CN102695168B - Terminal equipment, encrypted gateway and method and system for wireless network safety communication - Google Patents

Publication number: CN102695168B
Application number: CN201210158887.8A
Other versions: CN102695168A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: session key, encryption gateway, encryption, terminal equipment, user account
Legal status: Active
Inventors: 田新雪, 袁晓静
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Abstract

The invention provides terminal equipment, an encrypted gateway, and a method and a system for wireless network safety communication. The method for wireless network safety communication includes: acquiring encrypted communication request information transmitted by the terminal equipment when it accesses a wireless network, the request information including a user account of a user; acquiring, according to the request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account; and transmitting the second session key to the terminal equipment and using the first session key to encrypt or decrypt the data messages communicated with the terminal equipment. With the terminal equipment, the encrypted gateway, the method and the system, the potential safety hazards in existing wireless network communication can be effectively avoided.

Description

Terminal equipment, encryption gateway, and wireless network safety communication method and system
Technical field
The present invention relates to communication technology, and in particular to terminal equipment, an encryption gateway, and a wireless network safety communication method and system.
Background technology
With the development of wireless communication technology, more and more public places provide wireless network hotspots for Internet access, so that users can conveniently go online with terminal equipment that has wireless communication capability.
A wireless hotspot is very simple and cheap to build: its provider only needs a wireless router, or a modem with a wireless function, connected to the network. For example, many airports, hotels and coffee shops configure a WiFi (Wireless Fidelity) wireless access point (WiFi Access Point, hereinafter WiFi AP) and offer users free WiFi AP access to the Internet. When a user in such a public place wants to go online, the terminal equipment communicates with the WiFi AP over the WiFi wireless signal; the WiFi AP is connected over a wired network to the Broadband Access Server of the network-side operator (hereinafter BAS server), and the BAS server provides broadband access to the Internet. When the user's terminal equipment accesses the Internet through a WiFi AP, two problems follow from the openness of the wireless network and the ease of building a hotspot. On the one hand, the wireless communication between the terminal equipment and the WiFi AP is easily attacked by an eavesdropper on the wireless signal. On the other hand, some WiFi access providers exploit the fact that users want free WiFi and cannot easily tell a genuine WiFi AP from a fake one: they maliciously set up free WiFi APs in public places and obtain user information by monitoring the traffic passing through the AP. Therefore, while wireless communication gives users convenient Internet access, it also gives hackers a convenient way in, and a user terminal that accesses the Internet over a wireless network faces a large security risk.
Summary of the invention
A first aspect of the present invention provides a wireless network safety communication method, comprising:
obtaining encrypted communication request information sent by terminal equipment when it accesses a wireless network, the encrypted communication request information comprising the user account of a user;
obtaining, according to the encrypted communication request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account; and
sending the second session key to the terminal equipment, and using the first session key to encrypt or decrypt the data messages communicated with the terminal equipment.
Another aspect of the present invention provides a wireless network safety communication method, comprising:
sending encrypted communication request information to an encryption gateway over the wireless network, the encrypted communication request information comprising the user account of a user;
receiving the second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information, and decrypting the second session key with the user login password corresponding to the user account to obtain the first session key; and
using the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
Another aspect of the present invention provides an encryption gateway, comprising:
an acquisition module, configured to obtain the encrypted communication request information sent by terminal equipment when it accesses the wireless network, the encrypted communication request information comprising the user account of a user; and to obtain, according to the encrypted communication request information, the first session key and the second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account; and
a processing module, configured to send the second session key to the terminal equipment, and to use the first session key to encrypt or decrypt the data messages communicated with the terminal equipment.
Another aspect of the present invention provides terminal equipment, comprising:
an encryption agent module, configured to send encrypted communication request information to an encryption gateway over the wireless network, the encrypted communication request information comprising the user account of a user; and to receive the second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information, and to decrypt the second session key with the user login password corresponding to the user account to obtain the first session key; and
a communication processing module, configured to use the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
Another aspect of the present invention provides a wireless network safety communication system, comprising the above encryption gateway and the above terminal equipment in a wireless network.
The technical effect of the present invention is as follows. An encryption gateway deployed by the network-side operator responds to the encrypted communication request information sent by a user's terminal equipment in the wireless network: it uses the user account carried in the request to obtain the first session key, uses the user login password that the user and the operator have pre-shared for that account to obtain the second session key, and returns the second session key to the corresponding terminal equipment. The terminal equipment decrypts the second session key with the user login password and so obtains the same first session key; the terminal equipment and the encryption gateway then use the first session key they both hold to encrypt and decrypt the communicated data messages, which improves the security of user communication. Because the user login password is pre-shared between the user and the operator and is never transmitted while the session key is negotiated, the present invention also ensures that the key obtained in the key agreement process remains secret. The communication of user data over the wireless channel and the hotspot is thus effectively protected, and the potential safety hazard present in existing wireless communication is avoided.
Accompanying drawing explanation
Fig. 1 is a flow chart of embodiment one of the wireless network safety communication method of the present invention;
Fig. 2 is a detailed flow chart of obtaining the session key in Fig. 1;
Fig. 3 is a flow chart of embodiment two of the wireless network safety communication method of the present invention;
Fig. 4 is a flow chart of embodiment three of the wireless network safety communication method of the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the encryption gateway of the present invention;
Fig. 6 is a schematic structural diagram of an embodiment of the terminal equipment of the present invention;
Fig. 7 is a schematic structural diagram of the wireless network safety communication system of the present invention;
Fig. 8 is a signaling diagram of the interaction between the devices in the embodiment shown in Fig. 7.
Embodiment
The technical solution of the present invention is described in detail below with reference to specific embodiments and the corresponding drawings.
Fig. 1 is a flow chart of embodiment one of the wireless network safety communication method of the present invention. As shown in Fig. 1, the method of this embodiment comprises:
Step 101: obtain the encrypted communication request information sent by the terminal equipment when it accesses the wireless network, the encrypted communication request information comprising the user account of the user.
Terminal equipment on the user side faces multiple security risks when it accesses a wireless network, and the same risks are present when it accesses the Internet through a wireless hotspot. To ensure that data messages are transmitted securely over the wireless channel and the hotspot, the data messages exchanged between the terminal equipment and the BAS server can be transmitted as ciphertext: an encryption gateway is added between the hotspot on the user side and the BAS server on the network side, the encryption gateway encrypts or decrypts the data messages it exchanges with the terminal equipment, and the encrypted or decrypted data messages then reach the Internet through the BAS server (or directly from the encryption gateway, if the encryption gateway itself has BAS server functionality). In this way the user's communication data is transmitted securely over the wireless channel and the hotspot.
For ciphertext transmission between the terminal equipment and the encryption gateway, the two sides must negotiate a session key for secure communication before data messages are exchanged. The terminal equipment therefore first sends encrypted communication request information to the encryption gateway, carrying the user's user account, so that the encryption gateway deployed by the network-side operator can look up the pre-shared key it stores for this user account and use that pre-shared key to negotiate the session key for communication.
In this step, when the encryption gateway receives the encrypted communication request sent by the terminal equipment, it obtains the user account carried in it, so that the corresponding session key can subsequently be obtained according to this user account. The user account is the user's existing user name on the network-side operator's network; if the user has not previously registered account information there, one can be registered provisionally through a non-Internet channel such as SMS or a telephone call. The user's account information on the operator's network comprises the user account and the user login password (or passcode). When the user sends the encrypted communication request from the terminal equipment, only the user account is carried in the request; the pre-shared key of the two sides, namely the user login password corresponding to the user account, is not transmitted. The encryption gateway can thus obtain the corresponding user login password or passcode from the user account, while the pre-shared key is kept out of a hacker's reach, which improves the security of the key agreement phase. The terminal equipment can be any user terminal, such as a computer or mobile phone, with which a user on the user side goes online over the wireless network. The encrypted communication request can be initiated by an encryption agent module installed on the terminal equipment: when the encryption agent module detects that the terminal equipment is connecting through a network connection mode that has no security mechanism, such as free WiFi, it starts the security pre-treatment measures, sends encrypted communication request information to the encryption gateway, and obtains the session key through interaction with the encryption gateway.
Step 102: obtain, according to the encrypted communication request information, the first session key and the second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account.
After the encryption gateway obtains the encrypted communication request information sent by the terminal equipment, it parses out the user account and obtains the session key corresponding to that user account. Fig. 2 is a detailed flow chart of obtaining the session key in Fig. 1. As shown in Fig. 2, the encryption gateway can obtain the session key by the following steps:
Step 1021: obtain the user account carried in the encrypted communication request information.
Step 1022: send key request information to the customer database, the key request information comprising the user account.
To reduce the processing load of the encryption gateway, the work of obtaining the key information can be performed by a customer database deployed by the network-side operator, and the encryption gateway only distributes the key information that the customer database returns. The customer database can be a database server that stores user account information: the user names and user login passwords with which users log in to the operator's network, or, in some cases, accounts and corresponding user passwords that users have set up in advance. If several gateways are configured in the network-side operator's network, then when the encryption gateway sends the key request information to the customer database in this step, it must also carry its own identification information in the key request information, so that the customer database returns the obtained key information to the gateway matching that identification.
Step 1023: receive the first session key and the second session key corresponding to the user account returned by the customer database.
In this embodiment, after the encryption gateway receives the encrypted communication request information, it first parses out the user account carried in it and then sends key request information to the customer database deployed on the network side, carrying the user account, so that the customer database can find the corresponding key information according to this user account. For example, after the customer database receives a key request from the encryption gateway carrying user name Ua of user A, it generates a first session key Ka, finds the user login password Pa corresponding to the user account (user name Ua), encrypts the generated first session key Ka with Pa to obtain a second session key Ka', and then sends both the generated first session key Ka and the encrypted second session key Ka' to the encryption gateway. The encryption gateway distributes the received key information: it keeps the unencrypted first session key Ka itself and returns the encrypted second session key Ka' to the user's terminal equipment. After the terminal equipment receives the encrypted second session key Ka', it decrypts it with the user login password Pa and obtains the first session key Ka. Both the terminal equipment and the encryption gateway thereby hold the same first session key Ka, which they can subsequently use to encrypt and decrypt the messages they send and receive. Because the second session key that the encryption gateway returns to the terminal equipment is key information encrypted with the user login password, and this password is held only by the operator's encryption gateway (or customer database) and by the user, a hacker who steals the second session key Ka' on the wireless channel or at the hotspot still cannot obtain the first session key Ka used in the user's communication and cannot crack the ciphertext of that communication, so the security of the user's communication is ensured.
Step 103: send the second session key to the terminal equipment, and use the first session key to encrypt or decrypt the data messages communicated with the terminal equipment.
After the encryption gateway has obtained the key information comprising the first session key Ka and the second session key Ka', it sends the encrypted second session key Ka' to the user's terminal equipment, so that the terminal equipment can decrypt Ka' with the user login password Pa corresponding to user name Ua and obtain the first session key Ka used in communication between the terminal equipment and the encryption gateway. In subsequent communication, both the terminal equipment and the encryption gateway encrypt and decrypt data messages with the first session key Ka. On the network side, the encryption gateway encrypts Internet data messages with the first session key before sending them to the terminal equipment, and decrypts the encrypted data messages sent by the terminal equipment with the first session key before forwarding them to the Internet. On the user side, the terminal equipment encrypts the data messages to be sent with the first session key before sending them to the encryption gateway, so that the encryption gateway can decrypt them and forward them to the Internet, and decrypts the Internet data messages received from the encryption gateway with the first session key. The data carried on the wireless channel and the hotspot is therefore ciphertext produced by the encryption gateway or the terminal equipment, and the user's communication is secure.
The wireless network in this embodiment can be built with a WiFi connection mode, or with other wireless connection modes. If the wireless network is built with WiFi, then when the user's terminal equipment communicates with the encryption gateway through a WiFi AP, the data messages on the wireless channel between the terminal equipment and the WiFi AP, and on the wired channel between the WiFi AP and the encryption gateway, are all ciphertext that neither an eavesdropper on the wireless channel nor a malicious provider of the WiFi AP can crack. The method of this embodiment therefore fully ensures communication security when a user connects to the Internet over a wireless network.
In practice, the encryption gateway can identify the terminal equipment that needs secure communication from the source of the encrypted communication request information. The terminal equipment currently in use can also carry its device identifier in the encrypted communication request information. This is particularly useful when a user goes online with several terminal devices under the same user account: the identifier of the current terminal equipment is carried in the request and parsed out by the encryption gateway, so that when the encryption gateway later obtains the key information it can send the second session key to the device matching that identifier, achieving per-device key distribution, and in subsequent data communication the encryption gateway encrypts and decrypts the messages exchanged with each terminal equipment using the first session key that corresponds to that device identifier.
In this embodiment, the encryption gateway deployed by the network-side operator responds to the encrypted communication request information sent by a user's terminal equipment in the wireless network: it uses the user account carried in the request to obtain the first session key, uses the user login password that the user and the operator have pre-shared for that account to obtain the second session key, and returns the second session key to the corresponding terminal equipment. The terminal equipment decrypts the second session key with the user login password and so obtains the same first session key; the terminal equipment and the encryption gateway then use the first session key they both hold to encrypt and decrypt the communicated data messages, which improves the security of user communication. Because the user login password is pre-shared between the user and the operator and is never transmitted while the session key is negotiated, the present invention also ensures that the key obtained in the key agreement process remains secret. The communication of user data over the wireless channel and the hotspot is thus effectively protected, and the potential safety hazard present in existing wireless communication is avoided.
Fig. 3 is a flow chart of embodiment two of the wireless network safety communication method of the present invention. As shown in Fig. 3, the method of this embodiment comprises:
Step 201: send encrypted communication request information to the encryption gateway over the wireless network, the encrypted communication request information comprising the user account of the user.
To ensure that data messages are transmitted securely over the wireless channel and the hotspot, terminal equipment in the wireless network can send encrypted communication request information over the wireless network to the encryption gateway deployed by the network-side operator, in order to obtain the key information for secure communication.
Specifically, after the terminal equipment receives the user's access request to connect to the Internet over the wireless network, it sends encrypted communication request information over the wireless network to the encryption gateway deployed on the network side, carrying the user name it registered on the operator's network, so that the encryption gateway can obtain the key information for the user's secure communication from that user name. In practice, an operator can take users' secure communication needs into account and offer them a specific security service and corresponding value-added services: on the one hand the operator deploys security facilities on the network side, such as the encryption gateway, and on the other hand it provides an agent application, such as an encryption agent application program, that works with those facilities and that users download and install on their terminal equipment. With the agent application, a user obtains secure communication simply by downloading and installing it, without replacing the terminal equipment. In the embodiment of the present invention the user downloads the encryption agent module application program from the operator's network to the terminal equipment; when terminal equipment with this application installed connects to the Internet over a wireless network, or when a communication condition that the user has preset as unsafe occurs, the application starts the pre-treatment operation in which the terminal equipment negotiates the session key for secure communication.
Step 202: receive the second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information, and decrypt the second session key with the user login password corresponding to the user account to obtain the first session key.
When the encryption gateway returns the second session key according to the encrypted communication request information, the encryption agent module can ask the user to enter the user login password corresponding to the user account, decrypt the second session key with that password, and obtain the first session key used for communication encryption. Because the second session key returned by the encryption gateway must still be decrypted with the user login password, the first session key that the user uses for communication encryption remains secure even if the second session key is stolen on the wireless channel or at the hotspot, so the key information obtained by the method of this embodiment ensures the communication security of the user's terminal equipment.
Step 203: use the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
After obtaining the first session key for secure communication, when the terminal equipment connects to the Internet over the wireless network, for example through a wireless network formed by a WiFi AP on the user side, it can encrypt the data messages to be sent with the first session key before sending them to the encryption gateway, so that the encryption gateway decrypts them and forwards them to the Internet, and it decrypts the Internet data messages received from the encryption gateway with the first session key.
Before sending a data message, the terminal equipment can also decide whether to encrypt it according to the security requirements of that message. If the data to be sent is highly sensitive, such as the password for the user's online banking or other personal information the user needs to transmit securely, the terminal equipment encrypts the data message communicated with the encryption gateway using the first session key and sends the encryption gateway a mark indicating that the data message is encrypted, so that the encryption gateway can determine from the mark that the corresponding data message is ciphertext. Most of the time a user with wireless terminal equipment is only browsing Internet information, which involves no secure communication problem; in that case the terminal equipment need not encrypt the communicated data messages, which reduces the encryption and decryption load on the terminal equipment and the encryption gateway. In practice, the encryption agent module of the terminal equipment can monitor whether the communication of the user's terminal equipment needs secure handling, for instance by monitoring the web page links the terminal equipment accesses or sensitive keywords the user clicks, and decide whether to enable the encryption and decryption process accordingly; for example, it enables secure communication and encrypts and decrypts the communicated messages when it sees a bank's web page link or keywords such as user account and password.
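The key agreement of embodiment one (steps 101 to 103 and 1021 to 1023) and the terminal-side selective encryption with an "encrypted" mark of step 203 above, as an added simulation that is not the patent's own code. Everything that the patent leaves unspecified is an assumption here: the cipher is a keystream built from HMAC-SHA256 with an HMAC tag (standing in for whatever cipher a real deployment would use), the login password Pa is stretched with PBKDF2 salted with the account name Ua before it wraps Ka, the customer database echoes the gateway identifier so a multi-gateway deployment can route the reply, and the account, device and gateway names are constructed placeholders.

```python
# Added example, not the patent's own code. Stand-in cipher and key derivation
# are assumptions; identifiers (Ua, Pa-secret, phone-1, gateway-1) are constructed.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first, then strips the keystream; raises on a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def password_key(password: str, account: str) -> bytes:
    # Assumption: derive the wrapping key from Pa with PBKDF2 instead of using Pa raw.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 100_000)


class CustomerDatabase:
    """Network-side store of (Ua, Pa); answers the gateway's key request (steps 1022-1023)."""

    def __init__(self, accounts: dict):
        self._accounts = dict(accounts)

    def key_request(self, account: str, gateway_id: str) -> dict:
        pa = self._accounts[account]                       # unknown account raises KeyError
        ka = os.urandom(32)                                # first session key Ka, fresh per request
        ka_prime = encrypt(password_key(pa, account), ka)  # second session key Ka' = Enc_Pa(Ka)
        return {"gateway_id": gateway_id, "Ka": ka, "Ka_prime": ka_prime}


class EncryptionGateway:
    def __init__(self, gateway_id: str, db: CustomerDatabase):
        self.gateway_id, self.db = gateway_id, db
        self.session_keys = {}                             # (account, device_id) -> Ka

    def handle_request(self, request: dict) -> bytes:
        """Steps 1021-1023 and 103: keep Ka, hand Ka' back to the terminal."""
        reply = self.db.key_request(request["account"], self.gateway_id)
        if reply["gateway_id"] != self.gateway_id:
            raise ValueError("key reply routed to the wrong gateway")
        self.session_keys[(request["account"], request["device_id"])] = reply["Ka"]
        return reply["Ka_prime"]

    def receive(self, account: str, device_id: str, message: dict) -> bytes:
        """Decrypts only the messages the terminal marked as encrypted (step 203)."""
        if not message["encrypted"]:
            return message["payload"]
        return decrypt(self.session_keys[(account, device_id)], message["payload"])


class Terminal:
    SENSITIVE = (b"password", b"bank")                     # constructed keyword list for the agent

    def __init__(self, account: str, password: str, device_id: str):
        self.account, self.password, self.device_id = account, password, device_id
        self.ka = self.ka_prime = None

    def negotiate(self, gateway: EncryptionGateway) -> None:
        """Steps 201-202: send only the account (never Pa), unwrap Ka' with Pa."""
        self.ka_prime = gateway.handle_request({"account": self.account, "device_id": self.device_id})
        self.ka = decrypt(password_key(self.password, self.account), self.ka_prime)

    def send(self, payload: bytes) -> dict:
        """Encrypts and marks only sensitive payloads; everything else goes unmarked."""
        if any(word in payload for word in self.SENSITIVE):
            return {"encrypted": True, "payload": encrypt(self.ka, payload)}
        return {"encrypted": False, "payload": payload}


def run_demo() -> dict:
    db = CustomerDatabase({"Ua": "Pa-secret"})             # constructed user A: name Ua, password Pa
    gw = EncryptionGateway("gateway-1", db)
    term = Terminal("Ua", "Pa-secret", "phone-1")
    term.negotiate(gw)
    secret = term.send(b"POST /bank password=hunter2")     # marked and encrypted
    browse = term.send(b"GET /news")                       # plain browsing, left unencrypted
    try:                                                   # Ka' alone, without Pa, does not yield Ka
        decrypt(password_key("guess", "Ua"), term.ka_prime)
        eavesdropper_failed = False
    except ValueError:
        eavesdropper_failed = True
    return {
        "same_key": term.ka == gw.session_keys[("Ua", "phone-1")],
        "on_air_is_ciphertext": secret["payload"] != b"POST /bank password=hunter2",
        "gateway_recovers": gw.receive("Ua", "phone-1", secret),
        "browse_flag": browse["encrypted"],
        "eavesdropper_failed": eavesdropper_failed,
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns `same_key=True` (both sides hold Ka after the exchange, although Pa never crossed the wire), `gateway_recovers` equal to the sensitive plaintext, `browse_flag=False` for the unmarked request, and `eavesdropper_failed=True` because unwrapping Ka' with the wrong password fails the tag check. The tag check is also why the gateway cannot be tricked into decrypting a message with a key for another device: the `(account, device_id)` lookup mirrors the per-device key distribution described above.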
In this embodiment, the terminal equipment sends encrypted communication request information over the wireless network to the encryption gateway configured by the network-side operator, carrying the user account, so that the encryption gateway obtains the pre-shared key between the user and the operator from that user account and thereby obtains the first session key and the second session key for the user's secure communication. After the encryption gateway returns the second session key to the terminal equipment, the terminal equipment decrypts it with the user login password corresponding to the user account and obtains the first session key for secure communication, so that in subsequent communication the terminal equipment and the encryption gateway can encrypt and decrypt with this first session key. The user's data is thus communicated securely over the wireless channel and the hotspot, and the potential safety hazard present in existing wireless communication is avoided.
Before negotiating the session key with the encryption gateway, the terminal equipment can also perform a pre-treatment operation to connect to the encryption gateway, so that it can subsequently obtain the session key for secure communication from the connected encryption gateway.
Fig. 4 is a flow chart of embodiment three of the wireless network safety communication method of the present invention. As shown in Fig. 4, before step 201 of Fig. 3 above, the method of this embodiment can further comprise:
Step 2020, obtain access request information by wireless network connecting Internet.
Step 2021, the encryption gateway arranged according to described access request information startup search for networks side.
If step 2022 searches, then send connectivity request message to described encryption gateway.
Step 2023, receive described encryption gateway feedback connection response information.
The encryption agent module of the mobile terminal can monitor the connection mode in which the user terminal equipment communicates, whether that connection mode is secure, and whether secure communication processing is needed in some cases. That is, when the terminal equipment connects to the Internet through a wireless network, the encryption agent module can judge whether the connection is secure. To simplify the processing, the present embodiment uses whether the Internet connection over the wireless network is free access as the condition for deciding whether it is secure; in other embodiments, other conditions may be used to judge whether the communication is secure. If the encryption agent module detects that the terminal equipment is connecting to the network in an internetwork connection mode without a security mechanism, for example networking through a free WiFi connection, the encryption agent module can start the encryption preprocessing operation. Specifically, the encryption agent module starts searching for the encryption gateway deployed by the operator on the network side; if one is found, it sends a connection request to that encryption gateway; after the encryption gateway responds to the connection request, a key negotiation communication connection is established between the encryption gateway and the terminal equipment, so that the terminal equipment can subsequently send encrypted communication request information to the encryption gateway that returned the connection response information, the request carrying the user account. After receiving this encrypted communication request information, the encryption gateway can obtain the session key by interacting with the network-side user database; the process of obtaining the session key may follow the method described in Embodiment One of the present invention above and is not repeated here.
Before sending the encrypted communication request information to the encryption gateway, while starting the process of searching for the encryption gateway deployed by the operator on the network side, the encryption agent module may also suspend the network communication data flows in progress on the terminal equipment, for example by suspending the other network connection or usage behavior of the user terminal equipment, to prevent the traffic information of the communication from being obtained improperly. After the session key has been obtained through the started encryption preprocessing operation, the suspended network communication data flows can be resumed and encrypted or decrypted with the obtained session key, thereby securing the user's ongoing communication.
On the basis of the technical effect of the embodiment shown in Fig. 3, the present embodiment further starts a search for the encryption gateway deployed on the network side according to the access request information obtained by the terminal equipment, and establishes a connection between the found encryption gateway and the terminal equipment, so that the terminal equipment can subsequently negotiate the session key with the connected encryption gateway.
Fig. 5 is a schematic structural diagram of an embodiment of the encryption gateway of the present invention. As shown in Fig. 5, the encryption gateway of the present embodiment comprises an acquisition module 30 and a processing module 31. The acquisition module 30 is configured to obtain the encrypted communication request information sent by the terminal equipment when accessing the wireless network, the encrypted communication request information comprising the user account of the user; and to obtain, according to the encrypted communication request information, the first session key and the second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account. The processing module 31 is configured to send the second session key to the terminal equipment, and to use the first session key to encrypt or decrypt the data messages communicated with the terminal equipment.
Specifically, when the acquisition module 30 of the encryption gateway receives the encrypted communication request information sent by the user-side terminal equipment, it parses out the user account carried in it and, according to the request information, interacts with the user database deployed by the network-side operator, for example by sending key request information carrying the user account to the user database. The user database generates the first session key according to the key request information, looks up the corresponding user login password according to the user account information, encrypts the first session key with this user login password to obtain the second session key, and feeds both the first session key and the second session key back to the encryption gateway. The encryption gateway keeps the first session key itself and returns the second session key to the terminal equipment that sent the encrypted communication request information. The terminal equipment can then decrypt the second session key with its user login password to obtain the first session key for secure communication, so that both the encryption gateway and the terminal equipment hold the first session key for encrypting or decrypting communication data messages. When the encryption gateway and the terminal equipment communicate, the processing module 31 of the encryption gateway can encrypt and decrypt the communication data with the first session key, ensuring the security of the user's communication.
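The key distribution described in the embodiments above (terminal equipment, encryption gateway and user database), as an added simulation that is not part of the patent: the user database generates the first session key and wraps it under the user's login password to form the second session key, the gateway keeps the first key and forwards the second, the terminal unwraps it with its login password, and sensitive data messages are then encrypted and carried with a ciphertext mark while other traffic passes in the clear. The message formats, the PBKDF2 password derivation and the HMAC-based encrypt-then-MAC used as a stand-in for a real AEAD are assumptions of this example, not the patent's.

```python
import hashlib
import hmac
import secrets

KEY_LEN, SALT_LEN, NONCE_LEN, TAG_LEN = 32, 16, 16, 32   # sizes are assumptions
PBKDF2_ROUNDS = 100_000
FLAG_PLAINTEXT, FLAG_CIPHERTEXT = 0x00, 0x01   # constructed marks: payload in clear / ciphertext

def derive_kek(password: str, salt: bytes) -> bytes:
    """Turn the user login password (the pre-shared key) into a key-wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under derived subkeys; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class UserDatabase:
    def __init__(self, accounts: dict):
        self._accounts = accounts   # operator-side store: user account -> login password (pre-shared key)

    def key_request(self, account: str):
        """Generate the first session key and wrap it under the user's login password."""
        password = self._accounts[account]                 # KeyError for an unknown account
        first_key, salt = secrets.token_bytes(KEY_LEN), secrets.token_bytes(SALT_LEN)
        return first_key, salt + seal(derive_kek(password, salt), first_key)

class EncryptionGateway:
    def __init__(self, user_db: UserDatabase):
        self._db, self._sessions = user_db, {}   # sessions: account -> first session key

    def handle_request(self, request: dict) -> bytes:
        """Encrypted communication request in; keep the first key, return the second."""
        first_key, second_key = self._db.key_request(request["account"])
        self._sessions[request["account"]] = first_key
        return second_key

    def from_terminal(self, account: str, frame: bytes) -> bytes:
        """The frame's mark tells the gateway whether the payload is ciphertext."""
        if frame[0] == FLAG_CIPHERTEXT:
            return open_sealed(self._sessions[account], frame[1:])
        return frame[1:]

    def to_terminal(self, account: str, internet_data: bytes) -> bytes:
        return bytes([FLAG_CIPHERTEXT]) + seal(self._sessions[account], internet_data)

class Terminal:
    def __init__(self, account: str, password: str):
        self.account, self._password, self.first_key = account, password, None

    def negotiate(self, gateway: EncryptionGateway) -> None:
        """Send the request, then unwrap the second session key with the login password."""
        second_key = gateway.handle_request({"account": self.account})
        salt, wrapped = second_key[:SALT_LEN], second_key[SALT_LEN:]
        self.first_key = open_sealed(derive_kek(self._password, salt), wrapped)

    def send(self, data: bytes, sensitive: bool) -> bytes:
        if sensitive:   # only data judged sensitive is encrypted and marked as ciphertext
            return bytes([FLAG_CIPHERTEXT]) + seal(self.first_key, data)
        return bytes([FLAG_PLAINTEXT]) + data

    def receive(self, frame: bytes) -> bytes:
        return open_sealed(self.first_key, frame[1:]) if frame[0] == FLAG_CIPHERTEXT else frame[1:]

def run_exchange(password_at_terminal: str = "correct horse") -> dict:
    """Whole flow on constructed sample data; returns what each side ends up with."""
    gateway = EncryptionGateway(UserDatabase({"alice": "correct horse"}))
    terminal = Terminal("alice", password_at_terminal)
    terminal.negotiate(gateway)                   # ValueError if the password is wrong
    frame = terminal.send(b"bank login: alice / s3cret", sensitive=True)
    browse = terminal.send(b"GET /news", sensitive=False)
    reply = gateway.to_terminal("alice", b"balance: 42")
    return {
        "keys_match": terminal.first_key == gateway._sessions["alice"],
        "frame": frame,
        "gateway_sees": gateway.from_terminal("alice", frame),
        "browse_sees": gateway.from_terminal("alice", browse),
        "terminal_reads": terminal.receive(reply),
    }
```

A terminal holding the wrong login password cannot unwrap the second session key, so the first session key never leaves the operator side in a form a wireless eavesdropper can use.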
The present embodiment can be used to perform the technical solution of the embodiment shown in Fig. 1; its working principle and technical effect are similar and are not repeated here.
Fig. 6 is a schematic structural diagram of an embodiment of the terminal equipment of the present invention. As shown in Fig. 6, the terminal equipment of the present embodiment comprises an encryption agent module 40 and a communication processing module 41. The encryption agent module 40 is configured to send encrypted communication request information to the encryption gateway through the wireless network, the encrypted communication request information comprising the user account of the user; to receive the second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information; and to decrypt the second session key with the user login password corresponding to the user account to obtain the first session key. The communication processing module 41 is configured to use the first session key to encrypt or decrypt the data messages communicated with the encryption gateway.
Specifically, when the encryption agent module 40 of the terminal equipment detects that the terminal equipment is connecting to the Internet through a wireless network, it starts the operation of searching for the network-side encryption gateway, so as to negotiate with the encryption gateway the session key for the user's secure communication. The communication processing module 41 uses the first session key obtained by the encryption agent module 40 to encrypt or decrypt the data messages communicated with the network-side encryption gateway. In a specific application, the encryption agent module 40 is further configured to obtain access request information for connecting to the Internet through the wireless network; to start searching, according to the access request information, for the encryption gateway deployed on the network side; if it is found, to send connection request information to the encryption gateway; and to receive the connection response information fed back by the encryption gateway. From this connection response information the encryption agent module can determine that a connection with the encryption gateway has been established, and it can then send the encrypted communication request information through the wireless network to the connected encryption gateway.
Specifically, when the encryption agent module 40 learns that the terminal equipment is accessing the Internet through a wireless network, it starts the operation of searching for the network-side encryption gateway, sends a connection request to the encryption gateway found in order to establish a connection with it, and further sends the encrypted communication request information to the connected encryption gateway. After receiving the second session key that the encryption gateway feeds back according to the encrypted communication request information, it decrypts the second session key with the user login password to obtain the first session key used for communication, so that the communication processing module 41 can communicate securely with the processing module 31 of the encryption gateway using this first session key.
In practical application, the encryption agent module 40 above is further configured to judge whether the Internet connection through the wireless network is free access; if so, to send the encrypted communication request information to the network-side encryption gateway found, and to suspend the network communication data flows in progress. The communication processing module 41 is further configured to resume, through communication with the encryption gateway, the suspended network communication data flows, and to encrypt or decrypt the resumed network communication data flows with the first session key.
The present embodiment can be used to perform the technical solution of the embodiment shown in Fig. 3 or Fig. 4; its working principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of the wireless network secure communication system of the present invention. As shown in Fig. 7, the wireless network secure communication system of the present embodiment comprises an encryption gateway on the network side and terminal equipment in the user-side wireless network. The encryption gateway may be the encryption gateway of the embodiment shown in Fig. 5, or, in addition to performing the functions of the embodiment shown in Fig. 5, it may also have the functions of a BAS server. When the encryption gateway has the functions of a BAS server, its communication with the terminal equipment can be connected directly to the Internet; if the encryption gateway only has the functions of obtaining the session key and forwarding encrypted and decrypted data, it accesses the Internet through a BAS server. In Fig. 7, the user-side WiFi AP may be the wireless hotspot through which the user terminal equipment connects to the wireless network, such as a WiFi AP provided in a public place or the WiFi transmitter formed by a wireless modem in the user's home network. The terminal equipment may be the terminal equipment shown in Fig. 6. To communicate securely, the terminal equipment first downloads the encryption agent application from the operator network; subsequently, when the terminal equipment needs secure communication, the encryption agent can start searching for the network-side encryption gateway and negotiate with it the session key used for secure communication. In the present embodiment, the communication between the terminal equipment and the encryption gateway is ciphertext encrypted with the first session key as in any of the embodiments above; therefore the user data communicated on the wireless channel or at the WiFi AP is all ciphertext, and the potential security hazards present in existing wireless communication can be avoided.
Fig. 8 is a signaling diagram of the interaction between the devices in the embodiment shown in Fig. 7. As shown in Fig. 8, when the terminal equipment connects to the Internet through a wireless network, its encryption agent searches for an encryption gateway on its behalf and requests a connection; the encryption gateway responds to the connection request; the encryption agent sends an encrypted communication application to the encryption gateway; according to this application, the encryption gateway applies to the user database for a session key; the user database returns the session keys to the encryption gateway; the encryption gateway distributes the session key to the terminal equipment, that is, as described in the above embodiments, it keeps the first session key itself and returns the second session key to the terminal equipment; the terminal equipment then decrypts the second session key to obtain the first session key, and can use the obtained first session key to communicate securely with the encryption gateway.
The present embodiment can be used to perform the technical solution of any of the above embodiments; its working principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium comprises various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disk.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A wireless network secure communication method, characterized in that it comprises: obtaining encrypted communication request information sent by terminal equipment when accessing a wireless network, the encrypted communication request information comprising a user account of a user;
obtaining, according to the encrypted communication request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account, and the user login password is a stored pre-shared key obtained according to the user account; sending the second session key to the terminal equipment, and using the first session key to encrypt or decrypt data messages communicated with the terminal equipment;
the encrypted communication request is initiated when the terminal detects that it is connecting to the network over a network connection without a security mechanism;
the wireless network uses a WiFi connection mode for networking.
2. The method according to claim 1, characterized in that obtaining, according to the encrypted communication request information, the first session key and the second session key corresponding to the user account comprises:
obtaining the user account carried in the encrypted communication request information;
sending key request information to a user database, the key request information comprising the user account;
receiving the first session key and the second session key corresponding to the user account returned by the user database.
3. The method according to claim 1 or 2, characterized in that using the first session key to encrypt or decrypt data messages communicated with the terminal equipment comprises:
encrypting Internet data messages with the first session key and then sending them to the terminal equipment; and
decrypting the encrypted data messages sent by the terminal equipment with the first session key and then sending them to the Internet.
4. A wireless network secure communication method, characterized in that it comprises:
sending encrypted communication request information to an encryption gateway through a wireless network, the encrypted communication request information comprising a user account of a user;
receiving a second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information, and decrypting the second session key with the user login password corresponding to the user account to obtain a first session key, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account, and the user login password is a pre-shared key stored by the encryption gateway and obtained according to the user account;
using the first session key to encrypt or decrypt data messages communicated with the encryption gateway;
the encrypted communication request is initiated when the terminal detects that it is connecting to the network over a network connection without a security mechanism;
the wireless network uses a WiFi connection mode for networking.
5. The method according to claim 4, characterized in that, before sending the encrypted communication request information to the encryption gateway through the wireless network, the method further comprises:
obtaining access request information for connecting to the Internet through the wireless network;
starting, according to the access request information, a search for the encryption gateway deployed on the network side;
if it is found, sending connection request information to the encryption gateway;
receiving the connection response information fed back by the encryption gateway;
correspondingly, sending the encrypted communication request information to the encryption gateway through the wireless network is specifically:
sending the encrypted communication request information through the wireless network to the encryption gateway that fed back the connection response information.
6. The method according to claim 4 or 5, characterized in that using the first session key to encrypt or decrypt data messages communicated with the encryption gateway comprises:
encrypting a data message to be sent with the first session key and then sending it to the encryption gateway, so that the encryption gateway decrypts the encrypted data message and then sends it to the Internet; and
decrypting received Internet data messages encrypted by the encryption gateway with the first session key.
7. The method according to claim 6, characterized in that, before using the first session key to encrypt or decrypt data messages communicated with the encryption gateway, the method further comprises:
determining, according to the security requirements of the data message to be sent, whether to encrypt it; if the data message to be sent is data with high security requirements, using the first session key to encrypt or decrypt the data message communicated with the encryption gateway, and sending to the encryption gateway a mark indicating that the data message has been encrypted, so that the encryption gateway determines from the mark that the corresponding data message is ciphertext.
8. The method according to claim 4 or 5, characterized in that, before sending the encrypted communication request information to the encryption gateway through the wireless network, the method further comprises:
judging whether the Internet connection through the wireless network is free access; if so, sending the encrypted communication request information to the encryption gateway through the wireless network, and suspending the network communication data flows in progress;
correspondingly, after decrypting the second session key with the user login password corresponding to the user account to obtain the first session key, the method further comprises:
resuming, through communication with the encryption gateway, the suspended network communication data flows, and using the first session key to encrypt or decrypt the resumed network communication data flows.
9. An encryption gateway, characterized in that it comprises:
an acquisition module, configured to obtain encrypted communication request information sent by terminal equipment when accessing a wireless network, the encrypted communication request information comprising a user account of a user; and to obtain, according to the encrypted communication request information, a first session key and a second session key corresponding to the user account, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account, and the user login password is a stored pre-shared key obtained according to the user account; and a processing module, configured to send the second session key to the terminal equipment, and to use the first session key to encrypt or decrypt data messages communicated with the terminal equipment;
the encrypted communication request is initiated when the terminal detects that it is connecting to the network over a network connection without a security mechanism;
the wireless network uses a WiFi connection mode for networking.
10. The encryption gateway according to claim 9, characterized in that the acquisition module is specifically configured to obtain the user account carried in the encrypted communication request information; to send key request information to a user database, the key request information comprising the user account; and to receive the first session key and the second session key corresponding to the user account returned by the user database.
11. The encryption gateway according to claim 9 or 10, characterized in that the processing module is specifically configured to send the second session key to the terminal equipment, to encrypt Internet data messages with the first session key and then send them to the terminal equipment, and to decrypt the encrypted data messages sent by the terminal equipment with the first session key and then send them to the Internet.
12. Terminal equipment, characterized in that it comprises:
an encryption agent module, configured to send encrypted communication request information to an encryption gateway through a wireless network, the encrypted communication request information comprising a user account of a user; to receive a second session key corresponding to the user account that the encryption gateway returns according to the encrypted communication request information; and to decrypt the second session key with the user login password corresponding to the user account to obtain a first session key, wherein the second session key is obtained by encrypting the first session key with the user login password corresponding to the user account, and the user login password is a pre-shared key stored by the encryption gateway and obtained according to the user account;
a communication processing module, configured to use the first session key to encrypt or decrypt data messages communicated with the encryption gateway;
the encrypted communication request is initiated when the terminal detects that it is connecting to the network over a network connection without a security mechanism;
the wireless network uses a WiFi connection mode for networking.
13. The terminal equipment according to claim 12, characterized in that the encryption agent module is further configured to obtain access request information for connecting to the Internet through the wireless network; to start, according to the access request information, a search for the encryption gateway deployed on the network side; if it is found, to send connection request information to the encryption gateway; and to receive the connection response information fed back by the encryption gateway, so as to send the encrypted communication request information through the wireless network to the encryption gateway that fed back the connection response information.
14. The terminal equipment according to claim 12 or 13, characterized in that the communication processing module is specifically configured to encrypt a data message to be sent with the first session key and then send it to the encryption gateway, so that the encryption gateway decrypts the encrypted data message and then sends it to the Internet; and to decrypt received Internet data messages encrypted by the encryption gateway with the first session key.
15. The terminal equipment according to claim 12 or 13, characterized in that the encryption agent module is further configured to judge whether the Internet connection through the wireless network is free access; if so, to send the encrypted communication request information to the encryption gateway through the wireless network, and to suspend the network communication data flows in progress;
the communication processing module is further configured to resume, through communication with the encryption gateway, the suspended network communication data flows, and to use the first session key to encrypt or decrypt the resumed network communication data flows.
16. A wireless network secure communication system, characterized in that it comprises: the encryption gateway according to any one of claims 9 to 11, and the terminal equipment according to any one of claims 12 to 15 in a wireless network.
CN201210158887.8A 2012-05-21 2012-05-21 Terminal equipment, encrypted gateway and method and system for wireless network safety communication Active CN102695168B (en)
Publications (2)

Publication Number Publication Date
CN102695168A CN102695168A (en) 2012-09-26
CN102695168B true CN102695168B (en) 2015-03-25