CN117834125A - Encryption transmission method, device and system, electronic equipment and storage medium - Google Patents

Encryption transmission method, device and system, electronic equipment and storage medium

Info

Publication number: CN117834125A
Application number: CN202311602689.0A
Authority: CN (China)
Prior art keywords: certificate, password, browser, cryptographic, target
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 应玉龙, 王勇, 于浩, 王元涛, 鲍远来
Current assignee: Postal Savings Bank of China Ltd
Original assignee: Postal Savings Bank of China Ltd
Application filed by Postal Savings Bank of China Ltd
Priority to CN202311602689.0A

Landscapes

  • Storage Device Security (AREA)
Abstract

The application discloses an encryption transmission method, device and system, an electronic device and a storage medium. The method is executed by a Web server and comprises the following steps: receiving a user access request sent by a browser, wherein the user access request carries the cipher suite list supported by the browser; determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate; returning the target cryptographic certificate and the corresponding target cipher suite to the browser and establishing an encrypted transmission channel with the browser; and, over the encrypted transmission channel, transmitting the web page data encrypted with the encryption algorithm corresponding to the target cryptographic certificate. By configuring multiple types of cryptographic certificates in the Web server, the encryption transmission method can accommodate access requests from multiple types of browsers, thereby improving the compatibility of the Web system and the user's access experience.

Description

Encryption transmission method, device and system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to an encryption transmission method, an encryption transmission device, an encryption transmission system, an electronic device and a storage medium.
Background
In network communication, information is transmitted over the network in encrypted form to ensure the security of the transmitted data and to prevent sensitive information from being stolen or cracked. A cryptographic certificate is a file, digitally signed by a certificate authority, that contains a public key and information about the public key's owner. A certificate typically contains the public key, the user, the signature algorithm, the expiration date, the name of the certification authority, the serial number, the fingerprint and so on, and its format complies with the cryptographic certificate format specification of the International Organization for Standardization. The cryptographic certificates in common use today are mainly of three types: RSA certificates, ECC certificates and SM2 national cryptographic certificates.
An RSA certificate is a cryptographic certificate based on the RSA public key encryption algorithm. It was adopted relatively early, encrypts and decrypts information sent over the Internet with a public and private key pair, is currently the most commonly used and most widely deployed type, and has the best compatibility across all older platform browsers, but it places a heavy load on server performance.
An ECC certificate is based on the ECC (elliptic curve cryptography) public key encryption algorithm, a new-generation mainstream encryption algorithm; with a key length of 256 bits it generally achieves security comparable to, or exceeding, 3072-bit RSA. Its disadvantage is that some older system environments cannot support the algorithm, so its compatibility is lower than that of RSA.
The mainstream international general-purpose cryptographic certificates in use today (RSA and ECC certificates) are controlled by other countries, and so is their issuance; many uncontrollable factors therefore exist in key links of cryptographic applications, and if these were exploited and attacked, the network security of China would be severely affected. To improve the autonomous controllability of encrypted communication systems, China promotes the independently developed national cryptographic SM2 certificate.
An SM2 certificate is a cryptographic certificate based on the national SM2 public key encryption algorithm. It is an ECC public key certificate standard independently designed and controlled by China, improved on the basis of the internationally standardized elliptic curve cryptography theory with a more secure and advanced elliptic curve mechanism, and has higher encryption strength. Because SM2 national certificates have only recently emerged, only a few browser types currently support them, so they cannot yet be widely deployed in server environments.
In the conventional encrypted communication service deployed on a Web server, only one type of cryptographic certificate is generally deployed, and the response in the encrypted communication handshake is made strictly according to the protocol version number and the cipher suite list; the service therefore cannot be dynamically extended and cannot respond dynamically to a user's access request according to the capabilities of the browser.
Disclosure of Invention
To solve at least one aspect of the above technical problem, embodiments of the present application provide an encryption transmission method, an encryption transmission device, an encryption transmission system, an electronic device and a storage medium, so as to improve the compatibility of a Web system while ensuring the security of encrypted transmission.
The embodiment of the application adopts the following technical scheme:
In a first aspect, an embodiment of the present application provides an encryption transmission method, performed by a Web server, the method including:
receiving a user access request sent by a browser, wherein the user access request carries the cipher suite list supported by the browser;
determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate;
returning the target cryptographic certificate and the corresponding target cipher suite to the browser and establishing an encrypted transmission channel with the browser;
and, over the encrypted transmission channel, transmitting the web page data encrypted with the encryption algorithm corresponding to the target cryptographic certificate.
Optionally, receiving the user access request sent by the browser includes:
receiving the user access request sent by the browser through a load balancing server, wherein the load balancing server performs load balancing on the user access requests sent by browsers according to a load balancing strategy.
Optionally, the Web server is configured with a plurality of cryptographic certificates and the cipher suite list corresponding to each cryptographic certificate, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate includes:
matching the cipher suite list supported by the browser against the cipher suite list corresponding to each cryptographic certificate configured in the Web server in a preset matching priority order;
and determining the target cryptographic certificate and the corresponding target cipher suite according to the matching result.
Optionally, the cryptographic certificates include a national cryptographic certificate and non-national cryptographic certificates, the user access request further carries the encrypted communication version supported by the browser, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate includes:
matching the cipher suite list supported by the browser against the cipher suite list corresponding to the national cryptographic certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the national cryptographic certificate configured in the Web server, taking the national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to it;
otherwise, matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the non-national cryptographic certificates configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to a non-national cryptographic certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that non-national cryptographic certificate, taking the non-national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to it;
otherwise, rejecting the user access request and returning an error message to the browser.
Optionally, the non-national cryptographic certificates include an ECC certificate and an RSA certificate, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate includes:
matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the ECC certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the ECC certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to the ECC certificate, taking the ECC certificate as the target cryptographic certificate and determining the target cipher suite corresponding to it;
otherwise, matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the RSA certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the RSA certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to the RSA certificate, taking the RSA certificate as the target cryptographic certificate and determining the target cipher suite corresponding to it;
otherwise, rejecting the user access request and returning an error message to the browser.
Optionally, the cryptographic certificates include a national cryptographic certificate and non-national cryptographic certificates, and transmitting the web page data over the encrypted transmission channel encrypted with the encryption algorithm corresponding to the target cryptographic certificate includes:
if the target cryptographic certificate is the national cryptographic certificate, transmitting the web page data encrypted with the national cryptographic algorithm;
and if the target cryptographic certificate is a non-national cryptographic certificate, transmitting the web page data encrypted with the encryption algorithm corresponding to that non-national cryptographic certificate.
Optionally, the cryptographic certificates include a non-national cryptographic certificate, and the method further includes:
checking the validity status of the non-national cryptographic certificate with a scheduled task;
and if the non-national cryptographic certificate is invalid, determining the reason for the invalidation and applying the corresponding invalidation handling strategy.
Optionally, determining the reason for the invalidation and applying the corresponding handling strategy includes:
determining whether the non-national cryptographic certificate has been revoked or has expired;
if the non-national cryptographic certificate has been revoked, configuring redirection information so that the browser is redirected to an unencrypted web page and the user is reminded to switch to a browser that uses the national cryptographic certificate;
and if the non-national cryptographic certificate has expired, sending a certificate renewal prompt to the operation and maintenance personnel.
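The scheduled validity check and the two handling branches described above, written out as an added example (not code from the patent or its applicant). It assumes certificate records in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` and a constructed set of revoked serial numbers standing in for the issuing CA's revocation list; the serial numbers, dates and the 30-day early-warning threshold are all made up for the example. Revocation is tested before expiry, because a revoked certificate must not be served even if its validity period has not ended.

```python
import ssl
import time

# Constructed sample records in the shape of ssl.SSLSocket.getpeercert() output.
# Serial numbers and dates are invented for this example.
NON_NATIONAL_CERTIFICATES = {
    "ECC": {"serialNumber": "0A1B2C3D", "notAfter": "Jun  1 12:00:00 2030 GMT"},
    "RSA": {"serialNumber": "0F0E0D0C", "notAfter": "Jan  1 00:00:00 2020 GMT"},
}
# Constructed revocation data: serials that the issuing CA's CRL lists as revoked.
REVOKED_SERIALS = {"0A1B2C3D"}

# Assumed operational threshold: warn operations this long before expiry.
EXPIRY_WARNING_SECONDS = 30 * 24 * 3600


def certificate_status(cert, revoked_serials, now):
    """Classify a certificate as 'revoked', 'expired', 'expiring' or 'valid'.
    Revocation is checked first: a revoked certificate is invalid even if unexpired."""
    if cert["serialNumber"] in revoked_serials:
        return "revoked"
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT notAfter string
    if not_after <= now:
        return "expired"
    if not_after - now <= EXPIRY_WARNING_SECONDS:
        return "expiring"
    return "valid"


def invalidation_action(kind, status):
    """Map a status to the handling strategy the text describes for each failure reason."""
    if status == "revoked":
        # Revoked: redirect the browser to the unencrypted page and remind the user
        # to switch to a browser that supports the national (SM2) certificate.
        return {"certificate": kind, "action": "redirect_unencrypted", "notify": "user"}
    if status in ("expired", "expiring"):
        # Expired (or about to expire): prompt operations to renew the certificate.
        return {"certificate": kind, "action": "renew", "notify": "operations"}
    return {"certificate": kind, "action": "none", "notify": None}


def run_check(certs=NON_NATIONAL_CERTIFICATES, revoked=REVOKED_SERIALS, now=None):
    """One run of the scheduled task: returns the action decided for each certificate."""
    now = time.time() if now is None else now
    return {kind: invalidation_action(kind, certificate_status(cert, revoked, now))
            for kind, cert in certs.items()}


if __name__ == "__main__":
    for kind, action in run_check().items():
        print(kind, action)
```

In a deployment the `run_check` call would be driven by the scheduler the page refers to (a cron entry or a timer thread) and `REVOKED_SERIALS` would be refreshed from the CA's CRL or an OCSP responder rather than held as a constant.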
In a second aspect, an embodiment of the present application further provides an encryption transmission device, applied to a Web server, the device including:
a receiving unit, configured to receive a user access request sent by a browser, wherein the user access request carries the cipher suite list supported by the browser;
a first determining unit, configured to determine a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate;
an establishing unit, configured to return the target cryptographic certificate and the corresponding target cipher suite to the browser and establish an encrypted transmission channel with the browser;
and an encrypted transmission unit, configured to transmit the web page data over the encrypted transmission channel encrypted with the encryption algorithm corresponding to the target cryptographic certificate.
In a third aspect, an embodiment of the present application further provides an encryption transmission system, the system including a plurality of Web servers and a browser, each of the Web servers being configured to execute any of the foregoing encryption transmission methods.
Optionally, the system further includes a load balancing server configured to:
receive a user access request from the browser;
determine the current running state of each Web server;
determine a target Web server according to the current running state of each Web server;
and send the browser's user access request to the target Web server.
In a fourth aspect, embodiments of the present application further provide an electronic device, including:
a processor, and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform any of the methods described above.
In a fifth aspect, embodiments of the present application further provide a computer-readable storage medium storing one or more programs which, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform any of the methods described above.
At least one of the above technical solutions adopted by the embodiments of the present application achieves the following beneficial effect: the encryption transmission method is executed by a Web server, which receives a user access request sent by a browser carrying the cipher suite list supported by the browser; then determines a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate; returns the target cryptographic certificate and the corresponding target cipher suite to the browser and establishes an encrypted transmission channel with the browser; and finally transmits the web page data over the encrypted transmission channel encrypted with the encryption algorithm corresponding to the target cryptographic certificate. By configuring multiple types of cryptographic certificates in the Web server, the encryption transmission method can accommodate access requests from multiple types of browsers, thereby improving the compatibility of the Web system and the user's access experience.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a schematic diagram of an encrypted transmission flow in the prior art;
FIG. 2 is a schematic flowchart of an encryption transmission method in an embodiment of the present application;
FIG. 3 is a schematic diagram of an encrypted transmission flow in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an encryption transmission device in an embodiment of the present application;
FIG. 5 is a schematic diagram of the architecture of an encryption transmission system according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
To make the purposes, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are evidently only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art can derive from the present disclosure without undue effort fall within the scope of the present disclosure.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of an encrypted transmission flow in the prior art. 1) A certificate system is deployed and configured on the Web server, and the encrypted communication version numbers supported by the corresponding encryption certificate, together with the cipher suite list for each version number, are strictly configured. 2) When a user accesses a Web site with a browser, the browser first sends a request message (ClientHello) to establish an encrypted channel; the message contains the encrypted communication version number selected by the browser and the list of cipher suites it supports. 3) After receiving and parsing the request message, the back-end Web server first selects the corresponding cipher suite list according to the encrypted communication version number and compares it with the cipher suite list supported by the browser. If some cipher suite in the browser's list is also in the list supported by the back-end server, the server selects one such cipher suite and sends it to the browser together with the certificate, establishes the encrypted transmission channel and transmits the web page information in encrypted form; otherwise it refuses to establish the encrypted communication and sends an error message to the browser.
The existing encrypted transmission flow deploys only one cryptographic certificate on the back-end Web server, and the response in the encrypted communication handshake is made strictly according to the protocol version number and the cipher suite list; the flow cannot be dynamically extended and cannot respond dynamically to a user's access request according to the capabilities of the browser. This shows in the following respects:
1) It cannot be compatible with all types of browser access requests: in the current domestic browser market, a small number of old browsers support only RSA certificates, a large number of browsers support ECC certificates, and a small number of national cryptographic browsers support SM2 national certificates; if only a single ECC or SM2 certificate is deployed in the Web back end, not all browsers can access the site.
2) It does not help the gradual adoption of the national SM2 certificate: the components, tool libraries, operating systems and hardware modules supporting the national SM2 certificate are still insufficient and its ecosystem is not yet mature, so a compatible back-end certificate management architecture is urgently needed to promote the application of the national SM2 certificate step by step while ensuring normal user access, thereby buying time for autonomous control over cryptographic certificates.
3) The high performance of ECC certificates cannot be exploited: since ECC certificates outperform RSA certificates in every respect, if the Web back-end service deploys only RSA certificates in order to support access by all users, the performance advantage of ECC certificates cannot be realized.
4) Emergencies involving ECC and RSA certificates issued abroad cannot be detected early and handled in time: most existing back-end service systems use ECC or RSA certificates controlled by foreign certificate authorities; if an international emergency occurred and the foreign certificate authorities revoked all ECC or RSA certificates issued to this country, a large number of government and banking websites would become unusable because they could no longer be accessed normally.
To solve at least one of the above aspects, an embodiment of the present application provides an encryption transmission method. FIG. 2 is a flowchart of the encryption transmission method in the embodiment of the present application; the method is executed by a Web server and includes at least the following steps 210 to 240:
Step 210: receiving a user access request sent by a browser, where the user access request carries the cipher suite list supported by the browser.
The encryption transmission method of the embodiment of the present application can be executed by the Web server, and the encrypted transmission of web page data takes place between the Web server and the browser.
After the user starts the browser, the browser first sends a request message (ClientHello) to establish an encrypted channel, and this request carries the cipher suite list supported by the browser. A cipher suite is a concept in the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocols; different cipher suites prescribe the specific encryption algorithms used at the different stages of the encrypted transmission. For example, a national cryptographic browser may add all the national cipher suites it supports to the cipher suite list.
In addition, cryptographic certificates such as ECC and RSA certificates may be usable with multiple communication versions, so the request may also carry the encrypted communication version number selected by the browser.
Step 220: determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate.
In the embodiment of the present application, the various cryptographic certificates currently in use are deployed in advance on each Web server; for example, a national SM2 certificate, an ECC certificate and an RSA certificate can be deployed on each Web server, and a list of supported cipher suites is configured for each cryptographic certificate as the basis for the subsequent certificate negotiation.
Based on this configuration, the cipher suite list supported by the current browser can be compared with the plurality of cryptographic certificates and their corresponding cipher suite lists configured in the Web server, so as to determine a target cryptographic certificate and corresponding target cipher suite compatible with the current browser's access request.
Step 230: returning the target cryptographic certificate and the corresponding target cipher suite to the browser and establishing an encrypted transmission channel with the browser.
The target cryptographic certificate and the corresponding target cipher suite are returned to the browser, so that the Web server and the browser can complete the encrypted handshake and establish the channel based on them.
Step 240: over the encrypted transmission channel, transmitting the web page data encrypted with the encryption algorithm corresponding to the target cryptographic certificate.
After the handshake succeeds, the web page data can be encrypted and transmitted in real time over the established channel with the encryption algorithm corresponding to the target cryptographic certificate, ensuring the security of the web page data in transit.
By configuring multiple types of cryptographic certificates in the Web server, the encryption transmission method can accommodate access requests from multiple types of browsers, thereby improving the compatibility of the Web system and the user's access experience.
In some embodiments of the present application, receiving the user access request sent by the browser includes: receiving the user access request sent by the browser through a load balancing server, wherein the load balancing server performs load balancing on the user access requests sent by browsers according to a load balancing strategy.
Since the real-time load on different Web servers differs, a single Web server whose load is too high may crash, causing all requests on that server to fail; how to balance users' access requests effectively is therefore key to solving the problem.
However, the conventional scheme in which only one kind of cryptographic certificate is deployed on a single Web server cannot fully solve the load balancing problem, because load can only be balanced separately among the Web servers deploying each kind of certificate, for example among all servers deploying national SM2 certificates, among all servers deploying ECC certificates, or among all servers deploying RSA certificates. The servers for a certificate with little user traffic may thus sit idle while those for a certificate with heavy traffic are busy, and load balancing of the Web system as a whole is still not achieved.
In the embodiment of the present application, multiple cryptographic certificates are deployed on every server, so the servers are essentially identical and any of them can handle a user access request; the current load state of each server node can therefore be analysed at the system level, and load balancing across all server nodes in the system is achieved.
In some embodiments of the present application, the Web server is configured with a plurality of cryptographic certificates and the cipher suite list corresponding to each, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate includes: matching the cipher suite list supported by the browser against the cipher suite list corresponding to each cryptographic certificate configured in the Web server in a preset matching priority order; and determining the target cryptographic certificate and the corresponding target cipher suite according to the matching result.
The cryptographic certificates currently in use can be divided mainly into national cryptographic certificates and non-national cryptographic certificates. National cryptographic certificates are designed independently by China, whereas non-national cryptographic certificates are designed under foreign control, so national cryptographic certificates offer relatively higher security, stability and reliability. Non-national cryptographic certificates mainly comprise ECC certificates and RSA certificates, whose characteristics are compared in Table 1 below; overall, the advantages of ECC certificates over RSA certificates are more prominent:
TABLE 1
On this basis, the embodiment of the present application sets a matching priority for the different cryptographic certificates: the cipher suite list supported by the browser is matched in turn, in priority order, against the cipher suite list corresponding to each cryptographic certificate configured in the Web server, and if a higher-priority certificate matches, that certificate and its corresponding target cipher suite are used preferentially, improving the security, stability and reliability of the encrypted transmission.
In some embodiments of the present application, the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, the user access request further carries the encrypted communication version supported by the browser, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate includes: matching the cipher suite list supported by the browser against the cipher suite list corresponding to the national cryptographic certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the national cryptographic certificate configured in the Web server, taking the national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the national cryptographic certificate; if it does not, matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the non-national cryptographic certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the non-national cryptographic certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that non-national cryptographic certificate, taking the non-national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the non-national cryptographic certificate; otherwise, rejecting the user access request and returning error information to the browser.
Based on the matching priority set in the foregoing embodiment, the cipher suite list supported by the browser is first matched against the cipher suite list of the national cryptographic certificate configured in the Web server. If the browser's list includes at least one cipher suite of the national cryptographic certificate, the current browser supports transmission encryption with the encryption algorithm of the national cryptographic certificate, so the national cryptographic certificate can be used as the target cryptographic certificate. If the browser's list includes several cipher suites of the national cryptographic certificate, one target cipher suite has to be selected from them for the subsequent encryption; how that selection is made can be set by a person skilled in the art in light of considerations such as encryption security and encryption efficiency, and is not limited here.
If the cipher suite list supported by the browser contains no cipher suite of the national cryptographic certificate, the browser's list is further matched against the cipher suite list of the non-national cryptographic certificate. If that match succeeds, the non-national cryptographic certificate is used as the target cryptographic certificate and a corresponding target cipher suite is selected; if the match still fails, the user access request is rejected and error information is returned to the browser.
In some embodiments of the present application, the non-national cryptographic certificate includes an ECC certificate and an RSA certificate, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite lists corresponding to the respective cryptographic certificates includes: matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the ECC certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the ECC certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that ECC certificate, taking the ECC certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the ECC certificate; otherwise, matching the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the RSA certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the RSA certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that RSA certificate, taking the RSA certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the RSA certificate; otherwise, rejecting the user access request and returning error information to the browser.
Based on the foregoing embodiment, the non-national cryptographic certificate mainly includes an ECC certificate and an RSA certificate, and the matching priority of the ECC certificate is higher than that of the RSA certificate. Matching is therefore attempted for the ECC certificate first: if it succeeds, the ECC certificate is used as the target cryptographic certificate; if it fails, matching is attempted for the RSA certificate, and if that succeeds the RSA certificate is used as the target cryptographic certificate. If matching still fails, the user access request is rejected and error information is returned to the browser.
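The priority matching described above, written out as an added example that is not code from the patent. The server configuration (certificate names, cipher suite labels, protocol version labels, and the national certificate being matched on suites only while ECC and RSA are matched on suites and version) is constructed here; the patent leaves the choice among several common suites open, so picking the server's first preference is an assumption made in this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


# Constructed server-side configuration (not from the patent): one entry per
# cryptographic certificate deployed on the Web server, in matching-priority
# order SM2 > ECC > RSA. Each entry carries the cipher suites usable with that
# certificate (server preference first) and the protocol versions it is
# offered on. Suite and version names are illustrative labels.
@dataclass(frozen=True)
class ServerCertificate:
    name: str
    cipher_suites: Tuple[str, ...]   # server preference order
    versions: Tuple[str, ...]        # encrypted communication versions
    check_version: bool = True       # the text matches SM2 on suites only


SERVER_CERTIFICATES: Tuple[ServerCertificate, ...] = (
    ServerCertificate("SM2", ("ECDHE_SM4_SM3", "ECC_SM4_SM3"), ("TLCP1.1",),
                      check_version=False),
    ServerCertificate("ECC", ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
                      ("TLS1.2",)),
    ServerCertificate("RSA", ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                              "TLS_RSA_WITH_AES_128_CBC_SHA"),
                      ("TLS1.2", "TLS1.1", "TLS1.0")),
)


def select_certificate(
    browser_suites: Sequence[str],
    browser_versions: Sequence[str],
    certificates: Sequence[ServerCertificate] = SERVER_CERTIFICATES,
) -> Optional[Tuple[str, str]]:
    """Return (certificate name, target cipher suite), or None to reject.

    Certificates are tried in priority order. One matches when the browser
    offers at least one of its cipher suites and, where the entry requires
    it, at least one of its protocol versions. Among several common suites
    the server's own preference wins (assumption, see lead-in).
    """
    offered = set(browser_suites)
    supported_versions = set(browser_versions)
    for cert in certificates:
        common = [s for s in cert.cipher_suites if s in offered]
        if not common:
            continue
        if cert.check_version and not supported_versions.intersection(cert.versions):
            continue
        return cert.name, common[0]
    return None  # no compatible certificate: reject and return an error


def handle_access_request(browser_suites: Sequence[str],
                          browser_versions: Sequence[str]) -> dict:
    """Shape the decision the way the Web server would answer the browser."""
    choice = select_certificate(browser_suites, browser_versions)
    if choice is None:
        return {"status": "rejected",
                "error": "no supported cipher suite / protocol version"}
    cert, suite = choice
    return {"status": "accepted", "certificate": cert, "cipher_suite": suite}


if __name__ == "__main__":
    # Constructed sample requests: a national cryptographic browser, a current
    # browser, a legacy RSA-only browser, and one whose versions do not fit.
    print(handle_access_request(
        ["ECC_SM4_SM3", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], ["TLCP1.1"]))
    print(handle_access_request(
        ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], ["TLS1.2"]))
    print(handle_access_request(["TLS_RSA_WITH_AES_128_CBC_SHA"], ["TLS1.0"]))
    print(handle_access_request(
        ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"], ["TLS1.0"]))
```

The fourth sample request shows the version check doing its work: the browser offers an ECC suite, but none of the ECC entry's protocol versions, so the ECC certificate is skipped, the RSA entry has no common suite, and the request is rejected rather than silently falling through.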
In some embodiments of the present application, the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, and encrypting the web page data for transmission over the encrypted transmission channel using the encryption algorithm corresponding to the target cryptographic certificate includes: if the target cryptographic certificate is a national cryptographic certificate, encrypting the web page data for transmission using a national cryptographic algorithm; and if the target cryptographic certificate is a non-national cryptographic certificate, encrypting the web page data for transmission using the encryption algorithm corresponding to that non-national cryptographic certificate.
Once the target cryptographic certificate and its cipher suite have been determined, the web page data is encrypted in the transmission stage with the algorithm corresponding to that certificate: for example, if the target cryptographic certificate is a national cryptographic certificate, transmission is encrypted with the national SM2 algorithm; if it is an ECC certificate, with the encryption algorithm of the ECC certificate; and if it is an RSA certificate, with the encryption algorithm of the RSA certificate.
After the encrypted communication of the web page data is complete, the browser renders and displays the web page content, and the user can browse the encrypted website normally.
In some embodiments of the present application, the cryptographic certificates comprise a non-national cryptographic certificate, and the method further comprises: checking the validity state of the non-national cryptographic certificate with a scheduled (timed) task; and if the non-national cryptographic certificate is invalid, determining the reason for the invalidation and applying the corresponding invalidation handling policy.
Since non-national cryptographic certificates are authorized and managed abroad, a certificate may become invalid so that encrypted transmission of the web page data is no longer possible. The embodiment of the application therefore starts a scheduled task, run for example once per hour, that checks the validity of the ECC and RSA certificates deployed on the server at regular intervals. If the certificates are valid, certificate management of the Web service is normal; otherwise the certificate has become invalid, the reason for the invalidation can be analysed further and the corresponding handling policy applied.
In some embodiments of the present application, determining the reason for the invalidation and applying the corresponding invalidation handling policy includes: determining whether the non-national cryptographic certificate has been revoked or has expired; if the non-national cryptographic certificate has been revoked, configuring redirect (jump) information so that the browser is redirected to a non-encrypted web page, and prompting the user to switch to a browser that uses national cryptographic certificates; and if the non-national cryptographic certificate has expired, sending a certificate-renewal prompt to operation and maintenance personnel.
In the embodiment of the application, invalidation of a non-national cryptographic certificate mainly covers two cases, revocation and expiry. To determine the specific reason, the certificate authority (CA) can be queried according to the CRL (certificate revocation list) field in the cryptographic certificate to establish whether the certificate has been revoked or has expired; whether the certificate has expired can of course also be determined from the certificate's start and end dates. How exactly the judgement is made can be set flexibly by those skilled in the art according to actual requirements and is not particularly limited here.
If the non-national cryptographic certificate has been revoked, the Web server can configure 302 redirect information so that the browser is redirected to the non-encrypted web page, and prompt the user to switch to a browser that uses the national cryptographic certificate. In this way, in scenarios where an ECC or RSA certificate must be used, an emergency such as revocation of the certificate by a foreign party can be recognised and circumvented. If the non-national cryptographic certificate has expired, the operation and maintenance personnel of the Web system can be reminded to renew the certificate.
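The scheduled validity check and the two handling policies just described, as an added example that is not part of the patent. The certificate records, the CRL snapshot (standing in for the list fetched from the CA named in the certificate's CRL field) and the action labels are constructed here; the stale-CRL state and the not-yet-valid state are defensive caveats added in this example, not cases the patent enumerates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class DeployedCertificate:
    label: str            # "ECC" or "RSA"
    serial: int
    not_before: datetime  # start date of the validity period
    not_after: datetime   # end date of the validity period


@dataclass(frozen=True)
class CrlSnapshot:
    """A CRL already fetched from the CA named in the certificate's CRL field."""
    revoked_serials: FrozenSet[int]
    next_update: datetime  # after this time the snapshot must be refreshed


# Handling policy per state. Hypothetical action labels: the redirect and the
# ops notification are the two policies the text describes; the other two
# entries are defensive additions made in this example.
ACTIONS = {
    "valid": "none",
    "expired": "notify_ops_renew_certificate",
    "not_yet_valid": "notify_ops_check_validity_period",
    "revoked": "configure_302_redirect_and_prompt_sm_browser",
    "unknown": "notify_ops_crl_stale",
}


def classify(cert: DeployedCertificate, crl: CrlSnapshot, now: datetime) -> str:
    # Decide expiry from the validity dates first: a CA may drop an expired
    # certificate from its CRL, so a revocation lookup alone could miss it.
    if now >= cert.not_after:
        return "expired"
    if now < cert.not_before:
        return "not_yet_valid"
    # A CRL past its nextUpdate can no longer vouch for revocation status.
    if now > crl.next_update:
        return "unknown"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


def check_certificates(certs: Sequence[DeployedCertificate], crl: CrlSnapshot,
                       now: datetime) -> List[dict]:
    """One run of the scheduled task (the text suggests hourly) over the
    non-national certificates deployed on this server."""
    report = []
    for cert in certs:
        state = classify(cert, crl, now)
        report.append({"label": cert.label, "serial": cert.serial,
                       "state": state, "action": ACTIONS[state]})
    return report


# Constructed sample data: a fixed "now", a CRL that lists the ECC serial,
# and an RSA certificate whose validity period ended yesterday.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CRL = CrlSnapshot(revoked_serials=frozenset({0x1A2B}),
                  next_update=NOW + timedelta(days=7))
ECC_CERT = DeployedCertificate("ECC", 0x1A2B,
                               NOW - timedelta(days=100), NOW + timedelta(days=265))
RSA_CERT = DeployedCertificate("RSA", 0x3C4D,
                               NOW - timedelta(days=400), NOW - timedelta(days=1))

if __name__ == "__main__":
    for entry in check_certificates([ECC_CERT, RSA_CERT], CRL, NOW):
        print(entry)
```

In deployment the `check_certificates` call is what the hourly task invokes (cron or a scheduler thread), with `now` taken from the system clock and the CRL refreshed whenever its `next_update` has passed; the report's `action` field drives the redirect configuration or the ops alert.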
To facilitate understanding of the embodiments of the present application, fig. 3 provides a schematic diagram of the encrypted transmission flow in the embodiments of the present application.
Based on the above embodiments, the key points of the encryption transmission method of the present application are:
1) Each Web server is compatible with, and supports, all cryptographic certificates: for each cryptographic certificate in the three certificate systems of the existing domestic network encryption communication system, a corresponding list of supported cipher suites is maintained and managed.
2) The cryptographic certificate is selected optimally according to the cipher suite list supported by the browser: the browser's cipher suite list is matched in turn against the cipher suite lists of the three cryptographic certificates; the autonomous national SM2 certificate is selected first, the better-performing ECC certificate is searched for next, and the RSA certificate, with ordinary performance, last.
3) Encrypted communication connections of all types are load balanced: encrypted communications based on SM2, ECC and RSA certificates are scheduled together in a balanced manner, and access requests of every type may be distributed to every server.
4) Emergencies in which ECC and RSA certificates are revoked are identified in time, with early warning and circumvention: the validity of the ECC and RSA certificates on the server is checked at regular intervals; if a certificate has been revoked, a circumvention operation is performed so that the user can still access the Web system normally and is reminded to switch to a national cryptographic browser; if a certificate has expired, the operator of the Web system is reminded to renew it.
The encryption transmission method at least has the following technical effects:
1) The application is compatible with encrypted access requests from all types of browsers: not only the existing national cryptographic browsers that use SM2 national cryptographic certificates, but also most existing browsers that use ECC certificates, and even the small number of old browsers that support only RSA certificates.
2) While guaranteeing normal access for users, the national cryptographic certificate is used preferentially, so that the national SM2 certificate can be promoted step by step and time is gained for autonomous, controllable cryptographic certificates. Support for the domestic cryptographic certificate is built up progressively across modules such as service components, tool libraries, operating systems and hardware, and the ecosystem of the domestic SM2 certificate is steadily improved.
3) Where a non-national cryptographic certificate has to be used, the ECC certificate is used preferentially so that its efficiency is brought into play. Because the ECC certificate outperforms the RSA certificate in every performance respect, the Web back-end service can preferentially allocate and use the ECC certificate system, provided the user can still access the website normally with their browser, and thereby make better use of the performance advantage of ECC certificates.
4) Load balancing of encrypted requests of all types is achieved. Every server can respond to users' SM2, ECC and RSA encrypted requests, and the distribution of encrypted communication tasks is controlled by monitoring the CPU, memory and number of encrypted connections of each server node, avoiding the problem that a traditional server with a single deployed certificate cannot be fully load balanced.
5) The emergency of a certificate being revoked by a foreign party can be identified in time, further circumvention is supported, and normal access to the Web system is ensured.
In summary, the application supports autonomous SM2 cryptographic certificates while remaining compatible with the large installed base of RSA and ECC certificates; it takes into account the service efficiency of the ECC cipher suites and remains compatible with legacy system environments and browser platforms. The autonomous, controllable SM2 cryptographic certificate is used first, then the ECC certificate, and finally the RSA certificate, so that old system environments and browser platforms are also covered. An emergency handling mechanism is established for the case of a revoked certificate. Together these measures increase the coverage of national cryptographic certificates and the efficiency of back-end encrypted communication.
The embodiment of the application also provides an encryption transmission device 400; fig. 4 shows a schematic structural diagram of the encryption transmission device in the embodiment of the application. The device is applied to a Web server, and the device 400 includes:
a receiving unit 410, configured to receive a user access request sent by a browser, where the user access request carries the cipher suite list supported by the browser;
a first determining unit 420, configured to determine a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate;
an establishing unit 430, configured to return the target cryptographic certificate and the corresponding target cipher suite to the browser and establish an encrypted transmission channel with the browser; and
an encryption transmission unit 440, configured to encrypt the web page data for transmission over the encrypted transmission channel using the encryption algorithm corresponding to the target cryptographic certificate.
In some embodiments of the present application, the receiving unit 410 is specifically configured to receive the user access request sent by the browser via a load balancing server, where the load balancing server performs load balancing on the user access requests sent by browsers according to a load balancing policy.
In some embodiments of the present application, the Web server is configured with a plurality of cryptographic certificates and a cipher suite list corresponding to each cryptographic certificate, and the first determining unit 420 is specifically configured to: match the cipher suite list supported by the browser against the cipher suite list corresponding to each cryptographic certificate configured in the Web server, based on a preset matching priority; and determine the target cryptographic certificate and the corresponding target cipher suite according to the matching result.
In some embodiments of the present application, the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, the user access request further carries the encrypted communication version supported by the browser, and the first determining unit 420 is specifically configured to: match the cipher suite list supported by the browser against the cipher suite list corresponding to the national cryptographic certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the national cryptographic certificate configured in the Web server, take the national cryptographic certificate as the target cryptographic certificate and determine the target cipher suite corresponding to the national cryptographic certificate; if it does not, match the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the non-national cryptographic certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the non-national cryptographic certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that non-national cryptographic certificate, take the non-national cryptographic certificate as the target cryptographic certificate and determine the target cipher suite corresponding to the non-national cryptographic certificate; otherwise, reject the user access request and return error information to the browser.
In some embodiments of the present application, the non-national cryptographic certificate includes an ECC certificate and an RSA certificate, and the first determining unit 420 is specifically configured to: match the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the ECC certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the ECC certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that ECC certificate, take the ECC certificate as the target cryptographic certificate and determine the target cipher suite corresponding to the ECC certificate; otherwise, match the cipher suite list and the encrypted communication version supported by the browser against the cipher suite list and the encrypted communication version corresponding to the RSA certificate configured in the Web server; if the cipher suite list supported by the browser contains a cipher suite corresponding to the RSA certificate configured in the Web server, and the encrypted communication version supported by the browser includes the encrypted communication version corresponding to that RSA certificate, take the RSA certificate as the target cryptographic certificate and determine the target cipher suite corresponding to the RSA certificate; otherwise, reject the user access request and return error information to the browser.
In some embodiments of the present application, the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, and the encryption transmission unit 440 is specifically configured to: if the target cryptographic certificate is a national cryptographic certificate, encrypt the web page data for transmission using a national cryptographic algorithm; and if the target cryptographic certificate is a non-national cryptographic certificate, encrypt the web page data for transmission using the encryption algorithm corresponding to that non-national cryptographic certificate.
In some embodiments of the present application, the cryptographic certificates comprise a non-national cryptographic certificate, and the apparatus further comprises: a checking unit, configured to check the validity state of the non-national cryptographic certificate with a scheduled (timed) task; and a second determining unit, configured to determine the reason for the invalidation and apply the corresponding invalidation handling policy if the non-national cryptographic certificate is invalid.
In some embodiments of the present application, the second determining unit is specifically configured to: determine whether the non-national cryptographic certificate has been revoked or has expired; if the non-national cryptographic certificate has been revoked, configure redirect (jump) information so that the browser is redirected to a non-encrypted web page, and prompt the user to switch to a browser that uses national cryptographic certificates; and if the non-national cryptographic certificate has expired, send a certificate-renewal prompt to operation and maintenance personnel.
It can be understood that the above-mentioned encryption transmission device can implement the steps of the encryption transmission method provided in the foregoing embodiment, and the relevant explanation about the encryption transmission method is applicable to the encryption transmission device, which is not repeated herein.
The embodiment of the application also provides an encryption transmission system; fig. 5 shows an architecture schematic diagram of the encryption transmission system in the embodiment of the application. The system includes a plurality of Web servers and a browser, and each of the Web servers is configured to execute any one of the encryption transmission methods described above.
Different user browsers may support different cryptographic certificates, but each Web server is deployed with all the cryptographic certificates to be compatible with all types of browser access requests.
In some embodiments of the present application, the system further comprises a load balancing server configured to: receive a user access request from a browser; determine the current running state of each Web server; determine a target Web server according to the current running state of each Web server; and send the user access request of the browser to the target Web server.
The load balancing control node can collect CPU and memory usage and the number of encrypted connections currently being served from each server at regular intervals (for example every 30 seconds), and from these assess the overall operating load of each server node. If a server finds its CPU and memory occupancy high, it proactively reports this to the load balancing control node. Encrypted communication tasks are preferentially distributed to the servers with relatively low CPU and memory usage; if the CPU and memory usage of the servers is essentially equal, tasks are preferentially distributed to the servers with fewer encrypted connections. How exactly the load balancing policy is set can of course be adjusted flexibly by those skilled in the art to the actual service scenario, and is not specifically limited here.
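The scheduling rule just described, as an added example that is not part of the patent. The patent leaves the concrete policy open, so the following are assumptions made in this example: a node's load is the larger of its CPU and memory utilisation, loads within five percentage points count as "basically equal", and a node whose last report is older than three 30-second polling intervals is treated as unavailable. The server names and status figures are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class ServerStatus:
    name: str
    cpu_percent: float
    mem_percent: float
    tls_connections: int   # encrypted connections currently being served
    reported_at: datetime  # time of the poll or of the node's own report


class LoadBalancer:
    """Chooses the Web server that receives the next encrypted connection.

    Every server holds all three certificates, so any node can serve any
    request and the choice is driven purely by load (see lead-in for the
    assumptions on load metric, equality band and staleness).
    """

    def __init__(self, poll_interval: timedelta = timedelta(seconds=30),
                 equal_band: float = 5.0) -> None:
        self.stale_after = 3 * poll_interval
        self.equal_band = equal_band
        self._status: Dict[str, ServerStatus] = {}

    def report(self, status: ServerStatus) -> None:
        """Accept a periodic poll result or a node's proactive high-load report."""
        self._status[status.name] = status

    @staticmethod
    def load(status: ServerStatus) -> float:
        # Either resource running hot is what triggers the proactive report
        # in the text, so the heavier of the two is the node's load figure.
        return max(status.cpu_percent, status.mem_percent)

    def pick_target(self, now: datetime) -> Optional[str]:
        fresh = [s for s in self._status.values()
                 if now - s.reported_at <= self.stale_after]
        if not fresh:
            return None  # nothing is known to be alive; caller must fail the request
        lightest = min(self.load(s) for s in fresh)
        # Nodes whose load is "basically equal" to the lightest compete on
        # connection count; the name only makes ties deterministic.
        candidates = [s for s in fresh if self.load(s) - lightest <= self.equal_band]
        return min(candidates, key=lambda s: (s.tls_connections, s.name)).name


def build_sample_balancer(now: datetime) -> LoadBalancer:
    """Constructed cluster: A is busy, B and C are lightly and similarly
    loaded, D looks idle but has not reported for five minutes."""
    lb = LoadBalancer()
    lb.report(ServerStatus("A", 70.0, 60.0, 100, now))
    lb.report(ServerStatus("B", 30.0, 35.0, 50, now))
    lb.report(ServerStatus("C", 33.0, 31.0, 20, now))
    lb.report(ServerStatus("D", 1.0, 1.0, 0, now - timedelta(minutes=5)))
    return lb


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    lb = build_sample_balancer(now)
    print(lb.pick_target(now))  # C: tied with B on load, fewer connections
    lb.report(ServerStatus("C", 33.0, 31.0, 80, now))
    print(lb.pick_target(now))  # B: C now carries more connections
```

The staleness rule is the part worth keeping in a real deployment: without it the idle-looking node D, which may simply have crashed, would win every scheduling decision and the encrypted requests routed to it would fail.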
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 6, at the hardware level the electronic device includes a processor and, optionally, an internal bus, a network interface and a memory. The memory may include internal memory, such as Random-Access Memory (RAM), and may further include non-volatile memory, such as at least one disk memory. The electronic device may of course also include hardware required by other services.
The processor, network interface and memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others. Buses may be classified as address buses, data buses, control buses and so on. For ease of illustration only one bidirectional arrow is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer-operating instructions. The memory may include internal memory and non-volatile storage, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into the internal memory and runs it, forming the encryption transmission device at the logical level. The processor executes the programs stored in the memory and is specifically configured to perform the following operations:
receiving a user access request sent by a browser, wherein the user access request carries a password suite list supported by the browser;
determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite lists corresponding to the cryptographic certificates;
returning the target password certificate and the corresponding target password suite to the browser and establishing an encryption transmission channel with the browser;
and based on the encryption transmission channel, carrying out encryption transmission on the webpage data by utilizing an encryption algorithm corresponding to the target password certificate.
The method performed by the encryption transmission apparatus disclosed in the embodiment shown in fig. 1 of the present application may be applied to, or implemented by, a processor. The processor may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated hardware logic circuits in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in hardware, in a software module executed by a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium well known in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
The electronic device may further execute the method executed by the encryption transmission device in fig. 1, and implement the function of the encryption transmission device in the embodiment shown in fig. 1, which is not described herein again.
The embodiments of the present application also provide a computer readable storage medium storing one or more programs, where the one or more programs include instructions, which when executed by an electronic device that includes a plurality of application programs, enable the electronic device to perform a method performed by the encryption transmission apparatus in the embodiment shown in fig. 1, and specifically are configured to perform:
receiving a user access request sent by a browser, wherein the user access request carries a password suite list supported by the browser;
determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite lists corresponding to the cryptographic certificates;
returning the target password certificate and the corresponding target password suite to the browser and establishing an encryption transmission channel with the browser;
and based on the encryption transmission channel, carrying out encryption transmission on the webpage data by utilizing an encryption algorithm corresponding to the target password certificate.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (13)

1. An encrypted transmission method, the method being performed by a Web server, the method comprising:
receiving a user access request sent by a browser, wherein the user access request carries a cipher suite list supported by the browser;
determining a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, a plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate;
returning the target cryptographic certificate and the corresponding target cipher suite to the browser and establishing an encrypted transmission channel with the browser;
and based on the encrypted transmission channel, carrying out encrypted transmission of the web page data by using an encryption algorithm corresponding to the target cryptographic certificate.
2. The method of claim 1, wherein receiving the user access request sent by the browser comprises:
receiving the user access request sent by the browser through a load balancing server, wherein the load balancing server is configured to perform load balancing on user access requests sent by browsers based on a load balancing policy.
3. The method according to claim 1, wherein the Web server is configured with a plurality of cryptographic certificates and a cipher suite list corresponding to each cryptographic certificate, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate comprises:
matching the cipher suite list supported by the browser against the cipher suite list corresponding to each cryptographic certificate configured in the Web server based on a preset matching priority;
and determining the target cryptographic certificate and the corresponding target cipher suite according to the matching result.
4. The method according to claim 3, wherein the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, the user access request further carries the encrypted communication versions supported by the browser, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate comprises:
matching the cipher suite list supported by the browser against the cipher suite list corresponding to the national cryptographic certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the national cryptographic certificate configured in the Web server, taking the national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the national cryptographic certificate;
otherwise, matching the cipher suite list and the encrypted communication versions supported by the browser against the cipher suite list and the encrypted communication version corresponding to the non-national cryptographic certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the non-national cryptographic certificate configured in the Web server, and the encrypted communication versions supported by the browser contain the encrypted communication version corresponding to the non-national cryptographic certificate configured in the Web server, taking the non-national cryptographic certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the non-national cryptographic certificate;
otherwise, rejecting the user access request and returning an error message to the browser.
5. The method according to claim 4, wherein the non-national cryptographic certificate includes an ECC certificate and an RSA certificate, and determining the target cryptographic certificate and the corresponding target cipher suite according to the cipher suite list supported by the browser, the plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate comprises:
matching the cipher suite list and the encrypted communication versions supported by the browser against the cipher suite list and the encrypted communication version corresponding to the ECC certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the ECC certificate configured in the Web server, and the encrypted communication versions supported by the browser contain the encrypted communication version corresponding to the ECC certificate configured in the Web server, taking the ECC certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the ECC certificate;
otherwise, matching the cipher suite list and the encrypted communication versions supported by the browser against the cipher suite list and the encrypted communication version corresponding to the RSA certificate configured in the Web server;
if the cipher suite list supported by the browser contains a cipher suite corresponding to the RSA certificate configured in the Web server, and the encrypted communication versions supported by the browser contain the encrypted communication version corresponding to the RSA certificate configured in the Web server, taking the RSA certificate as the target cryptographic certificate and determining the target cipher suite corresponding to the RSA certificate;
otherwise, rejecting the user access request and returning an error message to the browser.
6. The method of claim 1, wherein the cryptographic certificates include a national cryptographic certificate and a non-national cryptographic certificate, and carrying out encrypted transmission of the web page data by using an encryption algorithm corresponding to the target cryptographic certificate based on the encrypted transmission channel comprises:
if the target cryptographic certificate is the national cryptographic certificate, carrying out encrypted transmission of the web page data by using a national cryptographic encryption algorithm;
and if the target cryptographic certificate is the non-national cryptographic certificate, carrying out encrypted transmission of the web page data by using the encryption algorithm corresponding to the non-national cryptographic certificate.
7. The method of claim 3, wherein the cryptographic certificates include a non-national cryptographic certificate, and the method further comprises:
checking the validity state of the non-national cryptographic certificate by means of a scheduled task;
and if the non-national cryptographic certificate is invalid, determining the reason for the certificate invalidation and adopting a corresponding invalidation handling strategy.
8. The method of claim 7, wherein determining the reason for the certificate invalidation and adopting a corresponding invalidation handling strategy comprises:
determining whether the non-national cryptographic certificate is revoked or expired;
if the non-national cryptographic certificate is revoked, configuring redirection information so that the browser is redirected to a non-encrypted web page, and reminding the user to switch to a browser that supports the national cryptographic certificate;
and if the non-national cryptographic certificate is expired, sending a certificate update prompt to operation and maintenance personnel.
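The certificate and cipher suite selection of claims 3 to 5 together with the scheduled validity check of claims 7 and 8, as an added Python example that is not part of the patent. The `CertConfig` structure, the function names, the strategy labels and the sample server configuration are constructed, and the certificate list is assumed to already be in the patent's priority order (national certificate, then ECC, then RSA).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class CertConfig:
    """One certificate configured on the Web server (constructed representation, not the patent's)."""
    name: str                       # label: "sm2" (national), "ecc", "rsa"
    national: bool                  # True for the national cryptographic (SM2) certificate
    suites: List[str]               # cipher suites the certificate can serve, in server preference order
    versions: List[str] = field(default_factory=list)  # encrypted communication versions (non-national only)
    not_after: Optional[datetime] = None                # expiry; None disables the expiry check
    revoked: bool = False

def _pick_suite(browser_suites: List[str], cert: CertConfig) -> Optional[str]:
    """First of the certificate's suites that the browser also offers (server preference, an assumption)."""
    offered = set(browser_suites)
    return next((s for s in cert.suites if s in offered), None)

def select_certificate(browser_suites: List[str], browser_versions: List[str],
                       certs: List[CertConfig]) -> Optional[Tuple[str, str]]:
    """Claims 3-5: walk the certificates in their preset priority order (national, then ECC,
    then RSA, which is how `certs` is assumed to be ordered). A national certificate needs only a
    cipher suite match; a non-national one also needs a version match. None means reject."""
    for cert in certs:
        suite = _pick_suite(browser_suites, cert)
        if suite is None:
            continue
        if not cert.national and not set(browser_versions) & set(cert.versions):
            continue
        return cert.name, suite
    return None

def cert_status(cert: CertConfig, now: datetime) -> str:
    """Claim 8: classify as 'revoked', 'expired' or 'valid'; revocation takes precedence."""
    if cert.revoked:
        return "revoked"
    if cert.not_after is not None and now >= cert.not_after:
        return "expired"
    return "valid"

ACTIONS = {  # claim 8 handling strategies, as labels for the caller to act on (constructed)
    "revoked": "redirect_to_plain_page_and_prompt_national_browser",
    "expired": "notify_ops_to_renew",
}

def timed_validity_check(certs: List[CertConfig], now: datetime) -> dict:
    """Claim 7: the scheduled job runs over the non-national certificates only."""
    return {c.name: ACTIONS[cert_status(c, now)]
            for c in certs if not c.national and cert_status(c, now) != "valid"}

# Constructed server configuration; suite names are the standard OpenSSL / GM/T 0024 identifiers.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = [
    CertConfig("sm2", True, ["ECC_SM4_SM3"]),
    CertConfig("ecc", False, ["ECDHE-ECDSA-AES128-GCM-SHA256"], ["TLSv1.3", "TLSv1.2"],
               not_after=datetime(2025, 1, 1, tzinfo=timezone.utc)),
    CertConfig("rsa", False, ["ECDHE-RSA-AES128-GCM-SHA256"], ["TLSv1.2"],
               not_after=datetime(2024, 1, 1, tzinfo=timezone.utc)),  # already expired at NOW
]
```

Selection here follows the claims literally and does not consult `cert_status`; a deployment would also drop certificates the scheduled check has flagged before offering them to a browser.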
9. An encrypted transmission device, the device being applied to a Web server, the device comprising:
a receiving unit, configured to receive a user access request sent by a browser, wherein the user access request carries a cipher suite list supported by the browser;
a first determining unit, configured to determine a target cryptographic certificate and a corresponding target cipher suite according to the cipher suite list supported by the browser, a plurality of cryptographic certificates configured in the Web server and the cipher suite list corresponding to each cryptographic certificate;
an establishing unit, configured to return the target cryptographic certificate and the corresponding target cipher suite to the browser and establish an encrypted transmission channel with the browser;
and an encrypted transmission unit, configured to carry out encrypted transmission of the web page data by using an encryption algorithm corresponding to the target cryptographic certificate based on the encrypted transmission channel.
10. An encrypted transmission system, characterized in that the system comprises a plurality of Web servers and a browser, each of the plurality of Web servers being adapted to execute the encrypted transmission method according to any one of claims 1 to 8.
11. The system of claim 10, further comprising a load balancing server for performing:
receiving a user access request of a browser;
determining the current running state of each Web server;
determining a target Web server according to the current running state of each Web server;
and sending the user access request of the browser to the target Web server.
12. An electronic device, comprising:
a processor and a memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method of any of claims 1 to 8.
13. A computer readable storage medium storing one or more programs, which when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311602689.0A CN117834125A (en) 2023-11-28 2023-11-28 Encryption transmission method, device and system, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117834125A true CN117834125A (en) 2024-04-05

Family

ID=90510516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311602689.0A Pending CN117834125A (en) 2023-11-28 2023-11-28 Encryption transmission method, device and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117834125A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination