CN104394123A - A data encryption transmission system and method based on an HTTP - Google Patents

Info

Publication number: CN104394123A
Authority: CN (China)
Prior art keywords: http, client, server, protocol, data encryption
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201410618704.5A
Other languages: Chinese (zh)
Inventors: 孙付, 李雪兵, 何文森
Current assignee: Chengdu Westone Information Industry Inc
Original assignee: Chengdu Westone Information Industry Inc
Priority date: 2014-11-06
Filing date: 2014-11-06
Publication date: 2015-03-04

Classifications

All classes fall under H04L (Electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0442: Network architectures or protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/0823: Network architectures or protocols for network security for authentication of entities using certificates
    • H04L 63/10: Network architectures or protocols for network security for controlling access to devices or network resources
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 9/3247: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a data encryption transmission system and method based on HTTP. HTTP is combined with data encryption, two-factor authentication and asymmetric encryption; every step of the exchange carries a message ID to prevent replay, the ID increases monotonically, and when the ID exceeds a designated value the session key is renegotiated. The invention protects the confidentiality of transmitted information, prevents users from accessing the network illegally, and prevents data transmitted on the network from being stolen or tampered with by eavesdroppers.

Description

A data encryption transmission system and method based on the HTTP protocol
Technical field
The present invention relates to a data encryption transmission system and method based on the HTTP protocol, and in particular to such a system and method suitable for the confidential transmission of information.
Background technology
HTTP is an application-layer protocol; because it is simple and fast, it is well suited to distributed hypermedia information systems. With the growth of web applications, the security requirements placed on the HTTP protocol have reached unprecedented heights.
However, conventional techniques such as HTTPS prevent gateways and proxies from processing the HTTP protocol effectively, and lose the advantages HTTP has in transmission over networks. The present invention implements the security functions inside HTTP itself, which makes the approach easier to use and more compatible.
Summary of the invention
The technical problem to be solved by the present invention is to provide a data encryption transmission system and method based on the HTTP protocol that make the HTTP protocol secure and reliable, and make encrypted data transmission easier to use and more compatible.
The technical solution adopted by the present invention is as follows. A data encryption transmission system based on the HTTP protocol comprises a client and a server, and is characterised in that it further comprises:
an HTTP encrypted-transmission control, which provides services to user programs in the form of a dynamic library;
an authentication module, which performs two-factor authentication of the logging-in user.
Preferably, the system further comprises a session key agreement module, which uses an asymmetric key algorithm to negotiate a session key between the client and the server.
A data encryption transmission system based on the HTTP protocol comprises a client and a server, and is characterised in that it further comprises:
an HTTP encrypted-transmission control, which provides services to user programs in the form of a dynamic library;
a session key agreement module, which uses an asymmetric key algorithm to negotiate a session key between the client and the server.
A data encryption transmission method based on the HTTP protocol is characterised in that an HTTP encrypted-transmission control provides services to user programs in the form of a dynamic library; a session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the resulting session key is used for the encryption and decryption of the transmitted data.
Preferably, the method further comprises two-factor authentication of the logging-in user, binding the user account to a cryptographic hardware module.
Preferably, the key agreement consists of the following steps:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages ER1 together with the signature SHR1 into an HTTP response that is returned to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the server's public key;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the server's public key to obtain the ciphertext ER2, and sends ER2 together with SHR2 to the server in an HTTP request;
Step 5: the server decrypts ER2 with its private key to obtain R2, and verifies the client's signature SHR2;
Step 6: the client and the server each compute the session key as R1 XOR R2.
Preferably, the method further comprises including a monotonically increasing message identifier MSGID in every message; once MSGID reaches a designated value, the client and the server perform key agreement again.
A data encryption transmission method based on the HTTP protocol is characterised in that an HTTP encrypted-transmission control provides services to user programs in the form of a dynamic library, and two-factor authentication binding the user account to a cryptographic hardware module is performed on the logging-in user.
Preferably, the method further comprises including a monotonically increasing message identifier MSGID in every message; once MSGID reaches a designated value, the client and the server perform key agreement again.
Compared with the prior art, the present invention has the following beneficial effects: it prevents unauthorised users from accessing the network, prevents transmitted data from being eavesdropped on, replayed or tampered with, and so protects the network channel.
Embodiment
In order to make the object, technical solution and advantages of the present invention clearer, the present invention is further explained below in conjunction with an embodiment. It should be understood that the specific embodiment described here serves only to explain the present invention and is not intended to limit it.
Unless specifically stated otherwise, any feature disclosed in this specification (including any accompanying claims and the abstract) may be replaced by another equivalent or alternative feature serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
A data encryption transmission system based on the HTTP protocol comprises a client and a server, and further comprises:
an HTTP encrypted-transmission control, which provides services to user programs in the form of a dynamic library; combining cryptographic techniques with the HTTP protocol makes it more secure and reliable;
an authentication module, which performs two-factor authentication of the logging-in user, namely binding the user account to a cryptographic hardware module;
a session key agreement module, which uses an asymmetric key algorithm to negotiate a session key between the client and the server.
In a data encryption transmission method based on the HTTP protocol, the HTTP encrypted-transmission control provides services to user programs in the form of a dynamic library.
The session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the resulting session key is used for the encryption and decryption of the transmitted data. The private keys of both the client and the server are held in cryptographic hardware modules, which ensures a high level of key security and at the same time authenticates the identities of both communicating parties.
Two-factor authentication binding the user account to a cryptographic hardware module is performed on the logging-in user. Requiring both the hardware module and the user's password reduces the unauthorised access to and destruction of data that result from leaked accounts and passwords.
In this specific embodiment, the key agreement consists of the following steps:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages ER1 together with the signature SHR1 into an HTTP response that is returned to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the server's public key;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the server's public key to obtain the ciphertext ER2, and sends ER2 together with SHR2 to the server in an HTTP request;
Step 5: the server decrypts ER2 with its private key to obtain R2, and verifies the client's signature SHR2;
Step 6: the client and the server each compute the session key as R1 XOR R2.
The subsequent data transmission uses the session key computed in step 6 for symmetric encryption and decryption, which improves the confidentiality and integrity of data transmitted over HTTP, prevents unauthorised users from accessing the network, and prevents transmitted data from being eavesdropped on or tampered with.
The method further comprises including a monotonically increasing message identifier MSGID in every message; once MSGID reaches a designated value, the client and the server perform key agreement again, which preserves the confidentiality of the session key and at the same time prevents message replay attacks.
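The key agreement of steps 1 to 6 and the MSGID rule, as an added worked example; this is not code from the patent or from the applicant, and the description does not say which asymmetric algorithm, symmetric cipher or threshold value is used. Assumptions: textbook RSA over fixed Mersenne primes stands in for the hardware-backed asymmetric algorithm so the exchange runs offline with only the Python standard library (this is not secure RSA: no padding, short moduli); R1 and R2 are 16 bytes; the re-key threshold is 1000 messages; and the client already holds the server's public key, since the text does not say how it is obtained (the H04L 63/0823 classification suggests certificates). The receiver-side MSGID check is the part the text leaves implicit: a receiver must remember the last accepted identifier and reject anything not strictly greater, otherwise the counter prevents nothing. MD5 is kept only because the description specifies it; it is no longer an acceptable hash for signatures.

```python
"""Added example for CN104394123A: key agreement steps 1-6 plus the MSGID rule.
Textbook RSA over fixed Mersenne primes stands in for the hardware-backed
asymmetric algorithm (NOT secure RSA: no padding, short moduli); MD5 only because the text specifies it."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed parameters: four distinct Mersenne primes give two moduli above
# 2^128, so a 16-byte random number and an MD5 digest both fit below each n.
TOY_PRIMES = [(1 << 127) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 61) - 1]
PUBLIC_EXPONENT = 65537
REKEY_THRESHOLD = 1000  # assumption: the text only says "a certain value"

def rsa_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))

def rsa_apply(key, x):
    """x^k mod n: encryption with (n, e); decryption or signing with (n, d)."""
    n, k = key
    return pow(x, k, n)

def md5_int(data):
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sign(priv, data):
    """SHR = HR^d mod n, the signature over the MD5 digest HR of the data."""
    return rsa_apply(priv, md5_int(data))

def verify(pub, data, sig):
    return rsa_apply(pub, sig) == md5_int(data)

class ReplayError(Exception):
    """A message arrived whose MSGID is not strictly greater than the last one."""

@dataclass
class Party:
    name: str
    pub: tuple
    priv: tuple
    peer_pub: tuple = None
    session_key: bytes = None
    send_id: int = 0
    last_recv_id: int = 0

    def check_msgid(self, msgid, threshold=REKEY_THRESHOLD):
        """Reject replays; return True once MSGID reaches the re-key threshold."""
        if msgid <= self.last_recv_id:
            raise ReplayError(f"{self.name}: MSGID {msgid} <= {self.last_recv_id}")
        self.last_recv_id = msgid
        return msgid >= threshold

    def next_message(self, payload):
        """Frame a payload with this party's next (strictly increasing) MSGID."""
        self.send_id += 1
        return (self.send_id, payload)

def key_agreement(client, server):
    """Steps 1-6; afterwards both parties hold the same 16-byte session key."""
    server.peer_pub = client.pub                        # step 1: client public key
    r1 = secrets.token_bytes(16)                        # step 2 (server)
    shr1 = sign(server.priv, r1)
    er1 = rsa_apply(server.peer_pub, int.from_bytes(r1, "big"))
    r1_c = rsa_apply(client.priv, er1).to_bytes(16, "big")  # step 3 (client)
    if not verify(client.peer_pub, r1_c, shr1):
        raise ValueError("server signature on R1 does not verify")
    r2 = secrets.token_bytes(16)                        # step 4 (client)
    shr2 = sign(client.priv, r2)
    er2 = rsa_apply(client.peer_pub, int.from_bytes(r2, "big"))
    r2_s = rsa_apply(server.priv, er2).to_bytes(16, "big")  # step 5 (server)
    if not verify(server.peer_pub, r2_s, shr2):
        raise ValueError("client signature on R2 does not verify")
    # step 6: both sides compute R1 XOR R2 and restart the MSGID counters
    client.session_key = bytes(a ^ b for a, b in zip(r1_c, r2))
    server.session_key = bytes(a ^ b for a, b in zip(r1, r2_s))
    client.send_id = server.send_id = client.last_recv_id = server.last_recv_id = 0
    return client.session_key

def demo(threshold=REKEY_THRESHOLD):
    """Handshake, messages up to the threshold, forced re-key, then a replay."""
    client = Party("client", *rsa_keypair(TOY_PRIMES[0], TOY_PRIMES[1]))
    server = Party("server", *rsa_keypair(TOY_PRIMES[2], TOY_PRIMES[3]))
    client.peer_pub = server.pub  # assumption: server key is pre-provisioned
    first_key = key_agreement(client, server)
    second_key = first_key
    for _i in range(threshold):
        msgid, _payload = client.next_message(b"GET /resource")
        if server.check_msgid(msgid, threshold):
            second_key = key_agreement(client, server)  # MSGID hit the limit
    msgid, _payload = client.next_message(b"POST /data")
    server.check_msgid(msgid, threshold)
    try:
        server.check_msgid(msgid, threshold)  # same MSGID again: a replay
        replay_detected = False
    except ReplayError:
        replay_detected = True
    return {"keys_match": client.session_key == server.session_key,
            "key_len": len(first_key), "rekeyed": second_key != first_key,
            "replay_detected": replay_detected}
```

demo(threshold=5) runs one handshake, five framed messages (the fifth reaches the threshold and forces a second handshake), then presents the same MSGID twice and reports that the replay was rejected. Because key_agreement resets both counters, a re-key also restarts the MSGID sequence, which is why the replay check has to be tied to the current session key rather than to a global counter.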

Claims (9)

1. A data encryption transmission system based on the HTTP protocol, comprising a client and a server, characterised in that it further comprises:
an HTTP encrypted-transmission control, which provides services to user programs in the form of a dynamic library;
an authentication module, which performs two-factor authentication of the logging-in user.
2. The data encryption transmission system according to claim 1, characterised in that it further comprises a session key agreement module, which uses an asymmetric key algorithm to negotiate a session key between the client and the server.
3. A data encryption transmission system based on the HTTP protocol, comprising a client and a server, characterised in that it further comprises:
an HTTP encrypted-transmission control, which provides services to user programs in the form of a dynamic library;
a session key agreement module, which uses an asymmetric key algorithm to negotiate a session key between the client and the server.
4. A data encryption transmission method based on the HTTP protocol, characterised in that an HTTP encrypted-transmission control provides services to user programs in the form of a dynamic library; a session key agreement module uses an asymmetric cryptographic algorithm to negotiate a session key between the client and the server, and the resulting session key is used for the encryption and decryption of the transmitted data.
5. The data encryption transmission method according to claim 4, characterised in that the method further comprises two-factor authentication of the logging-in user, binding the user account to a cryptographic hardware module.
6. The data encryption transmission method according to claim 4, characterised in that the key agreement consists of the following steps:
Step 1: the HTTP client sends the client public key to the HTTP server;
Step 2: the HTTP server generates a random number R1, computes the MD5 digest HR1 of R1, signs HR1 with its private key to obtain SHR1, encrypts R1 with the client public key to obtain ER1, and packages ER1 together with the signature SHR1 into an HTTP response that is returned to the client;
Step 3: the client decrypts ER1 with its private key to obtain the plaintext R1, computes the MD5 digest of R1, and verifies the signature SHR1 with the server's public key;
Step 4: the client generates a random number R2, computes the MD5 digest HR2 of R2, signs HR2 with its private key to obtain the signature SHR2, encrypts R2 with the server's public key to obtain the ciphertext ER2, and sends ER2 together with SHR2 to the server in an HTTP request;
Step 5: the server decrypts ER2 with its private key to obtain R2, and verifies the client's signature SHR2;
Step 6: the client and the server each compute the session key as R1 XOR R2.
7. The data encryption transmission method according to any one of claims 4 to 6, characterised in that the method further comprises including a monotonically increasing message identifier MSGID in every message, and, once MSGID reaches a designated value, the client and the server perform key agreement again.
8. A data encryption transmission method based on the HTTP protocol, characterised in that an HTTP encrypted-transmission control provides services to user programs in the form of a dynamic library, and two-factor authentication binding the user account to a cryptographic hardware module is performed on the logging-in user.
9. The data encryption transmission method according to claim 8, characterised in that the method further comprises including a monotonically increasing message identifier MSGID in every message, and, once MSGID reaches a designated value, the client and the server perform key agreement again.
Priority Applications (1)

Application Number: CN201410618704.5A
Priority Date: 2014-11-06
Filing Date: 2014-11-06
Title: A data encryption transmission system and method based on an HTTP
Status: Pending

Publications (1)

Publication Number: CN104394123A
Publication Date: 2015-03-04

Family

ID=52611959

Country Status (1)

CN: CN104394123A

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231737A (en) * 2008-02-25 2008-07-30 北京飞天诚信科技有限公司 Method and system for enhancing internet bank trade security
CN101674304A (en) * 2009-10-15 2010-03-17 浙江师范大学 Network identity authentication system and method
CN102664739A (en) * 2012-04-26 2012-09-12 杜丽萍 PKI (Public Key Infrastructure) implementation method based on safety certificate
CN103905384A (en) * 2012-12-26 2014-07-02 北京握奇数据系统有限公司 Embedded inter-terminal session handshake realization method based on security digital certificate
WO2014179535A1 (en) * 2013-05-03 2014-11-06 Citrix Systems, Inc. Secured access to resources using a proxy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王宇飞: "一种基于HTTP摘要认证的SIP安全机制" (A SIP security mechanism based on HTTP digest authentication), 《重庆邮电学院学报》 (Journal of Chongqing University of Posts and Telecommunications) *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713237A (en) * 2015-11-16 2017-05-24 厦门雅迅网络股份有限公司 Encryption method of vehicle-mounted terminal and center platform communication
CN106713237B (en) * 2015-11-16 2021-03-23 厦门雅迅网络股份有限公司 Encryption method for communication between vehicle-mounted terminal and central platform
CN105591738A (en) * 2015-12-22 2016-05-18 杭州华三通信技术有限公司 Key update method and device
CN105591738B (en) * 2015-12-22 2018-12-25 新华三技术有限公司 A kind of key updating method and device
CN105763335B (en) * 2016-05-09 2019-03-12 浪潮集团有限公司 A kind of certification implementation method of doubled sign digital certificate
CN105763335A (en) * 2016-05-09 2016-07-13 浪潮集团有限公司 Double-signature-digital-certificate certification realizing method
CN106572076A (en) * 2016-09-27 2017-04-19 山东浪潮商用系统有限公司 Web service access method, client side and server side
CN106685937A (en) * 2016-12-16 2017-05-17 华数传媒网络有限公司 Custom Internet TV http protocol method based on Netty encapsulation
CN106685937B (en) * 2016-12-16 2019-12-31 华数传媒网络有限公司 Customized internet television http protocol method based on Netty packaging
CN107302541A (en) * 2017-07-31 2017-10-27 成都蓝码科技发展有限公司 A kind of data encryption and transmission method based on http protocol
CN110650113A (en) * 2018-04-24 2020-01-03 物联智慧股份有限公司 Data encryption and decryption method and system, networking device and data encryption and decryption method thereof
CN109088731A (en) * 2018-09-04 2018-12-25 杭州涂鸦信息技术有限公司 A kind of Internet of Things cloud communication means and its device
CN109495445A (en) * 2018-09-30 2019-03-19 青岛海尔科技有限公司 Identity identifying method, device, terminal, server and medium based on Internet of Things
CN109862040A (en) * 2019-03-27 2019-06-07 北京经纬恒润科技有限公司 A kind of safety certifying method and Verification System
CN109862040B (en) * 2019-03-27 2021-08-24 北京经纬恒润科技股份有限公司 Security authentication method and authentication system
CN110421575A (en) * 2019-08-06 2019-11-08 南京奥拓电子科技有限公司 A kind of control system of the peripheral component of banking machine people
CN112383392A (en) * 2020-11-13 2021-02-19 随锐科技集团股份有限公司 Video conference alternate encryption method and device and computer readable storage medium
CN114143026A (en) * 2021-10-26 2022-03-04 福建福诺移动通信技术有限公司 Data security interface based on asymmetric and symmetric encryption and working method thereof
CN114143026B (en) * 2021-10-26 2024-01-23 福建福诺移动通信技术有限公司 Data security interface based on asymmetric and symmetric encryption and working method thereof

Similar Documents

Publication Publication Date Title
CN104394123A (en) A data encryption transmission system and method based on an HTTP
Vanhoef et al. Key reinstallation attacks: Forcing nonce reuse in WPA2
CN103095696B (en) A kind of authentication and cryptographic key negotiation method being applicable to power information acquisition system
CN104735068B (en) Method based on the close SIP safety certification of state
CN103763356B (en) A kind of SSL establishment of connection method, apparatus and system
CN101917270B (en) Weak authentication and key agreement method based on symmetrical password
CN102036238B (en) Method for realizing user and network authentication and key distribution based on public key
CN101969638B (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN107302541A (en) A kind of data encryption and transmission method based on http protocol
US9917692B2 (en) Key exchange system, key exchange method, key exchange device, control method thereof, and recording medium for storing control program
CN105163309B (en) A method of the wireless sensor network security communication based on combination pin
TW201036394A (en) Method and apparatus for security protection of an original user identity in an initial signaling message
CN104754581A (en) Public key password system based LTE wireless network security certification system
WO2011017099A3 (en) Secure communication using asymmetric cryptography and light-weight certificates
CN104158653A (en) Method of secure communication based on commercial cipher algorithm
JP2012019511A (en) System and method of safety transaction between wireless communication apparatus and server
CN102111411A (en) Method for switching encryption safety data among peer-to-peer user nodes in P2P network
CN102547688A (en) Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel
CN114765534B (en) Private key distribution system and method based on national secret identification cryptographic algorithm
CN112118106A (en) Lightweight end-to-end secure communication authentication method based on identification password
CN105141629A (en) Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
CN106789845A (en) A kind of method of network data security transmission
CN101719895A (en) Data processing method and system for realizing secure communication of network
Luring et al. Analysis of security features in DLMS/COSEM: Vulnerabilities and countermeasures
CN107276755B (en) Security association method, device and system

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2015-03-04