CN101877693A - Method, device and system for obtaining public key - Google Patents

Method, device and system for obtaining public key

Info

Publication number: CN101877693A
Authority: CN (China)
Prior art keywords: public key, DNS, domain, response message, DNS server
Legal status: Pending
Application number: CN2009101069323A
Other languages: Chinese (zh)
Inventor: 沈烁
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2009101069323A
Priority to PCT/CN2010/071521 (WO2010124549A1)
Publication of CN101877693A
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of communications and discloses a method for obtaining a public key. The method comprises: establishing a TCP (Transmission Control Protocol) connection with a DNS (Domain Name System) server; sending, over that connection, a DNS request message to the DNS server requesting the public key of a first domain; receiving, over the same connection, a DNS response message from the DNS server; and obtaining the public key of the first domain from the public key carried in the response message. The invention also discloses a device and a system for obtaining the public key.

Description

Method, device and system for obtaining a public key
Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for obtaining a public key.
Background
DKIM (DomainKeys Identified Mail) is an emerging e-mail authentication standard that is widely used to counter e-mail fraud, spam and phishing.
In the DKIM scheme each domain (for example ABC.com) has its own public/private key pair, and a message sent by that domain (for example an e-mail) carries a signature generated with the domain's own private key. After receiving the message, the recipient verifies the signature with the domain's public key to confirm that the message really came from that domain. If the recipient does not have the domain's public key, it must obtain it from a DNS (Domain Name System) server by means of a DNS request message.
In practice, DNS messages are normally transmitted over UDP (User Datagram Protocol). So when the recipient does not have the domain's public key, it exchanges UDP messages with the DNS server and fetches the public key of the domain in a UDP message.
In the prior art, however, DKIM supports only the RSA key system, and to improve security RSA keys are usually very long. When the RSA public key of a domain is so long that the response exceeds the length a DNS message carried over UDP may have (512 bytes under RFC 1035), the recipient cannot obtain the domain's RSA public key through a UDP message.
Summary of the invention
In view of this, embodiments of the invention provide the following schemes.
A method for obtaining a public key, comprising:
establishing a Transmission Control Protocol (TCP) connection with a Domain Name System (DNS) server; sending, over the TCP connection, a DNS request message to the DNS server requesting the public key of a first domain; receiving, also over the TCP connection, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain; and obtaining the public key of the first domain from the DNS response message.
A device for obtaining a public key, comprising:
a connection module, configured to establish a TCP connection with a DNS server;
a sending module, configured to send, over the TCP connection established by the connection module, a DNS request message to the DNS server requesting the public key of a first domain;
a receiving module, configured to receive, over the TCP connection established by the connection module, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain; and
an acquisition module, configured to obtain the public key of the first domain from the DNS response message received by the receiving module.
A system for obtaining a public key, comprising:
a first device, configured to establish a TCP connection with a DNS server, send over the TCP connection a DNS request message to the DNS server requesting the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message; and
a DNS server, configured, after receiving the DNS request message, to send a DNS response message to the first device over the TCP connection, the DNS response message carrying the public key of the first domain.
A method for obtaining a public key, comprising:
establishing a communication connection with a DNS server; sending, over the communication connection, a DNS request message to the DNS server requesting the public key of a first domain, the public key being a key of a short-key cryptosystem; receiving, over the communication connection, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain; and obtaining the public key of the first domain from the DNS response message.
A device for obtaining a public key, comprising:
a connection module, configured to establish a communication connection with a DNS server;
a sending module, configured to send, over the communication connection established by the connection module, a DNS request message to the DNS server requesting the public key of a first domain, the public key being a key of a short-key cryptosystem;
a receiving module, configured to receive, over the communication connection established by the connection module, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain; and
an acquisition module, configured to obtain the public key of the first domain from the DNS response message received by the receiving module.
A system for obtaining a public key, comprising:
a first device, configured to establish a communication connection with a DNS server, send over the communication connection a DNS request message to the DNS server requesting the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message, the public key being a key of a short-key cryptosystem; and
a DNS server, configured, after receiving the DNS request message, to send a DNS response message to the first device over the communication connection, the DNS response message carrying the public key of the first domain.
With the methods, devices and systems for obtaining a public key provided by embodiments of the invention, the prior-art problem that a public key cannot be obtained through a UDP message because the public key of the domain is too long is solved.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of an embodiment of the invention;
Fig. 2 is a flowchart of a method for obtaining a public key provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of a device for obtaining a public key provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the sending module 310 in the device for obtaining a public key provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a system for obtaining a public key provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of another application scenario of an embodiment of the invention;
Fig. 7 is a flowchart of another method for obtaining a public key provided by an embodiment of the invention;
Fig. 8(a) shows the format of the Question section of a DNS request message;
Fig. 8(b) shows the format of the Query Name field in the Question section;
Fig. 9 is a schematic diagram of another device for obtaining a public key provided by an embodiment of the invention;
Fig. 10 is a schematic diagram of the sending module 910 in another device for obtaining a public key provided by an embodiment of the invention;
Fig. 11 is a schematic diagram of another system for obtaining a public key provided by an embodiment of the invention.
Detailed description
To make the purpose, technical scheme and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the drawings.
For ease of explanation, several embodiments of the invention are introduced below in the context of scenarios that are common in practice.
As shown in Fig. 1, the domain ABC.com has a key pair X1/X2 (public/private). When ABC.com sends a message (for example an e-mail) to user P, the message carries a signature that ABC.com generated with its own private key X2. In this scenario ABC.com may use an RSA key or any other key system; no limitation is imposed here.
After user P receives the message, P must verify the signature to confirm that the message really came from ABC.com. For example, P can verify the signature in the message with the public key X1 that corresponds to the private key X2. If P does not have X1, P must send a DNS request message to a DNS server to request X1.
Unlike the prior-art scheme, in this scenario user P and the DNS server do not communicate over UDP; a TCP (Transmission Control Protocol) connection is established directly, and user P sends the DNS request message to the DNS server over that TCP connection.
Optionally, because ABC.com may use RSA or another key system, user P can tell from the signature carried in the message which key system ABC.com used to generate it. The DNS request message that P sends to the DNS server can therefore carry a type identifier of the requested public key.
After receiving the DNS request message, the DNS server sends a DNS response message to user P over the TCP connection; the response carries the public key X1 of ABC.com. For example, the response may carry X1 in a resource record (RR) of type TXT (text). When the DNS request message carries a type identifier of the requested public key, the DNS server can also select the public key of the corresponding type according to that identifier, carry it in the DNS response message and send it to user P.
At this point user P has obtained the public key X1 of ABC.com and can use it to verify the signature in the message.
Because user P and the DNS server communicate over TCP, even when the length of X1 exceeds the message length the protocol allows, the DNS server can deliver X1 to the user in several TCP segments, and user P reassembles them in order using the sequence numbers carried in the TCP segments to obtain X1. This solves the prior-art problem that a public key cannot be obtained through a UDP message because the public key of the domain is too long.
Fig. 2 is a flowchart of a method for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 2, the method comprises:
200: establish a TCP connection with the DNS server;
210: over the TCP connection established in 200, send a DNS request message to the DNS server to request the public key of a first domain; in this embodiment the public key may be an RSA key or a key of another key system, without limitation;
220: over the TCP connection established in 200, receive a DNS response message from the DNS server; the DNS response message is the DNS server's response to the above DNS request message and carries the public key of the first domain;
230: obtain the public key of the first domain from the received DNS response message.
Optionally, in this embodiment the DNS request message sent to the DNS server can also carry a type identifier of the requested public key of the first domain, so that the DNS server can carry the public key of the corresponding type in the DNS response message.
As a further option, in this embodiment the DNS response message may carry the public key in a TXT-type resource record; the public key of the first domain is then obtained from the TXT resource record of the first domain's public key carried in the received DNS response message.
Fig. 3 is a schematic diagram of a device for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 3, the device comprises:
a connection module 300, configured to establish a TCP connection with a DNS server;
a sending module 310, configured to send, over the TCP connection established by the connection module 300, a DNS request message to the DNS server to request the public key of a first domain; in this embodiment the public key may be an RSA key or a key of another key system, without limitation;
a receiving module 320, configured to receive, over the TCP connection established by the connection module 300, a DNS response message from the DNS server, the DNS response message being the DNS server's response to the above DNS request message and carrying the public key of the first domain; and
an acquisition module 330, configured to obtain the public key of the first domain from the DNS response message received by the receiving module 320.
Optionally, as shown in Fig. 4, the sending module 310 may further comprise:
an identification unit 311, configured to carry the type identifier of the public key of the first domain in the DNS request message; and
a transmitting unit 312, configured to send to the DNS server the DNS request message carrying the type identifier of the public key of the first domain.
Optionally, the DNS response message may carry the public key in a TXT-type resource record, in which case the acquisition module 330 obtains the public key of the first domain from the TXT resource record of the first domain's public key carried in the DNS response message received by the receiving module 320.
Fig. 5 is a schematic diagram of a system for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 5, the system comprises a first device and a DNS server, wherein:
the first device is configured to establish a TCP connection with the DNS server, send a DNS request message to the DNS server to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in that DNS response message; in this embodiment the public key may be an RSA key or a key of another key system, without limitation; and
the DNS server is configured, after receiving the above DNS request message, to send the DNS response message to the first device over the above TCP connection, the DNS response message carrying the public key of the first domain.
With the methods, devices and systems for obtaining a public key provided by the above embodiments of the invention, communication with the DNS server is based on TCP rather than UDP, so even when the length of the domain's public key exceeds the message length the protocol allows, the domain's public key can still be obtained through several TCP segments. This solves the prior-art problem that a public key cannot be obtained through a UDP message because the public key of the domain is too long.
Below, several further embodiments of the invention are introduced in the context of another scenario that is common in practice.
As shown in Fig. 6, the domain ABC.com has two key pairs, Y1/Y2 (public/private) and Z1/Z2 (public/private). When ABC.com sends a message (for example an e-mail) to user Q, it generates a signature with the private key of one of these pairs and carries it in the message. For example, ABC.com generates the signature with the private key Y2 of the pair Y1/Y2 and carries it in the message sent to user Q. In this scenario the key system ABC.com uses is a short-key cryptosystem (also called a short-key algorithm).
In this application, a short key is a key whose length can be carried in a single UDP message, whose security strength is greater than 80 bits, and whose strength per bit is greater than 0.1. Here "strength per bit" means the ratio of the security strength of the key to its length in bits. The security strength of a key of a given length generally refers to the amount of work needed to break that key. Taking the RSA key system as an example, the security strength and strength per bit of RSA keys of different lengths are shown in Table 1:
Table 1
Key length (bits)   Security strength (bits)   Strength per bit
1024                80                         0.078
2048                112                        0.055
3072                128                        0.042
Common short-key cryptosystems include, for example, ECDSA (Elliptic Curve Digital Signature Algorithm), lattice-based public-key cryptography, password-based public-key cryptography, identity-based public-key cryptography using pairings, and so on. Of course, any other key that meets the requirements above can also be regarded as a short key; no limitation is imposed here. In this scenario the key pairs Y1/Y2 and Z1/Z2 may belong to any short-key cryptosystem, without limitation.
After user Q receives the message, Q must verify the signature to confirm that the message really came from ABC.com. For example, Q can verify the signature in the message with the public key Y1 that corresponds to the private key Y2. If Q does not have Y1, Q must send a DNS request message to a DNS server to request Y1.
In this scenario user Q and the DNS server may communicate over UDP, user Q sending the above DNS request message to the DNS server in UDP messages; or a TCP connection may be established between user Q and the DNS server, user Q sending the DNS request message over the TCP connection; or, of course, some other communication connection may be used, without limitation. When a TCP connection is established between user Q and the DNS server, the procedure is the same as the communication between user P and the DNS server described above for Fig. 1 and is not repeated here.
Optionally, because ABC.com has two public/private key pairs in this scenario, user Q can tell from the signature carried in the message which key system ABC.com used to generate it. The DNS request message that Q sends to the DNS server can therefore carry a type identifier of the requested public key. For example, suppose the pair Y1/Y2 uses the ECDSA key system; the DNS request message that Q sends to the DNS server then carries the type identifier of that key system. This avoids the DNS server sending Q the public key Z1 of the other pair Z1/Z2, or sending Q both Y1 and Z1.
After receiving the DNS request message, the DNS server sends a DNS response message to user Q over the above communication connection; the response carries the public key Y1 of ABC.com. For example, the response may carry Y1 in a TXT-type resource record. When the DNS request message carries a type identifier of the requested public key, the DNS server can also select the public key of the corresponding type according to the type identifier carried in the request, carry it in the DNS response message and send it to user Q.
At this point user Q has obtained the public key Y1 of ABC.com and can use it to verify the signature in the message.
In this scenario the public key transferred between user Q and the DNS server belongs to a short-key cryptosystem, so whether UDP or TCP is used between user Q and the DNS server, the length of the public key does not exceed the message length the protocol allows. This solves the prior-art problem that a public key cannot be obtained through a UDP message because the public key of the domain is too long.
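The size arithmetic behind Table 1 and the short-key definition above, as an added Python example that is not part of the patent: it computes the exact DER length of an RSA SubjectPublicKeyInfo with a tiny DER encoder, derives the DKIM TXT record and the smallest possible DNS response for a DKIM query name, and then applies the three conditions of the definition (fits in a 512-byte UDP message, security strength above 80 bits, strength per bit above 0.1). The RSA strengths are Table 1's; the P-256 ECDSA figures (128-bit strength, 91-byte SPKI), the tag value k=ecdsa (the patent's own type naming, not a value registered for DKIM, which at the time defined only k=rsa) and the query name beijing._domainkey.abc.com are assumptions of this example.

```python
from __future__ import annotations

import base64
import math

UDP_MAX = 512  # RFC 1035: largest DNS message over UDP unless EDNS(0) is negotiated
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
ECDSA_P256_SPKI_LEN = 91  # assumed: SPKI carrying an uncompressed P-256 point


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form), enough to size an SPKI."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def rsa_spki_der_len(modulus_bits: int, e: int = 65537) -> int:
    """DER length of an RSA SubjectPublicKeyInfo. The modulus body is a placeholder
    of the right size (a real modulus has its top bit set, hence the leading 0x00
    pad byte); only the lengths matter here."""
    n_body = b"\x00" + b"\xff" * (modulus_bits // 8)
    e_body = e.to_bytes((e.bit_length() + 7) // 8, "big")
    rsa_public_key = der_tlv(0x30, der_tlv(0x02, n_body) + der_tlv(0x02, e_body))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return len(der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key)))


def dkim_txt_record(key_tag: str, spki_der_len: int) -> str:
    """'v=DKIM1; k=<tag>; p=<base64 SPKI>' with a placeholder SPKI of the given length."""
    p = base64.b64encode(b"\x00" * spki_der_len).decode("ascii")
    return f"v=DKIM1; k={key_tag}; p={p}"


def txt_rdata_len(text: str) -> int:
    """TXT RDATA is a series of <character-string>s of <=255 bytes, each with a length byte."""
    n = len(text.encode("ascii"))
    return n + math.ceil(n / 255)


def udp_response_len(qname: str, text: str) -> int:
    """Smallest answer-only response: 12-byte header, question (wire name + 4 bytes),
    one TXT RR whose owner name is a 2-byte compression pointer plus 10 fixed bytes."""
    name_len = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    return 12 + (name_len + 4) + (2 + 10 + txt_rdata_len(text))


def classify(key_tag: str, spki_der_len: int, strength_bits: int, key_bits: int, qname: str) -> dict:
    """Apply the patent's three-part short-key test to one key."""
    size = udp_response_len(qname, dkim_txt_record(key_tag, spki_der_len))
    per_bit = strength_bits / key_bits
    return {
        "response_bytes": size,
        "fits_udp": size <= UDP_MAX,
        "strength_bits": strength_bits,
        "per_bit": round(per_bit, 3),
        "short_key": size <= UDP_MAX and strength_bits > 80 and per_bit > 0.1,
    }


def table(qname: str = "beijing._domainkey.abc.com") -> dict[str, dict]:
    """Table 1 plus a P-256 row. RSA strengths are the patent's; P-256 is assumed."""
    rows = {f"RSA-{bits}": classify("rsa", rsa_spki_der_len(bits), s, bits, qname)
            for bits, s in ((1024, 80), (2048, 112), (3072, 128))}
    rows["ECDSA-P256"] = classify("ecdsa", ECDSA_P256_SPKI_LEN, 128, 256, qname)
    return rows


if __name__ == "__main__":
    for name, row in table().items():
        print(f"{name:11} {row}")
```

For this short query name the RSA-2048 answer still squeezes under 512 bytes while RSA-3072 does not, which is why the patent's "very long RSA key" problem shows up only beyond a certain modulus size; none of the RSA rows passes the per-bit threshold, whereas P-256 does on all three counts. In practice a resolver that supports EDNS(0) (RFC 6891) advertises a larger UDP payload, and a server that must truncate sets the TC bit so the client retries over TCP, which is the fallback the patent's first embodiment makes unconditional.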
Fig. 7 is a flowchart of another method for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 7, the method comprises:
700: establish a communication connection with the DNS server; in this embodiment the communication connection may use UDP or TCP, or may be some other communication connection, without limitation;
710: over the communication connection established in 700, send a DNS request message to the DNS server to request the public key of a first domain; in this embodiment the public key is a key of a short-key cryptosystem;
720: over the communication connection established in 700, receive a DNS response message from the DNS server; the DNS response message is the DNS server's response to the above DNS request message and carries the public key of the first domain;
730: obtain the public key of the first domain from the received DNS response message.
Optionally, in this embodiment the DNS request message sent to the DNS server can also carry a type identifier of the requested public key of the first domain, so that the DNS server can carry the public key of the corresponding type in the DNS response message.
As a further option, in this embodiment the DNS response message may carry the public key in a TXT-type resource record; the public key of the first domain is then obtained from the TXT resource record of the first domain's public key carried in the received DNS response message.
Optionally, the type identifier of the public key of the first domain can be carried in the Question section of the DNS request message.
As shown in Fig. 8(a), the Question section has three fields: Query Name, Query Type and Query Class. In this embodiment the type identifier of the public key of the first domain can be carried in the Query Name field. For example, the Query Name field can carry the following: ecdsa.Beijing._domainkey.ABC.com, where "ecdsa" denotes a public key of ECDSA type, "Beijing" is the selector, "_domainkey" is the DKIM marker and "ABC.com" is the domain name. The concrete layout is shown in Fig. 8(b), where each count is a length byte giving the number of bytes between the current count position and the next count position.
Of course, Fig. 8(a) and Fig. 8(b) show only one optional way of expressing the public key's type identifier in the DNS request message; the way the type identifier is expressed in the DNS request message in this embodiment is not limited to this.
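The TCP exchange of Figs. 1 and 2 (steps 200 to 230) and the type-prefixed Query Name of Fig. 8, as one added Python example that is not part of the patent: it encodes the query name label by label with the count byte of Fig. 8(b), builds the DKIM TXT query, frames it with the two-byte length prefix that RFC 1035 requires over TCP, and parses the reply, including a constructed reply that is larger than 512 bytes and so could not have been carried in a plain UDP message. The build_txt_response function stands in for the DNS server so the example runs offline; fetch_dkim_key_tcp performs the real exchange against a server of your choosing. The key-type prefix ecdsa follows the patent's Fig. 8 naming rather than any DKIM convention, and the domain abc.com, selector beijing and key material are constructed.

```python
from __future__ import annotations

import secrets
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: each label preceded by its length in bytes (the 'count'
    byte of Fig. 8(b)); a zero byte terminates the name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dkim_query_name(domain: str, selector: str, key_type: str = "") -> str:
    """selector._domainkey.domain, optionally prefixed with the patent's key-type label."""
    base = f"{selector}._domainkey.{domain}"
    return f"{key_type}.{base}" if key_type else base


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def build_txt_response(txid: int, qname: str, text: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for the DNS server: one TXT answer whose RDATA is split
    into <character-string>s of at most 255 bytes; the owner name is a compression
    pointer (0xC00C) back to the question name."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP each message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, whether written out, compressed, or a mix of both."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + n


def parse_txt_response(msg: bytes, txid: int) -> list[str]:
    """Return the text of every TXT answer, its character-strings concatenated."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError(f"not a successful response, rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_IN:
            parts, pos = [], 0
            while pos < len(rdata):
                ln = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + ln].decode("ascii"))
                pos += 1 + ln
            texts.append("".join(parts))
    return texts


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Split 'v=DKIM1; k=rsa; p=...' into its tag=value pairs."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:  # the reply may arrive in several TCP segments
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the connection mid-message")
        buf += chunk
    return buf


def fetch_dkim_key_tcp(server: str, qname: str, port: int = 53) -> dict[str, str]:
    """Steps 200-230 of Fig. 2 against a real server: connect, send the framed
    query, read the length-prefixed reply, extract the key's tags."""
    txid = secrets.randbelow(1 << 16)  # unpredictable ID makes spoofed replies harder
    with socket.create_connection((server, port), timeout=5.0) as s:
        s.sendall(tcp_frame(build_query(txid, qname)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        texts = parse_txt_response(_recv_exact(s, length), txid)
    if not texts:
        raise LookupError(f"no TXT record at {qname}")
    return parse_dkim_record(texts[0])
```

Two details carry the security weight: the reply is accepted only if its transaction ID matches the randomly chosen one, and the parser walks compression pointers without following them, so a malformed owner name cannot send it into a loop. Note that a record obtained this way is still unauthenticated DNS data; a DKIM verifier that needs to trust it should validate with DNSSEC.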
Fig. 9 is a schematic diagram of another device for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 9, the device comprises:
a connection module 900, configured to establish a communication connection with a DNS server; in this embodiment the communication connection may use UDP or TCP, or may be some other communication connection, without limitation;
a sending module 910, configured to send, over the communication connection established by the connection module 900, a DNS request message to the DNS server to request the public key of a first domain; in this embodiment the public key is a key of a short-key cryptosystem;
a receiving module 920, configured to receive, over the communication connection established by the connection module 900, a DNS response message from the DNS server, the DNS response message being the DNS server's response to the above DNS request message and carrying the public key of the first domain; and
an acquisition module 930, configured to obtain the public key of the first domain from the DNS response message received by the receiving module 920.
Optionally, as shown in Fig. 10, the sending module 910 may further comprise:
an identification unit 911, configured to carry the type identifier of the public key of the first domain in the DNS request message; and
a transmitting unit 912, configured to send to the DNS server the DNS request message carrying the type identifier of the public key of the first domain.
Optionally, the DNS response message may carry the public key in a TXT-type resource record, in which case the acquisition module 930 obtains the public key of the first domain from the TXT resource record of the first domain's public key carried in the DNS response message received by the receiving module 920.
Fig. 11 is a schematic diagram of another system for obtaining a public key provided by an embodiment of the invention. As shown in Fig. 11, the system comprises a first device and a DNS server, wherein:
the first device is configured to establish a communication connection with the DNS server, send a DNS request message to the DNS server to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in that DNS response message; in this embodiment the public key is a key of a short-key cryptosystem, and the communication connection may use UDP or TCP or may be some other communication connection, without limitation; and
the DNS server is configured, after receiving the above DNS request message, to send the DNS response message to the first device over the above communication connection, the DNS response message carrying the public key of the first domain.
With the methods, devices and systems for obtaining a public key provided by the above embodiments of the invention, the public key transferred to and from the DNS server belongs to a short-key cryptosystem, so whether UDP or TCP is used with the DNS server, the length of the public key does not exceed the message length the protocol allows. This solves the prior-art problem that a public key cannot be obtained through a UDP message because the public key of the domain is too long.
From the description of the embodiments above, those of ordinary skill in the art will understand that the embodiments of the invention can be implemented in software on a necessary general-purpose hardware platform, or of course in hardware. On this understanding, the technical scheme of the embodiments of the invention can be embodied as a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising instructions that cause a computer, server or other network device to perform the method described in some part of each embodiment or embodiments of the invention.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (12)

1. A method of obtaining a public key, characterized in that it comprises:
establishing a transmission control protocol (TCP) connection with a domain name system (DNS) server;
sending, over the TCP connection, a DNS request message to the DNS server, requesting the public key of a first domain;
receiving, over the TCP connection, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain;
obtaining the public key of the first domain according to the DNS response message.
2. The method of claim 1, characterized in that the DNS request message carries a type identifier of the public key of the first domain.
3. The method of claim 1 or 2, characterized in that the DNS response message carrying the public key of the first domain specifically comprises: the DNS response message carries a resource record of text type containing the public key of the first domain.
4. A device for obtaining a public key, characterized in that it comprises:
a connection module, configured to establish a TCP connection with a DNS server;
a sending module, configured to send, over the TCP connection established by the connection module, a DNS request message to the DNS server, requesting the public key of a first domain;
a receiving module, configured to receive, over the TCP connection established by the connection module, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain;
an acquisition module, configured to obtain the public key of the first domain according to the DNS response message received by the receiving module.
5. The device of claim 4, characterized in that the sending module comprises:
an identification unit, configured to carry the type identifier of the public key of the first domain in the DNS request message;
a transmitting unit, configured to send the DNS request message carrying the type identifier of the public key of the first domain to the DNS server.
6. A system for obtaining a public key, characterized in that it comprises:
a first device, configured to establish a TCP connection with a DNS server, to send, over the TCP connection, a DNS request message to the DNS server requesting the public key of a first domain, to receive a DNS response message from the DNS server, and to obtain the public key of the first domain carried in the DNS response message;
the DNS server, configured to send, after receiving the DNS request message, the DNS response message to the first device over the TCP connection, the DNS response message carrying the public key of the first domain.
7. A method of obtaining a public key, characterized in that it comprises:
establishing a communication connection with a DNS server;
sending, over the communication connection, a DNS request message to the DNS server, requesting the public key of a first domain, the public key being a key of a short-key cryptosystem;
receiving, over the communication connection, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain;
obtaining the public key of the first domain according to the DNS response message.
8. The method of claim 6, characterized in that the DNS request message carries a type identifier of the public key of the first domain.
9. The method of claim 7 or 8, characterized in that the DNS response message carrying the public key of the first domain specifically comprises: the DNS response message carries a resource record of text type containing the public key of the first domain.
10. A device for obtaining a public key, characterized in that it comprises:
a connection module, configured to establish a communication connection with a DNS server;
a sending module, configured to send, over the communication connection established by the connection module, a DNS request message to the DNS server, requesting the public key of a first domain, the public key being a key of a short-key cryptosystem;
a receiving module, configured to receive, over the communication connection established by the connection module, a DNS response message from the DNS server, the DNS response message carrying the public key of the first domain;
an acquisition module, configured to obtain the public key of the first domain according to the DNS response message received by the receiving module.
11. The device of claim 10, characterized in that the sending module comprises:
an identification unit, configured to carry the type identifier of the public key of the first domain in the DNS request message;
a transmitting unit, configured to send the DNS request message carrying the type identifier of the public key of the first domain to the DNS server.
12. A system for obtaining a public key, characterized in that it comprises:
a first device, configured to establish a communication connection with a DNS server, to send, over the communication connection, a DNS request message to the DNS server requesting the public key of a first domain, to receive a DNS response message from the DNS server, and to obtain the public key of the first domain carried in the DNS response message, the public key being a key of a short-key cryptosystem;
the DNS server, configured to send, after receiving the DNS request message, the DNS response message to the first device over the communication connection, the DNS response message carrying the public key of the first domain.
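The exchange the method claims describe, as an added example in Python that is not code from the patent or its assignee: a DNS request for the text-type (TXT) record of a domain, the 2-byte length framing DNS uses over a TCP connection, and extraction of the key from the response. The domain name, the key string and the server reply are constructed placeholders; the parser also checks the transaction id, the response flags and the echoed question so that a reply that does not match the request it sent is not accepted as the domain's key.

```python
import struct

def build_txt_query(domain, txn_id):
    """DNS request (RFC 1035 wire format) for the TXT records of `domain`, the record type the claims use to carry the key."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.strip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT(16), QCLASS=IN(1)

def frame_for_tcp(msg):
    """Over TCP each DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _read_name(msg, off):
    """Decode a name, following compression pointers; return (name, offset after it)."""
    labels, nxt = [], None
    while True:
        n = msg[off]
        if n >= 0xC0:  # pointer: the rest of the name lives at a 14-bit offset
            nxt = nxt or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), nxt or off
        labels.append(msg[off:off + n].decode()); off += n

def extract_public_key(response, query):
    """Key from the TXT answer for the queried domain; rejects replies whose id, flags or question mismatch the query."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if (txn_id != struct.unpack("!H", query[:2])[0] or not flags & 0x8000
            or flags & 0x000F or qd != 1 or response[12:len(query)] != query[12:]):
        raise ValueError("response does not match the request")
    want, off = _read_name(query, 12)[0], len(query)  # answers follow the echoed question
    for _ in range(an):
        name, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        rdata, off = response[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if name.lower() == want.lower() and (rtype, rclass) == (16, 1):
            parts, p = [], 0
            while p < len(rdata):  # TXT RDATA is one or more <len><chars> strings
                parts.append(rdata[p + 1:p + 1 + rdata[p]]); p += 1 + rdata[p]
            return b"".join(parts).decode()
    raise ValueError("no TXT record for the requested domain")

def build_txt_response(query, txt):
    """Constructed reply (offline stand-in for the DNS server): echoes the question, then one TXT RR named by pointer 0xC00C."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt
    return header + query[12:] + b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
```

On a real TCP connection the client reads the 2-byte length first, then exactly that many bytes, before handing the message to extract_public_key.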
CN2009101069323A 2009-04-29 2009-04-29 Method, device and system for obtaining public key Pending CN101877693A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2009101069323A CN101877693A (en) 2009-04-29 2009-04-29 Method, device and system for obtaining public key
PCT/CN2010/071521 WO2010124549A1 (en) 2009-04-29 2010-04-02 Method, apparatus and system for obtaining public key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101069323A CN101877693A (en) 2009-04-29 2009-04-29 Method, device and system for obtaining public key

Publications (1)

Publication Number Publication Date
CN101877693A true CN101877693A (en) 2010-11-03

Family

ID=43020156

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101069323A Pending CN101877693A (en) 2009-04-29 2009-04-29 Method, device and system for obtaining public key

Country Status (2)

Country Link
CN (1) CN101877693A (en)
WO (1) WO2010124549A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104796502A (en) * 2015-05-08 2015-07-22 上海斐讯数据通信技术有限公司 DNS (domain name system) system and method
CN107395312A (en) * 2017-09-19 2017-11-24 电信科学技术第五研究所有限公司 A kind of secure network method for synchronizing time and device
CN112152978A (en) * 2019-06-28 2020-12-29 北京金山云网络技术有限公司 Key management method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6986049B2 (en) * 2003-08-26 2006-01-10 Yahoo! Inc. Method and system for authenticating a message sender using domain keys
US8135780B2 (en) * 2006-12-01 2012-03-13 Microsoft Corporation Email safety determination
CN100428140C (en) * 2007-01-05 2008-10-22 东南大学 Implement method of elliptic curve cipher system coprocessor
CN101257450A (en) * 2008-03-28 2008-09-03 华为技术有限公司 Network safety protection method, gateway equipment, client terminal as well as network system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104796502A (en) * 2015-05-08 2015-07-22 上海斐讯数据通信技术有限公司 DNS (domain name system) system and method
CN107395312A (en) * 2017-09-19 2017-11-24 电信科学技术第五研究所有限公司 A kind of secure network method for synchronizing time and device
CN107395312B (en) * 2017-09-19 2019-03-19 电信科学技术第五研究所有限公司 A kind of secure network method for synchronizing time and device
CN112152978A (en) * 2019-06-28 2020-12-29 北京金山云网络技术有限公司 Key management method, device, equipment and storage medium
CN112152978B (en) * 2019-06-28 2021-07-20 北京金山云网络技术有限公司 Key management method, device, equipment and storage medium

Also Published As

Publication number Publication date
WO2010124549A1 (en) 2010-11-04


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20101103)