CN101325519B - Content auditing method, system based on safety protocol and content auditing equipment - Google Patents

Info

Publication number: CN101325519B
Authority: CN (China)
Prior art keywords: communication party, random number, content auditing, key, connection request
Legal status: Expired - Fee Related
Application number: CN2008101144315A
Other languages: Chinese (zh)
Other versions: CN101325519A (en)
Inventor: 任亮
Current Assignee: Huawei Digital Technologies Chengdu Co Ltd
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2008101144315A
Publication of CN101325519A
Application granted
Publication of CN101325519B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a content auditing method, system and apparatus based on a security protocol, pertaining to the field of communications. The method includes: receiving a connection request from a first communication party; initiating a connection to the corresponding second communication party and receiving from it a digital certificate carrying the second communication party's public key; generating a public key, using it to replace the second communication party's public key in the digital certificate, and transmitting the modified digital certificate to the first communication party; establishing a security protocol link with each of the first and second communication parties; and monitoring the data forwarded by the first or second communication party through the security protocol link. The system includes the first communication party, the second communication party, a firewall and a content auditing apparatus. The content auditing apparatus of the invention can monitor the communication between the first and second communication parties by impersonating the identity of each of them towards the other.

Description

Content auditing method, system and content auditing equipment based on security protocol
Technical Field
The invention relates to the field of communication, in particular to a content auditing method, a system and content auditing equipment based on a security protocol.
Background
SSL (Secure Sockets Layer) is a security protocol that sits between the TCP (Transmission Control Protocol)/IP transport layer and the application layer. SSL was initially used mainly in web browsers to protect HTTP (HyperText Transfer Protocol) interactions; as network security requirements grew, the TLS (Transport Layer Security) protocol was proposed. Most of the functionality of TLS is based on SSL version 3.
In the prior art there is a communication method based on the SSL/TLS protocol; the communication process between a client and a server is briefly introduced below:
the client and the server establish an SSL connection and negotiate the encryption suite and compression algorithm to be used;
the server then sends its digital certificate to the client. The certificate serves two purposes: the client uses it to authenticate the identity of the server, and it contains the server's public key, with which the client encrypts the information used to generate the later data encryption key;
at this point the server has proved its identity to the client, the two sides have agreed on the data encryption suite and data compression algorithm, and the client has obtained a key with which to encrypt the information used to generate the later data encryption key;
the client generates the information for the later data encryption key and sends it to the server, sends the confirmed data encryption algorithm and Hash message authentication code algorithm to the server, and informs the server that subsequent data will be encrypted with the newly generated key and the negotiated algorithms;
finally, the client and the server send application data to each other, which may include a user name and password sent by the client to the server; after the data transmission is finished the connection is closed, and protection of the endpoints against attack is thereby achieved.
In the course of implementing the invention, the inventor found that the prior art has at least the following problem:
the data transmitted during communication is protected by encryption, but this communication mode makes content auditing (a means of monitoring and filtering network communication content) difficult, and in the prior art no corresponding content auditing mode exists for security protocol communication, which is not beneficial to information supervision.
Disclosure of Invention
In order to monitor the communication content of both communication parties, the embodiment of the invention provides a content auditing method, a system and content auditing equipment based on a security protocol. The technical scheme is as follows:
a security protocol-based content auditing method, the method comprising:
the content auditing device receives a connection request from a first communication party; initiating connection to a second communication party corresponding to the connection request, and receiving a digital certificate which is returned by the second communication party and carries a public key of the second communication party;
the content auditing equipment generates a public key, modifies the public key of the second communication party in the digital certificate by using the public key and sends the modified digital certificate to the first communication party;
the first communication party receives the digital certificate, obtains a public key of the content auditing equipment from the digital certificate, confirms the data encryption suite and the compression algorithm selected by the second communication party, selects a first random number, generates a first key according to the first random number, encrypts the first random number by using the public key of the content auditing equipment, and sends the encrypted first random number;
the content auditing device receives the encrypted first random number, decrypts it with its own private key to obtain the first random number, and generates the first key according to the first random number, wherein the first communication party and the content auditing device use the first key to encrypt/decrypt transmission data;
the content auditing equipment selects a second random number, generates a second key according to the second random number, encrypts the second random number by using a public key of a second communication party, and sends the encrypted second random number to the second communication party;
the second communication party receives the encrypted second random number, decrypts the encrypted second random number by using a private key of the second communication party to obtain the second random number, and generates a second key according to the second random number, wherein the second communication party and the content auditing equipment use the second key to encrypt/decrypt transmission data;
and the content auditing equipment monitors data transmitted by the first communication party through the first key or the second communication party through the second key.
A security protocol based content auditing system comprising a first communicating party and a second communicating party, the system further comprising: a firewall and a content auditing device; wherein,
the firewall is used for converting a destination address of the connection request into an address of the content auditing equipment after receiving the connection request sent by the first communication party, and sending the connection request after the destination address is converted to the content auditing equipment;
the content auditing device is used for receiving the connection request, initiating a connection to the second communication party corresponding to the connection request, and receiving a digital certificate returned by the second communication party and carrying the second communication party's public key; generating a public key, replacing the second communication party's public key in the digital certificate with the generated public key, and sending the modified digital certificate to the first communication party; receiving the first random number encrypted by the first communication party, decrypting it with the content auditing device's own private key to obtain the first random number, and generating a first key according to the first random number, wherein the first key is used by the first communication party and the content auditing device to encrypt/decrypt transmission data; selecting a second random number, generating a second key according to the second random number, encrypting the second random number with the public key of the second communication party, and sending the encrypted second random number to the second communication party; and monitoring data transmitted by the first communication party through the first key or by the second communication party through the second key;
the first communication party receives the digital certificate, obtains a public key of the content auditing equipment from the digital certificate, confirms the data encryption suite and the compression algorithm selected by the second communication party, selects a first random number, generates a first key according to the first random number, encrypts the first random number by using the public key of the content auditing equipment, and sends the encrypted first random number;
and the second communication party receives the encrypted second random number, decrypts the encrypted second random number by using a private key of the second communication party to obtain the second random number, and generates a second key according to the second random number, wherein the second communication party and the content auditing equipment use the second key to encrypt/decrypt transmission data.
A content auditing apparatus, the apparatus comprising:
the receiving module is used for receiving a connection request sent by a first communication party, a digital certificate sent by a second communication party and data interacted between the first communication party and the second communication party;
the connection initiating module is used for initiating connection to a second communication party corresponding to the connection request after the receiving module receives the connection request of the first communication party;
the digital certificate processing module is used for generating a public key after the receiving module receives the digital certificate which is sent by the second communication party and carries the public key of the second communication party, modifying the public key of the second communication party in the digital certificate by using the public key and sending the modified digital certificate to the first communication party;
the secure link establishing module is used for receiving the encrypted first random number from the first communication party, decrypting it with the content auditing apparatus's own private key to obtain the first random number, and generating the first key according to the first random number, wherein the first key is used by the first communication party and the content auditing apparatus to encrypt/decrypt transmission data; selecting a second random number, generating a second key according to the second random number, encrypting the second random number with the public key of the second communication party, and sending the encrypted second random number to the second communication party;
and the auditing module is used for monitoring data forwarded by the first communication party or the second communication party through the security protocol link established by the security link establishing module.
The content auditing device in the embodiment of the invention can obtain the content exchanged between the first and second communication parties by impersonating the identity of each party towards the other, thereby monitoring the communication of the two parties, meeting the content auditing requirement for encrypted links in practical application, and better protecting the secret information of an enterprise or company.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a method for content auditing based on a security protocol provided in embodiment 1 of the present invention;
fig. 2 is a signaling interaction diagram of a content auditing method based on a security protocol according to embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of a content auditing system based on a security protocol provided in embodiment 2 of the present invention;
fig. 4 is a schematic diagram of a content auditing apparatus provided in embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
According to the embodiment of the invention, the data traffic of the first communication party and the second communication party is forwarded from the content auditing equipment, so that the interactive content of the two communication parties can be monitored on the basis of not being perceived by the two communication parties, and the leakage of confidential information inside an enterprise can be prevented.
Example 1
Referring to fig. 1, this embodiment provides a content auditing method based on a security protocol, where a client is used as a first communication party, a server is used as a second communication party, and content auditing is performed by a content auditing device, which includes:
101: the content auditing equipment receives a connection request from a client;
102: initiating connection to a server corresponding to the connection request, and receiving a digital certificate which is returned by the server and carries a public key of the server;
103: the content auditing equipment generates a public key, modifies the public key of the server side in the digital certificate by using the public key, and sends the modified digital certificate to the client side;
104: establishing a security protocol link with the client according to the public key in the modified digital certificate, and establishing a security protocol link with the server according to the digital certificate carrying the public key of the server;
105: and monitoring data forwarded by the client or the server through the security protocol link.
The security protocol in this embodiment may be an SSL/TLS protocol.
When the content auditing method is implemented, a firewall with a destination address translation function is used: messages or data sent from the client to the server are forwarded through the firewall to the content auditing device, which acts as the server towards the client and as a man-in-the-middle towards the server. Fig. 2 is the signaling interaction diagram of the content auditing method; the method is briefly described as follows:
201: the client sends a ClientHello message to the server to request the establishment of an SSL connection, and at the same time tells the server which SSL version the client supports and which encryption suites and compression algorithms it can use;
when the ClientHello message passes through the firewall, the firewall translates its destination address into the address of the content auditing device and forwards the ClientHello message to the content auditing device;
202: after receiving the ClientHello message, the content auditing device sends a ClientHello* message to the server in the identity of the client, requesting the establishment of an SSL connection and carrying the SSL version supported by the client together with the encryption suites and compression algorithms it can use;
203: after receiving the ClientHello* message, the server regards the content auditing device as the client, returns a ServerHello message to the content auditing device, and informs it of the selected encryption suite and compression algorithm;
204: after receiving the ServerHello message, the content auditing device sends a ServerHello* message to the client in the identity of the server;
205: the server sends its digital certificate to the content auditing device. The certificate serves two purposes: the client uses it to authenticate the identity of the server, and it contains the server's public key, with which the client encrypts the information used to generate the later data encryption key;
206: after receiving the server's digital certificate (Certificate), the content auditing device generates a public/private key pair, replaces the public key information in the digital certificate with the public key of this key pair, and sends the modified digital certificate (Certificate*) to the client;
207: the server sends a ServerHelloDone message to the content auditing device, indicating the end of the server's response messages;
at this point the server has proved its identity to the client, the two sides have agreed on the data encryption suite and data compression algorithm, and the client has obtained a key with which to encrypt the information used to generate the later data encryption key;
208: after receiving the ServerHelloDone message sent by the server, the content auditing device sends a ServerHelloDone* message to the client, indicating the end of the response messages;
209: after receiving the digital certificate and the ServerHelloDone* message, the client selects a first random number, generates a first key according to the first random number, and sends a ClientKeyExchange message to the server carrying the first random number; to enhance security, the first random number is encrypted with the public key in the digital certificate sent by the content auditing device; the firewall forwards the message to the content auditing device;
210: after receiving the ClientKeyExchange message, the content auditing device decrypts the first random number with its own private key and generates the first key according to the first random number; it then selects a second random number, generates a second key according to the second random number, encrypts the second random number with the server's public key, and sends a ClientKeyExchange* message carrying the encrypted second random number to the server in the identity of the client;
211: the client sends a ChangeCipherSpec message to the server carrying the confirmed data encryption algorithm and Hash message authentication code algorithm, which for security are encrypted with the public key of the content auditing device, and informing the server that subsequent data will be encrypted with the newly generated first key and the negotiated algorithms; the firewall forwards the message to the content auditing device;
212: after receiving the ChangeCipherSpec message, the content auditing device decrypts the confirmed data encryption algorithm and Hash message authentication code algorithm with its own private key and sends a ChangeCipherSpec* message to the server in the identity of the client, carrying the confirmed data encryption algorithm and Hash message authentication code algorithm encrypted with the server's public key;
213: the client sends a Finished message to the server, indicating the end of the handshake on the client side; the firewall forwards the message to the content auditing device;
214: after receiving the Finished message, the content auditing device sends a Finished* message to the server in the identity of the client;
215: after receiving the ClientKeyExchange* and ChangeCipherSpec* messages, the server decrypts the information they carry with its own private key to obtain the second random number, confirms the data encryption algorithm and Hash message authentication code algorithm, and generates the second key according to the second random number; after receiving the Finished* message, it returns a ChangeCipherSpec message confirming the negotiated algorithms;
from then on, communication between the server and the content auditing device is encrypted/decrypted with the second key;
216: after receiving the ChangeCipherSpec message returned by the server, the content auditing device responds to the client with a ChangeCipherSpec* message in the identity of the server, confirming the negotiated algorithms;
217: the server sends a Finished message, indicating the end of the handshake on the server side;
218: after receiving the Finished message sent by the server, the content auditing device sends a Finished* message to the client;
219: after both parties have completed the handshake, the client and the server send data to each other; the data pass through the content auditing device, which monitors the communication content of the two parties.
After the handshake is complete, the client encrypts/decrypts transmission data with the first key, the server encrypts/decrypts transmission data with the second key, and the content auditing device encrypts/decrypts the data exchanged with the client using the first key and the data exchanged with the server using the second key.
In this method the content auditing device, that is, the man-in-the-middle, is inserted between the normal client and server and has the functions of both a client and a server.
When the client initiates a connection, the content auditing device responds to it and at the same time imitates the client in initiating a connection to the server; the server sends its digital certificate to the content auditing device. Since the content auditing device does not hold the server's private key, in order to decrypt the encrypted information later sent by the client it must re-forge the certificate on the basis of certain key information in it (the public key information) and send the forged certificate to the client;
further, the content auditing device simultaneously establishes two different SSL links, one with the client and one with the server, and negotiates the security encryption suite of each link with the respective party; once the security capability negotiation of the links is complete, the content auditing device can store and forward data on the two links unhindered, and thereby monitors the communication content of both sides.
In this embodiment the client's traffic is forwarded to the content auditing device through a firewall with a network address translation function, and the content auditing device obtains the content exchanged between the client and the server by impersonating the identity of each towards the other, so that the communication between client and server is monitored, the content auditing requirement for encrypted links in practical application is met, and the secret information of an enterprise or company is better protected.
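The step the whole scheme rests on is 206: the auditing device substitutes its own public key into the server's certificate and then terminates two separate SSL links. What a practitioner deploying or auditing such a device needs to know is how a client reacts to that certificate, because that decides whether the interception is transparent or is rejected and logged. The Go program below is an added illustration, not code from the patent or from the assignee. It constructs everything in memory (the names "Example Public CA", "server.example" and "Audit Device CA" and the serial numbers are made up): a public CA, a genuine server certificate under it, and two variants of the substituted certificate, one with the public key bytes overwritten in place as step 206 describes literally, and one re-issued under the auditing device's own CA, which is how such devices are deployed in practice. Each variant is then checked with ordinary chain validation (Go's x509.Certificate.Verify) and against an SPKI pin of the real server key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates: the public CA the client trusts,
// the genuine server certificate issued under it, the auditing device's own CA,
// a copy of the genuine certificate whose public key bytes were overwritten in
// place (step 206 taken literally), and a copy re-issued under the device's CA.
type Scenario struct {
	PublicCA, Genuine, AuditCA, Tampered, Resigned *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs tmpl for pub with issuerKey and returns the parsed certificate.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// selfSignedCA builds a minimal CA certificate; names and serials are made up.
func selfSignedCA(serial int64, name string, key *ecdsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(t, t, &key.PublicKey, key)
}

// BuildScenario generates all keys and certificates in memory.
func BuildScenario() Scenario {
	now := time.Now()
	caKey, srvKey, auditKey, devKey := newKey(), newKey(), newKey(), newKey()
	publicCA := selfSignedCA(1, "Example Public CA", caKey)
	auditCA := selfSignedCA(2, "Audit Device CA", auditKey)

	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "server.example"},
		DNSNames:    []string{"server.example"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	genuine := issue(srvTmpl, publicCA, &srvKey.PublicKey, caKey)

	// Variant A: overwrite the SubjectPublicKeyInfo inside the genuine DER with the
	// device's key. Both keys are P-256, so the encoding keeps its length and the
	// certificate still parses, but the CA's signature now covers the wrong bytes.
	devSPKI, err := x509.MarshalPKIXPublicKey(&devKey.PublicKey)
	must(err)
	if len(devSPKI) != len(genuine.RawSubjectPublicKeyInfo) {
		panic("SubjectPublicKeyInfo length differs; in-place overwrite would corrupt the DER")
	}
	tampered, err := x509.ParseCertificate(bytes.Replace(genuine.Raw, genuine.RawSubjectPublicKeyInfo, devSPKI, 1))
	must(err)

	// Variant B: same subject and names, device's key, signed by the device's own CA.
	resigned := issue(srvTmpl, auditCA, &devKey.PublicKey, auditKey)
	return Scenario{publicCA, genuine, auditCA, tampered, resigned}
}

// VerifyAs performs the check a validating client performs: build a chain from
// leaf to root and match the hostname. A nil error means the client accepts it.
func VerifyAs(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a
// public-key-pinning client compares against its stored pin.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	s := BuildScenario()
	pin := SPKIPin(s.Genuine) // what a pinning client would have stored for server.example
	cases := []struct {
		name       string
		leaf, root *x509.Certificate
	}{
		{"genuine, public CA trusted", s.Genuine, s.PublicCA},
		{"tampered, public CA trusted", s.Tampered, s.PublicCA},
		{"re-signed, public CA trusted", s.Resigned, s.PublicCA},
		{"re-signed, audit CA trusted", s.Resigned, s.AuditCA},
	}
	for _, c := range cases {
		fmt.Printf("%-30s chain valid: %-5v pin matches: %v\n", c.name,
			VerifyAs(c.leaf, c.root, "server.example") == nil, SPKIPin(c.leaf) == pin)
	}
}
```

Running it with `go run` prints one line per case. The outcome is the caveat that matters for a deployment: overwriting the key inside the genuine certificate breaks the CA's signature, so every client that validates the chain rejects it; the re-issued variant is accepted only by clients that carry the auditing device's CA in their trust store, which is why such devices must be paired with managed trust-store distribution; and SPKI pinning flags both variants regardless of the trust store, because the pinned hash is that of the real server key. A defender can therefore expect pinned applications to fail, and can use a trust-store audit or a pin mismatch log as the signal that traffic is being terminated by an intermediary.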
Example 2
Referring to fig. 3, the present embodiment provides a content auditing system based on a security protocol, including: a first communication party 301, a second communication party 302, a firewall 303 and a content auditing device 304; wherein,
the firewall 303 is configured to, after receiving the connection request sent by the first communication party 301, convert a destination address of the connection request into an address of the content auditing apparatus 304, and send the connection request after the destination address is converted to the content auditing apparatus 304;
the content auditing device 304 is configured to receive the connection request, initiate connection to the second communication party 302 corresponding to the connection request, generate a public key, establish a security protocol link with the first communication party 301 according to the public key, and establish a security protocol link with the second communication party 302 according to the public key of the second communication party 302; data forwarded by the first communication partner 301 or the second communication partner 302 over the secure protocol link is monitored.
Further, the content auditing apparatus 304 includes:
a receiving module 304a, configured to receive a connection request sent by the firewall 303, a digital certificate sent by the second communication party 302, and data of interaction between the first communication party 301 and the second communication party 302;
a connection initiating module 304b, configured to initiate a connection to the second communication party 302 after the receiving module 304a receives the connection request;
the digital certificate processing module 304c is configured to, after the receiving module 304a receives the digital certificate sent by the second communication party 302 and carrying the public key of the second communication party 302, generate a public key, replace the public key of the second communication party 302 in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party 301;
a secure link establishing module 304d, configured to establish a secure protocol link with the first communication party 301 according to the public key in the digital certificate modified by the digital certificate processing module 304c, and establish a secure protocol link with the second communication party 302 according to the digital certificate carrying the public key of the second communication party 302 received by the receiving module 304 a;
and the auditing module 304e is used for monitoring data forwarded by the first communication party 301 or the second communication party 302 through the security protocol link established by the security link establishing module 304 d.
Further, in order to enhance security, the first communication party 301 of the system is provided with security measures, specifically:
the first communication party 301 is configured to send a connection request to the second communication party 302, where the connection request carries security information comprising: the security protocol version, encryption suites and compression algorithms supported by the first communication party 301;
correspondingly, the connection initiating module 304b is specifically configured to forward the connection request to the second communication party 302 by using the identity of the first communication party 301 after the receiving module 304a receives the connection request;
the second communication partner 302 of the system also has corresponding security measures, specifically:
the second communication party 302 is configured to, after receiving the connection request, select a data encryption suite and a compression algorithm to be used from the security information in the connection request, and send a digital certificate to the content auditing device 304, where the digital certificate carries the public key information, the data encryption suite and the compression algorithm of the second communication party 302.
Wherein the first communication partner 301 comprises:
a request sending module, configured to send a connection request to the second communication party 302, where the connection request carries security information, where the security information includes: the security protocol version, encryption suite and compression algorithm supported by the first correspondent 301;
an encryption key sending module, configured to obtain a public key of the content auditing device 304 from the digital certificate after receiving the digital certificate, confirm the data encryption suite and the compression algorithm selected by the second communication party 302, select a first random number, generate a first key according to the first random number, encrypt the first random number using the public key of the content auditing device 304, and send the encrypted first random number;
the secure link establishment module 304d includes:
the decryption submodule is configured to decrypt the encrypted first random number sent by the first communication party 301 with the content auditing device's own private key to obtain the first random number, and to generate a first key according to the first random number;
the encryption submodule is configured to select a second random number, generate a second key according to the second random number, encrypt the second random number using the public key of the second communication party 302, and send the encrypted second random number to the second communication party 302;
correspondingly, the second communication party 302 is further configured to decrypt the encrypted second random number with its own private key after receiving the encrypted second random number to obtain a second random number, and generate a second key according to the second random number;
the first communication party and the content auditing apparatus 304 encrypt/decrypt transmission data using the first key;
the second party 302 and the content auditing apparatus 304 use the second key to encrypt/decrypt the transmission data.
In this embodiment, the first communication party may be a client, and the second communication party may be a server.
In the system of this embodiment, the firewall redirects the traffic of the first communication party to the content auditing device, and the content auditing device obtains the content exchanged between the first and second communication parties by impersonating each party towards the other. The communication between the two parties is thereby monitored, which meets the practical need to audit content on an encrypted link and better protects the confidential information of an enterprise or company.
Example 3
Referring to fig. 4, this embodiment provides a content auditing apparatus comprising:
a receiving module 401, configured to receive the connection request sent by a first communication party, the digital certificate sent by a second communication party, and the data exchanged between the first and second communication parties;
a connection initiating module 402, configured to initiate a connection to the second communication party corresponding to the connection request once the receiving module 401 has received the connection request of the first communication party;
a digital certificate processing module 403, configured to generate a public key once the receiving module 401 has received the digital certificate carrying the public key of the second communication party, replace the public key of the second communication party in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party;
a secure link establishing module 404, configured to establish a secure protocol link with the first communication party on the basis of the public key in the digital certificate modified by the digital certificate processing module 403, and a secure protocol link with the second communication party on the basis of the digital certificate carrying the public key of the second communication party received by the receiving module 401;
and an auditing module 405, configured to monitor the data forwarded by the first communication party and/or the second communication party over the secure protocol links established by the secure link establishing module 404.
The secure link establishing module 404 specifically comprises:
a decryption submodule, configured to decrypt the encrypted first random number sent by the first communication party with the private key of the content auditing apparatus (the counterpart of the public key inserted into the certificate), obtain the first random number and generate a first key from it;
an encryption submodule, configured to select a second random number, generate a second key from it, encrypt the second random number with the public key of the second communication party and send the encrypted second random number to the second communication party;
and a data transmission submodule, configured to encrypt/decrypt the data exchanged with the first communication party using the first key generated by the decryption submodule, and to encrypt/decrypt the data exchanged with the second communication party using the second key generated by the encryption submodule.
In this embodiment, the first communication party may be a client, and the second communication party may be a server.
The content auditing apparatus of this embodiment obtains the content exchanged between the first and second communication parties by impersonating each party towards the other. The communication between the two parties is thereby monitored, which meets the practical need to audit content on an encrypted link and better protects the confidential information of an enterprise or company.
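The handshake of Examples 2 and 3 and of claims 1 and 2, modelled end to end in Python as an added example; this is not the patent's code, and the patent gives no implementation. Textbook RSA over fixed small primes, a SHA-256 keystream with an HMAC tag and a 56-bit random number stand in for the real public-key operation, cipher suite and pre-master secret, and the addresses, names and the message are constructed. One step goes beyond the text and is an assumption: the device does not merely overwrite the public key in the server's certificate but re-signs the certificate with a CA key of its own, because the original issuer's signature covers the public key and stops verifying once the key is replaced. Whether the client trusts that device CA decides whether the interception succeeds, and the demo exercises both cases.

```python
"""Toy model of the auditing device of Examples 2/3 and claims 1/2: added illustration, not the
patent's code. Textbook RSA over fixed primes and a SHA-256 keystream; nothing here is secure."""
import hashlib
import hmac
import os
def rsa_keypair(p, q, e=65537):  # textbook RSA over toy primes; keys are (n, exponent)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa(key, x):  # encrypt/verify with a public key, decrypt/sign with a private key
    return pow(x, key[1], key[0])

def digest7(data):  # 7-byte SHA-256 prefix, small enough to sign under the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")

def derive_key(r):  # "generate a key according to the random number"
    return hashlib.sha256(b"key|" + r.to_bytes(8, "big")).digest()

def seal(key, data):  # toy record layer: SHA-256 keystream XOR, then an HMAC tag
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("record integrity check failed")
    return seal(key, ct)[:-32]  # XOR with the same keystream undoes the encryption

def issue_cert(ca_name, ca_priv, subject, pub):  # the signature covers subject and public key
    return {"subject": subject, "issuer": ca_name, "pubkey": pub,
            "sig": rsa(ca_priv, digest7(f"{subject}|{pub}".encode()))}

def cert_ok(cert, trusted):  # client-side check: trusted issuer and a valid signature
    ca_pub = trusted.get(cert["issuer"])
    fields = f"{cert['subject']}|{cert['pubkey']}".encode()
    return ca_pub is not None and rsa(ca_pub, cert["sig"]) == digest7(fields)

class Firewall:  # claim 2: rewrite the destination to the device and remember the real server
    def __init__(self, audit_addr):
        self.audit_addr, self.nat = audit_addr, {}
    def dnat(self, src, dst):
        self.nat[src] = dst
        return src, self.audit_addr

class Client:  # first communication party
    def __init__(self, trusted):
        self.trusted = trusted
    def client_hello(self):
        return {"version": "TLSv1.0", "suites": ["RSA-AES128-SHA"], "compression": ["null"]}
    def key_exchange(self, server_hello):
        if not cert_ok(server_hello["cert"], self.trusted):
            raise ValueError("certificate rejected")
        r1 = int.from_bytes(os.urandom(7), "big")  # first random number (56 bits, below n)
        self.key = derive_key(r1)  # first key
        return rsa(server_hello["cert"]["pubkey"], r1)

class Server:  # second communication party
    def __init__(self, cert, priv):
        self.cert, self.priv = cert, priv
    def server_hello(self, client_hello):  # picks the suite and compression from the client's offer
        return {"cert": self.cert, "suite": client_hello["suites"][0],
                "compression": client_hello["compression"][0]}
    def key_exchange(self, enc_r2):
        self.key = derive_key(rsa(self.priv, enc_r2))  # second key

class AuditDevice:
    def __init__(self, firewall, servers, ca_name, ca_priv):
        self.fw, self.servers, self.ca_name, self.ca_priv, self.audited = firewall, servers, ca_name, ca_priv, []
        self.pub, self.priv = rsa_keypair(1000000087, 1000000093)  # "generates a public key"
    def handshake(self, client, src):
        server = self.servers[self.fw.nat[src]]  # real destination, looked up in the NAT table
        server_hello = server.server_hello(client.client_hello())  # forwarded as the client
        real = server_hello["cert"]
        # Swap in our key; the issuer's signature no longer verifies, so re-sign with a device CA (assumption)
        forged = issue_cert(self.ca_name, self.ca_priv, real["subject"], self.pub)
        enc_r1 = client.key_exchange({**server_hello, "cert": forged})
        self.k1 = derive_key(rsa(self.priv, enc_r1))  # first key, shared with the client
        r2 = int.from_bytes(os.urandom(7), "big")  # second random number
        self.k2 = derive_key(r2)  # second key, shared with the server
        server.key_exchange(rsa(real["pubkey"], r2))
        return server
    def forward(self, blob):  # audit point: plaintext exists only on the device
        plaintext = unseal(self.k1, blob)
        self.audited.append(plaintext)
        return seal(self.k2, plaintext)  # re-encrypted for the second communication party

def run_demo(trust_device_ca=True, message=b"GET /secret HTTP/1.1"):
    real_ca_pub, real_ca_priv = rsa_keypair(1000000007, 998244353)
    dev_ca_pub, dev_ca_priv = rsa_keypair(1000000009, 999999937)
    srv_pub, srv_priv = rsa_keypair(1000000021, 1000000033)
    fw = Firewall("10.0.0.2")
    server = Server(issue_cert("RealCA", real_ca_priv, "server.example", srv_pub), srv_priv)
    device = AuditDevice(fw, {"203.0.113.10": server}, "AuditCA", dev_ca_priv)
    trusted = {"RealCA": real_ca_pub, **({"AuditCA": dev_ca_pub} if trust_device_ca else {})}
    client = Client(trusted)
    src, _ = fw.dnat("192.0.2.5", "203.0.113.10")  # the client addresses the real server
    peer = device.handshake(client, src)  # raises ValueError if the client rejects the certificate
    delivered = unseal(peer.key, device.forward(seal(client.key, message)))
    return device.audited[0], delivered  # both equal `message` when the client trusts AuditCA
```

run_demo() returns the plaintext the device audited and the plaintext the server decrypted, which are identical; run_demo(trust_device_ca=False) raises ValueError("certificate rejected"), the failure mode a deployment has to plan for by distributing the device's CA certificate to every client it audits. The Firewall class stands in for the destination-NAT step of claim 2: without the recorded original destination (on Linux the SO_ORIGINAL_DST socket option exposes it for redirected connections) the device cannot know which second communication party to connect to.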
Those skilled in the art will understand that all or part of the steps of the method embodiments described above can be implemented by a computer program stored in a computer-readable storage medium; when executed, the program carries out the steps of those method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The present invention is not limited to the preferred embodiments described above; any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within its scope of protection.

Claims (7)

1. A security protocol-based content auditing method, the method comprising:
a content auditing device receives a connection request from a first communication party, initiates a connection to the second communication party corresponding to the connection request, and receives a digital certificate returned by the second communication party which carries the public key of the second communication party;
the content auditing device generates a public key, replaces the public key of the second communication party in the digital certificate with the generated public key, and sends the modified digital certificate to the first communication party;
the first communication party receives the digital certificate, obtains the public key of the content auditing device from it, confirms the data encryption suite and the compression algorithm selected by the second communication party, selects a first random number, generates a first key from the first random number, encrypts the first random number with the public key of the content auditing device, and sends the encrypted first random number;
the content auditing device receives the encrypted first random number, decrypts it with its own private key to obtain the first random number, and generates the first key from the first random number, wherein the first communication party and the content auditing device use the first key to encrypt/decrypt transmitted data;
the content auditing device selects a second random number, generates a second key from the second random number, encrypts the second random number with the public key of the second communication party, and sends the encrypted second random number to the second communication party;
the second communication party receives the encrypted second random number, decrypts it with its own private key to obtain the second random number, and generates the second key from the second random number, wherein the second communication party and the content auditing device use the second key to encrypt/decrypt transmitted data;
and the content auditing device monitors the data transmitted by the first communication party, by means of the first key, or by the second communication party, by means of the second key.
2. The security protocol-based content auditing method according to claim 1, wherein, before the content auditing device receives the connection request from the first communication party, the method further comprises:
a firewall receives a connection request sent by the first communication party, wherein the destination address of the connection request is the address of the second communication party;
and the firewall converts the destination address of the connection request into the address of the content auditing device and sends on the connection request with the converted destination address.
3. The security protocol-based content auditing method according to claim 1, wherein the connection request from the first communication party carries security information including a security protocol version, the data encryption suites and the compression algorithms supported by the first communication party;
and, correspondingly, initiating the connection to the second communication party corresponding to the connection request and receiving the digital certificate returned by the second communication party which carries its public key specifically comprises:
the content auditing device forwards the connection request to the second communication party under the identity of the first communication party;
and the second communication party, after receiving the connection request, selects the data encryption suite and the compression algorithm to be used from the security information in the connection request and sends a digital certificate to the content auditing device, wherein the digital certificate carries the public key of the second communication party, the selected data encryption suite and the selected compression algorithm.
4. A security protocol-based content auditing system comprising a first communication party and a second communication party, characterized in that the system further comprises a firewall and a content auditing device, wherein:
the firewall is configured to, after receiving a connection request sent by the first communication party, convert the destination address of the connection request into the address of the content auditing device and send the connection request with the converted destination address to the content auditing device;
the content auditing device is configured to receive the connection request, initiate a connection to the second communication party corresponding to the connection request, and receive a digital certificate returned by the second communication party which carries the public key of the second communication party; generate a public key, replace the public key of the second communication party in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party; receive the first random number encrypted by the first communication party, decrypt it with the private key of the content auditing device to obtain the first random number, and generate a first key from the first random number, wherein the first key is used by the first communication party and the content auditing device to encrypt/decrypt transmitted data; select a second random number, generate a second key from the second random number, encrypt the second random number with the public key of the second communication party, and send the encrypted second random number to the second communication party; and monitor the data transmitted by the first communication party, by means of the first key, or by the second communication party, by means of the second key;
the first communication party is configured to receive the digital certificate, obtain the public key of the content auditing device from it, confirm the data encryption suite and the compression algorithm selected by the second communication party, select a first random number, generate the first key from the first random number, encrypt the first random number with the public key of the content auditing device, and send the encrypted first random number;
and the second communication party is configured to receive the encrypted second random number, decrypt it with its own private key to obtain the second random number, and generate the second key from the second random number, wherein the second communication party and the content auditing device use the second key to encrypt/decrypt transmitted data.
5. The security protocol-based content auditing system according to claim 4, wherein the first communication party is specifically configured to send a connection request to the second communication party, the connection request carrying security information that includes a security protocol version, the data encryption suites and the compression algorithms supported by the first communication party;
correspondingly, the content auditing device is configured to forward the connection request to the second communication party under the identity of the first communication party after receiving it;
and the second communication party is specifically configured to, after receiving the connection request, select the data encryption suite and the compression algorithm to be used from the security information in the connection request and send a digital certificate to the content auditing device, wherein the digital certificate carries the public key of the second communication party, the selected data encryption suite and the selected compression algorithm.
6. The security protocol-based content auditing system according to claim 5, wherein the first communication party comprises:
a request sending module, configured to send a connection request to the second communication party, the connection request carrying security information that includes a security protocol version, the data encryption suites and the compression algorithms supported by the first communication party;
and an encryption key sending module, configured to, after receiving the digital certificate, obtain the public key of the content auditing device from it, confirm the data encryption suite and the compression algorithm selected by the second communication party, select a first random number, generate a first key from the first random number, encrypt the first random number with the public key of the content auditing device, and send the encrypted first random number.
7. A content auditing apparatus, comprising:
a receiving module, configured to receive a connection request sent by a first communication party, a digital certificate sent by a second communication party, and the data exchanged between the first communication party and the second communication party;
a connection initiating module, configured to initiate a connection to the second communication party corresponding to the connection request once the receiving module has received the connection request of the first communication party;
a digital certificate processing module, configured to generate a public key once the receiving module has received the digital certificate sent by the second communication party which carries the public key of the second communication party, replace the public key of the second communication party in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party;
a secure link establishing module, configured to receive the encrypted first random number from the first communication party, decrypt it with the private key of the content auditing apparatus to obtain the first random number, and generate a first key from the first random number, wherein the first key is used by the first communication party and the content auditing apparatus to encrypt/decrypt transmitted data; and to select a second random number, generate a second key from the second random number, encrypt the second random number with the public key of the second communication party, and send the encrypted second random number to the second communication party;
and an auditing module, configured to monitor the data forwarded by the first communication party or the second communication party over the secure protocol link established by the secure link establishing module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101144315A CN101325519B (en) 2008-06-05 2008-06-05 Content auditing method, system based on safety protocol and content auditing equipment

Publications (2)

Publication Number Publication Date
CN101325519A CN101325519A (en) 2008-12-17
CN101325519B (en) 2011-02-16

Family

ID=40188861

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019037685A1 (en) * 2017-08-23 2019-02-28 Huawei Technologies Co., Ltd. QUIC service control method and network apparatus

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780410B (en) * 2012-10-19 2017-06-06 Surfilter Network Technology Co., Ltd. Content acquisition system and method for encrypted applications
CN102932350B (en) * 2012-10-31 2016-06-15 Huawei Technologies Co., Ltd. Method and apparatus for TLS scanning
CN103905425A (en) * 2013-12-27 2014-07-02 Harbin Antiy Technology Co., Ltd. Method and system for capturing encrypted data of malicious code network behaviour
CN105743868B (en) * 2014-12-11 2019-01-25 Institute of Acoustics, Chinese Academy of Sciences Data collection system and method supporting encrypted and non-encrypted protocols
CN106341375B (en) * 2015-07-14 2021-01-01 Tencent Technology (Shenzhen) Co., Ltd. Method and system for realizing encrypted access to resources
CN106533689B (en) * 2015-09-15 2019-07-30 Alibaba Group Holding Ltd. Method and apparatus for loading digital certificates in SSL/TLS communication
CN106899559A (en) * 2015-12-21 2017-06-27 Shanghai Jiao Tong University Android Auto secure communication method and system based on TrustZone technology
CN107124385B (en) * 2016-02-24 2020-02-04 Institute of Acoustics, Chinese Academy of Sciences Mirrored-traffic-based SSL/TLS protocol plaintext data acquisition method
CN107979481A (en) * 2016-10-25 2018-05-01 Aisino Corporation Transmitting terminal, receiving terminal, data exchange platform and method executed thereby
CN108965307A (en) * 2018-07-26 2018-12-07 Sangfor Technologies Inc. HTTPS protocol ciphertext data auditing method, system and related apparatus
CN112035851A (en) * 2020-07-22 2020-12-04 Beijing Zhongan Xingyun Software Technology Co., Ltd. SSL-based MySQL database auditing method
CN112637348B (en) * 2020-12-23 2022-05-10 Beijing Kingsoft Cloud Network Technology Co., Ltd. Connection establishing method, device and system and electronic equipment
CN114221799B (en) * 2021-12-10 2024-03-22 Digital Currency Institute of the People's Bank of China Communication monitoring method, device and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1383351A2 (en) * 2002-07-08 2004-01-21 Matsushita Electric Industrial Co., Ltd. Device authentication system
CN1708018A (en) * 2004-06-04 2005-12-14 华为技术有限公司 Method for switching in radio local-area network mobile terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Teng Meng (藤猛). Research on key security technologies of distributed object middleware. China Doctoral Dissertations Full-text Database, Information Science and Technology series, 2005, (2), pp. 71-87: Chapter 5 and Section 6.1 of Chapter 6, with the corresponding figures. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110216

Termination date: 20180605