carries the information of destination server 203-2. Proxy server 202 reads the information of destination server 203-2 from communication request 1 and judges whether it has installed the certificate of destination server 203-2. Suppose it has not: proxy server 202 then obtains the certificate of destination server 203-2 and verifies whether it is legitimate. Suppose the verification result is legitimate: proxy server 202 installs the certificate and, on the basis of the installed certificate, establishes second secure channel 2-2 with destination server 203-2. Proxy server 202 then requests from destination server 203-2, over second secure channel 2-2, a session key for communication between client 201-1 and destination server 203-2, and returns the requested session key to client 201-1 over first secure channel 1-1.
Continuing the example, suppose proxy server 202 later receives communication request 2, for communication with destination server 203-2, sent by client 201-2 over first secure channel 1-2. Proxy server 202 judges whether it has installed the certificate of destination server 203-2, and the result is that it has. Proxy server 202 therefore directly establishes second secure channel 2-2 with destination server 203-2 on the basis of the installed certificate, requests from destination server 203-2 over second secure channel 2-2 a session key for communication between client 201-2 and destination server 203-2, and returns the requested session key to client 201-2 over first secure channel 1-2.
As the foregoing shows, in embodiments of the invention, when a client needs to communicate with a destination server, the communication path used to request the session key is separated from the communication path on which the session key is actually used. The session key for communication between the client and the destination server is requested through the first secure channel between the client and the proxy server and the second secure channel between the proxy server and the destination server, while the requested key is used directly for communication between the client and the destination server. In other words, the client and the destination server encrypt their communication data with the session key and send the encrypted data to each other over the communication link between them. For example, client 201-1 encrypts the communication data it sends to destination server 203-2 with its session key and sends the encrypted data over communication link 1 between itself and destination server 203-2; client 201-2 encrypts the communication data it sends to destination server 203-2 with its session key and sends the encrypted data over communication link 2 between itself and destination server 203-2.
Because the path used to request the session key is separated from the path on which the session key is used, even if a security problem arises on the path where the session key is used, a new session key can be requested again over the key request path, so that subsequent communication becomes secure again.
When a new session key is requested again over the key request path, the method shown in Fig. 1 can still be used; in that case the communication request in Fig. 1 is specifically a session key update request, and the session key requested over the second secure channel for the client and the destination server is an updated session key.
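The procedure of steps 101 to 103, the reuse of an already installed destination certificate, the refusal of an untrusted one, and the session key update request all fit in one small model of the proxy. The following is an added example written for this page, not code from the patent or from New H3C; `ProxyServer`, `DestinationServer`, the certificate directory and all identifiers are constructed. Two simplifications are assumptions: certificate verification is reduced to checking the issuer name against a trusted list, and the destination server produces the session key as a fresh random value, since the patent leaves the key derivation open.

```python
import secrets
from dataclasses import dataclass

# Constructed trust data (hypothetical names, not from the patent).
TRUSTED_CAS = {"Example Root CA"}          # the proxy's local list of trusted certificate authorities


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str        # name of the signing CA; a name match stands in for real signature verification


# Constructed directory of destination-server certificates the proxy fetches on demand.
DESTINATION_CERTS = {
    "203-1": Certificate("dest-203-1.example", "Example Root CA"),
    "203-2": Certificate("dest-203-2.example", "Example Root CA"),
    "203-3": Certificate("dest-203-3.example", "Rogue CA"),   # signed by a CA the proxy does not trust
}


class DestinationServer:
    """Model of a destination server: issues one session key per client over the second secure channel."""

    def __init__(self, dest_id):
        self.dest_id = dest_id
        self.session_keys = {}             # client id -> key currently accepted from that client

    def issue_session_key(self, client_id, client_info):
        # Assumption: a fresh random key per request; the patent does not fix how the key is produced.
        key = secrets.token_bytes(32)
        self.session_keys[client_id] = key
        return key


class ProxyServer:
    def __init__(self, proxy_cert, destinations):
        self.proxy_cert = proxy_cert
        self.destinations = destinations   # dest id -> DestinationServer reachable over channel 2
        self.installed_dest_certs = {}     # dest id -> certificate already verified and installed
        self.first_channels = set()        # client ids holding an established first secure channel
        self.fetch_count = 0               # how many times a destination certificate had to be fetched

    def establish_first_channel(self, client_id, cert_installed_on_client):
        """Step 101: the first secure channel exists only if the client holds this proxy's certificate."""
        if cert_installed_on_client != self.proxy_cert:
            return False
        self.first_channels.add(client_id)
        return True

    def _fetch_certificate(self, dest_id):
        self.fetch_count += 1
        return DESTINATION_CERTS.get(dest_id)

    def establish_second_channel(self, dest_id):
        """Reuse an installed destination certificate; otherwise fetch it, verify it, install it."""
        cert = self.installed_dest_certs.get(dest_id)
        if cert is None:
            cert = self._fetch_certificate(dest_id)
            if cert is None or cert.issuer not in TRUSTED_CAS:
                return False               # refuse to install; the client is told the server is untrusted
            self.installed_dest_certs[dest_id] = cert
        return True

    def handle_communication_request(self, client_id, dest_id, client_info, key_update=False):
        """Steps 102 and 103; with key_update=True the same path serves a session key update request."""
        if client_id not in self.first_channels:
            return {"ok": False, "reason": "no first secure channel with this client"}
        if not self.establish_second_channel(dest_id):
            return {"ok": False, "reason": "destination server not trusted"}
        key = self.destinations[dest_id].issue_session_key(client_id, client_info)
        # The key goes back to the client over channel 1; the client then uses it on its direct link.
        return {"ok": True, "session_key": key, "updated": key_update}


def run_scenario():
    """Replays the 201-1 / 201-2 example from the description and returns the observable outcomes."""
    proxy_cert = Certificate("proxy-202.example", "Example Root CA")
    dests = {d: DestinationServer(d) for d in DESTINATION_CERTS}
    proxy = ProxyServer(proxy_cert, dests)
    info = {"client_cert": "client.example", "key_exchange": ["ECDHE"], "ciphers": ["AES-256-GCM"]}

    proxy.establish_first_channel("201-1", proxy_cert)
    proxy.establish_first_channel("201-2", proxy_cert)
    r1 = proxy.handle_communication_request("201-1", "203-2", info)   # certificate fetched and installed
    r2 = proxy.handle_communication_request("201-2", "203-2", info)   # installed certificate reused
    r3 = proxy.handle_communication_request("201-1", "203-3", info)   # untrusted CA: refused
    r4 = proxy.handle_communication_request("201-1", "203-2", info, key_update=True)  # key renewal
    return {
        "fetches": proxy.fetch_count,
        "installed": sorted(proxy.installed_dest_certs),
        "r1": r1, "r2": r2, "r3": r3, "r4": r4,
        "dest_key_for_201_1": dests["203-2"].session_keys["201-1"],
    }


if __name__ == "__main__":
    outcome = run_scenario()
    print("certificate fetches:", outcome["fetches"], "installed:", outcome["installed"])
    print("refused:", outcome["r3"])
```

Running the scenario shows the convergence effect the description claims: the certificate of 203-2 is fetched once and the second client's request reuses it, the untrusted 203-3 is never installed, and the key update for 201-1 replaces the key the destination server holds for that client without touching the direct link.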
Furthermore, since the proxy server establishes first secure channels with a large number of clients and second secure channels with a large number of destination servers, a security policy can be configured on the proxy server, so that when it receives a client's request to establish a first secure channel, the proxy server judges according to the security policy whether to establish the first secure channel with that client, and when it receives a client's communication request with a destination server, it judges according to the security policy whether to establish the second secure channel with that destination server. By configuring the security policy on the proxy server side, the proxy server controls the connections with both clients and destination servers according to the policy, and management and updating of the network security policy become more convenient; for example, the corresponding security policy need not be configured separately on each client or each destination server.
The position of the proxy server in the network can be chosen in many ways, determined according to the application scenario and security requirements; for example, in a broadband access scenario the proxy server can be a back-end server of the broadband service provider. To improve security, the attack resistance of the proxy server needs to reach a certain level.
To further improve security, embodiments of the invention propose that the client side can also configure a security policy of its own; for example, after installing the proxy server's certificate, the client can forbid the installation of any certificate other than the proxy server's, so as to prevent malware on the client from privately installing the certificate of an untrusted server and creating a security risk.
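The two policy points of the last paragraphs, the proxy-side decision on whether to open the first or second secure channel and the client-side refusal to install any certificate once the proxy's is in place, are shown below as an added example that is not part of the patent. The patent does not specify what the proxy policy contains, so an allowlist of clients and a blocklist of destinations are assumed here, and the decision log is added because a defender will want to see every refused channel and every refused certificate install.

```python
from dataclasses import dataclass, field


@dataclass
class ProxyPolicy:
    """Constructed proxy-side security policy; the patent leaves its contents open."""
    allowed_clients: set                                     # clients permitted to open a first secure channel
    blocked_destinations: set = field(default_factory=set)  # destinations the proxy refuses a second channel to
    decisions: list = field(default_factory=list)           # audit trail: (check, subject, allowed)

    def _record(self, check, subject, allowed):
        self.decisions.append((check, subject, allowed))
        return allowed

    def may_establish_first_channel(self, client_id):
        """Consulted when a request to establish a first secure channel arrives."""
        return self._record("first_channel", client_id, client_id in self.allowed_clients)

    def may_establish_second_channel(self, dest_id):
        """Consulted when a communication request names a destination server."""
        return self._record("second_channel", dest_id, dest_id not in self.blocked_destinations)

    def refusals(self):
        return [(check, subject) for check, subject, allowed in self.decisions if not allowed]


class ClientCertStore:
    """Client-side store that, once the proxy's certificate is installed, refuses every further install."""

    def __init__(self):
        self.certs = {}
        self.proxy_installed = False
        self.refused = []                  # names of certificates something tried to add afterwards

    def install(self, name, cert, is_proxy_cert=False):
        if self.proxy_installed:
            self.refused.append(name)      # e.g. malware trying to add an untrusted server certificate
            return False
        self.certs[name] = cert
        if is_proxy_cert:
            self.proxy_installed = True    # from here on the store is locked by the client policy
        return True


if __name__ == "__main__":
    policy = ProxyPolicy(allowed_clients={"201-1", "201-2"}, blocked_destinations={"203-9"})
    policy.may_establish_first_channel("201-7")
    policy.may_establish_second_channel("203-9")
    print("proxy refusals:", policy.refusals())
    store = ClientCertStore()
    store.install("proxy-202", b"constructed-proxy-cert", is_proxy_cert=True)
    store.install("unknown-server", b"constructed-rogue-cert")
    print("client refused installs:", store.refused)
```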
In the above embodiments, the security protocol and communication protocol on which the first and second secure channels are established are not restricted; for example, the first and second secure channels can be established over TCP connections on the basis of the Secure Socket Layer (SSL) protocol.
As can be seen, with embodiments of the invention the client only needs to install the certificate of one proxy server, and thereafter need not install the corresponding destination server's certificate when establishing an encrypted session with any destination server, which saves the cost of local certificate management on the client. By moving certificate management from the client to the proxy server, security policy changes can be made very conveniently, improving the ability to prevent network attacks. Moreover, in addition to the proxy server authenticating the destination server, the client can also enforce a higher-level security policy; for example, after the proxy server's certificate is installed, client-local software is by default forbidden from installing any other certificate, which effectively prevents malware from privately installing certificates. Embodiments of the invention also improve the user experience of the client; for example, the client no longer encounters situations in which the user must be reminded to check whether a website is untrusted. Further, once the proxy server has established a secure connection with a destination server, other clients that later establish a secure connection with that destination server through the proxy server do not need to authenticate the destination server again; this has a good convergence effect and can greatly save network computing resources.
Embodiments of the invention also disclose a proxy server for the above method, which includes an apparatus for secure communication between a client and a destination server.
Fig. 3 is a hardware connection diagram of the proxy server provided by an embodiment of the invention.
As shown in Fig. 3, the proxy server includes a processor, a network interface, memory and non-volatile memory, which are connected by a bus; specifically:
the non-volatile memory stores instruction code; the operations completed when the instruction code is executed by the processor are mainly the functions completed by the secure communication apparatus in memory;
the processor communicates with the non-volatile memory, reads and executes the instruction code stored in it, and completes the functions completed by the above secure communication apparatus;
the memory holds the secure communication apparatus whose functions are completed when the instruction code in the non-volatile memory is executed.
Fig. 4 is the structural schematic diagram of the device of secure communication provided in an embodiment of the present invention.
As shown in Fig. 4, the device includes a first secure communication module 401 and a second secure communication module 402.
The first secure communication module 401 establishes the first secure channel with the client in response to a request to establish a first secure channel, which the client sends on the basis of the certificate of the proxy server installed on the client side; receives, over the first secure channel, the communication request with the destination server sent by the client; and delivers the session key applied for by the second secure communication module to the client over the first secure channel, so that the client and the destination server communicate using that session key.
The second secure communication module 402 establishes the second secure channel with the destination server, on the basis of the destination server's certificate, according to the destination server information carried in the communication request, and, according to the client information carried in the communication request, applies over the second secure channel for a session key for the client and the destination server.
Specifically, the second secure communication module 402 determines, from the destination server information carried in the communication request, whether the certificate of the destination server has already been installed. If so, it establishes the second secure channel with the destination server on the basis of the installed certificate; if not, it obtains the certificate of the destination server, installs it once it has been verified as valid, and establishes the second secure channel on the basis of the installed certificate.
The communication request may include a session key update request.
In that case the second secure communication module 402 may apply, over the second secure channel, for an updated session key for the client and the destination server.
The first secure communication module 401 may further, on receiving a request from the client to establish the first secure channel, decide according to a security policy whether to establish the first secure channel with that client;
the second secure communication module 402 may further, on receiving the client's communication request with the destination server, decide according to the security policy whether to establish the second secure channel with that destination server.
The destination server information may include the identification information or address information of the destination server; the client information may include the client's certificate information together with the Diffie-Hellman information and the cryptographic algorithm information supported by the client.
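The three-party flow described in this embodiment, as an added example that is not part of the patent or of any product implementing it: a stdlib-only Python model in which the proxy opens the first channel against its own certificate, caches and verifies the destination certificate before the second channel, runs the Diffie-Hellman exchange on the client's behalf, hands the resulting session key to the client, and later rotates it on a key update request. The class and function names (ProxyServer, Client, DestinationServer, handle_request), the toy Diffie-Hellman group, the certificate strings, the policy callback and the HMAC-based data-channel cipher are all constructed for illustration and are not taken from the patent.

```python
"""Model of the proxy-mediated session-key scheme (added example; names are hypothetical)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: 2039 is a safe prime
# (2*1019+1) but far too small for real use; deployments use a 2048-bit or larger group.
P, G = 2039, 2
CIPHER = b"HMAC-SHA256-CTR"  # constructed stand-in for the client's cryptographic-algorithm info


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte session key from the DH shared secret and a per-exchange label."""
    return hmac.new(shared.to_bytes(2, "big"), label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC for the data channel: HMAC counter keystream plus HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class DestinationServer:
    def __init__(self, name: str):
        self.name, self.cert = name, f"cert:{name}"  # constructed stand-in for an X.509 cert
        self.session_keys = {}                        # client id -> current session key

    def negotiate(self, client_id: str, peer_pub: int, cipher: bytes):
        """Server half of the DH exchange over the second channel: returns (public value, salt)."""
        y, salt = secrets.randbelow(P - 2) + 1, secrets.token_bytes(8)
        self.session_keys[client_id] = kdf(pow(peer_pub, y, P), cipher + salt)
        return pow(G, y, P), salt


class Client:
    def __init__(self, cid: str, proxy_cert: str, cipher: bytes = CIPHER):
        self.id, self.proxy_cert, self.cipher, self.key = cid, proxy_cert, cipher, None


class ProxyServer:
    def __init__(self, policy):
        self.cert = "cert:proxy"   # installed on clients before they connect (first channel)
        self.installed = {}        # destination name -> verified certificate (claim 2 cache)
        self.policy = policy       # (client_id, destination) -> bool (claim 4 security policy)
        self.sessions = {}         # client id -> (destination, session key held by the proxy)

    def first_channel(self, client: Client) -> bool:
        """The first secure channel opens only if the client holds the proxy certificate."""
        return client.proxy_cert == self.cert and self.policy(client.id, None)

    def install_cert(self, server: DestinationServer, verify) -> str:
        if server.name not in self.installed:          # obtain, verify, then install
            if not verify(server.cert):
                raise ValueError(f"certificate of {server.name} failed verification")
            self.installed[server.name] = server.cert
        return self.installed[server.name]

    def handle_request(self, client: Client, server: DestinationServer, verify):
        """Serve a communication or key-update request; returns the session key that is
        delivered to the client over the first channel, or None when policy denies it."""
        if not self.first_channel(client) or not self.policy(client.id, server.name):
            return None
        self.install_cert(server, verify)             # second channel rests on this cert
        x = secrets.randbelow(P - 2) + 1              # DH private value chosen for the client
        server_pub, salt = server.negotiate(client.id, pow(G, x, P), client.cipher)
        key = kdf(pow(server_pub, x, P), client.cipher + salt)
        self.sessions[client.id] = (server.name, key)
        return key


def run_demo() -> dict:
    """Walk through the exchange and report the properties a reviewer would check."""
    proxy = ProxyServer(policy=lambda cid, dest: cid != "blocked")
    server = DestinationServer("bank.example")
    trust = lambda cert: cert.startswith("cert:")   # constructed certificate verifier
    alice = Client("alice", proxy.cert)
    alice.key = proxy.handle_request(alice, server, trust)
    blob = seal(alice.key, b"transfer 100")          # travels on the separate data channel
    out = {
        "keys_match": alice.key == server.session_keys["alice"],
        "server_reads": unseal(server.session_keys["alice"], blob),
        "proxy_reads": unseal(proxy.sessions["alice"][1], blob),  # the proxy holds the key too
        "cert_cached": server.name in proxy.installed,
        "denied": proxy.handle_request(Client("blocked", proxy.cert), server, trust),
    }
    old = alice.key
    alice.key = proxy.handle_request(alice, server, trust)     # session key update request
    out["rotated"] = alice.key != old and alice.key == server.session_keys["alice"]
    return out
```

The property worth noting in `run_demo` is `proxy_reads`: because the proxy performs the key exchange on the client's behalf and keeps a copy in `sessions`, it can decrypt everything on the data channel even though that channel is separate from the two secure channels. In a deployment, the proxy's session-key store and its cache of installed destination certificates are therefore the assets to protect and audit, and the `policy` callback is the natural place to enforce which client/destination pairs may be served.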
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A method of secure communication, characterized in that the method comprises:
a proxy server establishing a first secure channel with a client in response to a request to establish the first secure channel, sent by the client on the basis of the certificate of the proxy server installed on the client side, and receiving over the first secure channel a communication request with a destination server sent by the client;
the proxy server establishing, according to destination server information carried in the communication request and on the basis of the certificate of the destination server, a second secure channel with the destination server, and, according to client information carried in the communication request, applying over the second secure channel for a session key for the client and the destination server;
the proxy server delivering the applied-for session key to the client over the first secure channel, so that the client and the destination server establish a communication channel, encrypt communication data with the session key and send the encrypted data to each other over the communication channel, wherein the first secure channel and the second secure channel are separate from the communication channel.
2. The method according to claim 1, wherein the proxy server establishing the second secure channel with the destination server according to the destination server information carried in the communication request and on the basis of the certificate of the destination server comprises:
the proxy server determining, from the destination server information carried in the communication request, whether the certificate of the destination server is installed on the proxy server; if so, establishing the second secure channel with the destination server on the basis of the installed certificate; if not, obtaining the certificate of the destination server, installing it once it has been verified as valid, and establishing the second secure channel on the basis of the installed certificate.
3. The method according to claim 1, wherein the communication request includes a session key update request;
and applying over the second secure channel for a session key for the client and the destination server comprises:
applying over the second secure channel for an updated session key for the client and the destination server.
4. The method according to claim 1, wherein the method further comprises:
the proxy server deciding according to a security policy, on receiving the request from the client to establish the first secure channel, whether to establish the first secure channel with the client, and/or, on receiving the client's communication request with the destination server, whether to establish the second secure channel with the destination server.
5. The method according to claim 1, wherein
the destination server information includes the identification information or address information of the destination server, and the client information includes the certificate information of the client together with the Diffie-Hellman information and encryption algorithm information supported by the client.
6. A device for secure communication, characterized in that the device is located in a proxy server and comprises a first secure communication module and a second secure communication module;
the first secure communication module is configured to establish a first secure channel with a client in response to a request to establish the first secure channel, sent by the client on the basis of the certificate of the proxy server installed on the client side; to receive over the first secure channel a communication request with a destination server sent by the client; and to deliver the session key applied for by the second secure communication module to the client over the first secure channel, so that the client and the destination server establish a communication channel, encrypt communication data with the session key and send the encrypted data to each other over the communication channel, wherein the first secure channel and the second secure channel are separate from the communication channel;
the second secure communication module is configured to establish, according to destination server information carried in the communication request and on the basis of the certificate of the destination server, a second secure channel with the destination server, and, according to client information carried in the communication request, to apply over the second secure channel for a session key for the client and the destination server.
7. The device according to claim 6, characterized in that
the second secure communication module is configured to determine, from the destination server information carried in the communication request, whether the certificate of the destination server has been installed; if so, to establish the second secure channel with the destination server on the basis of the installed certificate; if not, to obtain the certificate of the destination server, install it once it has been verified as valid, and establish the second secure channel on the basis of the installed certificate.
8. The device according to claim 6, characterized in that the communication request includes a session key update request;
the second secure communication module is configured to apply over the second secure channel for an updated session key for the client and the destination server.
9. The device according to claim 6, characterized in that
the first secure communication module is further configured, on receiving a request from the client to establish the first secure channel, to decide according to a security policy whether to establish the first secure channel with the client;
the second secure communication module is further configured, on receiving the client's communication request with the destination server, to decide according to the security policy whether to establish the second secure channel with the destination server.
10. The device according to claim 6, characterized in that
the destination server information includes the identification information or address information of the destination server, and the client information includes the certificate information of the client together with the Diffie-Hellman information and encryption algorithm information supported by the client.
CN201510272533.XA 2015-05-26 2015-05-26 A kind of method and apparatus of secure communication Active CN104821951B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510272533.XA CN104821951B (en) 2015-05-26 2015-05-26 A kind of method and apparatus of secure communication

Publications (2)

Publication Number Publication Date
CN104821951A CN104821951A (en) 2015-08-05
CN104821951B true CN104821951B (en) 2019-04-19

Family

ID=53732114

Country Status (1)

Country Link
CN (1) CN104821951B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254388A (en) * 2016-09-22 2016-12-21 安徽云图信息技术有限公司 Access control technology under cloud computing environment
GB201710168D0 (en) * 2017-06-26 2017-08-09 Microsoft Technology Licensing Llc Introducing middleboxes into secure communications between a client and a server
CN108667857A (en) * 2018-08-28 2018-10-16 深信服科技股份有限公司 A kind of security strategy maintaining method and system, server-side, client
CN109088883B (en) * 2018-09-21 2021-01-15 北京天融信网络安全技术有限公司 Multi-subnet networking method and device, storage medium and computer equipment
CN110932861A (en) * 2019-10-17 2020-03-27 杭州安存网络科技有限公司 Digital certificate management method, device, equipment and storage medium based on multiple CA

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972306A (en) * 2006-12-01 2007-05-30 浙江大学 Implementation method of secure socket layer protocol secure proxy multiple authentication
CN102769846A (en) * 2011-05-04 2012-11-07 中国银联股份有限公司 User terminal and payment system
CN104023013A (en) * 2014-05-30 2014-09-03 上海帝联信息科技股份有限公司 Data transmission method, server side and client
CN104378339A (en) * 2013-08-16 2015-02-25 深圳市腾讯计算机系统有限公司 Communication method and device based on agency protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MXPA05001669A (en) * 2002-08-14 2005-07-22 Thomson Licensing Sa Session key management for public wireless lan supporting multiple virtual operators.

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Research and Implementation of a Client-Side Security Proxy Based on the SSL Protocol"; Fu Sha et al.; Computer and Modernization (计算机与现代化); 2007-12-30 (No. 143); pp. 100-105 and Fig. 1
"Design and Implementation of a Client-Side SSL Security Proxy"; Ren Jing et al.; Computer Applications and Research (计算机应用与研究); 2003-12-30 (No. 6); pp. 80-81, 109

Also Published As

Publication number Publication date
CN104821951A (en) 2015-08-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant after: Xinhua three Technology Co., Ltd.

Address before: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant