CN114553449A - Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS - Google Patents


Info

Publication number: CN114553449A
Application number: CN202011329647.0A
Authority: CN (China)
Prior art keywords: decryption, server, encryption, target information, proxy server
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 刘华
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd

Classifications (CPC, all under H04L: transmission of digital information)

    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
    • H04L9/3268: The same, involving certificates (e.g. public key certificate [PKC] or attribute certificate [AC]) or public key infrastructure [PKI] arrangements, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L63/168: Network architectures or network communication protocols for network security, implementing security features at a particular protocol layer above the transport layer
    • H04L67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to an HTTPS-based encryption and decryption method, device, system, electronic device and storage medium. The method comprises: acquiring target information, namely the data that must be signed or decrypted while the client and the web server generate a symmetric key; sending the target information to a proxy server that is equipped with an encryption and decryption accelerator card, so that the proxy server signs or decrypts the target information with the private key corresponding to the web server's certificate; and receiving the processing result returned by the proxy server and generating the symmetric key from that result. Because the accelerator card is installed in the proxy server and the proxy server performs the signing or decryption on behalf of the web server, the web server's CPU consumption is reduced, fewer accelerator cards need to be purchased, and conflicts between the accelerator card and the web server are avoided.

Description

Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an encryption and decryption method, apparatus, system, electronic device, and storage medium based on HTTPS.
Background
Hypertext Transfer Protocol Secure (HTTPS) is a secure communication channel built on HTTP for exchanging information between a client and a server. It protects the exchange with Secure Sockets Layer (SSL), today its successor Transport Layer Security (TLS); in short, it is the secure version of HTTP. HTTPS was developed by Netscape and built into its browser; it encrypts data before sending it over the network and decrypts the data it receives.
The asymmetric cryptographic operations of an HTTPS service consume a large share of the web server's CPU, so the CPU becomes the bottleneck and resources such as the network card and hard disk sit underused. Hardware manufacturers therefore offer dedicated encryption and decryption hardware, the hardware accelerator card; installing it in the web server takes these operations off the CPU, reducing the web server's CPU consumption and increasing the number of connections it can handle. However, installing a hardware accelerator card in every web server raises hardware cost, and manufacturers impose restrictions on how the accelerator card may run on the host, which can conflict with the web server software and affect its operation.
Disclosure of Invention
In order to solve the technical problems or at least partially solve the technical problems, the present disclosure provides an HTTPS-based encryption and decryption method, apparatus, system, electronic device, and storage medium.
In a first aspect, the present disclosure provides an encryption and decryption method based on HTTPS, where the method is applied to a web server, and includes:
acquiring target information, wherein the target information is information needing to be signed or decrypted in the process of generating a symmetric key of a client and a webpage server;
sending the target information to a proxy server so that the proxy server signs or decrypts the target information through a private key corresponding to the certificate of the web server, wherein the proxy server is configured with an encryption and decryption acceleration card;
and receiving a processing result returned by the proxy server.
Optionally, acquiring the target information includes:
receiving a pre-master secret sent by the client and encrypted with the public key corresponding to the certificate; or
obtaining DH information of a key exchange protocol, wherein the DH information comprises a DH public key and DH parameters.
Optionally, before receiving the processing result returned by the proxy server, the method further includes:
sending the private key corresponding to the certificate to the proxy server, wherein the private key is stored on the web server.
Optionally, sending the target information to the proxy server includes:
encoding the target information with a proprietary protocol and sending it to the proxy server over a persistent (long-lived) TCP connection.
In a second aspect, the present disclosure provides an encryption and decryption method based on HTTPS, where the method is applied to a proxy server, and the proxy server is configured with an encryption and decryption accelerator card, and the method includes:
receiving target information sent by a webpage server, wherein the target information is information needing signature or decryption in the process of generating a symmetric key of a client and the webpage server;
signing or decrypting the target information through a private key corresponding to the certificate of the webpage server;
and returning the processing result to the webpage server.
Optionally, before signing or decrypting the target information through a private key corresponding to a certificate of the web server, the method further includes:
and receiving a private key corresponding to the certificate sent by the webpage server, wherein the private key is stored in the webpage server.
In a third aspect, the present disclosure provides an encryption and decryption apparatus based on HTTPS, where the apparatus is applied to a web server, and the apparatus includes:
the system comprises an information acquisition module, a data processing module and a data processing module, wherein the information acquisition module is used for acquiring target information, and the target information is information needing signature or decryption in the process of generating a symmetric key of a client and a webpage server;
the information sending module is used for sending the target information to a proxy server so that the proxy server signs or decrypts the target information through a private key corresponding to the certificate of the webpage server, wherein the proxy server is provided with an encryption and decryption acceleration card;
and the result receiving module is used for receiving the processing result returned by the proxy server.
In a fourth aspect, the present disclosure provides an HTTPS-based encryption and decryption apparatus, where the apparatus is applied to a proxy server configured with an encryption and decryption accelerator card, and the apparatus includes:
the system comprises an information receiving module, a processing module and a processing module, wherein the information receiving module is used for receiving target information sent by a webpage server, and the target information is information needing signature or decryption in the process of generating a symmetric key of a client and the webpage server;
the information processing module is used for signing or decrypting the target information through a private key corresponding to the certificate of the webpage server;
and the result returning module is used for returning the processing result to the webpage server.
In a fifth aspect, the present disclosure provides an HTTPS-based encryption and decryption system, including:
the webpage server is in communication connection with one or more clients and is used for acquiring target information in a handshaking process with the clients; sending the target information to a proxy server; receiving a processing result returned by the proxy server; the target information is information needing signature or decryption in the process of generating a symmetric key between the client and the webpage server, and the proxy server is configured with an encryption and decryption accelerator card;
the proxy server is in communication connection with one or more web servers and is used for receiving the target information sent by the web servers; signing or decrypting the target information through a private key corresponding to the certificate of the webpage server; and returning the processing result to the webpage server.
Optionally, the proxy server is configured with a plurality of encryption and decryption accelerator cards.
In a sixth aspect, the present disclosure provides an electronic device comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instruction from the memory, and execute the instruction to implement the HTTPS-based encryption and decryption method according to the first aspect or the HTTPS-based encryption and decryption method according to the second aspect.
In a seventh aspect, the present disclosure provides a computer-readable storage medium, where a computer program is stored, where the computer program is configured to execute the HTTPS-based encryption and decryption method according to the first aspect or the HTTPS-based encryption and decryption method according to the second aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
In this technical solution, the web server obtains the target information used to generate the symmetric key between the client and the web server and sends it to the proxy server; the proxy server signs or decrypts it, and the web server then generates the symmetric key for secure communication with the client from the signing or decryption result. Whenever the web server needs a signature or a decryption, the computation is handed to the proxy server, so the web server's CPU consumption falls. Because one encryption and decryption accelerator card can carry the connection load of several web servers, placing the card in the proxy server lets one proxy server sign or decrypt target information from many web servers; no card is needed in each web server, the number of cards drops sharply, and the hardware cost of purchasing them falls. At the same time, since the web server itself carries no accelerator card, conflicts between the card's operation and the web server are avoided, and the web server's bandwidth and network card resources can be fully used.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the embodiments or technical solutions in the prior art description will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
Fig. 1 is a flowchart of an HTTPS-based encryption and decryption method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of another HTTPS-based encryption and decryption method according to an embodiment of the present disclosure;
fig. 3 is a block diagram of an encryption and decryption apparatus based on HTTPS according to an embodiment of the present disclosure;
fig. 4 is a block diagram of another encryption and decryption apparatus based on HTTPS according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an HTTPS-based encryption and decryption system according to an embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
As described in the background, HTTPS service processing in the prior art either consumes a large share of the web server's CPU or, when that consumption is reduced with accelerator hardware, incurs high hardware cost and conflicts with the web server. The inventor found that, for an HTTPS service, the handshake between the web server and the client generates a symmetric key that protects all application data, and that generating it requires a private-key signature or private-key decryption, which is a CPU-intensive operation. In this technical solution the information that needs signing or decrypting is therefore sent to a proxy server, and the proxy server completes the signing or decryption, which frees the web server's CPU and reduces its consumption; at the same time, the encryption and decryption accelerator card (the hardware accelerator card of the background section) is placed in the proxy server, which reduces the hardware cost of purchasing accelerator cards and avoids conflicts between the card's operation on the web server and the web server itself.
The technical solution of the embodiments applies to the handshake between the web server and the client (including RSA-based and DH-based handshakes), specifically to the key agreement phase, wherever a private-key signature or private-key decryption is required. The web server may be an Nginx server; the client may be a mobile phone, tablet computer, smart wearable device, computer or other smart terminal. The proxy server may be a physical server, and there may be one or more of them.
Aiming at the technical problems in the prior art, the embodiment of the disclosure provides an encryption and decryption method based on HTTPS. Fig. 1 is a flowchart of an encryption and decryption method based on HTTPS according to an embodiment of the present disclosure. The method is applied to a web server and can be executed by an encryption and decryption device based on HTTPS, wherein the encryption and decryption device based on HTTPS can be realized in a software and/or hardware mode and can be generally integrated in electronic equipment. As shown in fig. 1, the encryption and decryption method based on HTTPS provided in this embodiment includes:
s110, target information is obtained, wherein the target information is information needing signature or decryption in the process of generating the symmetric key of the client and the webpage server.
The target information is the data that would otherwise have to be signed or decrypted on the web server itself; it may be supplied by the client or produced by the web server. Which data it is, and how it is obtained, depends on the key agreement algorithm in use.
In some embodiments, when RSA key exchange is used, the client encrypts the premaster secret it generated with the public key corresponding to the certificate and sends it to the web server. The web server receives this encrypted premaster secret, which is the target information, and it must be decrypted with the private key corresponding to the web server's certificate. In other embodiments, when a Diffie-Hellman (DH) key exchange is used, the web server itself generates the DH information, consisting of a DH public key and the DH parameters, so the web server obtains the target information directly, and the DH information must be signed with the private key corresponding to the certificate. The DH parameters are a prime modulus and a generator (a primitive root modulo that prime). The client later verifies the signed DH information with the public key from the web server's certificate to obtain the DH public key and parameters, and derives the symmetric key from its own DH private key together with the verified DH public key and parameters. (In TLS 1.2 the signed data also covers the client and server random values, which is what binds the signature to this particular handshake.)
The ways of obtaining the target information described above are only examples. In some embodiments the key agreement may instead follow TLS 1.3, where only (EC)DHE key shares are used and the server signs the handshake transcript in its CertificateVerify message; the target information and the way it is obtained then differ accordingly, and the reader is referred to the relevant specification.
And S120, sending the target information to a proxy server so that the proxy server signs or decrypts the target information through a private key corresponding to the certificate of the web server, wherein the proxy server is configured with an encryption and decryption accelerator card.
The encryption and decryption accelerator card is a hardware accelerator: like a GPU, it takes a class of computation off the CPU, so the web server's CPU consumption drops. In some embodiments a single accelerator card provides about 35k decryptions of capacity, equivalent to roughly 175 CPU cores, or at least seven 24-core servers; allowing for the servers' other processes, one card can carry the connection load of close to 10 web servers. Sending the target information to a proxy server equipped with accelerator cards therefore lets one proxy server with one card sign or decrypt the target information of several web servers, which greatly reduces the number of cards needed and the hardware cost.
In some embodiments, after the web server obtains the target information, a signature request or a decryption request containing the target information is sent to the proxy server according to the requirements of signature or decryption; the proxy server responds to the signing request or the decryption request, signs or decrypts the target information through a private key corresponding to a certificate (namely a security certificate or a digital certificate) of the web server, and returns a processing result to the web server.
The private key corresponding to the web server's certificate may be stored either on the web server or on the proxy server. When it is stored on the proxy server, the web server identifies the key by a digest of the certificate's modulus (an MD5 or SHA-256 of the modulus value); the service on the accelerator-card host looks the private key up by that digest and then signs or decrypts the target information with it. In that case the proxy server must also maintain the private-key service: whenever the certificate and private key are replaced, the web server and the proxy server must be updated at the same time, or else the certificate and key for the same domain name will be inconsistent across the devices of a distributed cluster. To avoid that inconsistency, in some embodiments the private key corresponding to the certificate is stored on the web server, and when target information needs to be signed or decrypted the web server sends the private key to the proxy server. In a specific implementation the web server may send the target information and the private key to the proxy server in the same message or in successive messages.
In addition, in some embodiments, to improve the security of the data exchanged between the web server and the proxy server and to save the time of setting up a connection for each request, the web server encodes the target information with a proprietary protocol and sends it to the proxy server over a persistent TCP connection; the proxy server decodes the received data to recover the target information. Likewise, when the web server sends the private key corresponding to the certificate to the proxy server, the key is also encoded with the proprietary protocol, and the proxy server decodes it and then signs or decrypts the target information with the decoded key. The proprietary protocol is typically an enterprise's own set of protocol definitions that applies only to that enterprise's products. Note that such encoding is not encryption: where the private key or handshake secrets cross a network, the connection between the web server and the proxy server itself needs to be encrypted and mutually authenticated (for example with TLS), otherwise a passive observer on that link could recover the certificate's private key.
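The passages above describe what the target information is in the RSA and DH cases, how the proxy finds the right private key, and the framed request and response over a persistent connection. The Go program below is an added example written for this page, not the patent's or Kingsoft Cloud's code, and it makes several assumptions: the wire format is a gob-encoded `Message` (the patent's proprietary protocol is not published), an in-memory `net.Pipe` stands in for the persistent TCP connection, the proxy identifies keys by the SHA-256 of the RSA modulus, and the private key is provisioned on the proxy rather than shipped by the web server. The names `Message`, `link`, `serve`, `offload` and `demo` are this example's own; the premaster secret and the `params` bytes are constructed test input. It runs the RSA case (the proxy decrypts the client's encrypted premaster secret) and the DH case (the proxy signs the server's key-exchange parameters, which the client side then verifies).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/gob"
	"errors"
	"fmt"
	"net"
)

// Operation codes of this hypothetical web-server -> proxy protocol (not the patent's own wire format).
const (
	opDecrypt byte = 1 // RSA key exchange: decrypt the client's encrypted premaster secret
	opSign    byte = 2 // (EC)DHE key exchange: sign the server's key-exchange parameters
)

// Message travels in both directions: the web server fills Op, KeyID and Data (the target information); the proxy answers with Data (the result) or Err.
type Message struct {
	Op    byte
	KeyID [32]byte // SHA-256 of the RSA modulus, the lookup the description mentions
	Data  []byte
	Err   string
}

// link is one end of the persistent connection; its gob coders must live as long as the connection.
type link struct{ *gob.Encoder; *gob.Decoder }
func newLink(c net.Conn) link { return link{gob.NewEncoder(c), gob.NewDecoder(c)} }
func keyID(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }

// serve is the proxy (accelerator-card host): it holds the private keys and returns only results.
func serve(l link, keys map[[32]byte]*rsa.PrivateKey) {
	for { // one persistent connection carries many requests
		var req Message
		if l.Decode(&req) != nil {
			return
		}
		resp, err := Message{Op: req.Op}, error(nil)
		switch key := keys[req.KeyID]; {
		case key == nil:
			err = errors.New("unknown key")
		case req.Op == opDecrypt:
			// SessionKeyLen: a padding failure yields 48 random bytes, not an error, so the proxy is no Bleichenbacher oracle.
			resp.Data, err = key.Decrypt(rand.Reader, req.Data, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})
		case req.Op == opSign:
			d := sha256.Sum256(req.Data)
			resp.Data, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
		default:
			err = errors.New("unknown operation")
		}
		if err != nil {
			resp = Message{Op: req.Op, Err: err.Error()}
		}
		if l.Encode(resp) != nil {
			return
		}
	}
}

// offload is the web-server side: it holds only the certificate's public key.
func offload(l link, pub *rsa.PublicKey, op byte, target []byte) ([]byte, error) {
	if err := l.Encode(Message{Op: op, KeyID: keyID(pub), Data: target}); err != nil {
		return nil, err
	}
	var resp Message
	if err := l.Decode(&resp); err != nil {
		return nil, err
	}
	if resp.Err != "" {
		return nil, errors.New("proxy: " + resp.Err)
	}
	return resp.Data, nil
}

// demo runs both handshake cases over an in-memory connection and reports whether the offloaded decryption recovered the client's premaster secret and whether the offloaded signature verifies.
func demo() (premasterOK, signatureOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the certificate's key pair
	if err != nil {
		return
	}
	pub := &key.PublicKey
	proxyEnd, webEnd := net.Pipe() // stands in for the persistent TCP connection
	defer webEnd.Close()
	go serve(newLink(proxyEnd), map[[32]byte]*rsa.PrivateKey{keyID(pub): key})
	web := newLink(webEnd)
	// RSA key exchange: the client encrypts a 48-byte premaster secret (constructed) to the certificate key.
	premaster := make([]byte, 48)
	rand.Read(premaster)
	premaster[0], premaster[1] = 0x03, 0x03 // TLS 1.2 client_version prefix
	encrypted, _ := rsa.EncryptPKCS1v15(rand.Reader, pub, premaster) // 48 bytes always fit a 2048-bit key
	got, err := offload(web, pub, opDecrypt, encrypted)
	premasterOK = err == nil && string(got) == string(premaster)
	// (EC)DHE key exchange: the server signs its key-exchange parameters (constructed bytes here).
	params := []byte("constructed ServerKeyExchange: client_random|server_random|p|g|Ys")
	sig, err2 := offload(web, pub, opSign, params)
	d := sha256.Sum256(params)
	signatureOK = err2 == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
	return premasterOK, signatureOK, errors.Join(err, err2)
}

func main() { fmt.Println(demo()) }
```

Running it prints `true true <nil>`. Two points the description leaves implicit are deliberate here: the decrypt path sets `SessionKeyLen` so that malformed PKCS#1 v1.5 padding yields random bytes rather than a distinguishable error, because a proxy that reports padding failures is a remote Bleichenbacher oracle for every web server behind it; and the proxy never returns key material, only the signature or the recovered premaster secret. If a deployment instead ships the private key from the web server, as the description allows, that transport must be encrypted and mutually authenticated; the unkeyed gob encoding used here would not protect it.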
And S130, receiving a processing result returned by the proxy server.
After the web server receives the processing result returned by the proxy server, a symmetric key for secure communication between the web server and the client can be generated based on the processing result.
In the HTTPS-based encryption and decryption method of this embodiment, the web server obtains the target information used to generate the symmetric key between the client and the web server and sends it to the proxy server; the proxy server signs or decrypts it, and the web server generates the symmetric key for secure communication with the client from the result. Whenever the web server needs a signature or a decryption, the computation is handed to the proxy server, so the web server's CPU consumption falls. Because one encryption and decryption accelerator card can carry the connection load of several web servers, placing the card in the proxy server lets one proxy server sign or decrypt target information from many web servers; no card is needed in each web server, the number of cards drops sharply, and the hardware cost of purchasing them falls. At the same time, since the web server carries no accelerator card, conflicts between the card's operation and the web server are avoided, and the web server's bandwidth and network card resources can be fully used.
The embodiment of the disclosure also provides another HTTPS-based encryption and decryption method. Fig. 2 is a flowchart of another HTTPS-based encryption and decryption method according to an embodiment of the present disclosure. The method is applied to a proxy server configured with an encryption and decryption accelerator card; it can be executed by an HTTPS-based encryption and decryption apparatus, which may be implemented in software and/or hardware and is generally integrated in an electronic device. As shown in fig. 2, the method provided in this embodiment includes:
S210, receiving target information sent by the web server, where the target information is the information that needs to be signed or decrypted in the process of generating a symmetric key between the client and the web server.
The target information may be the premaster secret sent by the client and encrypted with the public key of the web server's certificate (RSA key exchange, in which the proxy server has to decrypt it), or the DH information of the web server, comprising the DH parameters and the DH public key (the content of the ServerKeyExchange message in an ephemeral DH exchange, which the proxy server has to sign with the certificate's private key so that the client can verify it).
S220, signing or decrypting the target information with the private key corresponding to the certificate of the web server.
When the web server encodes the target information with a proprietary protocol and sends it to the proxy server over a persistent TCP connection, the proxy server first decodes the received message to recover the target information and then signs or decrypts it with the private key corresponding to the certificate.
S230, returning the processing result to the web server.
Optionally, in some embodiments, before the target information is signed or decrypted with the private key corresponding to the web server's certificate, the HTTPS-based encryption and decryption method further includes:
receiving the private key corresponding to the certificate from the web server, the private key being stored on the web server. In this variant the private key itself crosses the link between the web server and the proxy server, so that link must be protected in its own right; the disclosure does not specify how that link is protected.
The HTTPS-based encryption and decryption method of fig. 2 and that of fig. 1 belong to the same general inventive concept, share the same or corresponding technical features, and achieve the same technical effects.
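The following Go program is an added example, not code from the patent or its assignee. It shows the exchange of S210 to S230 together with the web-server side: a `remoteKey` that holds only the public key and forwards every private-key operation to a `keyProxy`, which holds the certificate's private key. The proxy handles both kinds of target information named above: it signs the digest of the server's DH parameters (signed ServerKeyExchange) and decrypts the client's RSA-encrypted premaster secret (RSA key exchange). The one-byte request framing, the in-process `send` function standing in for the persistent TCP connection, the freshly generated RSA key standing in for the key on the accelerator card, and PKCS#1 v1.5 signatures over SHA-256 are all assumptions of the example; the proxy also verifies its own signature before returning it, a check the page does not describe. `remoteKey` implements `crypto.Signer` and `crypto.Decrypter`, the interfaces Go's `crypto/tls` accepts in `tls.Certificate.PrivateKey`, so the same type can be dropped into a real server for TLS 1.2 RSA and signed-(EC)DHE handshakes; RSA-PSS (TLS 1.3) is deliberately rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Request types the proxy accepts: one op byte followed by the payload. This
// framing is an assumed stand-in for the proprietary encoding the disclosure leaves unspecified.
const (
	opSign    byte = 1 // payload: SHA-256 digest of the server's DH parameters
	opDecrypt byte = 2 // payload: RSA-encrypted premaster secret from the client
)

// keyProxy plays the proxy server: it holds the private key matching the web
// server's certificate (a fresh RSA key here, standing in for the accelerator
// card) and signs or decrypts whatever target information it is sent.
type keyProxy struct {
	priv *rsa.PrivateKey
}

// handle decodes one request, performs the private-key operation, and returns
// the processing result that goes back to the web server.
func (p *keyProxy) handle(req []byte) ([]byte, error) {
	if len(req) < 2 {
		return nil, errors.New("short request")
	}
	op, payload := req[0], req[1:]
	switch op {
	case opSign:
		if len(payload) != sha256.Size {
			return nil, errors.New("sign: payload is not a SHA-256 digest")
		}
		return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, payload)
	case opDecrypt:
		return rsa.DecryptPKCS1v15(rand.Reader, p.priv, payload)
	default:
		return nil, fmt.Errorf("unknown op %d", op)
	}
}

// remoteKey is what the web server keeps instead of the private key: the public
// key plus a send function standing in for the persistent TCP connection to the proxy.
type remoteKey struct {
	pub  *rsa.PublicKey
	send func(req []byte) ([]byte, error)
}

func (k *remoteKey) Public() crypto.PublicKey { return k.pub }

// Sign forwards the digest of the ServerKeyExchange parameters (the patent's
// "DH information") to the proxy and checks the answer before it goes on the wire.
func (k *remoteKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 {
		return nil, errors.New("proxy only signs SHA-256 digests")
	}
	if _, pss := opts.(*rsa.PSSOptions); pss {
		return nil, errors.New("RSA-PSS not supported by this proxy")
	}
	sig, err := k.send(append([]byte{opSign}, digest...))
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(k.pub, crypto.SHA256, digest, sig); err != nil {
		return nil, fmt.Errorf("proxy returned invalid signature: %w", err)
	}
	return sig, nil
}

// Decrypt forwards the encrypted premaster secret from ClientKeyExchange.
func (k *remoteKey) Decrypt(_ io.Reader, ciphertext []byte, _ crypto.DecrypterOpts) ([]byte, error) {
	return k.send(append([]byte{opDecrypt}, ciphertext...))
}

// Demo runs both handshake paths end to end and reports whether the client side
// accepts the results: (signature verifies, premaster secret round-trips, error).
func Demo() (sigOK bool, pmsOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	proxy := &keyProxy{priv: priv}
	key := &remoteKey{pub: &priv.PublicKey, send: proxy.handle}

	// DHE path: constructed sample parameters are signed via the proxy and
	// verified by the "client" with the certificate's public key.
	params := []byte("constructed ServerKeyExchange: DH p, g and server public value")
	digest := sha256.Sum256(params)
	sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return false, false, err
	}
	sigOK = rsa.VerifyPKCS1v15(key.pub, crypto.SHA256, digest[:], sig) == nil

	// RSA key exchange path: the "client" encrypts a 48-byte premaster secret
	// under the public key; the web server recovers it through the proxy.
	pms := make([]byte, 48)
	if _, err = io.ReadFull(rand.Reader, pms); err != nil {
		return false, false, err
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, key.pub, pms)
	if err != nil {
		return false, false, err
	}
	got, err := key.Decrypt(rand.Reader, ct, nil)
	if err != nil {
		return false, false, err
	}
	return sigOK, bytes.Equal(got, pms), nil
}

func main() {
	sigOK, pmsOK, err := Demo()
	fmt.Println("signature verifies:", sigOK, "premaster recovered:", pmsOK, "err:", err)
}
```

In a deployment the `send` function would write the framed request to the persistent connection and read the reply; because the proxy sees only digests and ciphertexts, it never needs the handshake transcript, which is what lets one proxy serve many web servers.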
Corresponding to the encryption and decryption method based on HTTPS shown in fig. 1, an embodiment of the present disclosure further provides an encryption and decryption device based on HTTPS, which is applied to a web server. Fig. 3 is a block diagram of an encryption and decryption apparatus based on HTTPS according to an embodiment of the present disclosure. As shown in fig. 3, the HTTPS-based encryption and decryption apparatus includes:
the information acquisition module 31 is configured to acquire target information, where the target information is information that needs to be signed or decrypted in a process of generating a symmetric key between a client and a web server;
the information sending module 32 is configured to send the target information to the proxy server, so that the proxy server signs or decrypts the target information through a private key corresponding to a certificate of the web server, where the proxy server is configured with an encryption/decryption accelerator card;
and the result receiving module 33 is configured to receive the processing result returned by the proxy server.
Optionally, the information acquisition module 31 is specifically configured to:
receive a premaster secret sent by the client and encrypted with the public key corresponding to the certificate; or,
obtain DH information, where the DH information comprises the DH public key and the DH parameters.
Optionally, the information sending module 32 is further configured to:
send the private key corresponding to the certificate to the proxy server before the processing result is received from the proxy server, the private key being stored on the web server.
Optionally, the information sending module 32 is specifically configured to:
encode the target information with a proprietary protocol and send it to the proxy server over a persistent TCP connection.
The encryption and decryption device based on HTTPS provided by this embodiment can be used to execute the encryption and decryption method based on HTTPS provided by the corresponding embodiment, and has the same functions and advantages as the encryption and decryption method based on HTTPS.
Corresponding to the encryption and decryption method based on HTTPS shown in fig. 2, an embodiment of the present disclosure further provides an encryption and decryption device based on HTTPS. Fig. 4 is a block diagram of an encryption and decryption apparatus based on HTTPS according to an embodiment of the present disclosure. The device is applied to a proxy server, the proxy server is configured with an encryption and decryption acceleration card, as shown in fig. 4, the encryption and decryption device based on HTTPS includes:
the information receiving module 41 is configured to receive target information sent by the web server, where the target information is information that needs to be signed or decrypted in a process of generating a symmetric key between the client and the web server;
the information processing module 42 is configured to sign or decrypt the target information with the private key corresponding to the certificate of the web server;
and a result returning module 43, configured to return the processing result to the web server.
Optionally, the information receiving module 41 is further configured to:
receive, before the target information is signed or decrypted with the private key corresponding to the web server's certificate, that private key from the web server, the private key being stored on the web server.
The encryption and decryption device based on HTTPS provided by this embodiment can be used to execute the encryption and decryption method based on HTTPS provided by the corresponding embodiment, and has the same functions and advantages as the encryption and decryption method based on HTTPS.
Based on the above embodiment, the embodiment of the present disclosure further provides an encryption and decryption system based on HTTPS. Fig. 5 is a schematic structural diagram of an HTTPS-based encryption and decryption system according to an embodiment of the present disclosure. As shown in fig. 5, the HTTPS-based encryption and decryption system includes:
the web server 51, communicatively connected to one or more clients 100, is configured to acquire target information during the handshake with a client 100; send the target information to the proxy server 52; and receive the processing result returned by the proxy server 52; the target information is the information that needs to be signed or decrypted in the process of generating a symmetric key between the client 100 and the web server 51, and the proxy server 52 is configured with an encryption and decryption accelerator card;
the proxy server 52, communicatively connected to one or more web servers 51, is configured to receive the target information sent by a web server 51; sign or decrypt the target information with the private key corresponding to the certificate of that web server; and return the processing result to the web server 51.
The HTTPS-based encryption and decryption system of this embodiment works in the same way as the method described above: the web server obtains the target information used to generate the symmetric key with the client and sends it to the proxy server, the proxy server signs or decrypts it, and the web server derives the symmetric key from the result. The signature and decryption computation is thereby moved off the web server, which reduces its CPU consumption; one accelerator card on the proxy server serves a plurality of web servers, so no card needs to be installed in each web server, which reduces the number of cards and their hardware cost; and the web server, carrying no card, avoids contention with it and can fully use its bandwidth and network card resources.
Optionally, the proxy server is configured with a plurality of encryption and decryption accelerator cards so that capacity can be expanded.
Optionally, the proxy server may comprise a primary proxy server and at least one backup proxy server. When the primary proxy server fails, the backup proxy server takes over the signature or decryption tasks of the web server, so that the handshake between the web server and the client is not interrupted. When both the primary and the backup proxy servers fail or are otherwise unavailable, the web server performs the signature or decryption itself.
In some embodiments, the web servers may further be assigned to the primary and backup proxy servers according to preset assignment weights (the preset weight is the proportion of web servers assigned to each proxy server; web servers are preferentially assigned to the proxy server with the larger proportion). The primary and backup proxy servers then each communicate with the web servers assigned to them and sign or decrypt the target information those web servers send, which reduces the load on each proxy server. Further, when either the primary or the backup proxy server becomes unavailable, the web servers assigned to it are reassigned to the other proxy server according to the preset weights. As before, when neither proxy server is available, the web server performs the signature or decryption itself.
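The following Go program is an added example, not code from the patent or its assignee, of the primary/backup arrangement just described: web servers are assigned to proxies in proportion to preset weights, a proxy that stops answering is dropped and its web servers are reassigned to the remaining one, and when no proxy is left the web server signs or decrypts locally so the handshake still completes. The disclosure only says that assignment follows the weights; the concrete algorithm used here (smooth weighted round-robin), the proxy names, the fault injection via a `down` map, and the placeholder "signed-by-..." results are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// proxyNode is a primary or backup proxy as the web servers see it: its preset
// assignment weight, whether it currently answers, and a round-robin score.
type proxyNode struct {
	name   string
	weight int
	up     bool
	cur    int // running score for smooth weighted round-robin
}

// dispatcher maps web servers to proxies in proportion to the preset weights
// and falls back to local signing/decryption when no proxy is available.
type dispatcher struct {
	proxies []*proxyNode
	assign  map[string]*proxyNode                          // web server id -> proxy
	send    func(p *proxyNode, req []byte) ([]byte, error) // transport to a proxy
	local   func(req []byte) ([]byte, error)               // on-host fallback
}

func newDispatcher(proxies []*proxyNode, send func(*proxyNode, []byte) ([]byte, error), local func([]byte) ([]byte, error)) *dispatcher {
	return &dispatcher{proxies: proxies, assign: map[string]*proxyNode{}, send: send, local: local}
}

// pick selects the proxy for an unassigned web server. Each round every live
// proxy gains its weight, the highest scorer wins and pays back the total, so
// weights 3 and 1 yield a 3:1 split. Nil means no proxy is up.
func (d *dispatcher) pick() *proxyNode {
	var best *proxyNode
	total := 0
	for _, p := range d.proxies {
		if !p.up {
			continue
		}
		p.cur += p.weight
		total += p.weight
		if best == nil || p.cur > best.cur {
			best = p
		}
	}
	if best != nil {
		best.cur -= total
	}
	return best
}

// do performs one signature/decryption request for web server id. A proxy that
// fails is marked down and the web server is reassigned; when no proxy is left
// the web server processes the request itself. Returns who served the request.
func (d *dispatcher) do(id string, req []byte) (string, []byte, error) {
	for {
		p, ok := d.assign[id]
		if !ok || !p.up {
			if p = d.pick(); p == nil {
				delete(d.assign, id)
				out, err := d.local(req)
				return "local", out, err
			}
			d.assign[id] = p
		}
		out, err := d.send(p, req)
		if err == nil {
			return p.name, out, nil
		}
		p.up = false // failed proxy leaves the pool; the loop reassigns
	}
}

// Demo walks four web servers through normal operation, a primary failure and a
// total failure, returning which side served each request, in order.
func Demo() []string {
	down := map[string]bool{} // constructed fault injection
	primary := &proxyNode{name: "primary", weight: 3, up: true}
	backup := &proxyNode{name: "backup", weight: 1, up: true}
	d := newDispatcher([]*proxyNode{primary, backup},
		func(p *proxyNode, req []byte) ([]byte, error) {
			if down[p.name] {
				return nil, errors.New(p.name + " unreachable")
			}
			return append([]byte("signed-by-"+p.name+":"), req...), nil
		},
		func(req []byte) ([]byte, error) { return append([]byte("signed-locally:"), req...), nil })

	var served []string
	run := func(ids ...string) {
		for _, id := range ids {
			who, _, _ := d.do(id, []byte("digest"))
			served = append(served, who)
		}
	}
	run("web1", "web2", "web3", "web4") // initial assignment follows the 3:1 weights
	down["primary"] = true
	run("web1", "web2") // the primary's web servers move to the backup
	down["backup"] = true
	run("web1", "web3") // nothing left: handled on the web server itself
	return served
}

func main() { fmt.Println(Demo()) }
```

A real deployment would also need a path back: the example never marks a proxy up again, so a health check (or a retry after a timeout) is what returns web servers to the primary once it recovers.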
The present disclosure provides an electronic device, including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to execute the HTTPS-based encryption and decryption method shown in fig. 1 or the HTTPS-based encryption and decryption method shown in fig. 2 of the present disclosure via execution of the executable instructions.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 6, the electronic device 600 includes one or more processors 601 and memory 602.
The processor 601 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 600 to perform desired functions.
Memory 602 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile and/or non-volatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory. The non-volatile memory may include, for example, read-only memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 601 to implement the HTTPS-based encryption and decryption method shown in fig. 1 or in fig. 2, and/or other desired functions. Other data may also be stored in the computer-readable storage medium.
In one example, the electronic device 600 may further include: an input device 603 and an output device 604, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 603 may also include, for example, a keyboard, a mouse, and the like.
The output device 604 may output various information to the outside. The output device 604 may include, for example, a display, speakers, a printer, and a communication network with the remote output devices connected to it.
Of course, for simplicity, only some of the components of the electronic device 600 relevant to the present disclosure are shown in fig. 6, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 600 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the HTTPS-based encryption/decryption method of fig. 1 or the HTTPS-based encryption/decryption method of fig. 2 of the present disclosure.
The computer program product may carry program code for performing the operations of embodiments of the present disclosure written in any combination of one or more programming languages, including object-oriented languages such as Java or C++ and conventional procedural languages such as C. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform the HTTPS-based encryption and decryption method shown in fig. 1 or the HTTPS-based encryption and decryption method shown in fig. 2 of the present disclosure.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. An HTTPS-based encryption and decryption method, characterized in that the method is applied to a web server and comprises:
acquiring target information, the target information being information that needs to be signed or decrypted in the process of generating a symmetric key between a client and the web server;
sending the target information to a proxy server so that the proxy server signs or decrypts the target information with a private key corresponding to the certificate of the web server, the proxy server being configured with an encryption and decryption accelerator card;
and receiving a processing result returned by the proxy server.
2. The HTTPS-based encryption and decryption method according to claim 1, wherein acquiring the target information comprises:
receiving a premaster secret sent by the client and encrypted with a public key corresponding to the certificate; or,
obtaining DH information of a key exchange protocol, the DH information comprising a DH public key and DH parameters.
3. The HTTPS-based encryption and decryption method according to claim 1, wherein before receiving the processing result returned by the proxy server, the method further comprises:
sending the private key corresponding to the certificate to the proxy server, the private key being stored on the web server.
4. The HTTPS-based encryption and decryption method according to claim 1, wherein sending the target information to the proxy server comprises:
encoding the target information with a proprietary protocol and sending it to the proxy server over a persistent TCP connection.
5. An HTTPS-based encryption and decryption method, applied to a proxy server configured with an encryption and decryption accelerator card, the method comprising:
receiving target information sent by a web server, the target information being information that needs to be signed or decrypted in the process of generating a symmetric key between a client and the web server;
signing or decrypting the target information with a private key corresponding to the certificate of the web server;
and returning the processing result to the web server.
6. The HTTPS-based encryption and decryption method according to claim 5, wherein before the target information is signed or decrypted with the private key corresponding to the certificate of the web server, the method further comprises:
receiving the private key corresponding to the certificate from the web server, the private key being stored on the web server.
7. An HTTPS-based encryption and decryption apparatus, applied to a web server, comprising:
an information acquisition module configured to acquire target information, the target information being information that needs to be signed or decrypted in the process of generating a symmetric key between a client and the web server;
an information sending module configured to send the target information to a proxy server so that the proxy server signs or decrypts the target information with a private key corresponding to the certificate of the web server, the proxy server being configured with an encryption and decryption accelerator card;
and a result receiving module configured to receive the processing result returned by the proxy server.
8. An HTTPS-based encryption and decryption apparatus, applied to a proxy server configured with an encryption and decryption accelerator card, the apparatus comprising:
an information receiving module configured to receive target information sent by a web server, the target information being information that needs to be signed or decrypted in the process of generating a symmetric key between a client and the web server;
an information processing module configured to sign or decrypt the target information with a private key corresponding to the certificate of the web server;
and a result returning module configured to return the processing result to the web server.
9. An HTTPS-based encryption and decryption system, comprising:
a web server, communicatively connected to one or more clients, configured to acquire target information during a handshake with a client; send the target information to a proxy server; and receive a processing result returned by the proxy server; the target information being information that needs to be signed or decrypted in the process of generating a symmetric key between the client and the web server, and the proxy server being configured with an encryption and decryption accelerator card;
and the proxy server, communicatively connected to one or more web servers, configured to receive the target information sent by a web server; sign or decrypt the target information with a private key corresponding to the certificate of that web server; and return the processing result to the web server.
10. The HTTPS-based encryption and decryption system according to claim 9, wherein the proxy server is configured with a plurality of the encryption and decryption accelerator cards.
11. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the HTTPS-based encryption and decryption method according to any one of claims 1 to 4 or the HTTPS-based encryption and decryption method according to any one of claims 5 to 6.
12. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the HTTPS-based encryption/decryption method of any one of claims 1 to 4, or the HTTPS-based encryption/decryption method of any one of claims 5 to 6.
CN202011329647.0A 2020-11-24 2020-11-24 Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS Pending CN114553449A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011329647.0A CN114553449A (en) 2020-11-24 2020-11-24 Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011329647.0A CN114553449A (en) 2020-11-24 2020-11-24 Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS

Publications (1)

Publication Number Publication Date
CN114553449A (en) 2022-05-27

Family

ID=81659956

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011329647.0A Pending CN114553449A (en) 2020-11-24 2020-11-24 Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS

Country Status (1)

Country Link
CN (1) CN114553449A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200104A (en) * 2018-03-23 2018-06-22 网宿科技股份有限公司 Method and system for performing an SSL handshake
CN109088889A (en) * 2018-10-16 2018-12-25 深信服科技股份有限公司 SSL encryption and decryption method, system and computer-readable storage medium
CN110071933A (en) * 2019-04-28 2019-07-30 深圳前海微众银行股份有限公司 Secure Sockets Layer acceleration method, device, equipment and readable storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116846682A (en) * 2023-08-29 2023-10-03 山东海量信息技术研究院 Communication channel establishment method, device, equipment and medium
CN116846682B (en) * 2023-08-29 2024-01-23 山东海量信息技术研究院 Communication channel establishment method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US11665006B2 (en) User authentication with self-signed certificate and identity verification
EP3484125B1 (en) Method and device for scheduling interface of hybrid cloud
US11196745B2 (en) Blockchain-based account management
EP3682364B1 (en) Cryptographic services utilizing commodity hardware
US20180205711A1 (en) Self-encrypting key management system
US20220083326A1 (en) Upgrading method and system, server, and terminal device
CN111970240B (en) Cluster receiving and managing method and device and electronic equipment
CN111522809B (en) Data processing method, system and equipment
US10686769B2 (en) Secure key caching client
US10728232B2 (en) Method for authenticating client system, client device, and authentication server
CN112800393B (en) Authorization authentication method, software development kit generation method, device and electronic equipment
CN111427860B (en) Distributed storage system and data processing method thereof
CN112560003A (en) User authority management method and device
CN114553449A (en) Encryption and decryption method, device, system, electronic equipment and storage medium based on HTTPS
CN113312576A (en) Page jump method, system and device
CN113489706B (en) Data processing method, device, system, equipment and storage medium
US20130219510A1 (en) Drm/cas service device and method using security context
CN114039723A (en) Method and device for generating shared key, electronic equipment and storage medium
CN116186709B (en) Method, device and medium for unloading UEFI (unified extensible firmware interface) safe start based on virtualized VirtIO technology
CN115221562A (en) Browser file signature method and device and computer readable storage medium
CN116132075A (en) Data transmission method, device, medium and equipment based on virtual keyboard
CN116886421A (en) User service processing method, processing device, electronic equipment and storage medium
CN114007218A (en) Authentication method, system, terminal and digital identity authentication functional entity
CN114448629A (en) Identity authentication method and device, storage medium and electronic equipment
CN112929325A (en) Information processing method, system, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination