Disclosure of Invention
In order to monitor the communication content of both communication parties, the embodiment of the invention provides a content auditing method, a system and content auditing equipment based on a security protocol. The technical scheme is as follows:
a security protocol-based content auditing method, the method comprising:
the content auditing device receives a connection request from a first communication party; initiating connection to a second communication party corresponding to the connection request, and receiving a digital certificate which is returned by the second communication party and carries a public key of the second communication party;
the content auditing equipment generates a public key, modifies the public key of the second communication party in the digital certificate by using the public key and sends the modified digital certificate to the first communication party;
the first communication party receives the digital certificate, obtains a public key of the content auditing equipment from the digital certificate, confirms the data encryption suite and the compression algorithm selected by the second communication party, selects a first random number, generates a first key according to the first random number, encrypts the first random number by using the public key of the content auditing equipment, and sends the encrypted first random number;
the content auditing equipment receives the encrypted first random number, decrypts the first random number by using a private key of the content auditing equipment to obtain the first random number, and generates the first secret key according to the first random number, wherein the first communication party and the content auditing equipment use the first secret key to encrypt/decrypt transmission data;
the content auditing equipment selects a second random number, generates a second key according to the second random number, encrypts the second random number by using a public key of a second communication party, and sends the encrypted second random number to the second communication party;
the second communication party receives the encrypted second random number, decrypts the encrypted second random number by using a private key of the second communication party to obtain the second random number, and generates a second key according to the second random number, wherein the second communication party and the content auditing equipment use the second key to encrypt/decrypt transmission data;
and the content auditing equipment monitors data transmitted by the first communication party through the first key or the second communication party through the second key.
A security protocol based content auditing system comprising a first communicating party and a second communicating party, the system further comprising: a firewall and a content auditing device; wherein,
the firewall is used for converting a destination address of the connection request into an address of the content auditing equipment after receiving the connection request sent by the first communication party, and sending the connection request after the destination address is converted to the content auditing equipment;
the content auditing device is used for receiving the connection request, initiating connection to a second communication party corresponding to the connection request, and receiving a digital certificate which is returned by the second communication party and carries a public key of the second communication party; generating a public key, modifying the public key of the second communication party in the digital certificate by using the public key, and sending the modified digital certificate to the first communication party; receiving a first random number encrypted by the first communication party, decrypting the first random number by using a private key of the first communication party to obtain the first random number, and generating a first secret key according to the first random number, wherein the first secret key is used by the first communication party and the first communication party for encrypting/decrypting transmission data; selecting a second random number, generating a second key according to the second random number, encrypting the second random number by using a public key of the second communication party, and sending the encrypted second random number to the second communication party; monitoring data transmitted by the first communication party through the first key or the second communication party through the second key;
the first communication party receives the digital certificate, obtains a public key of the content auditing equipment from the digital certificate, confirms the data encryption suite and the compression algorithm selected by the second communication party, selects a first random number, generates a first key according to the first random number, encrypts the first random number by using the public key of the content auditing equipment, and sends the encrypted first random number;
and the second communication party receives the encrypted second random number, decrypts the encrypted second random number by using a private key of the second communication party to obtain the second random number, and generates a second key according to the second random number, wherein the second communication party and the content auditing equipment use the second key to encrypt/decrypt transmission data.
A content auditing apparatus, the apparatus comprising:
the receiving module is used for receiving a connection request sent by a first communication party, a digital certificate sent by a second communication party and data interacted between the first communication party and the second communication party;
the connection initiating module is used for initiating connection to a second communication party corresponding to the connection request after the receiving module receives the connection request of the first communication party;
the digital certificate processing module is used for generating a public key after the receiving module receives the digital certificate which is sent by the second communication party and carries the public key of the second communication party, modifying the public key of the second communication party in the digital certificate by using the public key and sending the modified digital certificate to the first communication party;
the secure link establishing module is used for receiving the encrypted first random number from the first communication party, decrypting the first random number by using a private key of the first communication party to obtain the first random number, and generating the first secret key according to the first random number, wherein the first secret key is used by the first communication party and the first communication party for encrypting/decrypting transmission data; selecting a second random number, generating a second key according to the second random number, encrypting the second random number by using a public key of the second communication party, and sending the encrypted second random number to the second communication party;
and the auditing module is used for monitoring data forwarded by the first communication party or the second communication party through the security protocol link established by the security link establishing module.
The content auditing equipment in the embodiment of the invention can acquire the interactive content of the first communication party and the second communication party by impersonating the identities of the first communication party and the second communication party, so as to monitor the communication of the two parties, make up for the content auditing requirement of an encrypted link in practical application, and better maintain the secret information in an enterprise or a company.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
According to the embodiment of the invention, the data traffic of the first communication party and the second communication party is forwarded from the content auditing equipment, so that the interactive content of the two communication parties can be monitored on the basis of not being perceived by the two communication parties, and the leakage of confidential information inside an enterprise can be prevented.
Example 1
Referring to fig. 1, this embodiment provides a content auditing method based on a security protocol, where a client is used as a first communication party, a server is used as a second communication party, and content auditing is performed by a content auditing device, which includes:
101: the content auditing equipment receives a connection request from a client;
102: initiating connection to a server corresponding to the connection request, and receiving a digital certificate which is returned by the server and carries a public key of the server;
103: the content auditing equipment generates a public key, modifies the public key of the server side in the digital certificate by using the public key, and sends the modified digital certificate to the client side;
104: establishing a security protocol link with the client according to the public key in the modified digital certificate, and establishing a security protocol link with the server according to the digital certificate carrying the public key of the server;
105: and monitoring data forwarded by the client or the server through the security protocol link.
The security protocol in this embodiment may be an SSL/TLS protocol.
When the content auditing method is implemented, a firewall with a destination address conversion function is used, and a message or data sent from a client to a server is forwarded to content auditing equipment through the firewall, wherein the content auditing equipment is the server for the client and plays a role of a man-in-the-middle for the server, and the content auditing equipment is a signaling interaction diagram of the content auditing method, as shown in fig. 2, and the method is simply described as follows:
201: the client sends a ClientHello message to tell the server to request to establish SSL connection and simultaneously tell the server about the SSL version supported by the server and the encryption suite and the compression algorithm which can be used by the server;
when the ClientHello message passes through the firewall, the destination address of the ClientHello message is converted into the address of the content auditing equipment by the firewall, and the ClientHello message is forwarded to the content auditing equipment;
202: after receiving the ClientHello message, the content auditing equipment sends the ClientHello message to the server side by the identity of the client side*A message requesting to establish an SSL connection and carrying the SSL version supported by the client, as well as the encryption suite and compression algorithm it can use.
203: after receiving the ClientHello message, the server side regards the content auditing equipment as a client side, returns a ServerHello message to the content auditing equipment and informs the content auditing equipment of the selected encryption suite and the compression algorithm;
204: after the content auditing equipment receives the ServerHello message, the ServerHello message is sent by the identity of the server*Sending the message to a client;
205: the server side sends a digital certificate of the server side to the content auditing equipment, and the certificate has two functions, namely, a client side authenticates the identity of the server side, and the certificate contains a public key of the server side, so that the client side encrypts information for generating a later data encryption key;
206: after receiving the digital Certificate (Certificate) of the server, the content auditing device generates a public and private key pair, modifies the public key information in the digital Certificate by using the public key in the public and private key pair, and sends the modified digital Certificate (Certificate)*) Sending the data to a client;
207: the server side sends a ServerHelloDone message to the content auditing equipment, and the end of the server side response message is indicated;
at the moment, the server side proves the identity of the server side to the client side, the two sides agree with the data encryption suite and the data compression algorithm, and the client side also obtains a key for encrypting information for generating a later data encryption key;
208: after receiving the ServerHelloDone message sent by the server, the content auditing equipment sends the ServerHelloDone message to the client*A message indicating the end of the response message;
209: the client receives the digital certificate and the ServerHelloDone*After the message, selecting a first random number, generating a first key according to the first random number, and sending a ClientKeyExchange message to the server, wherein the message carries the first random number, and in order to enhance the security, the first random number is encrypted by a public key in a digital certificate sent by content auditing equipment, and the message is forwarded to the content auditing equipment by a firewall;
210: after receiving the ClientKeyExchange message, the content auditing equipment decrypts the first random number by using a private key of the content auditing equipment and generates a first key according to the first random number; selecting a second random number, encrypting the second random number by using a server public key according to the second random number to generate a second key, and sending the ClientKeyExchange to the server by using the identity of the client*A message carrying a second random number;
211: the client sends a ChangeCipherSpec message to the server, the message carries a confirmed data encryption algorithm and a Hash message authentication code algorithm, the confirmed data encryption algorithm and the Hash message authentication code algorithm are encrypted by a public key of the content auditing equipment for safety, and after the client is informed, the data is encrypted by a newly generated first secret key and various negotiated algorithms; the message is forwarded by the firewall to the content auditing device;
212: after the content auditing equipment receives the ChangeCipherSpec message, the confirmed data encryption algorithm and hash are decrypted by using the private key of the content auditing equipmentThe authentication code algorithm of the History message sends ChangeCipherSpec to the server side with the identity of the client side*The message carries a confirmed data encryption algorithm and a Hash message authentication code algorithm which are encrypted by a server public key;
213: the client sends Finished information to the server, the Finished information represents the end of the handshake of the client side, and the information is forwarded to the content auditing equipment by the firewall;
214: after receiving the Finished message, the content auditing equipment sends the Finished message to the server side by the identity of the client side*A message;
215: the server receives the message (ClientKeyExchange)*Message and ChangeCipherSpec*Message), decrypting the information carried in the message by using the private key of the user to obtain a second random number, confirming the second random number to obtain a data encryption algorithm and a Hash message authentication code algorithm, generating a second key according to the second random number, and when Finished is received*After the message, the returned ChangeCipherSpec message confirms various negotiated algorithms;
then, the communication between the server and the content auditing equipment is encrypted/decrypted through a second key;
216: after the content auditing equipment receives the ChangeCipherSpec message responded by the server, the content auditing equipment responds to the client by the identity of the server*Messages, confirming various algorithms of negotiation;
217: the server side sends Finished information to indicate the end confirmation of the handshake of the server side;
218: after receiving the Finished message sent by the server, the content auditing equipment sends the Finished message to the client*A message;
219: after the two parties complete the handshake, the client and the server send data to each other, the data are transferred through the content auditing equipment, and the content auditing equipment monitors the communication content of the two parties.
After the two parties complete the handshake, the client side can encrypt/decode the transmission data by using the first secret key, the server side can encrypt/decode the transmission data by using the second secret key, and the content auditing equipment encrypts/decrypts the transmission data interacted with the client side by using the first secret key and encrypts/decrypts the transmission data interacted with the server side by using the second secret key.
According to the method, the content auditing equipment, namely the middleman, is inserted between the normal client and the server, and the equipment has the functions of both the client and the server.
When the client starts to initiate connection, the content auditing equipment responds to the connection, simultaneously the content auditing equipment imitates the client to initiate connection to the server, the server sends a digital certificate of the content auditing equipment to the content auditing equipment, the content auditing equipment does not have a private key of the server, and in order to decrypt encrypted information sent by the client at a later stage, the certificate needs to be forged again according to certain key information (public key information) of the certificate and then sent to the client;
further, the content auditing equipment simultaneously establishes two different SSL links with the client and the server respectively, and negotiates with the client and the server about security encryption suites of the respective links respectively; after the negotiation of link safety capability is completed, the content auditing equipment can store and forward data on respective links without resistance, and then the communication contents of both sides are monitored.
In the embodiment, the flow of the client is forwarded to the content auditing device through the firewall with the network address conversion function, and the content auditing device can acquire the interactive content of the client and the server by impersonating the identities of the client and the server, so that the communication of the client and the server is monitored, the content auditing requirement on an encrypted link in practical application is met, and the secret information in an enterprise or a company is better maintained.
Example 2
Referring to fig. 3, the present embodiment provides a content auditing system based on a security protocol, including: a first communication party 301, a second communication party 302, a firewall 303 and a content auditing device 304; wherein,
the firewall 303 is configured to, after receiving the connection request sent by the first communication party 301, convert a destination address of the connection request into an address of the content auditing apparatus 304, and send the connection request after the destination address is converted to the content auditing apparatus 304;
the content auditing device 304 is configured to receive the connection request, initiate connection to the second communication party 302 corresponding to the connection request, generate a public key, establish a security protocol link with the first communication party 301 according to the public key, and establish a security protocol link with the second communication party 302 according to the public key of the second communication party 302; data forwarded by the first communication partner 301 or the second communication partner 302 over the secure protocol link is monitored.
Further, the content auditing apparatus 304 includes:
a receiving module 304a, configured to receive a connection request sent by the firewall 303, a digital certificate sent by the second communication party 302, and data of interaction between the first communication party 301 and the second communication party 302;
a connection initiating module 304b, configured to initiate a connection to the second communication party 302 after the receiving module 304a receives the connection request;
the digital certificate processing module 304c is configured to, after receiving the digital certificate that is sent by the second communication party 302 and carries the public key of the second communication party 302, the receiving module 304a generates a public key, modifies the public key of the second communication party 302 in the digital certificate by using the generated public key, and sends the modified digital certificate to the first communication party 301;
a secure link establishing module 304d, configured to establish a secure protocol link with the first communication party 301 according to the public key in the digital certificate modified by the digital certificate processing module 304c, and establish a secure protocol link with the second communication party 302 according to the digital certificate carrying the public key of the second communication party 302 received by the receiving module 304 a;
and the auditing module 304e is used for monitoring data forwarded by the first communication party 301 or the second communication party 302 through the security protocol link established by the security link establishing module 304 d.
Further, in order to enhance security, the first communication party 301 of the system is provided with security measures, specifically:
the first communication party 301 is configured to send a connection request to the server 302, where the connection request carries security information, where the security information includes: the security protocol version, encryption suite and compression algorithm supported by the first correspondent 301;
correspondingly, the connection initiating module 304b is specifically configured to forward the connection request to the second communication party 302 by using the identity of the first communication party 301 after the receiving module 304a receives the connection request;
the second communication partner 302 of the system also has corresponding security measures, specifically:
the second communication party 302 is configured to, after receiving the connection request, select a data encryption suite and a compression algorithm to be used from the security information in the connection request, and send a digital certificate to the content auditing device 304, where the digital certificate carries the public key information, the data encryption suite and the compression algorithm of the second communication party 302.
Wherein the first communication partner 301 comprises:
a request sending module, configured to send a connection request to the second communication party 302, where the connection request carries security information, where the security information includes: the security protocol version, encryption suite and compression algorithm supported by the first correspondent 301;
an encryption key sending module, configured to obtain a public key of the content auditing device 304 from the digital certificate after receiving the digital certificate, confirm the data encryption suite and the compression algorithm selected by the second communication party 302, select a first random number, generate a first key according to the first random number, encrypt the first random number using the public key of the content auditing device 304, and send the encrypted first random number;
the secure link establishment module 304d includes:
the decryption submodule is used for decoding the encrypted first random number sent by the first communication party 301 by using a private key of the decryption submodule to obtain the first random number and generating a first key according to the first random number;
the encryption submodule is configured to select a second random number, generate a second key according to the second random number, encrypt the second random number using the public key of the second communication party 302, and send the encrypted second random number to the second communication party 302;
correspondingly, the second communication party 302 is further configured to decrypt the encrypted second random number with its own private key after receiving the encrypted second random number to obtain a second random number, and generate a second key according to the second random number;
the first communication party and the content auditing apparatus 304 encrypt/decrypt transmission data using the first key;
the second party 302 and the content auditing apparatus 304 use the second key to encrypt/decrypt the transmission data.
In this embodiment, the first communication party may be a client, and the second communication party may be a server.
According to the system provided by the embodiment, the firewall is arranged, the flow of the first communication party is forwarded to the content auditing equipment, the content auditing equipment can acquire the interactive content of the first communication party and the second communication party by impersonating the identities of the first communication party and the second communication party, so that the communication of the two parties is monitored, the content auditing requirement on the encrypted link in practical application is made up, and the secret information in an enterprise or a company is better maintained.
Example 3
Referring to fig. 4, the present embodiment provides a content auditing apparatus, including:
a receiving module 401, configured to receive a connection request sent by a first communication party, a digital certificate sent by a second communication party, and data interacted between the first communication party and the second communication party;
a connection initiating module 402, configured to initiate a connection to a second communication party corresponding to a connection request after the receiving module 401 receives the connection request of the first communication party;
the digital certificate processing module 403 is configured to generate a public key after the receiving module 401 receives the digital certificate carrying the public key of the second communication party and sent by the second communication party, modify the public key of the second communication party in the digital certificate with the public key, and send the modified digital certificate to the first communication party;
a secure link establishing module 404, configured to establish a secure protocol link with a first communication party according to a public key in the digital certificate modified by the digital certificate processing module 403, and establish a secure protocol link with a second communication party according to the digital certificate carrying the public key of the second communication party and received by the receiving module 401;
and the auditing module 405 is configured to monitor data forwarded by the first communication party and/or the second communication party through the secure protocol link established by the secure link establishing module 404.
The secure link establishing module 404 specifically includes:
the decryption submodule is used for decrypting the encrypted first random number sent by the first communication party by using a private key of the decryption submodule to obtain the first random number and generating a first secret key according to the first random number;
the encryption submodule is used for selecting a second random number, generating a second key according to the second random number, encrypting the second random number by using a public key of a second communication party and sending the encrypted second random number to the second communication party;
the data transmission submodule is used for encrypting/decrypting transmission data by using a first key generated by the decryption submodule with the first communication party; and encrypting/decrypting the transmission data with the second communication party using the second key generated by the encryption sub-module.
In this embodiment, the first communication party may be a client, and the second communication party may be a server.
The content auditing device provided by the embodiment can acquire the interactive content of the first communication party and the second communication party by impersonating the identities of the first communication party and the second communication party, so that the communication of the two parties is monitored, the content auditing requirement on an encrypted link in practical application is made up, and the secret information in an enterprise or a company is better maintained.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent replacements, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention.