CN101325519B - Content auditing method, system based on safety protocol and content auditing equipment - Google Patents


Info

Publication number
CN101325519B
Authority
CN
China
Prior art keywords
communication
random number
content auditing
connection request
digital certificate
Prior art date
Legal status
Expired - Fee Related
Application number
CN2008101144315A
Other languages
Chinese (zh)
Other versions
CN101325519A (en)
Inventor
任亮
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2008101144315A
Publication of CN101325519A
Application granted
Publication of CN101325519B
Current legal status: Expired - Fee Related
Anticipated expiration

Abstract

The invention discloses a content auditing method, system and apparatus based on a security protocol, in the field of communications. The method includes: receiving a connection request from a first communication party; initiating a connection to the corresponding second communication party and receiving the digital certificate, carrying the second party's public key, that the second party returns; generating a public key, replacing the second party's public key in the digital certificate with the generated public key, and sending the modified digital certificate to the first party; establishing security protocol links with the first and second communication parties; and monitoring the data that the first or the second party transmits over the security protocol. The system includes a first communication party, a second communication party, a firewall and a content auditing apparatus. By impersonating the identity of each party toward the other, the content auditing apparatus of the invention can monitor the communication between the first and second communication parties.

Description

Content auditing method, system and content auditing equipment based on security protocol
Technical field
The present invention relates to the communications field, and in particular to a content auditing method, system and content auditing equipment based on a security protocol.
Background technology
SSL (Secure Socket Layer) is a security protocol that sits between the TCP/IP (Transmission Control Protocol / Internet Protocol) transport layer and the application layer. The SSL protocol was initially used mainly to protect HTTP (HyperText Transfer Protocol) exchanges in web browsers; as network security requirements grew, the TLS (Transport Layer Security) protocol was proposed. Most of the functionality of the TLS protocol is based on SSL version 3.
The prior art includes a communication method based on the SSL/TLS protocol; the process by which a client communicates with a server is briefly introduced below:
The client first establishes an SSL connection with the server and negotiates the cipher suite and compression algorithm to use;
The server then sends its own digital certificate to the client. The certificate serves two purposes: it allows the client to authenticate the identity of the server, and it contains the server's public key, with which the client encrypts the information later used to produce the data encryption key;
At this point the server has proved its identity to the client, both sides have agreed on the data encryption suite and data compression algorithm, and the client has obtained the key with which to encrypt the information later used to produce the data encryption key;
The client generates the information from which the data encryption key is produced, sends it to the server, and sends the confirmed data encryption algorithm and hash message authentication code algorithm to the server, notifying the server that from now on data will be encrypted with the newly produced key and the negotiated algorithms;
Finally, the client and the server exchange application data, which may include the username and password the client sends to the server; the connection is closed after the data transfer finishes, which at the same time serves to prevent attacks on the terminal.
In the course of realizing the present invention, the inventor found that the prior art has at least the following problem:
The data transmitted in the above communication process is kept secure in transit by encryption, but this mode of communication makes content auditing (a means of monitoring and filtering network communication content) difficult. The prior art has no corresponding content auditing method for communication over a security protocol, which hinders the supervision of information. For example, a company may need to monitor network communication between its employees and clients or other persons in order to ensure that company secrets are not disclosed to outsiders; this requires a corresponding content auditing method to monitor the communication content.
Summary of the invention
In order to monitor the communication content of both communicating parties, embodiments of the invention provide a content auditing method, system and content auditing equipment based on a security protocol. The technical scheme is as follows:
A content auditing method based on a security protocol, the method comprising:
The content auditing equipment receives a connection request from a first communication party, initiates a connection to the second communication party corresponding to the connection request, and receives the digital certificate, carrying the second communication party's public key, that the second communication party returns;
The content auditing equipment generates a public key, replaces the second communication party's public key in the digital certificate with that public key, and sends the modified digital certificate to the first communication party;
The first communication party receives the digital certificate, obtains the content auditing equipment's public key from it, confirms the data encryption suite and compression algorithm selected by the second communication party, selects a first random number, generates a first key from the first random number, encrypts the first random number with the content auditing equipment's public key, and sends the encrypted first random number;
The content auditing equipment receives the encrypted first random number, decrypts it with its own private key to obtain the first random number, and generates the first key from the first random number; the first communication party and the content auditing equipment then use the first key to encrypt and decrypt the data they transmit;
The content auditing equipment selects a second random number, generates a second key from the second random number, encrypts the second random number with the second communication party's public key, and sends the encrypted second random number to the second communication party;
The second communication party receives the encrypted second random number, decrypts it with its own private key to obtain the second random number, and generates the second key from the second random number; the second communication party and the content auditing equipment then use the second key to encrypt and decrypt the data they transmit;
The content auditing equipment monitors the data that the first communication party transmits under the first key or that the second communication party transmits under the second key.
A content auditing system based on a security protocol comprises a first communication party and a second communication party, and further comprises a firewall and content auditing equipment, wherein:
The firewall, upon receiving a connection request sent by the first communication party, translates the destination address of the connection request to the address of the content auditing equipment and forwards the connection request with the translated destination address to the content auditing equipment;
The content auditing equipment receives the connection request, initiates a connection to the second communication party corresponding to the connection request, and receives the digital certificate, carrying the second communication party's public key, that the second communication party returns; generates a public key, replaces the second communication party's public key in the digital certificate with it, and sends the modified digital certificate to the first communication party; receives the encrypted first random number from the first communication party, decrypts it with its own private key to obtain the first random number, and generates the first key from the first random number, the first key being used by the equipment and the first communication party to encrypt and decrypt transmitted data; selects a second random number, generates a second key from it, encrypts the second random number with the second communication party's public key, and sends the encrypted second random number to the second communication party; and monitors the data that the first communication party transmits under the first key or the second communication party transmits under the second key;
The first communication party receives the digital certificate, obtains the content auditing equipment's public key from it, confirms the data encryption suite and compression algorithm selected by the second communication party, selects a first random number, generates a first key from the first random number, encrypts the first random number with the content auditing equipment's public key, and sends the encrypted first random number;
The second communication party receives the encrypted second random number, decrypts it with its own private key to obtain the second random number, and generates the second key from the second random number, the second key being used by the second communication party and the content auditing equipment to encrypt and decrypt transmitted data.
Content auditing equipment, the equipment comprising:
a receiving module, for receiving the connection request sent by the first communication party, the digital certificate sent by the second communication party, and the data exchanged between the first communication party and the second communication party;
a connection initiating module, for initiating a connection to the second communication party corresponding to the connection request after the receiving module receives the first communication party's connection request;
a digital certificate processing module, for generating a public key after the receiving module receives the digital certificate carrying the second communication party's public key sent by the second communication party, replacing the second communication party's public key in the digital certificate with the generated public key, and sending the modified digital certificate to the first communication party;
a secure link establishing module, for receiving the encrypted first random number from the first communication party, decrypting it with the equipment's own private key to obtain the first random number, and generating the first key from the first random number, the first key being used by the equipment and the first communication party to encrypt and decrypt transmitted data; and for selecting a second random number, generating a second key from it, encrypting the second random number with the second communication party's public key, and sending the encrypted second random number to the second communication party;
an auditing module, for monitoring the data that the first communication party or the second communication party transmits over the security protocol links established by the secure link establishing module.
By impersonating the identities of the first and second communication parties, the content auditing equipment in the embodiments of the invention can obtain the content exchanged between the two parties and thereby monitor their communication, meeting the practical need for content auditing of encrypted links and better protecting the confidential information of an enterprise or organization.
Description of drawings
To illustrate the embodiments of the invention or the prior-art technical schemes more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the content auditing method based on a security protocol provided by embodiment 1 of the invention;
Fig. 2 is the signalling exchange diagram of the content auditing method based on a security protocol provided by embodiment 1 of the invention;
Fig. 3 is a schematic diagram of the content auditing system based on a security protocol provided by embodiment 2 of the invention;
Fig. 4 is a schematic diagram of the content auditing equipment provided by embodiment 3 of the invention.
Embodiment
The technical scheme of the embodiments of the invention is described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the embodiments of the invention, all data traffic between the first and second communication parties is relayed through the content auditing equipment, so that the content of the two parties' interaction can be monitored without either party noticing, preventing the leakage of confidential enterprise information.
Embodiment 1
Referring to Fig. 1, this embodiment provides a content auditing method based on a security protocol. The method is described taking a client as the first communication party, a server as the second communication party, and content auditing performed by the content auditing equipment as the example; the method comprises:
101: the content auditing equipment receives a connection request from the client;
102: it initiates a connection to the server corresponding to the connection request and receives the digital certificate, carrying the server's public key, that the server returns;
103: the content auditing equipment generates a public key, replaces the server's public key in the digital certificate with that public key, and sends the modified digital certificate to the client;
104: it establishes a security protocol link with the client according to the public key in the modified digital certificate, and establishes a security protocol link with the server according to the digital certificate carrying the server's public key;
105: it monitors the data that the client or the server transmits over the security protocol links.
The security protocol in this embodiment may be the SSL/TLS protocol.
When the above content auditing method is implemented, a firewall with a destination address translation function is used; the firewall forwards the messages or data that the client sends to the server to the content auditing equipment. To the client, the content auditing equipment appears as the server, and to the server it appears as the client, so it acts as an intermediary. Referring to Fig. 2, the signalling exchange of the content auditing method is briefly described as follows:
201: the client sends a ClientHello message, telling the server that it wants to establish an SSL connection and at the same time telling the server the SSL version it supports and the cipher suites and compression algorithms it can use;
When this ClientHello message passes through the firewall, the firewall translates its destination address to the address of the content auditing equipment and forwards the message to the content auditing equipment;
202: after the content auditing equipment receives the ClientHello message, it sends a ClientHello* message to the server in the identity of the client, requesting an SSL connection and carrying the SSL version the client supports and the cipher suites and compression algorithms it can use;
203: after the server receives the ClientHello* message, it treats the content auditing equipment as the client and returns a ServerHello message to the content auditing equipment, notifying it of the selected cipher suite and compression algorithm;
204: after the content auditing equipment receives the ServerHello message, it sends a ServerHello* message to the client in the identity of the server;
205: the server sends its own digital certificate to the content auditing equipment. The certificate has two functions: it allows the client to authenticate the server's identity, and it contains the server's public key, with which the client encrypts the information later used to produce the data encryption key;
206: after the content auditing equipment receives the server's digital certificate (Certificate), it generates a public/private key pair, replaces the public key information in the digital certificate with the public key of that key pair, and sends the modified digital certificate (Certificate*) to the client;
207: the server sends a ServerHelloDone message to the content auditing equipment, indicating the end of the server's response messages;
At this point the server has proved its identity to the client, both sides have agreed on the data encryption suite and data compression algorithm, and the client has obtained the key with which to encrypt the information later used to produce the data encryption key;
208: after the content auditing equipment receives the ServerHelloDone message sent by the server, it sends a ServerHelloDone* message to the client, indicating the end of the response messages;
209: after the client receives the digital certificate and the ServerHelloDone* message, it selects a first random number, generates a first key from the first random number, and sends a ClientKeyExchange message to the server carrying the first random number; to strengthen security, the first random number is encrypted with the public key in the digital certificate sent by the content auditing equipment. This message is forwarded to the content auditing equipment by the firewall;
210: after the content auditing equipment receives the ClientKeyExchange message, it decrypts the first random number with its own private key and generates the first key from the first random number; it then selects a second random number, generates a second key from the second random number, encrypts the second random number with the server's public key, and sends a ClientKeyExchange* message carrying the second random number to the server in the identity of the client;
211: the client sends a ChangeCipherSpec message to the server carrying the confirmed data encryption algorithm and hash message authentication code algorithm; for security, the confirmed data encryption algorithm and hash message authentication code algorithm are encrypted with the content auditing equipment's public key. The message notifies the peer that from now on data will be encrypted with the newly produced first key and the negotiated algorithms. This message is forwarded to the content auditing equipment by the firewall;
212: after the content auditing equipment receives the ChangeCipherSpec message, it decrypts the confirmed data encryption algorithm and hash message authentication code algorithm with its own private key and sends a ChangeCipherSpec* message to the server in the identity of the client, carrying the confirmed data encryption algorithm and hash message authentication code algorithm encrypted with the server's public key;
213: the client sends a Finished message to the server, indicating the end of the handshake on the client side; this message is forwarded to the content auditing equipment by the firewall;
214: after the content auditing equipment receives the Finished message, it sends a Finished* message to the server in the identity of the client;
215: after the server receives the above messages (the ClientKeyExchange* message and the ChangeCipherSpec* message), it decrypts the information they carry with its own private key, obtains the second random number and the confirmed data encryption algorithm and hash message authentication code algorithm, and generates the second key from the second random number; after receiving the Finished* message, it responds with a ChangeCipherSpec message confirming the negotiated algorithms;
From then on, communication between the server and the content auditing equipment is encrypted and decrypted with the second key;
216: after receiving the ChangeCipherSpec message sent in response by the server, the content auditing equipment responds to the client with a ChangeCipherSpec* message in the identity of the server, confirming the negotiated algorithms;
217: the server sends a Finished message, indicating that the handshake on the server side is complete and confirmed;
218: after the content auditing equipment receives the Finished message sent by the server, it sends a Finished* message to the client;
219: after both sides have finished the handshake, the client and the server exchange data; this data is relayed by the content auditing equipment, which monitors the communication content of both parties.
After both sides have finished the handshake, the client encrypts and decrypts transmitted data with the first key and the server with the second key; the content auditing equipment encrypts and decrypts the data exchanged with the client using the first key, and the data exchanged with the server using the second key.
The above method inserts content auditing equipment, that is, a man in the middle, between a normal client and server; this equipment has the functions of both a client and a server.
When the client initiates a connection, the content auditing equipment responds to the connection and at the same time initiates a connection to the server in the guise of the client; the server then sends its own digital certificate to the content auditing equipment. Since the content auditing equipment does not have the server's private key, it must forge a new certificate from key information in that certificate (the public key information) and send the forged certificate to the client, so that it can later decrypt the encrypted information the client sends;
Further, the content auditing equipment establishes two separate SSL links, one with the client and one with the server, and negotiates the security cipher suite of each link with the client and the server respectively. Once the security capability negotiation of each link is complete, the content auditing equipment can freely store and forward the data on each link, and thereby monitor the communication content of both parties.
In this embodiment, a firewall with a network address translation function forwards the client's traffic to the content auditing equipment; the content auditing equipment impersonates the identities of the client and the server, obtains the content exchanged between them and thereby monitors the communication of both parties, meeting the practical need for content auditing of encrypted links and better protecting the confidential information of an enterprise or organization.
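The handshake in steps 201 to 219 above, like the method in the summary of the invention, hinges on step 206: the equipment keeps the server's certificate but swaps in its own public key. The following Go program is an illustration added here, not code from the patent or from any product, of what a client sees on the receiving end and how it detects the swap: it builds a throwaway CA, server key and auditing-device key (all constructed in memory, with assumed names), splices the device's SubjectPublicKeyInfo into the server certificate exactly as step 206 describes, and then checks the issuer's signature and an SPKI pin. It assumes P-256 keys throughout so that the new SPKI has the same DER length as the old one.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and a certificate for it. When isCA is true
// the certificate is self-signed; otherwise it is signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // assumed names, constructed for the demo
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// substituteKey models step 206 of the patent: the auditing equipment keeps the
// server's certificate bytes but overwrites the SubjectPublicKeyInfo with its own
// public key. Every P-256 SPKI has the same DER length, so the outer lengths stay
// valid and the result still parses, but the issuer's signature covers the old key.
func substituteKey(serverCert *x509.Certificate, deviceKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	newSPKI, err := x509.MarshalPKIXPublicKey(&deviceKey.PublicKey)
	if err != nil {
		return nil, err
	}
	oldSPKI := serverCert.RawSubjectPublicKeyInfo
	if len(newSPKI) != len(oldSPKI) || bytes.Count(serverCert.Raw, oldSPKI) != 1 {
		return nil, errors.New("cannot splice SPKI in place")
	}
	return x509.ParseCertificate(bytes.Replace(serverCert.Raw, oldSPKI, newSPKI, 1))
}

// spkiPin returns the HPKP-style pin of a certificate: base64(SHA-256(SPKI DER)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// clientCheck is what the client should do with the certificate it is shown:
// verify the issuer's signature over it and compare the SPKI against a pinned value.
func clientCheck(presented, issuer *x509.Certificate, pin string) error {
	if err := presented.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("issuer signature does not cover this certificate: %w", err)
	}
	if spkiPin(presented) != pin {
		return errors.New("SubjectPublicKeyInfo does not match the pinned key")
	}
	return nil
}

// scenario runs the demo: the genuine certificate must pass, the key-substituted
// one (Certificate* in the patent's notation) must be rejected.
func scenario() (genuine, intercepted, err error) {
	caKey, caCert, err := newCert("Audit Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	_, serverCert, err := newCert("service.example", false, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	deviceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the equipment's own key pair
	if err != nil {
		return nil, nil, err
	}
	pin := spkiPin(serverCert) // pinned by the client out of band, before any interception
	forged, err := substituteKey(serverCert, deviceKey)
	if err != nil {
		return nil, nil, err
	}
	return clientCheck(serverCert, caCert, pin), clientCheck(forged, caCert, pin), nil
}
```

Either check alone is enough to reject Certificate*: the signature check fails because the signed TBS bytes changed, and the pin check fails because the SPKI hash changed, which is why interception products must instead install their own root in the client's trust store rather than edit a signed certificate.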
Embodiment 2
Referring to Fig. 3, this embodiment provides a content auditing system based on a security protocol, comprising a first communication party 301, a second communication party 302, a firewall 303 and content auditing equipment 304, wherein:
The firewall 303, upon receiving a connection request sent by the first communication party 301, translates the destination address of the connection request to the address of the content auditing equipment 304 and forwards the connection request with the translated destination address to the content auditing equipment 304;
The content auditing equipment 304 receives the connection request, initiates a connection to the second communication party 302 corresponding to the connection request, generates a public key, establishes a security protocol link with the first communication party 301 according to that public key, and establishes a security protocol link with the second communication party 302 according to the second communication party 302's public key; it monitors the data that the first communication party 301 or the second communication party 302 transmits over the security protocol links.
Further, the content auditing equipment 304 comprises:
a receiving module 304a, for receiving the connection request forwarded by the firewall 303, the digital certificate sent by the second communication party 302, and the data exchanged between the first communication party 301 and the second communication party 302;
a connection initiating module 304b, for initiating a connection to the second communication party 302 after the receiving module 304a receives the connection request;
a digital certificate processing module 304c, for generating a public key after the receiving module 304a receives the digital certificate carrying the second communication party 302's public key sent by the second communication party 302, replacing the second communication party 302's public key in the digital certificate with the generated public key, and sending the modified digital certificate to the first communication party 301;
a secure link establishing module 304d, for establishing a security protocol link with the first communication party 301 according to the public key in the digital certificate modified by the digital certificate processing module 304c, and establishing a security protocol link with the second communication party 302 according to the digital certificate carrying the second communication party 302's public key received by the receiving module 304a;
an auditing module 304e, for monitoring the data that the first communication party 301 or the second communication party 302 transmits over the security protocol links established by the secure link establishing module 304d.
Further, to strengthen security, the first communication party 301 of the system is provided with security measures, specifically:
The first communication party 301 sends a connection request to the server 302; the connection request carries security information comprising the security protocol version, cipher suites and compression algorithms that the first communication party 301 supports;
Correspondingly, after the receiving module 304a receives the connection request, the connection initiating module 304b forwards the connection request to the second communication party 302 in the identity of the first communication party 301;
The second communication party 302 of the system also has corresponding security measures, specifically:
After receiving the connection request, the second communication party 302 selects the data encryption suite and compression algorithm it intends to use from the security information in the connection request and sends a digital certificate to the content auditing equipment 304; the digital certificate carries the public key information of the second communication party 302 and the selected data encryption suite and compression algorithm.
The first communication party 301 comprises:
a request sending module, for sending a connection request to the second communication party 302, the connection request carrying security information comprising the security protocol version, cipher suites and compression algorithms that the first communication party 301 supports;
an encryption key sending module, for, after the digital certificate is received, obtaining the content auditing equipment 304's public key from the digital certificate, confirming the data encryption suite and compression algorithm selected by the second communication party 302, selecting a first random number, generating a first key from the first random number, encrypting the first random number with the content auditing equipment 304's public key, and sending the encrypted first random number;
The secure link establishing module 304d comprises:
a decryption submodule, for, after receiving the encrypted first random number sent by the first communication party 301, decrypting it with the equipment's own private key to obtain the first random number and generating the first key from the first random number;
an encryption submodule, for selecting a second random number, generating a second key from the second random number, encrypting the second random number with the second communication party 302's public key, and sending the encrypted second random number to the second communication party 302;
Correspondingly, the second communication party 302, after receiving the encrypted second random number, decrypts it with its own private key to obtain the second random number and generates the second key from the second random number;
The first communication party 301 and the content auditing equipment 304 use the first key to encrypt and decrypt transmitted data;
The second communication party 302 and the content auditing equipment 304 use the second key to encrypt and decrypt transmitted data.
In this embodiment the first communication party may be a client and the second communication party may be a server.
The system provided by this embodiment uses a firewall to forward the first communication party's traffic to the content auditing equipment; the content auditing equipment impersonates the identities of the first and second communication parties, obtains the content exchanged between them and thereby monitors the communication of both parties, meeting the practical need for content auditing of encrypted links and better protecting the confidential information of an enterprise or organization.
Embodiment 3
Referring to Fig. 4, the present embodiment provides content auditing equipment comprising:
A receiving module 401, used to receive the connection request sent by the first communication party, the digital certificate sent by the second communication party, and the data exchanged between the first communication party and the second communication party;
A connection initiation module 402, used, after the receiving module 401 receives the first communication party's connection request, to initiate a connection to the second communication party corresponding to the connection request;
A digital certificate processing module 403, used, after the receiving module 401 receives the digital certificate carrying the second communication party's public key sent by the second communication party, to generate a public key, replace the second communication party's public key in the digital certificate with that public key, and send the modified digital certificate to the first communication party;
A secure link establishment module 404, used to establish a security protocol link with the first communication party according to the public key in the digital certificate modified by the digital certificate processing module 403, and to establish a security protocol link with the second communication party according to the digital certificate carrying the second communication party's public key received by the receiving module 401;
An audit module 405, used to monitor the data transmitted by the first communication party and/or the second communication party through the security protocol links established by the secure link establishment module 404.
The secure link establishment module 404 specifically comprises:
A decryption submodule, used, after the encrypted first random number sent by the first communication party is received, to decrypt it with its own private key, obtain the first random number, and generate the first key from the first random number;
An encryption submodule, used to select a second random number, generate a second key from the second random number, encrypt the second random number with the public key of the second communication party, and send the encrypted second random number to the second communication party;
A data transmission submodule, used to encrypt and decrypt the data transmitted with the first communication party using the first key generated by the decryption submodule, and to encrypt and decrypt the data transmitted with the second communication party using the second key generated by the encryption submodule.
In the present embodiment the first communication party may be a client, and the second communication party may be regarded as a server.
By impersonating the first communication party and the second communication party, the content auditing equipment provided by the present embodiment can obtain the content exchanged between them and thereby monitor their communication, meeting the practical need to audit the content of encrypted links and better protecting enterprise or internal confidential information.
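The following Go program is an added simulation, not code from the patent or its assignee, of the three-party key transport described in Embodiments 2 and 3; it also runs the check a practitioner wants, namely that the re-keyed certificate no longer verifies against the server's original issuer, so the first communication party only accepts it if it trusts the content auditing equipment's own CA. Assumptions: constructed keys and CAs stand in for the parties, the key schedule is SHA-256 of the transported random number, and "revising the public key" is modelled as re-issuing the certificate under the equipment's CA (Go standard library only).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort the simulation on any crypto error
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert builds a certificate for pub with subject cn, signed by signer; a nil
// parent means self-signed. CA certs get the key usage CheckSignatureFrom needs,
// leaf certs get key encipherment to match the RSA key transport below.
func issueCert(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// transportRandom models one handshake leg: the sender picks a 32-byte random
// number, RSA-OAEP-encrypts it to the receiver's public key, the receiver decrypts
// it, and both derive their key as SHA-256 of it (assumed key schedule; the patent
// only says "generate a key from the random number"). Both keys are returned.
func transportRandom(recvPub *rsa.PublicKey, recvPriv *rsa.PrivateKey) (senderKey, receiverKey []byte) {
	r := make([]byte, 32)
	must(rand.Read(r))
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, r, nil))
	pt := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, recvPriv, ct, nil))
	s, d := sha256.Sum256(r), sha256.Sum256(pt)
	return s[:], d[:]
}

// AuditResult records what each side holds after the simulated handshake.
type AuditResult struct {
	ClientKey, DeviceClientKey []byte // first key, as derived by client and by equipment
	DeviceServerKey, ServerKey []byte // second key, as derived by equipment and by server
	RekeyedOKUnderServerCA     bool   // modified cert verifies against the real issuer?
	RekeyedOKUnderDeviceCA     bool   // ... against the auditing equipment's own CA?
}

// SimulateAudit runs the three-party exchange with constructed keys and CAs.
func SimulateAudit() *AuditResult {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	serverCAKey, serverKey, deviceCAKey, deviceKey := newKey(), newKey(), newKey(), newKey()
	serverCA := issueCert("Constructed Server CA", &serverCAKey.PublicKey, nil, serverCAKey, true)
	serverCert := issueCert("constructed-service", &serverKey.PublicKey, serverCA, serverCAKey, false)
	deviceCA := issueCert("Constructed Auditing CA", &deviceCAKey.PublicKey, nil, deviceCAKey, true)
	// "Revising the public key" of the server's certificate is modelled as reissuing the
	// same subject with the equipment's key under its own CA (editing the key in place
	// would leave the original issuer's signature invalid just the same).
	rekeyed := issueCert(serverCert.Subject.CommonName, &deviceKey.PublicKey, deviceCA, deviceCAKey, false)
	res := &AuditResult{
		RekeyedOKUnderServerCA: rekeyed.CheckSignatureFrom(serverCA) == nil,
		RekeyedOKUnderDeviceCA: rekeyed.CheckSignatureFrom(deviceCA) == nil,
	}
	// Leg 1: the client encrypts random number 1 to the key in the certificate it got.
	res.ClientKey, res.DeviceClientKey = transportRandom(rekeyed.PublicKey.(*rsa.PublicKey), deviceKey)
	// Leg 2: the equipment encrypts random number 2 to the server's real public key.
	res.DeviceServerKey, res.ServerKey = transportRandom(serverCert.PublicKey.(*rsa.PublicKey), serverKey)
	return res
}
```

The two legs end with independent keys, which is what lets the equipment decrypt with one and re-encrypt with the other; the two signature checks show why a deployment like this needs the equipment's CA installed on the client.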
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (7)

1. A content auditing method based on a security protocol, characterized in that the method comprises:
content auditing equipment receiving a connection request from a first communication party, initiating a connection to a second communication party corresponding to the connection request, and receiving a digital certificate carrying the second communication party's public key returned by the second communication party;
the content auditing equipment generating a public key, replacing the second communication party's public key in the digital certificate with the generated public key, and sending the modified digital certificate to the first communication party;
the first communication party receiving the digital certificate, obtaining the public key of the content auditing equipment from the digital certificate, confirming the data encryption suite and compression algorithm selected by the second communication party, selecting a first random number, generating a first key from the first random number, encrypting the first random number with the public key of the content auditing equipment, and sending the encrypted first random number;
the content auditing equipment receiving the encrypted first random number, decrypting it with its own private key, obtaining the first random number, and generating the first key from the first random number, wherein the first communication party and the content auditing equipment encrypt and decrypt transmitted data with the first key;
the content auditing equipment selecting a second random number, generating a second key from the second random number, encrypting the second random number with the public key of the second communication party, and sending the encrypted second random number to the second communication party;
the second communication party receiving the encrypted second random number, decrypting it with its own private key, obtaining the second random number, and generating the second key from the second random number, wherein the second communication party and the content auditing equipment encrypt and decrypt transmitted data with the second key;
the content auditing equipment monitoring the data transmitted by the first communication party through the first key or by the second communication party through the second key.
2. The content auditing method based on a security protocol according to claim 1, characterized in that, before the receiving of the connection request from the first communication party, the method comprises:
a firewall receiving the connection request sent by the first communication party, the destination address of the connection request being the address of the second communication party;
the firewall converting the destination address of the connection request into the address of the content auditing equipment and sending the connection request with the converted destination address.
3. The content auditing method based on a security protocol according to claim 1, characterized in that the connection request from the first communication party carries security information, the security information comprising the security protocol version, data encryption suites and compression algorithms supported by the first communication party;
correspondingly, the initiating of a connection to the second communication party corresponding to the connection request and the receiving of the digital certificate carrying the second communication party's public key returned by the second communication party specifically comprise:
the content auditing equipment forwarding the connection request to the second communication party in the identity of the first communication party;
the second communication party, after receiving the connection request, selecting from the security information in the connection request the data encryption suite and compression algorithm it intends to use, and sending a digital certificate to the content auditing equipment, the digital certificate carrying the public key, data encryption suite and compression algorithm of the second communication party.
4. A content auditing system based on a security protocol, comprising a first communication party and a second communication party, characterized in that the system further comprises a firewall and content auditing equipment, wherein:
the firewall is used, after receiving the connection request sent by the first communication party, to convert the destination address of the connection request into the address of the content auditing equipment and send the connection request with the converted destination address to the content auditing equipment;
the content auditing equipment is used to receive the connection request, initiate a connection to the second communication party corresponding to the connection request, and receive the digital certificate carrying the second communication party's public key returned by the second communication party; generate a public key, replace the second communication party's public key in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party; receive the encrypted first random number from the first communication party, decrypt it with its own private key, obtain the first random number, and generate the first key from the first random number, wherein it and the first communication party encrypt and decrypt transmitted data with the first key; select a second random number, generate a second key from the second random number, encrypt the second random number with the public key of the second communication party, and send the encrypted second random number to the second communication party; and monitor the data transmitted by the first communication party through the first key or by the second communication party through the second key;
the first communication party receives the digital certificate, obtains the public key of the content auditing equipment from the digital certificate, confirms the data encryption suite and compression algorithm selected by the second communication party, selects a first random number, generates a first key from the first random number, encrypts the first random number with the public key of the content auditing equipment, and sends the encrypted first random number;
the second communication party receives the encrypted second random number, decrypts it with its own private key, obtains the second random number, and generates the second key from the second random number, wherein it and the content auditing equipment encrypt and decrypt transmitted data with the second key.
5. The content auditing system based on a security protocol according to claim 4, characterized in that the first communication party is specifically used to send a connection request to the second communication party, the connection request carrying security information, the security information comprising the security protocol version, data encryption suites and compression algorithms supported by the first communication party;
correspondingly, the content auditing equipment is used, after receiving the connection request, to forward the connection request to the second communication party in the identity of the first communication party;
the second communication party is specifically used, after receiving the connection request, to select from the security information in the connection request the data encryption suite and compression algorithm it intends to use and send a digital certificate to the content auditing equipment, the digital certificate carrying the public key, data encryption suite and compression algorithm of the second communication party.
6. The content auditing system based on a security protocol according to claim 5, characterized in that the first communication party comprises:
a request sending module, used to send a connection request to the second communication party, the connection request carrying security information, the security information comprising the security protocol version, data encryption suites and compression algorithms supported by the first communication party;
an encryption key sending module, used, after the digital certificate is received, to obtain the public key of the content auditing equipment from the digital certificate, confirm the data encryption suite and compression algorithm selected by the second communication party, select a first random number, generate a first key from the first random number, encrypt the first random number with the public key of the content auditing equipment, and send the encrypted first random number.
7. Content auditing equipment, characterized in that the equipment comprises:
a receiving module, used to receive the connection request sent by a first communication party, the digital certificate sent by a second communication party, and the data exchanged between the first communication party and the second communication party;
a connection initiation module, used, after the receiving module receives the first communication party's connection request, to initiate a connection to the second communication party corresponding to the connection request;
a digital certificate processing module, used, after the receiving module receives the digital certificate carrying the second communication party's public key sent by the second communication party, to generate a public key, replace the second communication party's public key in the digital certificate with the generated public key, and send the modified digital certificate to the first communication party;
a secure link establishment module, used to receive the encrypted first random number from the first communication party, decrypt it with its own private key, obtain the first random number, and generate the first key from the first random number, wherein it and the first communication party encrypt and decrypt transmitted data with the first key; and to select a second random number, generate a second key from the second random number, encrypt the second random number with the public key of the second communication party, and send the encrypted second random number to the second communication party;
an audit module, used to monitor the data transmitted by the first communication party or the second communication party through the security protocol links established by the secure link establishment module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101144315A CN101325519B (en) 2008-06-05 2008-06-05 Content auditing method, system based on safety protocol and content auditing equipment

Publications (2)

Publication Number Publication Date
CN101325519A CN101325519A (en) 2008-12-17
CN101325519B true CN101325519B (en) 2011-02-16

Family

ID=40188861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101144315A Expired - Fee Related CN101325519B (en) 2008-06-05 2008-06-05 Content auditing method, system based on safety protocol and content auditing equipment

Country Status (1)

Country Link
CN (1) CN101325519B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019037685A1 (en) * 2017-08-23 2019-02-28 华为技术有限公司 Quic service control method and network apparatus

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780410B (en) * 2012-10-19 2017-06-06 任子行网络技术股份有限公司 A content obtaining system and method for encrypted applications
CN102932350B (en) * 2012-10-31 2016-06-15 华为技术有限公司 A method and apparatus for TLS scanning
CN103905425A (en) * 2013-12-27 2014-07-02 哈尔滨安天科技股份有限公司 Method and system for capturing malicious code network behavior enciphered data
CN105743868B (en) * 2014-12-11 2019-01-25 中国科学院声学研究所 A data collection system and method supporting encrypted and non-encrypted protocols
CN106341375B (en) * 2015-07-14 2021-01-01 腾讯科技(深圳)有限公司 Method and system for realizing encrypted access of resources
CN106533689B (en) * 2015-09-15 2019-07-30 阿里巴巴集团控股有限公司 A method and apparatus for loading digital certificates in SSL/TLS communication
CN106899559A (en) * 2015-12-21 2017-06-27 上海交通大学 Android Auto safety communicating methods and system based on TrustZone technologies
CN107124385B (en) * 2016-02-24 2020-02-04 中国科学院声学研究所 Mirror flow-based SSL/TLS protocol plaintext data acquisition method
CN107979481A (en) * 2016-10-25 2018-05-01 航天信息股份有限公司 A transmitting terminal, receiving terminal, data interchange platform and its method for execution
CN108965307A (en) * 2018-07-26 2018-12-07 深信服科技股份有限公司 Based on HTTPS agreement ciphertext Data Audit method, system and relevant apparatus
CN112035851A (en) * 2020-07-22 2020-12-04 北京中安星云软件技术有限公司 MYSQL database auditing method based on SSL
CN112637348B (en) * 2020-12-23 2022-05-10 北京金山云网络技术有限公司 Connection establishing method, device and system and electronic equipment
CN114221799B (en) * 2021-12-10 2024-03-22 中国人民银行数字货币研究所 Communication monitoring method, device and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1383351A2 (en) * 2002-07-08 2004-01-21 Matsushita Electric Industrial Co., Ltd. Device authentication system
CN1708018A (en) * 2004-06-04 2005-12-14 华为技术有限公司 Method for switching in radio local-area network mobile terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
藤猛 (Teng Meng). Research on Key Security Technologies of Distributed Object Middleware. China Doctoral Dissertations Full-text Database, Information Science and Technology series. 2005, (2), main text pp. 71-87: Chapter 5, Section 6.1 of Chapter 6 and the corresponding figures. *

Also Published As

Publication number Publication date
CN101325519A (en) 2008-12-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110216

Termination date: 20180605