CN104394123A - A data encryption transmission system and method based on an HTTP - Google Patents
- Publication number
- CN104394123A
- Application number
- CN201410618704.5A
- Authority
- CN
- China
- Prior art keywords
- http
- client
- server
- protocol
- data encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides an HTTP-based data encryption transmission system and method. HTTP is combined with data encryption, two-factor authentication and asymmetric cryptography; every step of the interaction carries a message ID to prevent replay, the ID increases monotonically, and once it exceeds a designated value the session key is recomputed. The invention protects the confidentiality of transmitted information, prevents unauthorized users from accessing the network, and prevents data transmitted over the network from being stolen or tampered with by eavesdroppers.
Description
Technical field
The present invention relates to an HTTP-based data encryption transmission system and method, and in particular to an HTTP-based data encryption transmission system and method suitable for the confidential transmission of information.
Background technology
HTTP is an application-layer protocol; because it is simple and fast, it is well suited to distributed hypermedia information systems. With the growth of web applications, the security requirements placed on the HTTP protocol have reached an unprecedented level.
However, conventional techniques such as HTTPS prevent gateways and proxy systems from processing the HTTP protocol effectively, and they forfeit the advantages HTTP has for transmission over a network. The present invention implements the security functions inside HTTP itself, which makes the approach easier to use and more compatible.
Summary of the invention
The technical problem to be solved by the present invention is to provide an HTTP-based data encryption transmission system and method that make the HTTP protocol secure and reliable and make encrypted data transmission easier to use and more compatible.
The technical solution adopted by the present invention is as follows. An HTTP-based data encryption transmission system comprises a client and a server, and is characterized in that it further comprises:
an HTTP data encryption transmission control, which provides its services to user programs in the form of a dynamic library;
an authentication module, which performs two-factor authentication of the user logging in.
Preferably, the system further comprises a session key agreement module, which uses an asymmetric key algorithm to perform session key agreement between the client and the server.
An HTTP-based data encryption transmission system comprises a client and a server, and is characterized in that it further comprises:
an HTTP data encryption transmission control, which provides its services to user programs in the form of a dynamic library;
a session key agreement module, which uses an asymmetric key algorithm to perform session key agreement between the client and the server.
An HTTP-based data encryption transmission method is characterized in that an HTTP data encryption transmission control provides its services to user programs in the form of a dynamic library; a session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the computed session key is used for the encryption and decryption operations of the data transmission.
Preferably, the method further comprises two-factor authentication of the user logging in, which binds the user account to a cryptographic hardware module.
Preferably, the specific steps of the key agreement are:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages the encrypted ER1 together with the generated signature SHR1 into an HTTP response packet that is passed to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the public key of the server;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the public key of the server to obtain the ciphertext ER2, and packages ER2 together with SHR2 into an HTTP packet that is sent to the server;
Step 5: the server decrypts ER2 with its private key to obtain R2, then verifies the client's signature SHR2;
Step 6: the client (and likewise the server) computes the session key as the XOR of R1 and R2.
Preferably, the method further comprises including a monotonically increasing message MSGID in each message; after the MSGID reaches a certain value, the client and the server re-run the key agreement.
An HTTP-based data encryption transmission method is characterized in that an HTTP data encryption transmission control provides its services to user programs in the form of a dynamic library, and two-factor authentication binding the user account to a cryptographic hardware module is performed on the user logging in.
Preferably, the method further comprises including a monotonically increasing message MSGID in each message; after the MSGID reaches a certain value, the client and the server re-run the key agreement.
Compared with the prior art, the beneficial effects of the invention are: it prevents unauthorized users from accessing the network, prevents data from being eavesdropped, replayed or tampered with in transit, and protects the network channel.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further elaborated below in conjunction with embodiments. It should be understood that the specific embodiments described herein are only intended to explain the present invention and are not intended to limit it.
Any feature disclosed in this specification (including any accompanying claims and the abstract), unless specifically stated otherwise, may be replaced by another feature that is equivalent or serves a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
An HTTP-based data encryption transmission system comprises a client and a server, and further comprises:
an HTTP data encryption transmission control, which provides its services to user programs in the form of a dynamic library; combining cryptographic techniques with the HTTP protocol makes the protocol more secure and reliable;
an authentication module, which performs two-factor authentication of the user logging in, namely binding the user account to a cryptographic hardware module;
a session key agreement module, which uses an asymmetric key algorithm to perform session key agreement between the client and the server.
In an HTTP-based data encryption transmission method, an HTTP data encryption transmission control provides its services to user programs in the form of a dynamic library.
The session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the computed session key is used for the encryption and decryption operations of the data transmission. The private keys of both the client and the server are stored in cryptographic hardware modules, which guarantees a high level of key security and at the same time authenticates the identities of both communicating parties.
Two-factor authentication binding the user account to the cryptographic hardware module is performed on the user logging in. Using the hardware together with the user's password reduces the unauthorized access to and destruction of data that result from leaked accounts and passwords.
In this specific embodiment, the specific steps of the key agreement are:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages the encrypted ER1 together with the generated signature SHR1 into an HTTP response packet that is passed to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the public key of the server;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the public key of the server to obtain the ciphertext ER2, and packages ER2 together with SHR2 into an HTTP packet that is sent to the server;
Step 5: the server decrypts ER2 with its private key to obtain R2, then verifies the client's signature SHR2;
Step 6: the client (and likewise the server) computes the session key as the XOR of R1 and R2.
Subsequent data transmission uses the session key computed in step 6 for symmetric encryption and decryption, which improves the confidentiality and integrity of HTTP data transmission, prevents unauthorized users from accessing the network, and prevents data from being eavesdropped and transmissions from being tampered with.
The method further comprises including a monotonically increasing message MSGID in each message; after the MSGID reaches a certain value, the client and the server re-run the key agreement to protect the confidentiality of the session key, and at the same time message replay attacks are prevented.
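The six-step exchange above, run end to end with both parties in one process, as an added example that is not the patent's own code. It uses the `cryptography` package (assumed installed); RSA-OAEP for ER1/ER2 and RSA-PSS for SHR1/SHR2 are this example's choices, since the patent names neither a padding scheme nor a key size, and SHA-256 stands in for MD5, which is collision-broken. The server's public key is assumed to be pre-provisioned on the client, which the patent leaves unstated. Step 6 is kept as written (the key is R1 XOR R2); note that because the client picks R2 after seeing R1, XOR lets a client force any session key it wants, which is why practice runs both values through a KDF instead. The class and function names (`Party`, `run_handshake`, `substituted_r1_is_rejected`) are hypothetical.

```python
"""Added example: the patent's six-step RSA key agreement, both sides in-process.
Not the patent's code; padding, hash and key size are this example's choices."""
import hashlib
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NONCE_LEN = 32  # R1 and R2 are 32 random bytes, so R1 XOR R2 is 256 bits

# Assumption: the patent names no padding scheme; OAEP and PSS are used here.
_OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def digest(r: bytes) -> bytes:
    """HR = H(R). The patent uses MD5; SHA-256 is substituted (MD5 is collision-broken)."""
    return hashlib.sha256(r).digest()


class Party:
    """One endpoint with a long-term RSA key pair (the patent keeps the private key in hardware)."""

    def __init__(self, name: str):
        self.name = name
        self.private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self.private_key.public_key()
        self.peer_public_key = None  # learned in step 1 (server) or pre-provisioned (client)
        self.session_key = None

    def public_key_pem(self) -> bytes:
        return self.public_key.public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    def load_peer_public_key(self, pem: bytes) -> None:
        self.peer_public_key = serialization.load_pem_public_key(pem)

    def offer(self):
        """Steps 2 and 4: pick R, sign H(R) with our key, encrypt R to the peer. Returns (R, packet)."""
        r = os.urandom(NONCE_LEN)
        packet = {
            "ER": self.peer_public_key.encrypt(r, _OAEP),
            "SHR": self.private_key.sign(digest(r), _PSS, hashes.SHA256()),
        }
        return r, packet

    def accept(self, packet: dict) -> bytes:
        """Steps 3 and 5: decrypt R with our private key, then verify the peer's signature over H(R).
        Raises InvalidSignature if R was substituted by someone holding only our public key."""
        r = self.private_key.decrypt(packet["ER"], _OAEP)
        self.peer_public_key.verify(packet["SHR"], digest(r), _PSS, hashes.SHA256())
        return r


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_handshake(client: Party, server: Party) -> bytes:
    """Drives steps 1-6 between two in-process parties and returns the agreed session key."""
    # Step 1: client sends its public key. Assumption: the server's public key is already
    # provisioned on the client (the patent does not say how the client obtains it).
    server.load_peer_public_key(client.public_key_pem())
    client.load_peer_public_key(server.public_key_pem())
    # Step 2: server -> client: ER1 = Enc_clientpub(R1), SHR1 = Sign_server(H(R1))
    r1, pkt1 = server.offer()
    # Step 3: client recovers R1 and checks the server's signature
    r1_at_client = client.accept(pkt1)
    # Step 4: client -> server: ER2 = Enc_serverpub(R2), SHR2 = Sign_client(H(R2))
    r2, pkt2 = client.offer()
    # Step 5: server recovers R2 and checks the client's signature
    r2_at_server = server.accept(pkt2)
    # Step 6: both sides compute R1 XOR R2 independently
    client.session_key = xor_bytes(r1_at_client, r2)
    server.session_key = xor_bytes(r1, r2_at_server)
    return client.session_key


def substituted_r1_is_rejected(client: Party, server: Party) -> bool:
    """An attacker holding only the client's public key re-encrypts its own R1'; step 3 must fail."""
    server.load_peer_public_key(client.public_key_pem())
    client.load_peer_public_key(server.public_key_pem())
    attacker = Party("attacker")
    attacker.load_peer_public_key(client.public_key_pem())
    _, forged = attacker.offer()  # well-formed ER1, but SHR1 is signed with the attacker's key
    try:
        client.accept(forged)
    except InvalidSignature:
        return True
    return False


if __name__ == "__main__":
    c, s = Party("client"), Party("server")
    key = run_handshake(c, s)
    print("session key agreed:", c.session_key == s.session_key, key.hex())
    print("substituted R1 rejected:", substituted_r1_is_rejected(Party("client"), Party("server")))
```

The `substituted_r1_is_rejected` check shows what the signatures buy: anyone holding the client's public key can produce a well-formed ER1, so without SHR1 the client would accept an attacker's R1 and, after step 6, share a key with the attacker rather than the server.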
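The MSGID rule in the paragraph above, implemented as sender and receiver state, as an added example that is not the patent's own code (standard library only; the names `Sender`, `Receiver`, `REKEY_AT` and `run_scenario` are this example's). The patent only says the traffic is encrypted under the session key; this example adds an HMAC over (MSGID, body) so that the receiver can tell a replayed or renumbered message from a genuine one, and runs a constructed scenario with a threshold of 3 to keep the output short. The ciphertext itself is left out; in the patent it would be the symmetric encryption from step 6.

```python
"""Added example: monotonically increasing MSGID with replay rejection and a rekey
threshold. Not the patent's code; the HMAC tag and the threshold value are assumptions."""
import hashlib
import hmac
import os

REKEY_AT = 1000  # "a certain value" in the patent; the number is this example's choice


class RekeyRequired(Exception):
    """Raised when MSGID has reached the threshold and key agreement must be re-run."""


def message_tag(key: bytes, msgid: int, body: bytes) -> bytes:
    """HMAC over (MSGID || body) under the session key, so a captured message cannot be
    re-numbered. Assumption: the patent only says traffic is encrypted; the tag is added
    here to make the MSGID check enforceable."""
    return hmac.new(key, msgid.to_bytes(8, "big") + body, hashlib.sha256).digest()


class Sender:
    def __init__(self, session_key: bytes, rekey_at: int = REKEY_AT):
        self.key, self.rekey_at, self.next_id = session_key, rekey_at, 1

    def send(self, body: bytes) -> dict:
        if self.next_id > self.rekey_at:
            raise RekeyRequired("MSGID exhausted under this session key")
        msgid, self.next_id = self.next_id, self.next_id + 1
        return {"msgid": msgid, "body": body, "tag": message_tag(self.key, msgid, body)}

    def rekey(self, session_key: bytes) -> None:
        """Install the key from a fresh handshake; MSGID restarts, so (key, MSGID) never repeats."""
        self.key, self.next_id = session_key, 1


class Receiver:
    def __init__(self, session_key: bytes, rekey_at: int = REKEY_AT):
        self.key, self.rekey_at, self.last_seen = session_key, rekey_at, 0

    def receive(self, msg: dict) -> bytes:
        msgid, body = msg["msgid"], msg["body"]
        if not hmac.compare_digest(msg["tag"], message_tag(self.key, msgid, body)):
            raise ValueError("bad tag: forged, modified, or sent under another session key")
        if msgid <= self.last_seen:
            raise ValueError(f"replay: MSGID {msgid} not greater than last seen {self.last_seen}")
        if msgid > self.rekey_at:
            raise ValueError(f"MSGID {msgid} exceeds rekey threshold {self.rekey_at}")
        self.last_seen = msgid
        return body

    def rekey(self, session_key: bytes) -> None:
        self.key, self.last_seen = session_key, 0


def run_scenario(rekey_at: int = 3) -> dict:
    """Constructed scenario: fill a session up to the threshold, replay one message,
    try to send past the threshold, then rekey and continue."""
    key = os.urandom(32)  # stands in for R1 XOR R2 from the handshake
    tx, rx = Sender(key, rekey_at), Receiver(key, rekey_at)
    sent = [tx.send(b"payload %d" % i) for i in range(1, rekey_at + 1)]
    delivered = [rx.receive(m) for m in sent]

    def rejected(action) -> bool:
        try:
            action()
        except (ValueError, RekeyRequired):
            return True
        return False

    result = {
        "delivered": len(delivered),
        "replay_rejected": rejected(lambda: rx.receive(sent[0])),
        "send_past_threshold_rejected": rejected(lambda: tx.send(b"one more")),
    }
    new_key = os.urandom(32)  # would come from re-running steps 1-6
    tx.rekey(new_key)
    rx.rekey(new_key)
    result["after_rekey"] = rx.receive(tx.send(b"fresh session"))
    # A message captured under the old key fails the tag check in the new session,
    # even though its MSGID (2) is above last_seen (1) again after the counter reset.
    result["old_message_rejected_after_rekey"] = rejected(lambda: rx.receive(sent[1]))
    return result


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Resetting the counter on rekey is only safe because the key changes with it; the tag binds each MSGID to the key in force, which is what stops a message recorded in an earlier session from being replayed once the numbers come round again.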
Claims (9)
1. An HTTP-based data encryption transmission system comprising a client and a server, characterized in that it further comprises:
an HTTP data encryption transmission control, which provides its services to user programs in the form of a dynamic library;
an authentication module, which performs two-factor authentication of the user logging in.
2. The data encryption transmission system according to claim 1, characterized in that it further comprises a session key agreement module, which uses an asymmetric key algorithm to perform session key agreement between the client and the server.
3. An HTTP-based data encryption transmission system comprising a client and a server, characterized in that it further comprises:
an HTTP data encryption transmission control, which provides its services to user programs in the form of a dynamic library;
a session key agreement module, which uses an asymmetric key algorithm to perform session key agreement between the client and the server.
4. An HTTP-based data encryption transmission method, characterized in that an HTTP data encryption transmission control provides its services to user programs in the form of a dynamic library; a session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the computed session key is used for the encryption and decryption operations of the data transmission.
5. The data encryption transmission method according to claim 4, characterized in that the method further comprises two-factor authentication of the user logging in, which binds the user account to a cryptographic hardware module.
6. The data encryption transmission method according to claim 4, characterized in that the specific steps of the key agreement are:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages the encrypted ER1 together with the generated signature SHR1 into an HTTP response packet that is passed to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the public key of the server;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the public key of the server to obtain the ciphertext ER2, and packages ER2 together with SHR2 into an HTTP packet that is sent to the server;
Step 5: the server decrypts ER2 with its private key to obtain R2, then verifies the client's signature SHR2;
Step 6: the client (and likewise the server) computes the session key as the XOR of R1 and R2.
7. The data encryption transmission method according to any one of claims 4 to 6, characterized in that the method further comprises including a monotonically increasing message MSGID in each message, and after the MSGID reaches a certain value the client and the server re-run the key agreement.
8. An HTTP-based data encryption transmission method, characterized in that an HTTP data encryption transmission control provides its services to user programs in the form of a dynamic library, and two-factor authentication binding the user account to a cryptographic hardware module is performed on the user logging in.
9. The data encryption transmission method according to claim 8, characterized in that the method further comprises including a monotonically increasing message MSGID in each message, and after the MSGID reaches a certain value the client and the server re-run the key agreement.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410618704.5A CN104394123A (en) | 2014-11-06 | 2014-11-06 | A data encryption transmission system and method based on an HTTP |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410618704.5A CN104394123A (en) | 2014-11-06 | 2014-11-06 | A data encryption transmission system and method based on an HTTP |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104394123A true CN104394123A (en) | 2015-03-04 |
Family
ID=52611959
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410618704.5A Pending CN104394123A (en) | 2014-11-06 | 2014-11-06 | A data encryption transmission system and method based on an HTTP |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104394123A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101231737A (en) * | 2008-02-25 | 2008-07-30 | 北京飞天诚信科技有限公司 | Method and system for enhancing internet bank trade security |
CN101674304A (en) * | 2009-10-15 | 2010-03-17 | 浙江师范大学 | Network identity authentication system and method |
CN102664739A (en) * | 2012-04-26 | 2012-09-12 | 杜丽萍 | PKI (Public Key Infrastructure) implementation method based on safety certificate |
CN103905384A (en) * | 2012-12-26 | 2014-07-02 | 北京握奇数据系统有限公司 | Embedded inter-terminal session handshake realization method based on security digital certificate |
WO2014179535A1 (en) * | 2013-05-03 | 2014-11-06 | Citrix Systems, Inc. | Secured access to resources using a proxy |
Non-Patent Citations (1)
Title |
---|
王宇飞 (Wang Yufei), 一种基于HTTP摘要认证的SIP安全机制 (A SIP security mechanism based on HTTP digest authentication), 重庆邮电学院学报 (Journal of Chongqing University of Posts and Telecommunications) * |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106713237A (en) * | 2015-11-16 | 2017-05-24 | 厦门雅迅网络股份有限公司 | Encryption method of vehicle-mounted terminal and center platform communication |
CN106713237B (en) * | 2015-11-16 | 2021-03-23 | 厦门雅迅网络股份有限公司 | Encryption method for communication between vehicle-mounted terminal and central platform |
CN105591738A (en) * | 2015-12-22 | 2016-05-18 | 杭州华三通信技术有限公司 | Key update method and device |
CN105591738B (en) * | 2015-12-22 | 2018-12-25 | 新华三技术有限公司 | Key updating method and device |
CN105763335B (en) * | 2016-05-09 | 2019-03-12 | 浪潮集团有限公司 | Authentication implementation method for a double-signature digital certificate |
CN105763335A (en) * | 2016-05-09 | 2016-07-13 | 浪潮集团有限公司 | Double-signature digital certificate authentication implementation method |
CN106572076A (en) * | 2016-09-27 | 2017-04-19 | 山东浪潮商用系统有限公司 | Web service access method, client side and server side |
CN106685937A (en) * | 2016-12-16 | 2017-05-17 | 华数传媒网络有限公司 | Custom Internet TV HTTP protocol method based on Netty encapsulation |
CN106685937B (en) * | 2016-12-16 | 2019-12-31 | 华数传媒网络有限公司 | Customized internet television HTTP protocol method based on Netty packaging |
CN107302541A (en) * | 2017-07-31 | 2017-10-27 | 成都蓝码科技发展有限公司 | Data encryption transmission method based on the HTTP protocol |
CN110650113A (en) * | 2018-04-24 | 2020-01-03 | 物联智慧股份有限公司 | Data encryption and decryption method and system, networking device and data encryption and decryption method thereof |
CN109088731A (en) * | 2018-09-04 | 2018-12-25 | 杭州涂鸦信息技术有限公司 | Internet of Things cloud communication method and device |
CN109495445A (en) * | 2018-09-30 | 2019-03-19 | 青岛海尔科技有限公司 | Identity authentication method, device, terminal, server and medium based on the Internet of Things |
CN109862040A (en) * | 2019-03-27 | 2019-06-07 | 北京经纬恒润科技有限公司 | Security authentication method and authentication system |
CN109862040B (en) * | 2019-03-27 | 2021-08-24 | 北京经纬恒润科技股份有限公司 | Security authentication method and authentication system |
CN110421575A (en) * | 2019-08-06 | 2019-11-08 | 南京奥拓电子科技有限公司 | Control system for the peripheral components of a banking robot |
CN112383392A (en) * | 2020-11-13 | 2021-02-19 | 随锐科技集团股份有限公司 | Video conference alternate encryption method and device and computer readable storage medium |
CN114143026A (en) * | 2021-10-26 | 2022-03-04 | 福建福诺移动通信技术有限公司 | Data security interface based on asymmetric and symmetric encryption and working method thereof |
CN114143026B (en) * | 2021-10-26 | 2024-01-23 | 福建福诺移动通信技术有限公司 | Data security interface based on asymmetric and symmetric encryption and working method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20150304 |