CN105530090A - Key negotiation method and device - Google Patents
Key negotiation method and device Download PDFInfo
- Publication number
- CN105530090A CN105530090A CN201511028895.0A CN201511028895A CN105530090A CN 105530090 A CN105530090 A CN 105530090A CN 201511028895 A CN201511028895 A CN 201511028895A CN 105530090 A CN105530090 A CN 105530090A
- Authority
- CN
- China
- Prior art keywords
- algorithm
- client
- interface
- cryptographic algorithm
- net silver
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
Abstract
The invention provides a key negotiation method and device. The method comprises the steps that: a client identifies a password algorithm supported by an E-bank shield; and the client schedules an interface supporting the password algorithm to negotiate a key with a security socket layer SSL server. By implementing the key negotiation method and device provided by the invention, the client can be compatible with different password algorithms to carry out key negotiation, therefore the user experience is optimized.
Description
Technical field
The present invention relates to the communications field, specifically, relate to the method and apparatus of key agreement.
Background technology
According to the report of world-renowned research institution, 1024 RSA (a kind of public key encryption algorithm named with three inventor Rivest (Lee Vista), Shamir (Shamir) and Adleman (A Deman)) keys only should use only should to use to the year two thousand thirty, 3072 RSA keys to 2010,2048 RSA keys and can use to after the year two thousand thirty.The scheme of fail safe strengthening RSA Algorithm is that to increase the key mould of RSA Algorithm long, but the increase of key length can cause encryption/decryption speed greatly to reduce, hardware implementing also becomes and becomes increasingly complex, this gives and uses the application of RSA Algorithm to bring very large burden, thus its range of application is restricted day by day, meanwhile, the applicable cycle of the program is shorter, from present circumstances and development trend, RSA can be eliminated sooner or later.
Therefore the cryptographic algorithm (the close algorithm of such as state) having more advantage in fail safe and encryption and decryption speed is needed to substitute RSA Algorithm gradually.But, current IE (InternetExplorer, a kind of web browser) kernel browser (carrying out the major browsers of key agreement) only supports RSA Algorithm, after waiting to promote the cryptographic algorithm of the advantage of having more, use and support that the client of this cryptographic algorithm Net silver shield cannot use IE kernel browser to carry out key agreement, have impact on the Experience Degree of user.
Summary of the invention
For solving the problems of the technologies described above, the invention provides a kind of method and equipment thereof of key agreement.
On the one hand, embodiments of the present invention provide a kind of method of key agreement, and described method comprises:
The cryptographic algorithm that client identification Net silver shield is supported;
Described client call supports that the interface of described cryptographic algorithm and SSL (SecureSocketsLayer, SSL) server carry out key agreement.
On the other hand, embodiment of the present invention provides a kind of client, and described client comprises:
Identification module, for identifying the cryptographic algorithm that Net silver shield is supported;
Key negotiation module, carries out key agreement for the interface and SSL server calling the cryptographic algorithm that the described identification module of support identifies.
Implement the method and apparatus of key agreement provided by the invention, the compatible different cryptographic algorithm of client can be realized to carry out key agreement, optimize Consumer's Experience.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method for a kind of key agreement according to embodiment of the present invention;
Fig. 2 shows a kind of execution mode of the treatment S 100 shown in Fig. 1;
Fig. 3 is the structural representation of a kind of client according to embodiment of the present invention;
Fig. 4 shows the structural representation of the identification module 100 shown in Fig. 3.
Embodiment
For making the object of embodiments of the invention, technical scheme and advantage clearly, below in conjunction with accompanying drawing, the present invention is described in further detail.
Fig. 1 is the flow chart of the method for a kind of key agreement according to embodiment of the present invention.See Fig. 1, described method comprises:
S100: the cryptographic algorithm that client identification Net silver shield is supported.
Wherein, described cryptographic algorithm can be RSA Algorithm, or the close algorithm of state etc.
S200: client call supports that the interface of described cryptographic algorithm and SSL server carry out key agreement.
In embodiments of the present invention, can in described client pre-configured described interface.Wherein, described interface can be CSP (CryptographicServiceProvider, CSP) interface or SKF (state's Data Encryption Standard interface) interface etc., this CSP interface supports above-mentioned RSA Algorithm, and this SKF interface supports the close algorithm of above-mentioned state.
Fig. 2 shows a kind of execution mode of the treatment S 100 shown in Fig. 1, and as shown in Figure 2, treatment S 100 can realize in the following manner:
S110: client obtains the algorithm types information of described Net silver shield.
In one embodiment of the invention, such as this algorithm types information can be obtained by facility information interface.
S120: the client cryptographic algorithm that Net silver shield is supported according to the algorithm types information identification got.
Such as, if the value of this algorithm types is 0, then identifying the cryptographic algorithm that described Net silver shield supports is RSA Algorithm, if the value of this algorithm types is 1, then identifying the cryptographic algorithm that described Net silver shield supports is the close algorithm of state.
Below for the compatible RSA Algorithm of client and the close algorithm of state, the method for key agreement provided by the present invention is specifically described.The method comprises:
Step 1: the cryptographic algorithm that client identification Net silver shield is supported, the cryptographic algorithm that this Net silver shield supports if identify is RSA Algorithm, then perform step 2, and the cryptographic algorithm that this Net silver shield supports if identify is the close algorithm of state, then perform step 3.
Wherein, step 1 such as can be realized by following process: the algorithm types information being obtained this Net silver shield by facility information interface; According to the cryptographic algorithm that this Net silver shield of algorithm types information identification got is supported.If the value of the algorithm types information got is 0, then RSA Algorithm supported by this Net silver shield, if the value of the algorithm types information got is 1, then the close algorithm of state supported by this Net silver shield.
Step 2: this client call CSP interface and SSL server carry out key agreement.
Step 3: this client call SKF interface and SSL server carry out key agreement.
Wherein, this step 2 specifically comprises following process:
1) information such as SSL version, cryptographic algorithm, Diffie-Hellman, MAC (MessageAuthenticationCodes, a kind of hash function) algorithm that this locality is supported by client sends to SSL server to select for it;
2) SSL server selectes SSL version and the encryption suite of this communication employing, and digital certificate is sent to client together;
3) client receives SSL server selected SSL version, encryption suite, and server digital certificate, and verifies certificate legitimacy:
● judge whether SSL server certificate is issued by " root authority of being trusted ";
● judge whether SSL server certificate is revoked;
● judge that whether server domain name is consistent with certificate domain name.
4) client carries out Net silver shield signature;
5) client stochastic generation is used for the symmetric key of subsequent communications;
6) client utilizes SSL server public key to send Net silver shield certificate, Net silver shield signature and symmetric key encryption to SSL server;
7) whether SSL server authentication client certificate is legal:
● judge whether client certificate is issued by " root authority of being trusted ";
● judge whether client certificate is revoked.
Whether Net silver shield signature is correct to utilize client public key to verify, and determines that SSL consults successfully or failure according to the result.
This step 3 specifically comprises following process:
1) close for state ssl protocol and standard cipher external member are sent to SSL server by client;
2) digital certificate is sent to client by SSL server;
3) client validate service device certificate legitimacy:
● judge whether server certificate is issued by " root authority of being trusted ";
● judge whether server certificate is revoked;
● judge that whether server domain name is consistent with certificate domain name.
4) client carries out Net silver shield signature;
5) client stochastic generation is used for the symmetric key of subsequent communications;
6) client utilizes SSL server public key to send Net silver shield certificate, Net silver shield signature and symmetric key encryption to SSL server;
7) first whether checking client certificate is legal for SSL server:
● judge whether client certificate is issued by " root authority of being trusted ";
● judge whether client certificate is revoked.
Whether Net silver shield signature is correct to utilize client public key to verify, and determines that SSL consults successfully or failure according to the result.
Fig. 3 is the structural representation of a kind of client according to embodiment of the present invention.See Fig. 3, described client 1000 comprises: identification module 100 and key negotiation module 200, particularly:
Identification module 100 is for identifying the cryptographic algorithm that Net silver shield is supported.
Wherein, described cryptographic algorithm can be RSA Algorithm, or the close algorithm of state etc.
Key negotiation module 200 is for calling the interface of cryptographic algorithm of supporting that described identification module 100 identifies and SSL server carries out key agreement.
In another embodiment of the invention, this client 1000 can also comprise configuration module, for configuring described interface.Wherein, described interface can be CSP interface or SKF interface etc., and this CSP interface supports above-mentioned RSA Algorithm, and this SKF interface supports the close algorithm of above-mentioned state.
Fig. 4 shows the structural representation of the identification module 100 shown in Fig. 3.See Fig. 4, described identification module 100 can comprise: acquiring unit 110 and recognition unit 120, particularly:
Acquiring unit 110 is for obtaining the algorithm types information of described Net silver shield.
The cryptographic algorithm that recognition unit 120 is supported for Net silver shield described in the algorithm types information identification accessed by described acquiring unit 110.
Implement the method and apparatus of key agreement provided by the invention, the compatible different cryptographic algorithm of client can be realized to carry out key agreement, optimize Consumer's Experience.
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by the mode of software combined with hardware platform.Based on such understanding, what technical scheme of the present invention contributed to background technology can embody with the form of software product in whole or in part, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc, CD etc., comprising some instructions in order to make a computer equipment (can be personal computer, server, smart mobile phone or the network equipment etc.) perform the method described in some part of each embodiment of the present invention or embodiment.
The term used in specification of the present invention and wording, just to illustrating, are not meaned and are formed restriction.It will be appreciated by those skilled in the art that under the prerequisite of the general principle not departing from disclosed execution mode, can various change be carried out to each details in above-mentioned execution mode.Therefore, scope of the present invention is only determined by claim, and in the claims, except as otherwise noted, all terms should be understood by the most wide in range rational meaning.
Claims (10)
1. a method for key agreement, is characterized in that, described method comprises:
The cryptographic algorithm that client identification Net silver shield is supported;
Described client call supports that the interface of described cryptographic algorithm and SSL SSL server carry out key agreement.
2. the method for claim 1, is characterized in that, the cryptographic algorithm that client identification Net silver shield is supported comprises:
Described client obtains the algorithm types information of described Net silver shield;
The described client cryptographic algorithm that Net silver shield is supported according to the algorithm types information identification got.
3. the method for claim 1, is characterized in that,
Described cryptographic algorithm comprises: RSA Algorithm, or the close algorithm of state.
4. method as claimed in claim 3, is characterized in that,
The interface of the described cryptographic algorithm of described support comprises: CSP CSP interface, or state Data Encryption Standard interface SKF interface, and wherein, described CSP interface supports described RSA Algorithm, and described SKF interface supports the close algorithm of described state.
5. the method according to any one of Claims 1-4, is characterized in that, described method also comprises:
The pre-configured described interface of described client.
6. a client, is characterized in that, described client comprises:
Identification module, for identifying the cryptographic algorithm that Net silver shield is supported;
Key negotiation module, carries out key agreement for the interface and SSL server calling the cryptographic algorithm that the described identification module of support identifies.
7. client as claimed in claim 6, it is characterized in that, described identification module comprises:
Acquiring unit, for obtaining the algorithm types information of described Net silver shield;
Recognition unit, for the cryptographic algorithm that Net silver shield described in the algorithm types information identification accessed by described acquiring unit is supported.
8. client as claimed in claim 6, is characterized in that,
Described cryptographic algorithm comprises: RSA Algorithm, or the close algorithm of state.
9. client as claimed in claim 8, is characterized in that,
The interface of the described cryptographic algorithm of described support comprises: CSP CSP interface, or state Data Encryption Standard interface SKF interface, and wherein, described CSP interface supports described RSA Algorithm, and described SKF interface supports the close algorithm of described state.
10. the client according to any one of claim 6 to 9, is characterized in that, described client also comprises:
Configuration module, for configuring described interface.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511028895.0A CN105530090A (en) | 2015-12-31 | 2015-12-31 | Key negotiation method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511028895.0A CN105530090A (en) | 2015-12-31 | 2015-12-31 | Key negotiation method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105530090A true CN105530090A (en) | 2016-04-27 |
Family
ID=55772104
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201511028895.0A Pending CN105530090A (en) | 2015-12-31 | 2015-12-31 | Key negotiation method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105530090A (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106101056A (en) * | 2016-05-12 | 2016-11-09 | 山东渔翁信息技术股份有限公司 | A kind of software architecture and allow IE browser method based on the communication of state close ssl protocol |
| CN106572109A (en) * | 2016-11-08 | 2017-04-19 | 广东信鉴信息科技有限公司 | Method for realizing encrypted communication based on TLS protocol and device |
| CN107277007A (en) * | 2017-06-14 | 2017-10-20 | 山东中创软件商用中间件股份有限公司 | A kind of data encryption and transmission method and device |
| CN107302428A (en) * | 2017-05-26 | 2017-10-27 | 北京国电通网络技术有限公司 | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network |
| CN109040318A (en) * | 2018-09-25 | 2018-12-18 | 网宿科技股份有限公司 | The HTTPS connection method of CDN network and CDN node server |
| CN109450901A (en) * | 2018-11-12 | 2019-03-08 | 北京天融信网络安全技术有限公司 | The close tunnel establishing method of state, device and equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050216736A1 (en) * | 2004-03-24 | 2005-09-29 | Smith Ned M | System and method for combining user and platform authentication in negotiated channel security protocols |
| CN101043335A (en) * | 2007-03-12 | 2007-09-26 | 中国建设银行股份有限公司 | Information security control system |
| CN103138938A (en) * | 2013-03-22 | 2013-06-05 | 中金金融认证中心有限公司 | SM2 certificate application method based on cryptographic service provider (CSP) |
| CN103780376A (en) * | 2012-10-26 | 2014-05-07 | 中国银联股份有限公司 | Method, terminal and safety carrier for realizing cryptographic algorithm system adaptive switching |
| CN105162808A (en) * | 2015-10-19 | 2015-12-16 | 成都卫士通信息产业股份有限公司 | Safety login method based on domestic cryptographic algorithm |
-
2015
- 2015-12-31 CN CN201511028895.0A patent/CN105530090A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050216736A1 (en) * | 2004-03-24 | 2005-09-29 | Smith Ned M | System and method for combining user and platform authentication in negotiated channel security protocols |
| CN101043335A (en) * | 2007-03-12 | 2007-09-26 | 中国建设银行股份有限公司 | Information security control system |
| CN103780376A (en) * | 2012-10-26 | 2014-05-07 | 中国银联股份有限公司 | Method, terminal and safety carrier for realizing cryptographic algorithm system adaptive switching |
| CN103138938A (en) * | 2013-03-22 | 2013-06-05 | 中金金融认证中心有限公司 | SM2 certificate application method based on cryptographic service provider (CSP) |
| CN105162808A (en) * | 2015-10-19 | 2015-12-16 | 成都卫士通信息产业股份有限公司 | Safety login method based on domestic cryptographic algorithm |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106101056A (en) * | 2016-05-12 | 2016-11-09 | 山东渔翁信息技术股份有限公司 | A kind of software architecture and allow IE browser method based on the communication of state close ssl protocol |
| CN106101056B (en) * | 2016-05-12 | 2018-10-26 | 山东渔翁信息技术股份有限公司 | Data processing method and allow IE browser based on the method for the close ssl protocol communication of state in a kind of agent software software architecture |
| CN106572109A (en) * | 2016-11-08 | 2017-04-19 | 广东信鉴信息科技有限公司 | Method for realizing encrypted communication based on TLS protocol and device |
| CN106572109B (en) * | 2016-11-08 | 2019-11-08 | 广东信鉴信息科技有限公司 | The method and device of coded communication is realized based on tls protocol |
| CN107302428A (en) * | 2017-05-26 | 2017-10-27 | 北京国电通网络技术有限公司 | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network |
| CN107277007A (en) * | 2017-06-14 | 2017-10-20 | 山东中创软件商用中间件股份有限公司 | A kind of data encryption and transmission method and device |
| CN109040318A (en) * | 2018-09-25 | 2018-12-18 | 网宿科技股份有限公司 | The HTTPS connection method of CDN network and CDN node server |
| CN109040318B (en) * | 2018-09-25 | 2021-05-04 | 网宿科技股份有限公司 | HTTPS connection method of CDN (content delivery network) and CDN node server |
| CN109450901A (en) * | 2018-11-12 | 2019-03-08 | 北京天融信网络安全技术有限公司 | The close tunnel establishing method of state, device and equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10348715B2 (en) | Computer-implemented systems and methods of device based, internet-centric, authentication | |
| CN104170312B (en) | For using the method and apparatus that hardware security engine is securely communicated by network | |
| CN108241517B (en) | Software upgrading method, client and electronic equipment | |
| KR102018971B1 (en) | Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium | |
| US9705673B2 (en) | Method, device, and system of provisioning cryptographic data to electronic devices | |
| US10454674B1 (en) | System, method, and device of authenticated encryption of messages | |
| CN105530090A (en) | Key negotiation method and device | |
| CN107358441B (en) | Payment verification method and system, mobile device and security authentication device | |
| CN108377190B (en) | Authentication equipment and working method thereof | |
| CN104717198B (en) | Oftware updating method and equipment on safety element | |
| US8606234B2 (en) | Methods and apparatus for provisioning devices with secrets | |
| CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
| CN107464109B (en) | Trusted mobile payment device, system and method | |
| US10609070B1 (en) | Device based user authentication | |
| CN103503366A (en) | Managing data for authentication devices | |
| EP3387576B1 (en) | Apparatus and method for certificate enrollment | |
| CN108683674A (en) | Verification method, device, terminal and the computer readable storage medium of door lock communication | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| EP2840735A1 (en) | Electronic cipher generation method, apparatus and device, and electronic cipher authentication system | |
| CN109413084B (en) | Password updating method, device and system | |
| CN106411520B (en) | Method, device and system for processing virtual resource data | |
| CN109302425A (en) | Identity identifying method and terminal device | |
| KR101836211B1 (en) | Electronic device authentication manager device | |
| CN116599719A (en) | User login authentication method, device, equipment and storage medium | |
| CN114745114B (en) | Key agreement method, device, equipment and medium based on password derivation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160427 |
|
| RJ01 | Rejection of invention patent application after publication |