CN113037480A - JSSE-based national secret encryption communication method and device and storage medium - Google Patents
JSSE-based national secret encryption communication method and device and storage medium Download PDFInfo
- Publication number
- CN113037480A CN113037480A CN202110318921.2A CN202110318921A CN113037480A CN 113037480 A CN113037480 A CN 113037480A CN 202110318921 A CN202110318921 A CN 202110318921A CN 113037480 A CN113037480 A CN 113037480A
- Authority
- CN
- China
- Prior art keywords
- handshake
- jsse
- client
- information
- national secret
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 89
- 238000004891 communication Methods 0.000 title claims abstract description 78
- 230000008569 process Effects 0.000 claims abstract description 50
- 230000004044 response Effects 0.000 claims abstract description 6
- 238000012790 confirmation Methods 0.000 claims description 54
- 238000004422 calculation algorithm Methods 0.000 claims description 24
- 238000004590 computer program Methods 0.000 claims description 18
- 230000006835 compression Effects 0.000 claims description 17
- 238000007906 compression Methods 0.000 claims description 17
- 238000004458 analytical method Methods 0.000 claims description 13
- 238000011161 development Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 239000002131 composite material Substances 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/04—Protocols for data compression, e.g. ROHC
Abstract
The application discloses a JSSE-based national secret encryption communication method, a device and a storage medium thereof. The method comprises the following steps: receiving a handshake request of a client; analyzing the handshake request through a JSSE target server to generate handshake information; matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result; when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client; the client side and the target server side handshake for subsequent encrypted communication; the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications. Through carrying out corresponding processing on the handshake request of the client and returning corresponding response data, the JSSE-based national secret encryption communication is realized.
Description
Technical Field
The application relates to the technical field of national secret secure socket layer protocols, in particular to a JSSE-based national secret encryption communication method, a JSSE-based national secret encryption communication device and a JSSE-based national secret secure socket layer protocol storage medium.
Background
With the development of electronic commerce in recent years, TLS encryption technology is widely applied to network communication technology, but the TLS standard is established by foreign associations, and certain hidden danger exists for the cryptographic security of our country. Therefore, according to relevant password policies and regulations, the nation establishes a set of SSL VPN technical specifications based on RFC4346 TLS1.1 standard by combining the actual application requirements of China and the actual experience of product manufacturers. The specification correspondingly directs the national secret secure socket layer protocol specification, but the realization of the specification in the field of JAVA development has a problem.
Disclosure of Invention
The embodiment of the application provides a technical scheme of the national secret encryption communication based on JSSE, which is used for solving the problem of application and implementation of a national secret secure socket layer protocol in JSSE.
The application provides a JSSE-based national secret encryption communication method, which comprises the following steps:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
Further, in a preferred embodiment provided by the present application, the parsing, by the JSSE target server, the handshake request to generate handshake information specifically includes:
calling a JSSE target server side analysis model;
analyzing the handshake request through the server side analysis model to generate handshake information;
the handshake information comprises SSL/TLS protocol version numbers supported by the client, supported password suites, client random numbers, session IDs and compression methods;
the SSL/TLS protocol version number supported by the client comprises a cryptographic protocol version number;
the supported cipher suite includes a cipher suite supported by national cipher standards.
Further, in a preferred embodiment provided by the present application, matching the secret information preset in the JSSE target server with the handshake information to obtain a matching result specifically includes:
calling a matching algorithm in the JSSE target server;
matching a pre-expanded national cryptographic protocol version number in a JSSE target server with a protocol version number supported in the handshake information through a matching algorithm to generate a first matching result;
matching a password suite which is expanded in advance in a JSSE target server and meets the national password specification with a password suite supported in the handshake information through a matching algorithm to generate a second matching result;
and obtaining a matching result according to the first matching result and the second matching result.
Further, in a preferred embodiment provided by the present application, when the matching result meets the cryptographic communication condition, continuing to perform a handshake operation through the reconstructed JSSE handshake process logic, and establishing a handshake relationship with the client, specifically including:
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
and the JSSE handshake process logic is reconstructed at the target server in advance according to the national cryptographic specification.
Further, in a preferred embodiment provided by the present application, when a matching result meets a cryptographic communication condition, generating a server-side handshake confirmation parameter according to the matching result and the handshake information specifically includes:
when the matching result meets the national secret communication condition, selecting a national secret protocol version number in the handshake information and a password suite meeting the national secret specification;
extracting a session ID and a compression method in the handshake information;
calling a random number of a server;
and combining the national secret protocol version number, the server random number, the session ID, the compression method and the password suite to generate a server handshake confirmation parameter.
Further, in a preferred embodiment provided by the present application, according to the server side confirmation parameter, the JSSE handshake process logic conforming to the cryptographic specification is adopted to continue the handshake operation, and a handshake relationship is established with the client side, which specifically includes:
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
and establishing a handshake relation with the client according to the second handshake information.
Further, in a preferred embodiment provided by the present application, the completing, according to the server-side acknowledgement parameter, a first handshake information exchange task with the client specifically includes:
according to the server side confirmation parameters, sending certificate information of a target server side to a client side;
after the certificate information is sent, first handshake completion information is sent to the client;
and receiving a pre-master key message sent by the client in response to the server confirmation parameter, and completing a first handshake information exchange task with the client.
Further, in a preferred embodiment provided by the present application, the completing, according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client specifically includes:
receiving a prompt message which is sent by a client and is about to be switched to an encryption environment;
receiving a handshake completion message sent by a client;
responding to the prompt message of the client, and sending a prompt message that a target server is about to switch to an encryption environment;
and responding to the client handshake completion message, sending a target server handshake completion message, and completing a second handshake information exchange task with the client.
The present application also provides a JSSE-based national encryption communication device, including:
the receiving module is used for receiving a handshake request of a client;
the analysis module is used for analyzing the handshake request through the JSSE target server to generate handshake information;
the matching module is used for matching the national secret information preset in the JSSE target server and the handshake information to obtain a matching result;
the handshake module continues to perform handshake operation through the reconstructed JSSE handshake process logic and establishes handshake relation with the client when the matching result meets the national secret communication condition;
the handshake completion module is used for carrying out subsequent encrypted communication with the client according to the handshake relation;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
The present application also provides a storage medium storing a computer program which, when loaded, is able to carry out the method of any one of claims 1 to 8.
The embodiment provided by the application has at least the following technical effects:
the problem of support to the national password secure socket layer protocol in the JAVA development field is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a JSSE-based national encryption communication method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a JSSE-based national encryption communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a JSSE-based national secret encryption communication method provided in an embodiment of the present application specifically includes the following steps:
s100: a handshake request of a client is received.
A client is also commonly referred to as a client, and refers to a program corresponding to a server for providing local services to a client. After the internet has developed, the more common clients include web browsers used on the world wide web, email clients for receiving and sending emails, and client software for instant messaging. The handshake request may be request information requesting establishment of a secure national communication in a secure national socket layer protocol. For example, there is a client browser that supports communication functions based on the secure socket layer protocol. When a user inputs a specific website in a client browser, the client firstly sends a connection request to a server where the website is located. It is obvious that the connection request here can be understood as a handshake request.
S200: and analyzing the handshake request through the JSSE target server to generate handshake information.
Specifically, in a preferred embodiment provided by the present application, the analyzing, by the JSSE target server, the handshake request to generate handshake information specifically includes:
calling a JSSE target server side analysis model;
analyzing the handshake request through the server side analysis model to generate handshake information;
the handshake information comprises SSL/TLS protocol version numbers supported by the client, supported password suites, client random numbers, session IDs and compression methods;
the SSL/TLS protocol version number supported by the client comprises a cryptographic protocol version number;
the supported cipher suite includes a cipher suite supported by national cipher standards.
JSSE is a composite based on security algorithms and on handshake mechanisms. It can be understood that, for the handshake request sent by the client, the server may perform recognition after parsing. Such as a client browser that supports communications in accordance with the national secure socket layer protocol, with a cipher suite: ECC _ SM4_ SM 3. The client sends a request for establishing a secure socket layer protocol communication to the server through the browser. The server analyzes the request, and analyzes the request until the Client sends a Client Hello message to the server, wherein the message comprises: SSL/TLS protocol version number supported by the client, supported cipher suite, client random number, session ID, and compression method. By parsing the information, the target server may identify the specific information in the client request.
S300: and matching the national secret information preset in the JSSE target server with the handshake information to obtain a matching result.
It can be understood that when preset secret information is used, the support of the secret secure socket layer protocol by the program in the JSSE target server needs to be adjusted in advance. And matching preset national secret information with the handshake information, and establishing handshake connection between the target server and the client when the handshake information meets the preset rule condition of the target server. And handshake connection based on the national secret secure socket layer protocol can be established through the matching result of secret information preset in the JSSE target server and the handshake information.
Specifically, in a preferred embodiment provided by the present application, matching national secret information preset in the JSSE target server with the handshake information to obtain a matching result specifically includes:
calling a matching algorithm in the JSSE target server;
matching a pre-expanded national cryptographic protocol version number in a JSSE target server with a protocol version number supported in the handshake information through a matching algorithm to generate a first matching result;
matching a password suite which is expanded in advance in a JSSE target server and meets the national password specification with a password suite supported in the handshake information through a matching algorithm to generate a second matching result;
and obtaining a matching result according to the first matching result and the second matching result.
Obviously, when two items of data are matched, a matching algorithm needs to be called for data matching, so that a matching result is obtained. For example, for the common TLS protocol, the SSL version number is selected during HTTP communication. After the client sends the supported SSL version number to the server, the server can match the supported SSL version number according to the protocol version number supported by the server and the version number supported by the client. Since the version number of the domestic secret secure socket layer protocol is 0101, the protocol version needs to be extended to support the domestic secret secure socket layer protocol version number. It can be appreciated that the JSSE target server needs to coordinate support for the cipher suite within the JSSE to support the use of the cipher suite during communication. The secure socket layer protocol uses commercial cipher specification issued by the national cipher bureau for encryption, so that it is also necessary to support cipher suites in the secure socket layer protocol specification, such as ECC _ SM4_ SM3, in terms of encryption algorithm. Therefore, the target server based on the JSSE can carry out the next operation based on the national secret secure socket layer protocol.
S400: and when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client.
Specifically, in an embodiment provided by the present application, when the matching result meets the cryptographic communication condition, continuing to perform a handshake operation through the reconstructed JSSE handshake process logic, and establishing a handshake relationship with the client, specifically including:
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
and the JSSE handshake process logic is reconstructed at the target server in advance according to the national cryptographic specification.
It will be appreciated that since there is a distinction between the domestic secure socket layer protocol and the international secure socket layer protocol, the SSL handshake process logic within JSSE needs to be adapted in order to support communication based on the domestic secure socket layer protocol. According to the specification of the domestic secret secure socket layer protocol, the JSSE handshake process needs to be reconstructed. For example, after receiving a client request, the Server parses the request parameters and sends a Server Hello message, where the message content includes: the server side comprises a version protocol number selected by the server side, a server side random number, a session ID, a compression method and a selected password suite. After the JSSE handshake process is reconstructed, the JSSE target server can support handshake operation which accords with the national secret security socket layer protocol specification.
Specifically, in a preferred embodiment provided by the present application, when a matching result meets a cryptographic communication condition, generating a server-side handshake confirmation parameter according to the matching result and the handshake information specifically includes:
when the matching result meets the national secret communication condition, selecting a national secret protocol version number in the handshake information and a password suite meeting the national secret specification;
extracting a session ID and a compression method in the handshake information;
calling a random number of a server;
and combining the national secret protocol version number, the server random number, the session ID, the compression method and the password suite to generate a server handshake confirmation parameter.
It is understood that, when the version number of the national password protocol and the cipher suite meeting the national password specification in the handshake information are selected, the protocol specification of the national password security socket layer needs to be met. It is obvious that the chosen model of protocol version and cipher suite needs to be reconstructed according to the national secure socket layer protocol specification. Thus, the handshake confirmation parameters of the server can meet the protocol specification of the secure socket layer.
It should be noted that, in an embodiment of the present invention, according to the server-side confirmation parameter, the step of continuing to perform a handshake operation by using a JSSE handshake process logic conforming to a cryptographic specification, and establishing a handshake relationship with the client includes:
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
and establishing a handshake relation with the client according to the second handshake information.
It can be understood that according to the specifications of the domestic secret secure socket layer protocol, the JSSE handshake process needs to be reconstructed, including the generation algorithm of the master key and the calculation algorithm of the session key. Thus, the master key and the session key generated by the reconstructed algorithm conform to the specifications of the secure socket layer protocol.
Specifically, in a preferred embodiment provided by the present application, the completing a first handshake information exchange task with a client according to the server-side acknowledgement parameter specifically includes:
according to the server side confirmation parameters, sending certificate information of a target server side to a client side;
after the certificate information is sent, first handshake completion information is sent to the client;
and receiving a pre-master key message sent by the client in response to the server confirmation parameter, and completing a first handshake information exchange task with the client.
It can be understood that when the client and the server perform encrypted communication based on the secure socket layer protocol, the certificate of the target server needs to conform to the secret specification. Obviously, the target server needs to adjust the support of SSL certificates in JSSE in order to support the use of secure sockets layer protocol dual certificates. For the SSL/TLS protocol, the supported certificates are all single certificates. For the national secret secure socket layer protocol specification, part of the cipher suite communication needs to adopt double certificates for communication. The double certificate here refers to an encryption certificate and a signature certificate. When a certificate in the service end JSSE is reformed, a certificate manager in the JSSE needs to be expanded. For example, the Server sends a Server Certificate message to the client according to the selected cipher suite, and the Server Certificate message may be understood as Certificate information of the target Server. When the cipher suite is ECC _ SM4_ SM3, the message carries the encryption certificate and signature certificate information. And when the cipher suite selected by the Server is ECC _ SM4_ SM3, continuously sending a Server Key Exchange message, wherein the message carries the random numbers of the two parties and the signature value of the encrypted certificate of the Server. The Server continues to send a Server Hello Done message, which may be understood as the first handshake complete message, indicating that the Server Hello message is complete. After receiving the Server Hello Done message, the Client generates a pre-master Key according to the random numbers of the two parties and an encryption algorithm, then encrypts the pre-master Key by using a public Key of a certificate, sends a Client Key Exchange message to the target Server after encryption, and starts to calculate the master Key and the session Key. Wherein the Client Key Exchange message comprises a Client support version number and a 46-byte random number. The server side receives the pre-master key and then decrypts the pre-master key, and then starts to calculate the master key and the session key. In this way, the target server side realizes the encryption parameter exchange with the client side.
Specifically, in a preferred embodiment provided by the present application, the completing, according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client specifically includes:
receiving a prompt message which is sent by a client and is about to be switched to an encryption environment;
receiving a handshake completion message sent by a client;
responding to the prompt message of the client, and sending a prompt message that a target server is about to switch to an encryption environment;
and responding to the client handshake completion message, sending a target server handshake completion message, and completing a second handshake information exchange task with the client.
It can be understood that the client handshake completion message is an encrypted message protected by an algorithm and a key negotiated by the client and the server, and the target server handshake completion message also contains an encrypted content verified by the client. For example, the client sends a ChangeCipherSpec message, which may be understood as a prompt message sent by the client to tell the server that a switch to a cryptographic environment is about to occur. The client sends a Finished message, which may be understood as a client handshake completion message. The server side also sends a ChangeCipherSpec message of the server side after receiving the ChangeCipherSpec message of the client side, wherein the ChangeCipherSpec message can be understood as a prompt message of the target server side and is used for telling the client side to switch to the encryption environment. And after receiving the Finished message of the client, the server checks the Finished message and then sends the Finished message of the server. It should be apparent that the server Finished message can be understood as a target server handshake completion message. At this time, the client and the target server make preparation for formally establishing encrypted communication based on the national security socket layer protocol in the next step.
S500: the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
Obviously, after the client and the target server handshake, they can start to use the negotiated algorithm and key for encrypted communication. It will be appreciated that the support for the SSL protocol version within JSSE is adjusted to support the version number of the homesecurity socket layer protocol by extending the homekey version number in advance in the JSSE protocol version. The adjusted JSSE target server can support communication based on a secure socket layer protocol.
Based on the same idea, the JSSE-based national encryption communication method provided in the embodiment of the present application further provides a JSSE-based national encryption communication device 100, as shown in fig. 2.
A JSSE-based cryptographic communication device 100 comprising:
a receiving module 11, configured to receive a handshake request of a client;
the analysis module 12 is configured to analyze the handshake request through the JSSE target server to generate handshake information;
the matching module 13 is used for matching the national secret information preset in the JSSE target server and the handshake information to obtain a matching result;
the handshake module 14 is used for continuing handshake operation through the reconstructed JSSE handshake process logic and establishing handshake relation with the client when the matching result meets the national secret communication condition;
a handshake completion module 15, configured to perform subsequent encrypted communication with the client according to the handshake relationship;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
A particular application of the JSSE-based cryptographic communication device herein is understood to be a software product. One specific application of the receiving module 11, the parsing module 12, the matching module 13, the handshaking module 14 and the handshaking completion module 15 can be understood as functional functions that can be packaged independently.
Further, in a preferred embodiment provided in the present application, the parsing module 12 is configured to parse the handshake request through the JSSE target server to generate handshake information, and specifically configured to:
calling a JSSE target server side analysis model;
analyzing the handshake request through the server side analysis model to generate handshake information;
the handshake information comprises SSL/TLS protocol version numbers supported by the client, supported password suites, client random numbers, session IDs and compression methods;
the SSL/TLS protocol version number supported by the client comprises a cryptographic protocol version number;
the supported cipher suite includes a cipher suite supported by national cipher standards.
Further, in a preferred embodiment provided in the present application, the matching module 13 is configured to match cryptographic information preset in the JSSE target server with the handshake information to obtain a matching result, and specifically configured to:
calling a matching algorithm in the JSSE target server;
matching a pre-expanded national cryptographic protocol version number in a JSSE target server with a protocol version number supported in the handshake information through a matching algorithm to generate a first matching result;
matching a password suite which is expanded in advance in a JSSE target server and meets the national password specification with a password suite supported in the handshake information through a matching algorithm to generate a second matching result;
and obtaining a matching result according to the first matching result and the second matching result.
Further, in a preferred embodiment provided in the present application, the matching module 14 is configured to continue performing a handshake operation through the reconstructed JSSE handshake process logic and establish a handshake relationship with the client when the matching result meets the cryptographic communication condition, and specifically configured to:
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
and the JSSE handshake process logic is reconstructed at the target server in advance according to the national cryptographic specification.
Further, in a preferred embodiment provided in the present application, the apparatus is further configured to generate a server-side handshake confirmation parameter according to the matching result and the handshake information when the matching result meets a cryptographic communication condition, and specifically configured to:
when the matching result meets the national secret communication condition, selecting a national secret protocol version number in the handshake information and a password suite meeting the national secret specification;
extracting a session ID and a compression method in the handshake information;
calling a random number of a server;
and combining the national secret protocol version number, the server random number, the session ID, the compression method and the password suite to generate a server handshake confirmation parameter.
Further, in a preferred embodiment provided in the present application, the apparatus is further configured to continue performing a handshake operation by using JSSE handshake process logic conforming to a cryptographic specification according to the server-side confirmation parameter, and establish a handshake relationship with the client, and specifically configured to:
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
and establishing a handshake relation with the client according to the second handshake information.
Further, in a preferred embodiment provided in the present application, the apparatus is further configured to complete a first handshake information exchange task with the client according to the server-side acknowledgement parameter, and specifically configured to:
according to the server side confirmation parameters, sending certificate information of a target server side to a client side;
after the certificate information is sent, first handshake completion information is sent to the client;
and receiving a pre-master key message sent by the client in response to the server confirmation parameter, and completing a first handshake information exchange task with the client.
Further, in a preferred embodiment provided in the present application, the apparatus is further configured to complete a second handshake information exchange task with the client according to the reconstructed JSSE handshake process logic, and specifically configured to:
receiving a prompt message which is sent by a client and is about to be switched to an encryption environment;
receiving a handshake completion message sent by a client;
responding to the prompt message of the client, and sending a prompt message that a target server is about to switch to an encryption environment;
and responding to the client handshake completion message, sending a target server handshake completion message, and completing a second handshake information exchange task with the client.
An embodiment of the present application further provides a storage medium, where the storage medium stores a computer program, and after the computer program is loaded, the following steps may be executed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
calling a JSSE target server side analysis model;
analyzing the handshake request through the server side analysis model to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications, the handshake information comprises an SSL/TLS protocol version number supported by a client, a supported password suite, a client random number, a session ID and a compression method, the SSL/TLS protocol version number supported by the client comprises a national secret protocol version number, and the supported password suite comprises a password suite supported by a national secret standard.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
calling a matching algorithm in the JSSE target server;
matching a pre-expanded national cryptographic protocol version number in a JSSE target server with a protocol version number supported in the handshake information through a matching algorithm to generate a first matching result;
matching a password suite which is expanded in advance in a JSSE target server and meets the national password specification with a password suite supported in the handshake information through a matching algorithm to generate a second matching result;
and obtaining a matching result according to the first matching result and the second matching result.
When the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a cipher suite which is expanded in a JSSE cipher suite in advance and accords with the national secret specification, and the JSSE handshake process logic is reconstructed at the target server in advance according to the national secret specification.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, selecting a national secret protocol version number in the handshake information and a password suite meeting the national secret specification;
extracting a session ID and a compression method in the handshake information;
calling a random number of a server;
combining the national cryptographic protocol version number, the server random number, the session ID, the compression method and the password suite to generate a server handshake confirmation parameter;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a cipher suite which is expanded in a JSSE cipher suite in advance and accords with the national secret specification, and the JSSE handshake process logic is reconstructed at the target server in advance according to the national secret specification.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
establishing a handshake relation with the client according to the second handshake information;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a cipher suite which is expanded in a JSSE cipher suite in advance and accords with the national secret specification, and the JSSE handshake process logic is reconstructed at the target server in advance according to the national secret specification.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, sending certificate information of a target server side to a client side;
after the certificate information is sent, first handshake completion information is sent to the client;
receiving a pre-master key message sent by a client in response to the server confirmation parameter, and completing a first handshake information exchange task with the client;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
establishing a handshake relation with the client according to the second handshake information;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a cipher suite which is expanded in a JSSE cipher suite in advance and accords with the national secret specification, and the JSSE handshake process logic is reconstructed at the target server in advance according to the national secret specification.
Further, in an embodiment provided by the present application, the storage medium stores a computer program, and after the computer program is loaded, the following steps may be performed:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
receiving a prompt message which is sent by a client and is about to be switched to an encryption environment;
receiving a handshake completion message sent by a client;
responding to the prompt message of the client, and sending a prompt message that a target server is about to switch to an encryption environment;
responding the client handshake completion message, sending a target server handshake completion message, and completing a second handshake information exchange task with the client;
establishing a handshake relation with the client according to the second handshake information;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a cipher suite which is expanded in a JSSE cipher suite in advance and accords with the national secret specification, and the JSSE handshake process logic is reconstructed at the target server in advance according to the national secret specification.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A JSSE-based national secret encryption communication method is characterized by comprising the following steps:
receiving a handshake request of a client;
analyzing the handshake request through a JSSE target server to generate handshake information;
matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result;
when the matching result meets the national secret communication condition, continuing to perform handshake operation through the reconstructed JSSE handshake process logic, and establishing handshake relation with the client;
the client side and the target server side handshake for subsequent encrypted communication;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
2. The method of claim 1, wherein the parsing the handshake request through the JSSE target server generates handshake information, specifically comprising:
calling a JSSE target server side analysis model;
analyzing the handshake request through the server side analysis model to generate handshake information;
the handshake information comprises SSL/TLS protocol version numbers supported by the client, supported password suites, client random numbers, session IDs and compression methods;
the SSL/TLS protocol version number supported by the client comprises a cryptographic protocol version number;
the supported cipher suite includes a cipher suite supported by national cipher standards.
3. The method according to claim 1, wherein matching national secret information preset in a JSSE target server with the handshake information to obtain a matching result specifically comprises:
calling a matching algorithm in the JSSE target server;
matching a pre-expanded national cryptographic protocol version number in a JSSE target server with a protocol version number supported in the handshake information through a matching algorithm to generate a first matching result;
matching a password suite which is expanded in advance in a JSSE target server and meets the national password specification with a password suite supported in the handshake information through a matching algorithm to generate a second matching result;
and obtaining a matching result according to the first matching result and the second matching result.
4. The method according to claim 1, wherein when the matching result meets the cryptographic communication condition, continuing the handshake operation through the reconstructed JSSE handshake process logic, and establishing a handshake relationship with the client, specifically comprising:
when the matching result meets the national secret communication condition, generating a server side handshake confirmation parameter according to the matching result and the handshake information;
sending handshake confirmation parameters of a server side to a client side;
according to the server side confirmation parameters, adopting JSSE handshake process logic which accords with the national secret standard to continue handshake operation, and establishing a handshake relation with the client side;
and the JSSE handshake process logic is reconstructed at the target server in advance according to the national cryptographic specification.
5. The method according to claim 4, wherein when the matching result meets the cryptographic communication condition, generating a server-side handshake confirmation parameter according to the matching result and the handshake information, specifically comprising:
when the matching result meets the national secret communication condition, selecting a national secret protocol version number in the handshake information and a password suite meeting the national secret specification;
extracting a session ID and a compression method in the handshake information;
calling a random number of a server;
and combining the national secret protocol version number, the server random number, the session ID, the compression method and the password suite to generate a server handshake confirmation parameter.
6. The method according to claim 4, wherein according to the server side confirmation parameters, continuing the handshake operation by adopting JSSE handshake process logic conforming to the cryptographic specification, and establishing a handshake relationship with the client side, specifically comprising:
according to the server side confirmation parameters, completing a first handshake information exchange task with the client side;
generating a master key and a session key according to the first handshake information and the handshake parameters;
according to the reconstructed JSSE handshake process logic, a second handshake information exchange task with the client is completed;
and establishing a handshake relation with the client according to the second handshake information.
7. The method according to claim 6, wherein completing the first handshake information exchange task with the client according to the server confirmation parameter specifically includes:
according to the server side confirmation parameters, sending certificate information of a target server side to a client side;
after the certificate information is sent, first handshake completion information is sent to the client;
and receiving a pre-master key message sent by the client in response to the server confirmation parameter, and completing a first handshake information exchange task with the client.
8. The method according to claim 6, wherein completing a second handshake information exchange task with the client according to the reconstructed JSSE handshake process logic specifically comprises:
receiving a prompt message which is sent by a client and is about to be switched to an encryption environment;
receiving a handshake completion message sent by a client;
responding to the prompt message of the client, and sending a prompt message that a target server is about to switch to an encryption environment;
and responding to the client handshake completion message, sending a target server handshake completion message, and completing a second handshake information exchange task with the client.
9. A JSSE-based cryptographic communication apparatus, comprising:
the receiving module is used for receiving a handshake request of a client;
the analysis module is used for analyzing the handshake request through the JSSE target server to generate handshake information;
the matching module is used for matching the national secret information preset in the JSSE target server and the handshake information to obtain a matching result;
the handshake module continues to perform handshake operation through the reconstructed JSSE handshake process logic and establishes handshake relation with the client when the matching result meets the national secret communication condition;
the handshake completion module is used for carrying out subsequent encrypted communication with the client according to the handshake relation;
the preset national secret information comprises a national secret version number expanded in a protocol version of JSSE in advance and a password suite which is expanded in a JSSE password suite in advance and accords with national secret specifications.
10. A storage medium, characterized in that it stores a computer program which, when loaded, can carry out the method according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110318921.2A CN113037480A (en) | 2021-03-25 | 2021-03-25 | JSSE-based national secret encryption communication method and device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110318921.2A CN113037480A (en) | 2021-03-25 | 2021-03-25 | JSSE-based national secret encryption communication method and device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113037480A true CN113037480A (en) | 2021-06-25 |
Family
ID=76473633
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110318921.2A Pending CN113037480A (en) | 2021-03-25 | 2021-03-25 | JSSE-based national secret encryption communication method and device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113037480A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113709111A (en) * | 2021-07-28 | 2021-11-26 | 杭州迪普科技股份有限公司 | Connection establishing method and device |
| CN114338844A (en) * | 2021-12-31 | 2022-04-12 | 北京升明科技有限公司 | Cross-protocol communication method and device between client servers |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103118027A (en) * | 2013-02-05 | 2013-05-22 | 中金金融认证中心有限公司 | Transport layer security (TLS) channel constructing method based on cryptographic algorithm |
| CN103338215A (en) * | 2013-07-26 | 2013-10-02 | 中金金融认证中心有限公司 | Method for establishing TLS (Transport Layer Security) channel based on state secret algorithm |
| CN106533689A (en) * | 2015-09-15 | 2017-03-22 | 阿里巴巴集团控股有限公司 | Method and device for loading digital certificate in SSL/TLS communication |
| US9888037B1 (en) * | 2015-08-27 | 2018-02-06 | Amazon Technologies, Inc. | Cipher suite negotiation |
| CN109040055A (en) * | 2018-07-30 | 2018-12-18 | 美通云动(北京)科技有限公司 | The method for realizing Web secure access using domestic password |
-
2021
- 2021-03-25 CN CN202110318921.2A patent/CN113037480A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103118027A (en) * | 2013-02-05 | 2013-05-22 | 中金金融认证中心有限公司 | Transport layer security (TLS) channel constructing method based on cryptographic algorithm |
| CN103338215A (en) * | 2013-07-26 | 2013-10-02 | 中金金融认证中心有限公司 | Method for establishing TLS (Transport Layer Security) channel based on state secret algorithm |
| US9888037B1 (en) * | 2015-08-27 | 2018-02-06 | Amazon Technologies, Inc. | Cipher suite negotiation |
| CN106533689A (en) * | 2015-09-15 | 2017-03-22 | 阿里巴巴集团控股有限公司 | Method and device for loading digital certificate in SSL/TLS communication |
| CN109040055A (en) * | 2018-07-30 | 2018-12-18 | 美通云动(北京)科技有限公司 | The method for realizing Web secure access using domestic password |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113709111A (en) * | 2021-07-28 | 2021-11-26 | 杭州迪普科技股份有限公司 | Connection establishing method and device |
| CN114338844A (en) * | 2021-12-31 | 2022-04-12 | 北京升明科技有限公司 | Cross-protocol communication method and device between client servers |
| CN114338844B (en) * | 2021-12-31 | 2024-04-05 | 北京升明科技有限公司 | Cross-protocol communication method and device between client servers |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR100319256B1 (en) | Method for operating communication protocol | |
| WO2016107320A1 (en) | Website security information loading method, and browser device | |
| WO2016107318A1 (en) | Secure communication system | |
| JP5411204B2 (en) | Information processing apparatus and information processing method | |
| WO2022021992A1 (en) | Data transmission method and system based on nb-iot communication, and medium | |
| WO2016107322A1 (en) | Implementation method for secure browser, and secure browser device | |
| CN112714053B (en) | Communication connection method and device | |
| CN108768979B (en) | Method for accessing intranet, device and system for accessing intranet | |
| WO2022111102A1 (en) | Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium | |
| WO2019178942A1 (en) | Method and system for performing ssl handshake | |
| CN113037480A (en) | JSSE-based national secret encryption communication method and device and storage medium | |
| JP2017536776A (en) | Method and system for collecting clear text of network confidential data | |
| CN110839240B (en) | Method and device for establishing connection | |
| CN110708304A (en) | Information processing method and device | |
| CN111970109A (en) | Data transmission method and system | |
| CN110690969A (en) | Method and system for completing bidirectional SSL/TLS authentication in cooperation of multiple parties | |
| CN113709111B (en) | Connection establishment method and device | |
| CN105471896B (en) | Proxy Method, apparatus and system based on SSL | |
| CN114553957A (en) | Service system and method compatible with national password and international HTTPS transmission | |
| CN114390524A (en) | Method and device for realizing one-key login service | |
| JP5614465B2 (en) | Encryption communication device, proxy server, encryption communication device program, and proxy server program | |
| KR102121399B1 (en) | Local information acquisition method, apparatus and system | |
| WO2015104567A1 (en) | Secure communication between a server and a client web browser | |
| CN114390027B (en) | Network communication method, device, equipment and medium | |
| CN114650181B (en) | E-mail encryption and decryption method, system, equipment and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210625 |
|
| RJ01 | Rejection of invention patent application after publication |