CN104580189A - Safety communication system - Google Patents

Publication number
CN104580189A
Authority
CN
China
Prior art keywords
webserver
certificate
browser
encryption
message
Legal status
Granted
Application number
CN201410849875.9A
Other languages
Chinese (zh)
Other versions
CN104580189B (en)
Inventor
杭程
石彦伟
贾正强
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410849875.9A
Publication of CN104580189A
Priority to PCT/CN2015/094846 (WO2016107318A1)
Application granted as CN104580189B
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key

Abstract

The invention provides a secure communication system. The system comprises a secure browser device and a web server. The secure browser device comprises a browser main service process module and an encryption subprocess module, wherein the encryption subprocess of the encryption subprocess module acts as a connection proxy that converts a first encrypted channel into a second encrypted channel and forwards data. Encrypted connection communication is established between the encryption subprocess module and the web server, so that the secure transmission of service data is guaranteed, the risk of service data leakage is reduced, and the security and reliability of service data transmission are improved.

Description

A secure communication system
Technical field
The present invention relates to the field of Internet technology, and in particular to a secure communication system.
Background technology
A browser is software that can display the HTML content of a web server or file system and lets the user interact with those files. A browser mainly uses the HTTP protocol to interact with a web server and fetch web pages, and shows the user the images, animation, text, video, sound and streaming media in those pages; it is one of the most widely used client-side programs. Common PC browsers include Microsoft IE, Apple's Safari, Google's Chrome, 360 Secure Browser and Sogou High-Speed Browser.
With the rapid development of the Internet, network applications have become a trend, and more and more of them can run inside the browser: Internet securities trading, online banking, e-government, e-commerce, online office work and so on. As a result, more and more important information circulates over the network. But the authentication mechanisms of network applications in the browser are weak, and hidden security dangers such as plaintext transmission seriously hinder the progress of informatization. How to protect the circulation of this data is therefore a major problem that browsers face when implementing network applications.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a secure communication system that overcomes the above problems or at least partly solves them.
According to one aspect of the present invention, a secure communication system is provided, comprising a secure browser device and a web server, wherein the web server is configured to establish encrypted connection communication with the secure browser device and, after the encrypted connection has been established successfully, to exchange service data with the secure browser device through a second encrypted channel. The secure browser device comprises a browser main service scheduling module and an encryption subprocess module, wherein the browser main service scheduling module is configured to start, in the browser client, the encryption subprocess of the encryption subprocess module, which communicates with the browser main service process and acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data. The encryption subprocess module comprises an agent submodule, configured to listen for the browser main service process and obtain the first connection request sent by the browser main service process and, after the encrypted connection has been established successfully, to forward service data between the first encrypted channel and the second encrypted channel; and a secure connection submodule, configured to establish encrypted connection communication between the encryption subprocess and the web server according to the first connection request. The first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the web server.
By using the encryption subprocess as a proxy, the present embodiment converts the first encrypted channel into the second encrypted channel and forwards data, thereby successfully establishing a secure encrypted channel between the browser's main service process and the web server. This guarantees the secure transmission of service data, reduces the risk of service data leakage and improves the security and reliability of service data transmission. Moreover, because the present embodiment implements the above functions in the browser, while the user uses the browser client the client can automatically start the encryption subprocess and set up a secure channel between the main service process and the web server, which improves the security and reliability of the data exchange between the browser and the web server and realizes a secure browser.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method of implementing a secure browser according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method of implementing a secure browser according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the proxy mechanism of an encryption subprocess according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the handshake procedure between the encryption subprocess and the web server according to an embodiment of the invention;
Fig. 5 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 6 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 7 shows a structural block diagram of an encryption subprocess module provided according to an embodiment of the invention; and
Fig. 8 shows a structural block diagram of a browser main service scheduling module provided according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in many forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its full scope can be conveyed to those skilled in the art.
Embodiment one:
With reference to Fig. 1, a flow chart of the steps of an embodiment of a method of implementing a secure browser according to an embodiment of the invention is shown, which may specifically comprise the following steps:
Step 102: start, in the browser client, an encryption subprocess that communicates with the browser main service process, wherein the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data.
Some websites, such as bank websites and the Alipay website, involve financial services and need to encrypt the transmission of data through an HTTP (Hypertext Transfer Protocol) channel whose goal is security. However, the browser main service process and the web server sometimes adopt different cryptographic protocols or algorithms, so the two cannot communicate directly and the web pages of that web server cannot be accessed.
In the present embodiment a secure browser client is provided, in which an encryption subprocess that communicates with the browser main service process is also provided. To realize the secure browser, this encryption subprocess must first be started in the browser client. The main function of the encryption subprocess is to act as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data. That is, the encryption subprocess serves as the proxy of the main service process: it can communicate with the browser main service process over an encrypted channel, and it can also communicate with the web server over an encrypted channel. For example, the service data of the browser main service process is sent to the encryption subprocess over the first encrypted channel, and the encryption subprocess transmits that service data to the web server over the second encrypted channel, thereby forwarding the data and joining the two encrypted channels.
It should be noted that under normal circumstances the browser's main service process communicates directly with the web server. However, when communicating over the secure HTTP channel, if the main service process cannot parse the data returned by the web server, the encryption subprocess is started to connect as a proxy; that is, the encryption subprocess acts as the proxy between the main service process and the web server. In the present embodiment the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. The encryption subprocess therefore converts the first encrypted channel, between itself and the main service process, into the second encrypted channel, between itself and the web server, and so realizes the connection proxy between the main service process and the web server. Naturally, service data that the main service process sends to the encryption subprocess over the first encrypted channel can be sent on by the encryption subprocess to the web server over the second encrypted channel.
Step 104: the encryption subprocess listens for the browser main service process and obtains the first connection request sent by the browser main service process.
The encryption subprocess listens for the browser main service process so as to obtain the first connection request sent by the browser main service process as early as possible. In a specific implementation, the encryption subprocess can listen for the browser main service process on a service port. When the encryption subprocess detects that a first connection request has arrived, it receives the first connection request sent by the main service process. The first connection request sent by the browser main service process may in particular include service data.
Step 106: according to the first connection request, the encryption subprocess establishes encrypted connection communication with the web server.
After the encryption subprocess receives the first connection request sent by the main service process, it establishes encrypted connection communication with the web server according to that request. Establishing encrypted connection communication means that the encryption subprocess and the web server perform security authentication to confirm that each is a secure and legitimate communicating party, and thereby set up a secure communication channel.
It should be noted that while the encryption subprocess establishes encrypted connection communication with the web server, it can also communicate with the main service process. The encryption subprocess thus holds a connection to each of the two ends, the main service process and the web server, and the encrypted connection communication can serve as a bridge for exchanging data between those two ends.
Step 108: after the encrypted connection has been established successfully, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel.
In the present embodiment the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server.
Successful establishment of encrypted connection communication between the encryption subprocess and the web server means that the two can send data to each other and that this data is encrypted, which guarantees secure and reliable data exchange. The encryption subprocess can send the service data contained in the received first connection request to the web server. Specifically, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel: it receives the service data over the first encrypted channel, decrypts it, re-encrypts it with the encryption method negotiated for the second encrypted channel, and sends it to the web server. The service data is thus forwarded from the first encrypted channel to the second encrypted channel, which means it is forwarded from the main service process to the web server.
In summary, the present embodiment first starts, in the browser client, an encryption subprocess that communicates with the browser main service process and acts as a connection proxy converting the first encrypted channel into the second encrypted channel and forwarding data; the encryption subprocess then listens for the browser main service process and obtains the first connection request it sends; according to that first connection request the encryption subprocess establishes encrypted connection communication with the web server; and finally, after the encrypted connection has been established successfully, the encryption subprocess forwards service data between the first encrypted channel and the second encrypted channel, where the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. By using the encryption subprocess as a proxy, the present embodiment converts the first encrypted channel into the second encrypted channel and forwards data, thereby successfully establishing a secure encrypted channel between the browser's main service process and the web server, guaranteeing the secure transmission of service data, reducing the risk of service data leakage and improving the security and reliability of service data transmission. Moreover, because the present embodiment implements the above functions in the browser, while the user uses the browser client the client can automatically start the encryption subprocess and set up a secure channel between the main service process and the web server, which improves the security and reliability of the data exchange between the browser and the web server and realizes a secure browser.
Embodiment two:
On the basis of the above embodiment, the present embodiment continues to discuss the method of implementing a secure browser.
With reference to Fig. 2, a flow chart of the steps of an embodiment of a method of implementing a secure browser according to an embodiment of the invention is shown, which may specifically comprise the following steps:
Step 202: start, in the browser client, an encryption subprocess that communicates with the browser main service process, wherein the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data.
In the present embodiment, the encryption subprocess that communicates with the browser main service process can be started automatically by the browser. Specifically, when communication between the browser main service process and the web server fails, the browser automatically starts the encryption subprocess; the encryption subprocess receives the first connection request of the main service process, processes it according to the service data it contains, and forms the proxy connection of the browser main service process.
In the present embodiment the first encrypted channel is the secure communication channel between the browser main service process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. The encryption subprocess therefore converts the first encrypted channel, between itself and the main service process, into the second encrypted channel, between itself and the web server, and so realizes the connection proxy between the main service process and the web server. Naturally, service data that the main service process sends to the encryption subprocess over the first encrypted channel can be sent on by the encryption subprocess to the web server over the second encrypted channel.
In the present embodiment, the browser main service process and the encryption subprocess use two modes of communication, proxy and IPC. In the proxy mode the encryption subprocess acts as the connection proxy, responsible for converting the first encrypted channel with the browser main service process into the second encrypted channel with the web server and for forwarding data; the IPC mode is responsible for data transfer between the processes. The proxy mechanism of the encryption subprocess in the present embodiment is shown in Fig. 3 and may specifically comprise the following structure:
Main thread: reads the various configurations, creates the listening thread and the main service thread, and handles IPC communication with the browser host process.
Listening thread: listens on the service port; when a connection request from the main service process arrives and is accepted successfully, it executes the corresponding proxy operation.
Service processing thread: establishes and maintains the respective encrypted channel connection with each of the two ends, the main service process and the web server, and thereby exchanges data between the two ends as a bridge.
Step 204: the encryption subprocess listens for the browser main service process and obtains the first connection request sent by the browser main service process.
The encryption subprocess listening for the browser main service process can specifically be realized as follows: the encryption subprocess creates a listening thread, and the listening thread listens for the browser main service process on a service port. When the listening thread detects that a first connection request has arrived, it receives the first connection request sent by the main service process. The first connection request sent by the browser main service process may in particular include service data. The purpose of listening is to obtain the first connection request sent by the browser main service process as early as possible.
Step 206: according to the first connection request, the encryption subprocess establishes encrypted connection communication with the web server.
In the present embodiment, establishing encrypted connection communication between the encryption subprocess and the web server according to the first connection request may specifically comprise the following sub-steps:
Sub-step one: after confirming that the first connection request has been received successfully, the encryption subprocess and the web server perform encrypted data negotiation and then certificate verification, in that order.
Sub-step two: after the encrypted data negotiation is complete and certificate verification has passed, encrypted connection communication between the browser client and the web server is established.
It should be noted that the encrypted data negotiation between the encryption subprocess and the web server in sub-step one can specifically be realized as follows. First, the encryption subprocess sends a client hello message to the web server, where the client hello message carries the first encrypted data of the browser client, which includes a number of protocol versions. Second, the web server returns a server hello message to the encryption subprocess, where the server hello message carries the second encrypted data of the web server, which includes the protocol version selected from the first encrypted data. It should be noted that the client hello message and the server hello message serve to determine the secure transmission capabilities of both sides: they carry attributes such as protocol versions, session identifier and cipher suites, and they generate and exchange random numbers.
The client hello message (ClientHello message) is the first message of the handshake protocol between the browser client and the web server. After the encryption subprocess sends the client hello message to the web server, it waits for the web server to return the server hello message. The structure of the client hello message is defined as follows:
1. client_version is the protocol version the client uses in this session, for example protocol version 1.1.
2. random is random information generated by the client; its content includes a timestamp and a random number.
3. session_id is the session identifier the client uses in this connection. session_id is a variable-length field whose value is determined by the server. If there is no reusable session identifier, or the client wishes to negotiate the security parameters afresh, this field is empty; otherwise it indicates that the client wishes to reuse that session. The session identifier may be that of an earlier connection, of the current connection, or of another connection that is still in the connected state. A session identifier should remain valid from the time it is generated until it is deleted by timeout or until a connection associated with the session encounters a fatal error and is closed. When a session fails or is closed, all connections associated with it should be forcibly closed.
4. cipher_suites is the list of cipher suites the client supports, arranged in the priority order in which the client wishes to use them, with the highest-priority cipher suite first. If the session identifier field is not empty, this field should at least include the cipher suite used by the session being reused. Each cipher suite comprises a key exchange algorithm, an encryption algorithm and a verification algorithm. The server selects a matching cipher suite from the cipher suite list; if no cipher suite matches, it should return a handshake failure alert message and close the connection.
5. compression_methods is the list of compression algorithms the client supports, arranged in the priority order in which the client wishes to use them, with the highest-priority algorithm first. The server selects a matching compression algorithm from the list; the list must include the null compression algorithm, so that the client and server can always agree on a compression algorithm.
It should be noted that if the server can find a matching cipher suite in the client hello message, it sends the server hello message (ServerHello message) as its reply to the client hello message. If no matching cipher suite can be found, the server responds with an alert message.
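As an added illustration of the five ClientHello fields and the server's matching rule described above (example code written for this page, not the patent's or any product's implementation), the following Python serialises and parses a ClientHello body in that field order and applies the server-side selection rule, including the handshake failure alert and the session-reuse case. The version bytes for protocol 1.1, the cipher-suite codes and the alert numbers are the standard TLS values; the server's supported-suite set, its session table and the assumption that the server supports only null compression are constructed inputs for the example.

```python
import os
import struct
import time

# Standard TLS values used by the example: wire versions, IANA cipher-suite
# codes and alert descriptions.  Everything else below is constructed.
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)   # the text's "protocol version 1.1"
TLS_1_2 = (3, 3)
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
COMPRESSION_NULL = 0x00
ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70


def build_client_hello(cipher_suites, compression_methods=(COMPRESSION_NULL,),
                       session_id=b"", version=TLS_1_1, gmt_unix_time=None):
    """Serialise the ClientHello body: client_version, random (4-byte time plus
    28 random bytes), session_id, cipher_suites in the client's priority order,
    and compression_methods, which must contain the null method."""
    if COMPRESSION_NULL not in compression_methods:
        raise ValueError("compression_methods must include the null method")
    if len(session_id) > 32:
        raise ValueError("session_id longer than 32 bytes")
    if gmt_unix_time is None:
        gmt_unix_time = int(time.time())
    random = struct.pack("!I", gmt_unix_time) + os.urandom(28)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    comps = bytes(compression_methods)
    return (bytes(version) + random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(comps)) + comps)


def parse_client_hello(body):
    """Parse a ClientHello body back into its fields.  Every length prefix is
    checked against the bytes remaining, so a truncated message raises
    ValueError instead of being misread.  Extensions are not covered by the
    text and are returned as opaque trailing bytes."""
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[off:off + n]
        off += n
        return chunk

    version = tuple(take(2))
    random = take(32)
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len == 0 or suites_len % 2:
        raise ValueError("bad cipher_suites length")
    raw = take(suites_len)
    cipher_suites = [struct.unpack("!H", raw[i:i + 2])[0]
                     for i in range(0, suites_len, 2)]
    comp_len = take(1)[0]
    if comp_len == 0:
        raise ValueError("empty compression_methods")
    compression_methods = list(take(comp_len))
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": cipher_suites,
            "compression_methods": compression_methods,
            "extensions": body[off:]}


def server_select(hello, server_suites, server_min=TLS_1_0, server_max=TLS_1_2,
                  sessions=None):
    """The server's decision as the text describes it: choose the version from
    the client's offer, take the highest-priority client suite the server
    supports (or the suite of a known session being reused, provided the client
    still lists it), keep null compression, and otherwise answer with an alert.
    Returns ("server_hello", version, suite, compression) or ("alert", code)."""
    sessions = sessions or {}
    version = min(hello["version"], server_max)
    if version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    sid = hello["session_id"]
    if sid and sid in sessions and sessions[sid] in hello["cipher_suites"]:
        suite = sessions[sid]            # reuse: the old session's suite wins
    else:
        suite = next((s for s in hello["cipher_suites"] if s in server_suites), None)
        if suite is None:                # no match: handshake_failure, close
            return ("alert", ALERT_HANDSHAKE_FAILURE)
    if COMPRESSION_NULL not in hello["compression_methods"]:
        return ("alert", ALERT_HANDSHAKE_FAILURE)   # assumed: server only does null
    return ("server_hello", version, suite, COMPRESSION_NULL)
```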
It should be noted that, encrypt the step that subprocess and the described webserver carry out certificate verification successively in described sub-step one, specifically can comprise: described encryption subprocess carries out unidirectional certificate verification to the described webserver; Or described encryption subprocess and the described webserver carry out two-way certificate verification.
In the present invention's embodiment, when carrying out the two-way authentication of digital certificate, described encryption subprocess ejects certificate selection frame, and in described certificate selection frame, show the information of each user certificate that described browser loads in the terminal; The user certificate of user's selection is received by described certificate selection frame.。
Also comprise: described encryption subprocess display password input message, described password input message inputs protection password corresponding to described user certificate for pointing out user; Described encryption subprocess receives the protection password of user's input, and verifies stating protection password, is confirming that the described protection described user that confirms password has the rights of using of described user certificate.
In the present embodiment, in order to ensure the safety of access websites and user, CA mechanism is that different website certificates is promulgated in different websites, simultaneously for the different user of different web sites promulgates different user certificates.Wherein, digital certificate comprises the PKI of website or user, the information of website or user, and the content such as digital signature.
In mutual authentication process, described encryption subprocess can be hit by a bullet out certificate choice box at browser client, and in described certificate selection frame, show the information of each user certificate that described browser loads in the terminal, the user certificate of user's selection is received by described certificate selection frame, user is after selecting user certificate, described encryption subprocess display password input message, described password input message inputs protection password corresponding to described user certificate for pointing out user, as inputted PIN (PersonalIdentification Number, PIN), described encryption subprocess receives the protection password of user's input, and verify stating protection password, namely certification can be carried out to user identity by protection password, confirm whether user has the use claim of this user certificate, thus after the input of protection password is correct, confirm that the described protection described user that confirms password has the rights of using of described user certificate.Further, above-mentioned user certificate and protection password can send to the webserver as the verify data in user certificate verification process.
Optionally, the method further comprises: the encryption subprocess prompts the user by a message to insert secure key storage hardware, in which user certificates are stored; the encryption subprocess calls a driver to detect the secure key storage hardware; after the secure key storage hardware is detected, the encryption subprocess obtains the information of the user certificates stored in it.
When the browser client loads a user certificate, the encryption subprocess first prompts the user to insert secure key storage hardware, namely a USB Key: a hardware device with a USB interface and a built-in microcontroller or smart card chip, which has a certain amount of storage, can store the user's private key and digital certificate, and authenticates the user's identity with its built-in public key algorithm. Because the user's private key is kept inside the password-locked device and in theory cannot be read out in any way, the security of user authentication is ensured.
The encryption subprocess identifies the secure key storage hardware through the driver and, during mutual certificate authentication, performs its cryptographic operations with this hardware certificate carrier. For example, if mutual authentication is required while the SSL connection is being established, the encryption subprocess prompts the user to insert the secure key storage hardware, i.e. the USB Key device. After the user inserts it, the device is identified automatically and a certificate selection dialog pops up prompting the user to select a certificate. Automatic identification of the secure key storage hardware relies on two key pieces of information in the CSP registry entry: SKFImagePath, the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the Key device in the same form as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, i.e. VID_XXXX&PID_XXXX. The browser associates the USB Key device with the corresponding driver by its VendorID and ProductID. The browser does not store the PIN entered by the user, nor the private key information held in the USB Key. The specific flow is as follows: first, connect to the USB Key device; then open the corresponding Application, which is chosen by the user; then open the corresponding Container, which is chosen by the user; then verify the PIN (Personal Identity Number), prompting for re-entry after a failed verification; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device and disconnect.
1. One-way authentication
In an alternative example of the embodiment of the present invention, the encryption subprocess performs one-way certificate authentication of the web server, which can specifically be realized as follows: first, the encryption subprocess receives the server certificate message sent by the web server, which contains the website signing certificate of the web server; second, the encryption subprocess authenticates the website signing certificate of the web server. The Server Certificate message is described here: the web server must send the server certificate message to the client, and this message always immediately follows the ServerHello message. The content of the server certificate message depends on the key exchange algorithm selected by the cipher suite (RSA, ECC, ECDHE or IBC); for IBC it is the server identifier and the IBC public parameters, used by the client and server to negotiate the public IBC parameters. The relationship between key exchange algorithm and credential key type is shown in Table 1.
Key exchange algorithm    Credential key type
RSA                       RSA public key; the public key in the encryption certificate must be used
IBC                       Server identifier and IBC public parameters
IBSDH                     Server identifier and IBC public parameters
ECC                       ECC public key; the public key in the encryption certificate must be used
ECDHE                     ECC public key; the public key in the encryption certificate must be used
Table 1. Relationship between key exchange algorithm and credential key type
2. Mutual authentication
In an alternative example of the embodiment of the present invention, the encryption subprocess and the web server perform mutual certificate authentication, which can specifically be realized as follows:
1) the encryption subprocess receives the server certificate message sent by the web server, which contains the website signing certificate of the web server;
2) the encryption subprocess receives the certificate request message sent by the web server, which indicates that client certificate authentication is to be performed;
3) the encryption subprocess receives the server key exchange message sent by the web server, which contains the key exchange parameters;
4) the encryption subprocess receives the server hello done message sent by the web server;
5) the encryption subprocess authenticates the website signing certificate;
6) after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the web server, which contains the signing certificate of the browser client, so that the web server can authenticate that signing certificate.
In an alternative example of the embodiment of the present invention, the method further comprises a key exchange step: the encryption subprocess randomly generates a pre-master key according to the key exchange parameters, where the pre-master key is encrypted with the encryption public key of the web server by the elliptic curve cryptographic algorithm SM2; the encryption subprocess uses the pre-master key to generate a ClientKeyExchange message and sends it to the web server, so that the web server obtains the pre-master key.
In an alternative example of the embodiment of the present invention, the method further comprises a certificate signature verification step, specifically: the encryption subprocess obtains the signature verification parameters computed from the website signing certificate, generates a client certificate verify message and sends it to the web server; the encryption subprocess sends a client ChangeCipherSpec message to the web server to indicate that the negotiation of encrypted data is complete; the encryption subprocess sends a client handshake Finished message to the web server; the encryption subprocess receives the server ChangeCipherSpec message sent by the web server, which indicates that the server accepts this encrypted-data negotiation; the encryption subprocess receives the server handshake Finished message sent by the web server. It should be noted that in every SSL handshake of the SM (Chinese national cryptographic) SSL connection process, the server certificate is strictly verified.
In the present embodiment, the above negotiation of encrypted data, certificate authentication, key exchange and signature authentication are all performed in the handshake between the encryption subprocess of the secure browser client and the web server. Mutual authentication uses a double-certificate mechanism: the asymmetric algorithm of the certificates is SM2, the signing certificate is used for identity authentication based on ECDSA signatures, and the encryption certificate is used for key agreement based on ECDH. The SM4 algorithm is used to encrypt data and the SM3 algorithm to digest data.
The SM2 algorithm is an elliptic curve public key cryptographic algorithm with a key length of 256 bits. The SM3 algorithm is a cryptographic hash algorithm, and its key length is 128 bits; the SM4 algorithm is a block cipher with a block length of 128 bits and a key length of 128 bits.
As shown in Figure 4, the handshake between the encryption subprocess and the web server comprises:
4.02: the encryption subprocess sends a client hello message, ClientHello, to the web server.
4.04: the web server sends a server hello message, ServerHello, to the encryption subprocess of the secure browser client.
The web server looks for a matching cipher suite in the ClientHello message and replies with a ServerHello; if no matching cipher suite is found, it sends an alert message. The ServerHello contains: server_version, the version number supported by the server, e.g. 1.1; random, a random number generated by the server; session_id, the session identifier used by the server; cipher_suites, the cipher suite chosen by the server from the ClientHello message; and compression_methods, the compression algorithm chosen by the server from the ClientHello message.
4.06: the web server sends the server certificate message, Certificate, to the encryption subprocess.
The content of the ServerCertificate message is the signing certificate and the encryption certificate, e.g. the website signing certificate of the server (X.509 sequence).
4.08: the web server sends the certificate request message, ServerRequest, to the encryption subprocess.
The ServerRequest message asks the client to provide its certificate and at the same time specifies the authentication type (ECDSA).
4.10: the web server sends the server key exchange message, ServerKeyExchange, to the encryption subprocess.
ServerKeyExchange is used by the client to compute and generate the 48-byte pre-master key. The public key can be obtained directly from the encryption certificate of the server. For example, the client randomly generates the pre-master key pre_master_secret and performs the ECDH computation with the public key of the server certificate.
4.12: the web server sends the hello done message, ServerHelloDone, to the encryption subprocess.
ServerHelloDone indicates that the hello phase of the handshake is complete; the server then waits for the client's response messages.
4.14: the encryption subprocess sends the client certificate message, Certificate, to the web server.
The ClientCertificate message is the first message after the hello phase completes and contains, for example, the signing certificate of the client (X.509 sequence).
4.16: the encryption subprocess sends the client key exchange message, ClientKeyExchange, to the web server.
The ClientKeyExchange message carries the pre-master key encrypted with the public key of the web server.
4.18: the encryption subprocess sends the certificate verify message, CertificateVerify, to the web server.
The CertificateVerify message is used to prove that the client is the legitimate holder of the certificate. In the present embodiment, after the user is prompted to insert the USB Key, the user can be prompted to enter the protection password; this protection password is carried in the message to authenticate whether the user is legitimate.
For example, the client signs the digest of the handshake messages with the ECC private key of its signing certificate using ECDSA.
4.20: the encryption subprocess sends the client cipher spec change message, ChangeCipherSpec, to the web server.
The ClientChangeCipherSpec message indicates to the server that algorithm and key negotiation is complete.
4.22: the encryption subprocess sends the client handshake finished message, Finished, to the web server.
In the present embodiment, the encryption subprocess computes master_secret from the client random, the server random and pre_master_secret using the key algorithm, then uses the randoms and master_secret to compute the actual data encryption key, then encrypts the digest of all handshake messages to form the ClientFinished message and sends it to the server.
4.24: the web server sends the server cipher spec change message, ChangeCipherSpec, to the encryption subprocess.
4.26: the web server sends the server handshake finished message, Finished, to the encryption subprocess.
The server verifies the client certificate and verifies the client's signature with the client's signing certificate. The server uses its own encryption key to perform the ECDH computation and obtain pre_master_secret, computes master_secret and the data encryption key with the same algorithm as the client, verifies the correctness of the ServerFinished message, and sends the ServerChangeCipherSpec message to the client to indicate approval of the algorithm and key negotiation.
Through the above handshake, authentication, key agreement and the other processes between the browser client and the web server are completed, so that the encryption subprocess and the web server can each encrypt application data with the key they negotiated and computed.
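The message order and key schedule of the handshake above (steps 4.02 to 4.26, and the mutual authentication steps 1) to 6) before them), as an added example that is not part of the patent: two peers enforce the order of Figure 4, keep a transcript digest, derive master_secret and the data keys from the two randoms and pre_master_secret, and verify each other's Finished. SM2, SM3 and SM4 are not in Python's standard library, so HMAC-SHA256 stands in for the SM3-based PRF and a pre-agreed 48-byte value stands in for the secret that SM2 establishes; message bodies other than the randoms and Finished are left empty.

```python
import hashlib
import hmac
import os

# Handshake messages of Figure 4 (steps 4.02 to 4.26) in the order a peer must
# see them; "ServerRequest" in the text is the CertificateRequest of 4.08.
EXPECTED_ORDER = [
    ("client", "ClientHello"),          # 4.02
    ("server", "ServerHello"),          # 4.04
    ("server", "Certificate"),          # 4.06 signing + encryption certificate
    ("server", "CertificateRequest"),   # 4.08
    ("server", "ServerKeyExchange"),    # 4.10
    ("server", "ServerHelloDone"),      # 4.12
    ("client", "Certificate"),          # 4.14 client signing certificate
    ("client", "ClientKeyExchange"),    # 4.16 encrypted pre_master_secret
    ("client", "CertificateVerify"),    # 4.18
    ("client", "ChangeCipherSpec"),     # 4.20
    ("client", "Finished"),             # 4.22
    ("server", "ChangeCipherSpec"),     # 4.24
    ("server", "Finished"),             # 4.26
]


class HandshakeError(Exception):
    """A message arrived out of the order the handshake requires."""


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_hash expansion; HMAC-SHA256 stands in for the SM3-based PRF."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


class Peer:
    """One side of the handshake: message order, transcript digest, key schedule."""

    def __init__(self, role: str):
        self.role = role
        self.position = 0                    # index into EXPECTED_ORDER
        self.transcript = hashlib.sha256()   # digest over all handshake messages
        self.randoms = {}                    # the two 32-byte hello randoms
        self.master_secret = None

    def handle(self, sender: str, name: str, body: bytes) -> None:
        expected = EXPECTED_ORDER[self.position]
        if (sender, name) != expected:
            raise HandshakeError(f"{self.role}: got {sender} {name}, expected {expected}")
        self.position += 1
        if name != "ChangeCipherSpec":       # CCS is not a handshake message
            self.transcript.update(name.encode() + body)
        if name in ("ClientHello", "ServerHello"):
            self.randoms[sender] = body      # the hello body carries the random

    def derive(self, pre_master: bytes) -> dict:
        """master_secret from the randoms and pre_master_secret, then the data keys."""
        cr, sr = self.randoms["client"], self.randoms["server"]
        self.master_secret = prf(pre_master, b"master secret", cr + sr, 48)
        key_block = prf(self.master_secret, b"key expansion", sr + cr, 64)
        return {"client_write_key": key_block[:16], "server_write_key": key_block[16:32],
                "client_iv": key_block[32:48], "server_iv": key_block[48:64]}

    def finished(self, sender: str) -> bytes:
        """verify_data of a Finished message over the transcript seen so far."""
        if self.master_secret is None:
            raise HandshakeError(f"{self.role}: Finished before key exchange")
        return prf(self.master_secret, sender.encode() + b" finished",
                   self.transcript.digest(), 12)


def run_handshake(pre_master: bytes = None, messages=None):
    """Drive both peers through the sequence; returns both key sets and whether
    each Finished verified. pre_master stands in for the secret SM2 establishes."""
    pre_master = pre_master or os.urandom(48)
    messages = EXPECTED_ORDER if messages is None else messages
    client, server = Peer("client"), Peer("server")
    bodies = {"ClientHello": os.urandom(32), "ServerHello": os.urandom(32)}
    client_keys = server_keys = None
    finished_ok = {}
    for sender, name in messages:
        if name == "Finished":
            # Sender computes verify_data; the receiver recomputes it over its own
            # transcript copy before either side absorbs the message.
            me, other = (client, server) if sender == "client" else (server, client)
            body = me.finished(sender)
            finished_ok[sender] = hmac.compare_digest(body, other.finished(sender))
        else:
            body = bodies.get(name, b"")     # other message bodies are not modelled
        for peer in (client, server):
            peer.handle(sender, name, body)
        if name == "ClientKeyExchange":      # after 4.16 both sides hold pre_master
            client_keys, server_keys = client.derive(pre_master), server.derive(pre_master)
    return client_keys, server_keys, finished_ok


def rejects_out_of_order(messages) -> bool:
    try:
        run_handshake(messages=messages)
    except HandshakeError:
        return True
    return False
```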
Step 208: after the encrypted connection is successfully established, it is established as the second encrypted channel through which the encryption subprocess and the web server communicate securely.
The encryption subprocess and the web server communicate in encrypted form over the second encrypted channel. Specifically, the data communicated over the second encrypted channel can be business data encrypted with the symmetric encryption algorithm SM4.
Step 210: the encryption subprocess creates a business processing thread, which connects to the first encrypted channel and to the second encrypted channel respectively.
The business processing thread created by the encryption subprocess connects both to the first encrypted channel between the encryption subprocess and the main business process and to the second encrypted channel between the encryption subprocess and the web server. It acts as the bridge between the main business process and the web server and exchanges data between the two ends.
Step 212: after the encrypted connection is successfully established, the encryption subprocess forwards business data between the first encrypted channel and the second encrypted channel.
In the present embodiment, the encryption subprocess forwards business data between the first and second encrypted channels as follows: the business processing thread receives the first business data sent by the browser main business process over the first encrypted channel; the business processing thread decrypts the first business data with the first symmetric algorithm to obtain the original business data; the business processing thread encrypts the original business data with the second symmetric algorithm to obtain the second business data; the business processing thread sends the second business data to the web server over the second encrypted channel. It should be noted that this is the process by which the encryption subprocess converts data between the two channels during data communication.
In an alternative example of the embodiment of the present invention, the encryption subprocess establishes encrypted connection communication with the browser main business process through a handshake, and after the encrypted communication succeeds, this is established as the first encrypted channel through which the browser main business process and the encryption subprocess communicate securely. In this handshake, mutual certificate authentication and key exchange by the first asymmetric algorithm are performed between the encryption subprocess and the browser main business process, and certificate verification is performed; a symmetric key is generated during the key exchange. It should be noted that the first asymmetric algorithm can specifically be the RSA algorithm.
In an alternative example of the embodiment of the present invention, the implementation method of the secure browser further comprises: the business processing thread encrypts the first connection request with the second symmetric algorithm to obtain the second connection request; the business processing thread sends the second connection request to the web server; the business processing thread receives the second connection response fed back by the web server on the basis of the second connection request; the business processing thread decrypts the second connection response with the second symmetric algorithm to obtain the first connection response and feeds it back to the browser main business process.
It should be noted that the specific flow of the business processing thread is as follows: (1) receive proxy data, specifically the HTTP request data of the proxy connection; (2) establish an SSL connection with the web server, which specifically comprises SSL connection setup, SSL protocol negotiation, algorithm negotiation and client certificate verification (CRL checking or OCSP verification); (3) interact with the web server, i.e. send the HTTP request data of the proxy connection to the web server over the SSL channel with the negotiated encryption algorithm and obtain the HTTP response of the web server; (4) send the data returned by the web server to the proxy connection, i.e. hand the HTTP response of the web server to the proxy connection; (5) close the connection. If an error occurs in the business processing flow, the connection is closed and an error page is returned to the proxy connection at the same time. It should be noted that the second symmetric algorithm can specifically be an SM (Chinese national cryptographic) algorithm.
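The two-channel conversion performed by the business processing thread in Step 212 and in the flow above (decrypt with the first symmetric algorithm, re-encrypt with the second, close the connection and return an error page on failure), as an added example that is not taken from the patent. Python's standard library has no SM4 or other negotiated cipher, so an HMAC-SHA256 encrypt-then-MAC stream construction stands in for both symmetric algorithms; the channel keys are constructed here and the web server is a stub function that only holds the second channel's keys.

```python
import hashlib
import hmac
import os

# Error page returned to the proxy connection when the flow fails (step (5)).
ERROR_PAGE = b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 5\r\n\r\nerror"


class ChannelError(Exception):
    """A record failed authentication or was malformed."""


class ChannelCipher:
    """Encrypt-then-MAC stream construction from HMAC-SHA256, one instance per
    channel. It stands in for the symmetric algorithm negotiated on that channel
    (e.g. SM4 on the second channel); it is an example, not the patent's cipher."""

    NONCE, TAG = 16, 32

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def _keystream_xor(self, nonce: bytes, data: bytes) -> bytes:
        out = bytearray()
        for offset in range(0, len(data), 32):
            block = hmac.new(self.enc_key, nonce + offset.to_bytes(4, "big"),
                             hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
        return bytes(out)

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(self.NONCE)
        ct = self._keystream_xor(nonce, plaintext)
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, record: bytes) -> bytes:
        if len(record) < self.NONCE + self.TAG:
            raise ChannelError("record too short")
        nonce, ct, tag = record[:self.NONCE], record[self.NONCE:-self.TAG], record[-self.TAG:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ChannelError("authentication failed")
        return self._keystream_xor(nonce, ct)


class BusinessThread:
    """The business processing thread: bridges the first channel (main business
    process <-> encryption subprocess) and the second (encryption subprocess <->
    web server), re-encrypting each record and keeping no plaintext afterwards."""

    def __init__(self, first: ChannelCipher, second: ChannelCipher, web_server):
        self.first, self.second, self.web_server = first, second, web_server
        self.closed = False

    def handle(self, first_record: bytes) -> bytes:
        """Steps (1) to (5): receive proxy data, forward it over the second
        channel, return the response over the first, close on any error."""
        try:
            original = self.first.open(first_record)          # first symmetric algorithm
            second_record = self.second.seal(original)        # second symmetric algorithm
            response = self.second.open(self.web_server(second_record))
            return self.first.seal(response)
        except ChannelError:
            self.closed = True                                # (5) close the connection
            return self.first.seal(ERROR_PAGE)                # error page to the proxy side


def demo_setup():
    """Constructed keys for both channels and a stub web server (example only)."""
    first = ChannelCipher(b"first-channel-enc-key-example!!", b"first-channel-mac-key-example!!")
    second = ChannelCipher(b"second-channel-enc-key-example!", b"second-channel-mac-key-example!")

    def web_server(record: bytes) -> bytes:
        request = second.open(record)                         # only the second channel's keys
        if not request.startswith(b"GET "):
            raise ChannelError("not an HTTP request")
        return second.seal(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")

    return first, second, BusinessThread(first, second, web_server)


def relay_request(request: bytes) -> tuple:
    """Run one request through the thread; returns (response, thread closed?)."""
    first, _, thread = demo_setup()
    reply = thread.handle(first.seal(request))
    return first.open(reply), thread.closed


def relay_tampered(request: bytes) -> tuple:
    """Same, but flip one ciphertext bit on the first channel before the thread sees it."""
    first, _, thread = demo_setup()
    record = bytearray(first.seal(request))
    record[ChannelCipher.NONCE] ^= 0x01
    reply = thread.handle(bytes(record))
    return first.open(reply), thread.closed


def channels_are_separate() -> bool:
    """True if a first-channel record cannot be opened with the second channel's keys."""
    first, second, _ = demo_setup()
    try:
        second.open(first.seal(b"x"))
    except ChannelError:
        return True
    return False
```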
It should be noted that using the security technology of SSL to solve authentication and data security in network applications has been widely accepted: mainstream browsers and web servers have built-in SSL modules, and professional SSL hardware products are also widely used. However, current SSL products all have certain limitations:
(1) Current SSL products generally use a single-certificate mechanism, whereas the double-certificate mechanism is the prevailing model of current PKI (Public Key Infrastructure) system construction. The present embodiment uses a signing certificate for identity authentication and an encryption certificate for the exchange and protection of keys, exploiting the advantages of the asymmetric keys of PKI technology.
(2) Current SSL products generally use publicly disclosed foreign symmetric algorithms, which do not meet security requirements and carry a certain risk. In the present embodiment, the symmetric algorithm of the cryptographic product is the SM1 algorithm or the SM4 algorithm.
(3) Current certificate asymmetric algorithms use the RSA algorithm, whereas the present embodiment adopts elliptic curve cryptography (ECC), a public key cryptosystem with greater security and higher efficiency than RSA. It offers the important cryptographic functions of encryption/decryption, digital signature and key agreement, and can securely and conveniently meet important information security needs such as user identity authentication in various information networks and the authenticity verification and confidential transmission of electronic information. It is a core technology of the information security field, has gradually been adopted as a public key cryptography standard by many international and national standards organizations (IEEE P1363, ANSI X9, ISO/IEC, IETF and others), and will become one of the mainstream cryptographic techniques used by the information security industry. China has named its domestic ECC (ECDSA+ECDH) algorithm SM2.
The implementation method of the secure browser provided by the present embodiment can realize a secure web browser compliant with China's PKI system and cryptographic product management policy, and plays a positive role both in standardizing the management of domestic security products and in the rapid growth of network applications.
For simplicity of description, the method embodiment is expressed as a series of combined actions, but those skilled in the art should know that the embodiment of the present invention is not limited by the described order of actions, since according to the embodiment some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments and that the actions involved are not necessarily required by the embodiment of the present invention.
Embodiment three
On the basis of the above embodiments, the present embodiment also discloses a secure communication system.
Figure 5 shows a structural block diagram of a secure communication system according to an embodiment of the invention.
Figure 6 shows a structural block diagram of the secure browser device in the secure communication system according to an embodiment of the invention.
The secure communication system comprises a secure browser device 504 and a web server 502.
The web server 502 is configured to establish encrypted connection communication with the secure browser device, and, after the encrypted connection is successfully established, to exchange business data with the secure browser device over the second encrypted channel.
The secure browser device 504 comprises a browser main business scheduling module 50402 and an encryption subprocess module 50404.
The browser main business scheduling module 50402 is configured to start, in the browser client, the encryption subprocess module of the encryption subprocess that communicates with the browser main business process, where the encryption subprocess acts as a connection proxy to convert the first encrypted channel to the second encrypted channel and to forward data.
The encryption subprocess module 50404 comprises a proxy submodule 504042, configured to listen to the browser main business process and obtain the first connection request sent by the browser main business process, and, after the encrypted connection is successfully established, to have the encryption subprocess forward business data between the first encrypted channel and the second encrypted channel.
A secure connection submodule 504044 is configured to have the encryption subprocess establish encrypted connection communication with the web server according to the first connection request.
The first encrypted channel is the secure communication channel between the browser main business process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the web server.
Some websites, such as bank websites and the Alipay website, involve financial business and need to encrypt data transmission over a security-oriented HTTP (Hypertext Transfer Protocol) channel; however, the browser main business process and the web server sometimes use different cryptographic protocols or algorithms, so that the two cannot communicate directly and the web pages of that web server cannot be accessed.
The present embodiment provides a secure browser client in which an encryption subprocess communicating with the browser main business process is also provided. To realize the secure browser, the encryption subprocess communicating with the browser main business process must first be started in the browser client. The main function of the encryption subprocess is to act as a connection proxy, converting the first encrypted channel to the second encrypted channel and forwarding data. That is, the encryption subprocess serves as the proxy of the main business process: it can communicate in encrypted form with the browser main business process and in encrypted form with the web server. For example, business data of the browser main business process is sent to the encryption subprocess over the first encrypted channel, and the encryption subprocess transfers the business data to the web server over the second encrypted channel, thus realizing data forwarding and the connection of the two encrypted channels.
It should be noted that normally the main business process of the browser communicates directly with the web server; however, when communicating over a security-oriented HTTP channel, if the main business process cannot parse the data messages returned by the web server, the encryption subprocess is started to connect as a proxy, i.e. the encryption subprocess acts as the proxy between the main business process and the web server. In the present embodiment, the first encrypted channel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. The encryption subprocess therefore converts the first encrypted channel between itself and the main business process into the second encrypted channel between itself and the web server, realizing the connection proxy between the main business process and the web server. Business data that the main business process sends to the encryption subprocess over the first encrypted channel can then be sent by the encryption subprocess to the web server over the second encrypted channel.
After the encryption subprocess receives the first connection request sent by the main business process, it establishes encrypted connection communication with the web server according to that first connection request. Establishing encrypted connection communication means that the encryption subprocess and the web server perform security authentication to confirm each other as secure, legitimate communication parties, thereby establishing a secure communication channel. It should be noted that while establishing encrypted connection communication with the web server, the encryption subprocess can also communicate with the main business process, so the encryption subprocess establishes corresponding connections to both ends, the main business process and the web server, and the encrypted connection communication serves as the bridge for data exchange between the two ends.
The first encrypted channel in the present embodiment is the secure communication channel between the browser main business process and the encryption subprocess; the second encrypted channel is the secure communication channel between the encryption subprocess and the web server.
Successful establishment of encrypted connection communication between the encryption subprocess and the web server means that data can be sent between them and that this data is encrypted, ensuring safe and reliable data flow. The encryption subprocess can send the business data in the received first connection request to the web server; specifically, the encryption subprocess forwards business data between the first encrypted channel and the second encrypted channel: it receives business data over the first encrypted channel, decrypts it, re-encrypts it with the encryption method agreed for the second encrypted channel, and sends it to the web server. The business data is thus forwarded from the first encrypted channel to the second encrypted channel, meaning that it is forwarded from the main business process to the web server.
The present embodiment first starts, in the browser client, an encryption subprocess that communicates with the browser main business process, where the encryption subprocess acts as a connection proxy to convert the first encrypted channel to the second encrypted channel and to forward data; the encryption subprocess then listens to the browser main business process and obtains the first connection request sent by it; then, according to the first connection request, the encryption subprocess establishes encrypted connection communication with the web server; finally, after the encrypted connection is successfully established, the encryption subprocess forwards business data between the first encrypted channel and the second encrypted channel, where the first encrypted channel is the secure communication channel between the browser main business process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. With the encryption subprocess as proxy, the present embodiment converts the first encrypted channel to the second encrypted channel and forwards data, successfully establishing a secure encrypted channel between the browser's main business process and the web server; this ensures the secure transmission of business data, reduces the risk of business data leakage, and improves the security and reliability of business data transmission. Moreover, because the present embodiment realizes these functions within the browser, while the user uses the browser client it can automatically start the encryption subprocess and establish a secure channel between the main business process and the web server, improving the security and reliability of the data flow between the browser and the web server and realizing a secure browser.
In an embodiment of the present invention, the proxy submodule 504042 is configured so that the encryption subprocess creates a listening thread; the listening thread listens for the main process on a service port.
In an embodiment of the present invention, the secure connection submodule 504044 is configured so that, upon confirming that the first connection request has been received successfully, the encryption subprocess and the web server perform cipher negotiation and certificate authentication in turn; after the cipher negotiation is complete and the certificate authentication has passed, the encrypted connection between the browser client and the web server is established.
The secure connection submodule 504044 is configured so that the encryption subprocess sends a ClientHello message to the web server, where the ClientHello message carries the first encryption data of the browser client, and the first encryption data includes a set of protocol versions; and receives the ServerHello message returned by the web server, where the ServerHello message carries the second encryption data of the web server, and the second encryption data includes the protocol version selected from the first encryption data. The web server 502 is configured to return the ServerHello message to the secure browser device.
The secure connection submodule 504044 is configured to perform one-way certificate authentication of the web server; or the encryption subprocess and the web server perform two-way certificate authentication.
The proxy submodule 504042 is further configured to create a service processing thread; the service processing thread is connected to the first encrypted tunnel and to the second encrypted tunnel respectively.
The proxy submodule 504042 is configured so that the service processing thread receives, over the first encrypted tunnel, the first service data sent by the main process; decrypts the first service data with the first symmetric algorithm to obtain the original service data; encrypts the original service data with the second symmetric algorithm to obtain the second service data; and sends the second service data to the web server over the second encrypted tunnel. The web server 502 is configured to receive the second service data sent by the secure browser over the second encrypted tunnel.
The web server 502 is configured to send the Certificate message of the web server to the secure browser, where the Certificate message carries the website signing certificate of the web server. In the secure browser device, the secure connection submodule 504044 is configured to receive the Certificate message sent by the web server, and the encryption subprocess authenticates the website signing certificate of the web server.
The web server 502 is configured to send the Certificate message of the web server to the secure browser, where the Certificate message carries the website signing certificate of the web server; send a ServerKeyExchange message, which carries the key exchange parameters; send a CertificateRequest message, which indicates that client certificate authentication is to be performed; send a ServerHelloDone message; and receive the client Certificate message sent by the secure browser device and authenticate the signing certificate it carries, where the client Certificate message carries the signing certificate of the secure browser client. The secure connection submodule 504044 is configured so that the encryption subprocess receives the Certificate message sent by the web server; receives the ServerKeyExchange message sent by the web server; receives the CertificateRequest message sent by the web server; receives the ServerHelloDone message sent by the web server; authenticates the website signing certificate; and, after the website signing certificate has passed authentication, sends a client Certificate message to the web server, where the client Certificate message carries the signing certificate of the browser client.
The secure connection submodule 504044 is further configured to randomly generate a pre-master key according to the key exchange parameters, where the pre-master key is encrypted with the encryption public key of the web server using the SM2 elliptic-curve algorithm; the encryption subprocess generates a ClientKeyExchange message from the pre-master key and sends it to the web server. The web server 502 is further configured to receive the ClientKeyExchange message sent by the secure browser device and to obtain the pre-master key from it.
The secure connection submodule 504044 is further configured to obtain the signature verification parameters computed from the website signing certificate, generate a client CertificateVerify message and send it to the web server; the encryption subprocess sends a client ChangeCipherSpec message to the web server to indicate that the cipher negotiation is complete; the encryption subprocess sends a client Finished message to the web server; the encryption subprocess receives the server ChangeCipherSpec message sent by the web server, which indicates that the server accepts this cipher negotiation; and the encryption subprocess receives the server Finished message sent by the web server. The web server 502 is further configured to receive in turn the client CertificateVerify message, client ChangeCipherSpec message and client Finished message sent by the secure browser device, and to send in turn the server ChangeCipherSpec message and server Finished message to the secure browser device.
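The message sequence described above, from ClientHello through the server Finished message, is one a defender wants enforced strictly: a peer that skips or reorders a flight (for example omitting its Certificate message) must be rejected rather than tolerated. The following added example (not code from the patent) models the encryption subprocess's side of that sequence as an order-checking state machine; the protocol version strings, the `verify_site_cert` callback and the transcripts are constructed assumptions.

```python
from enum import Enum, auto


class Msg(Enum):
    CLIENT_HELLO = auto()
    SERVER_HELLO = auto()
    CERTIFICATE = auto()
    SERVER_KEY_EXCHANGE = auto()
    CERTIFICATE_REQUEST = auto()
    SERVER_HELLO_DONE = auto()
    CLIENT_KEY_EXCHANGE = auto()
    CERTIFICATE_VERIFY = auto()
    CHANGE_CIPHER_SPEC = auto()
    FINISHED = auto()


# Flight order of the mutual-authentication handshake described in the text, seen
# from the encryption subprocess: "send" = subprocess -> web server, "recv" = reverse.
EXPECTED_ORDER = [
    ("send", Msg.CLIENT_HELLO),
    ("recv", Msg.SERVER_HELLO),
    ("recv", Msg.CERTIFICATE),
    ("recv", Msg.SERVER_KEY_EXCHANGE),
    ("recv", Msg.CERTIFICATE_REQUEST),
    ("recv", Msg.SERVER_HELLO_DONE),
    ("send", Msg.CERTIFICATE),
    ("send", Msg.CLIENT_KEY_EXCHANGE),
    ("send", Msg.CERTIFICATE_VERIFY),
    ("send", Msg.CHANGE_CIPHER_SPEC),
    ("send", Msg.FINISHED),
    ("recv", Msg.CHANGE_CIPHER_SPEC),
    ("recv", Msg.FINISHED),
]


class HandshakeError(Exception):
    """A message arrived out of order or carried unacceptable parameters."""


class ClientHandshake:
    """Subprocess-side tracker that enforces EXPECTED_ORDER.

    offered_versions: versions placed in the ClientHello (first encryption data).
    verify_site_cert: callable(cert) -> bool, an assumed interface standing in
    for the certificate verification pipeline.
    """

    def __init__(self, offered_versions, verify_site_cert):
        self.offered = list(offered_versions)
        self.verify_site_cert = verify_site_cert
        self.pos = 0
        self.selected_version = None
        self.site_cert = None

    @property
    def complete(self):
        return self.pos == len(EXPECTED_ORDER)

    def step(self, direction, msg, payload=None):
        """Process one message; returns True once the handshake is complete."""
        if self.complete:
            raise HandshakeError("message after handshake completion")
        expected = EXPECTED_ORDER[self.pos]
        if (direction, msg) != expected:
            raise HandshakeError(f"expected {expected}, got {(direction, msg)}")
        if msg is Msg.SERVER_HELLO:
            # The server may only select a version that was actually offered.
            if payload not in self.offered:
                raise HandshakeError(f"server selected unoffered version {payload!r}")
            self.selected_version = payload
        elif direction == "recv" and msg is Msg.CERTIFICATE:
            self.site_cert = payload  # the website signing certificate
        elif msg is Msg.SERVER_HELLO_DONE:
            # Verification sits after ServerHelloDone and before the client
            # Certificate message, which is where the text places it.
            if not self.verify_site_cert(self.site_cert):
                raise HandshakeError("website signing certificate rejected")
        self.pos += 1
        return self.complete


def run_transcript(transcript, offered_versions, verify_site_cert):
    """Feed a whole transcript; returns (completed, error_message_or_None)."""
    hs = ClientHandshake(offered_versions, verify_site_cert)
    try:
        for direction, msg, payload in transcript:
            hs.step(direction, msg, payload)
    except HandshakeError as exc:
        return False, str(exc)
    return hs.complete, None


# Constructed transcripts, not captured traffic.
OFFERED = ["1.1", "1.0"]
GOOD_TRANSCRIPT = [
    ("send", Msg.CLIENT_HELLO, OFFERED),
    ("recv", Msg.SERVER_HELLO, "1.1"),
    ("recv", Msg.CERTIFICATE, {"subject": "CN=site.example", "valid": True}),
    ("recv", Msg.SERVER_KEY_EXCHANGE, {"params": "constructed"}),
    ("recv", Msg.CERTIFICATE_REQUEST, None),
    ("recv", Msg.SERVER_HELLO_DONE, None),
    ("send", Msg.CERTIFICATE, {"subject": "CN=client"}),
    ("send", Msg.CLIENT_KEY_EXCHANGE, b"sm2-encrypted-pre-master"),
    ("send", Msg.CERTIFICATE_VERIFY, b"signature"),
    ("send", Msg.CHANGE_CIPHER_SPEC, None),
    ("send", Msg.FINISHED, None),
    ("recv", Msg.CHANGE_CIPHER_SPEC, None),
    ("recv", Msg.FINISHED, None),
]
# A server that omits its Certificate message and goes straight to key exchange.
SKIPPED_CERT_TRANSCRIPT = GOOD_TRANSCRIPT[:2] + GOOD_TRANSCRIPT[3:]
```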
In the present embodiment, the secure browser client 504 uses the encryption subprocess module 50404 as a proxy for the browser main process module 50402 and completes, through a handshake with the web server 502, the SSL encrypted communication steps of cipher negotiation, certificate authentication, key exchange and signature authentication, as shown in Figure 4. For the specific handshake procedure, the relevant handshake messages and the cryptographic algorithms, refer to the discussion in the second embodiment.
The system further includes: the secure connection submodule 504044 is further configured to establish, after the encrypted connection has been set up successfully, the second encrypted tunnel over which the encryption subprocess and the web server communicate securely.
The proxy submodule 504042 is further configured to use the encryption subprocess to establish encrypted communication with the main process through a handshake procedure and, after the encrypted communication has been established, to set up the first encrypted tunnel over which the main process and the encryption subprocess communicate securely; where in the handshake procedure two-way certificate authentication is performed between the encryption subprocess and the main process, a key exchange is performed with the first asymmetric algorithm together with certificate authentication, and a symmetric key is generated during the key exchange.
The proxy submodule 504042 is further configured so that the service processing thread encrypts the first connection request with the second symmetric algorithm to obtain a second connection request; the service processing thread sends the second connection request to the web server; the service processing thread receives the second connection response returned by the web server for the second connection request; the second connection response is decrypted with the second symmetric algorithm to obtain the first connection response, which is returned to the main process. The web server 502 is configured to receive the second connection request sent by the secure browser device, generate the second connection response after processing the second connection request, and send the second connection response to the secure browser device.
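The service processing thread described above (and the business-data forwarding in the proxy submodule) is the one place where both tunnel keys are present and plaintext exists, which is the main property a reviewer would want to see demonstrated. The following added example (not the patent's code) models the two key domains and the connection request round trip; the toy encrypt-then-MAC construction stands in for the unspecified first and second symmetric algorithms and is an assumption for illustration, not a cipher to deploy.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Hash-derived keystream; a stand-in for a real symmetric cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC record: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated record")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionSubprocess:
    """Service processing thread logic: the only component holding both keys."""

    def __init__(self, tunnel1_key: bytes, tunnel2_key: bytes):
        self.k1 = tunnel1_key  # first encrypted tunnel (main process <-> subprocess)
        self.k2 = tunnel2_key  # second encrypted tunnel (subprocess <-> web server)

    def to_server(self, first_data: bytes) -> bytes:
        original = open_sealed(self.k1, first_data)  # first symmetric algorithm
        return seal(self.k2, original)               # second symmetric algorithm

    def to_main(self, second_data: bytes) -> bytes:
        original = open_sealed(self.k2, second_data)
        return seal(self.k1, original)


class WebServer:
    """Holds only the second-tunnel key; never sees first-tunnel records."""

    def __init__(self, tunnel2_key: bytes):
        self.k2 = tunnel2_key
        self.seen = []

    def handle(self, second_request: bytes) -> bytes:
        request = open_sealed(self.k2, second_request)
        self.seen.append(request)
        return seal(self.k2, b"RESPONSE-TO:" + request)


def connection_round_trip(first_request_plain: bytes, k1: bytes, k2: bytes):
    """Main process -> subprocess -> server -> subprocess -> main process.

    Returns (plaintext the server saw, plaintext the main process got back).
    """
    proxy, server = EncryptionSubprocess(k1, k2), WebServer(k2)
    first_request = seal(k1, first_request_plain)           # main process side
    second_request = proxy.to_server(first_request)         # re-keyed for tunnel 2
    second_response = server.handle(second_request)
    first_response = proxy.to_main(second_response)         # re-keyed for tunnel 1
    return server.seen[-1], open_sealed(k1, first_response)  # main process decrypts


def tamper_is_detected(k1: bytes, k2: bytes) -> bool:
    """Flip one ciphertext bit on tunnel 1; the subprocess must refuse to forward."""
    proxy = EncryptionSubprocess(k1, k2)
    record = bytearray(seal(k1, b"CONNECT host:443"))
    record[NONCE_LEN] ^= 0x01
    try:
        proxy.to_server(bytes(record))
    except ValueError:
        return True
    return False
```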
The encryption subprocess module 50404 further includes: a hardware management submodule 504046, configured so that the encryption subprocess identifies the secure key storage hardware through its driver; and a certificate verification submodule 504048, configured to perform the cryptographic operations according to the hardware certificate carrier during two-way certificate verification.
It should be noted that, in a specific implementation, the encryption subprocess module may be understood with reference to the block diagram shown in Fig. 7. The encryption subprocess module includes: a configuration module 702, a proxy module 704 (corresponding to the proxy submodule above), a CTL management module 706, a CRL management module 708, a Session management module 710, a certificate verification module 712, an SSL connection module 714 (corresponding to the secure connection submodule above) and a USBKey operation module 716 (corresponding to the hardware management submodule above). The CTL management module 706 and the CRL management module 708 correspond to the certificate verification submodule above.
The proxy module accepts connections from the browser main process module, handles each connection according to its type, and thereby acts as the connection proxy for the browser main process module. The CTL module manages the trusted root certificate list. The CRL management module obtains CRLs and manages the local CRL list. The Session management module manages the proxy process's sessions with the web server. The SSL connection module is responsible for establishing the secure connection with the web server. The USBKey management module is responsible for operating the USBKey device. The configuration module is responsible for reading and storing the client's configuration.
The CTL management module 706 works as follows. The CTL describes the browser's trusted root certificate list and is used to authenticate server-side certificates. In the secure browser client the supported trusted root certificates are PEM encoded, and two ways of adding certificates are supported at the same time: 1) trusted root certificates are built into the program; 2) trusted root certificates are added through a configuration file, which is stored encrypted with DES. The CTL can be configured not to support import and export.
The CRL management module 708 works as follows. A CRL describes the certificate revocation list of a certification authority (CA); it is essentially a list of certificate serial numbers, each represented as an ASN.1-encoded Integer. An extension of the X509v3 certificate (OID 2.5.29.31) specifies the CRL distribution point of that certificate. The secure browser device of the present embodiment caches CRLs locally, and CRL lookup is indexed at the first level by CA. The CRL check proceeds as follows: (1) obtain the Issuer field of the certificate and locate the corresponding CA node; if the Issuer field is absent or no corresponding CA entry is found, the certificate is regarded as illegal; (2) search all CRL entries under that CA using binary search.
For the Session management module 710: an SSL connection adds a four-round handshake on top of the three-way TCP handshake, so connection establishment is relatively time consuming; saving the Session and reusing the earlier connection can therefore effectively improve handshake performance. In the secure browser device of the present embodiment, once an SSL connection has been established, an in-memory index from host+port to the session is created, and subsequent operations can reuse the earlier session; for example, the session validity period is 1 hour. The saved sessions are cleared before the browser closes and when the USBKey device is removed.
For the certificate verification module 612: if two-way authentication is required during SSL connection establishment, the encryption subprocess prompts the user to insert the secure key storage hardware, i.e. the USBKey device. After the user inserts the secure key storage hardware it is recognised automatically, and a certificate selection dialog is shown prompting the user to select a certificate. To recognise the secure key storage hardware automatically, the encryption subprocess relies on two key items of information in the CSP registry entry: SKFImagePath, the path specifying the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device in the same format as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, i.e. VID_XXXX&PID_XXXX. The browser associates the vendorid and productid of the USBKey device with the corresponding driver and completes the association. The browser stores neither the PIN entered by the user nor the private key information held in the USBKey. The specific flow is: first connect to the USBKey device; then open the corresponding application (Application), which the user selects; then open the corresponding container (Container), which the user selects; then verify the PIN code (Personal Identification Number), prompting the user to re-enter it after a failed verification; then obtain the signing certificate information; then obtain the encryption certificate information; and finally close the device to disconnect.
In the present embodiment, for the certificate verification process of the method embodiment above, the verification of the server-side certificate takes place within the handshake protocol, after the browser receives the ServerHelloDone message and before it sends the Certificate message. Certificate verification mainly guarantees the legitimacy of the server; the verification process depends on the CTL and CRL modules, and the detailed procedure is carried out in the certificate verification thread pool of the subprocess. The checking steps are: initialise the trusted root certificate list; check whether the certificate is self-signed; check the certificate extension information; check the certificate trust relationship; check the CRL list; check the certificate signature; check the certificate validity period; and check whether the certificate is on the blacklist.
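The eight checking steps just listed, together with the CA-indexed CRL lookup of the CRL management module (Issuer lookup first, then binary search over that CA's serial numbers), are shown below as one ordered pipeline that reports the first failing step. This is an added example, not code from the patent; the certificate model, the stand-in signature (a digest over the to-be-signed fields bound to the issuer name, not a real signature) and the sample PKI are constructed assumptions, and a deployment would replace the signature check with the real public-key verification.

```python
import hashlib
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: int   # seconds since epoch; constructed values below
    not_after: int
    is_ca: bool       # stands in for the basicConstraints extension
    sig: bytes        # produced by issue()


def _tbs(subject, issuer, serial, not_before, not_after, is_ca) -> bytes:
    return f"{subject}|{issuer}|{serial}|{not_before}|{not_after}|{is_ca}".encode()


def issue(subject, issuer, serial, not_before, not_after, is_ca=False, forged=False):
    """Stand-in signature: a digest bound to the issuer name and the TBS fields.
    Not a real signature (no private key); forged=True makes step 6 fail."""
    signer = "nobody" if forged else issuer
    tbs = _tbs(subject, issuer, serial, not_before, not_after, is_ca)
    return Cert(subject, issuer, serial, not_before, not_after, is_ca,
                hashlib.sha256(signer.encode() + tbs).digest())


def standin_verify(cert: Cert, issuer: Cert) -> bool:
    tbs = _tbs(cert.subject, cert.issuer, cert.serial, cert.not_before,
               cert.not_after, cert.is_ca)
    return cert.sig == hashlib.sha256(issuer.subject.encode() + tbs).digest()


class CrlIndex:
    """Local CRL cache: first-level index by CA, serials kept sorted for bisect."""

    def __init__(self, revoked: Dict[str, Iterable[int]]):
        self._by_ca = {ca: sorted(serials) for ca, serials in revoked.items()}

    def lookup(self, cert: Cert) -> Optional[bool]:
        """None when the issuer has no CA node (CRL step 1), else revoked or not."""
        serials = self._by_ca.get(cert.issuer)
        if serials is None:
            return None
        i = bisect_left(serials, cert.serial)  # CRL step 2: binary search
        return i < len(serials) and serials[i] == cert.serial


class ServerCertVerifier:
    def __init__(self, ctl, crl, blacklist, verify_signature=standin_verify):
        self.roots = {c.subject: c for c in ctl}  # step 1: trusted root list
        self.crl = crl
        self.blacklist = set(blacklist)            # (issuer, serial) pairs
        self.verify_signature = verify_signature

    def verify(self, chain: List[Cert], now: int) -> str:
        """Return 'ok' or the name of the first failing step, in the text's order."""
        if not chain:
            return "empty chain"
        leaf, by_subject = chain[0], {c.subject: c for c in chain}
        # step 2: a self-signed certificate passes only if it is itself a CTL root
        if leaf.subject == leaf.issuer and self.roots.get(leaf.subject) != leaf:
            return "self-signed"
        # steps 3 and 4: follow issuer links to a CTL root; every issuer must be a CA
        path = [leaf]
        while path[-1].subject not in self.roots:
            issuer = by_subject.get(path[-1].issuer) or self.roots.get(path[-1].issuer)
            if issuer is None or len(path) > 8:
                return "trust"
            if not issuer.is_ca:
                return "extensions"
            path.append(issuer)
        if self.roots[path[-1].subject] != path[-1]:
            return "trust"  # carries a root's name but is not the CTL copy
        # step 5: CRL lookup for every certificate below the root
        if any(self.crl.lookup(c) in (None, True) for c in path[:-1]):
            return "crl"
        # step 6: each certificate checked against its issuer; the root against itself
        for i, cert in enumerate(path):
            if not self.verify_signature(cert, path[i + 1] if i + 1 < len(path) else cert):
                return "signature"
        # step 7: validity window
        if any(not (c.not_before <= now <= c.not_after) for c in path):
            return "time"
        # step 8: blacklist
        if any((c.issuer, c.serial) in self.blacklist for c in path):
            return "blacklist"
        return "ok"


# Constructed PKI (not real certificates).
NOW, YEAR = 1_700_000_000, 365 * 86400
ROOT = issue("CN=Root CA", "CN=Root CA", 1, NOW - 5 * YEAR, NOW + 5 * YEAR, is_ca=True)
SUB_CA = issue("CN=Sub CA", "CN=Root CA", 0x10, NOW - YEAR, NOW + 2 * YEAR, is_ca=True)
LEAF = issue("CN=site.example", "CN=Sub CA", 0x2001, NOW - 30 * 86400, NOW + YEAR)
CRL = CrlIndex({"CN=Root CA": [0x11, 0x12], "CN=Sub CA": [0x3000, 0x2002, 0x1FFF]})
VERIFIER = ServerCertVerifier([ROOT], CRL, blacklist=[("CN=Sub CA", 0x2003)])
```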
It should be noted that, in a specific implementation, the browser main process module may be understood with reference to the block diagram shown in Fig. 8. The browser main process module includes: a certificate display module 802, a whitelist management module 804, a web server certificate storage module 806 and a proxy setting module 808. The certificate display module 802 is responsible for displaying digital certificates. The whitelist management module 804 manages the list of web servers that support the cryptographic algorithms of the present embodiment. The web server certificate storage module 806 manages the stored certificates of web servers. The proxy setting module 808 is responsible for configuring the proxy to the encryption subprocess.
Since the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description of specific languages above is given to disclose the best mode of the invention.
Numerous specific details are set out in the specification provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules or units or components in an embodiment may be combined into one module or unit or component, and may in addition be divided into a plurality of submodules or subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the secure communication system device according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention also discloses: A1. A secure communication system, comprising a secure browser device and a web server; where the web server is configured to establish an encrypted connection with the secure browser device and, after the encrypted connection has been established successfully, to exchange service data with the secure browser device over the second encrypted tunnel; the secure browser device includes a browser main process module and an encryption subprocess module, where the browser main process module is configured to start, in the browser client, the encryption subprocess module that runs the encryption subprocess communicating with the browser main process, where the encryption subprocess acts as a connection proxy that converts the first encrypted tunnel into the second encrypted tunnel and forwards data; the encryption subprocess module includes: a proxy submodule, configured to listen for the browser main process and obtain the first connection request sent by the browser main process, and, after the encrypted connection has been established successfully, to have the encryption subprocess forward service data between the first encrypted tunnel and the second encrypted tunnel; and a secure connection submodule, configured so that, according to the first connection request, the encryption subprocess establishes the encrypted connection with the web server; where the first encrypted tunnel is the secure communication channel between the browser main process and the encryption subprocess, and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the web server.
A2. The system of A1, where the proxy submodule is configured so that the encryption subprocess creates a listening thread; the listening thread listens for the main process on a service port.
A3. The system of A1, where the secure connection submodule is configured so that, upon confirming that the first connection request has been received successfully, the encryption subprocess and the web server perform cipher negotiation and certificate authentication in turn; after the cipher negotiation is complete and the certificate authentication has passed, the encrypted connection between the browser client and the web server is established.
A4. The system of A3, where the secure connection submodule is configured so that the encryption subprocess sends a ClientHello message to the web server, where the ClientHello message carries the first encryption data of the browser client, and the first encryption data includes a set of protocol versions; and receives the ServerHello message returned by the web server, where the ServerHello message carries the second encryption data of the web server, and the second encryption data includes the protocol version selected from the first encryption data; and the web server is configured to return the ServerHello message to the secure browser device.
A5. The system of A3, where the secure connection submodule is configured to perform one-way certificate authentication of the web server; or the encryption subprocess and the web server perform two-way certificate authentication.
A6. The system of A1, where the proxy submodule is further configured to create a service processing thread; the service processing thread is connected to the first encrypted tunnel and to the second encrypted tunnel respectively.
A7. The system of A6, where the proxy submodule is configured so that the service processing thread receives, over the first encrypted tunnel, the first service data sent by the main process; decrypts the first service data with the first symmetric algorithm to obtain the original service data; encrypts the original service data with the second symmetric algorithm to obtain the second service data; and sends the second service data to the web server over the second encrypted tunnel; and the web server is configured to receive the second service data sent by the secure browser over the second encrypted tunnel.
A8. The device of A5, where the web server is configured to send the Certificate message of the web server to the secure browser, where the Certificate message carries the website signing certificate of the web server; and in the secure browser device, the secure connection submodule is configured to receive the Certificate message sent by the web server, and the encryption subprocess authenticates the website signing certificate of the web server.
A9. The device of A5, where the web server is configured to send the Certificate message of the web server to the secure browser, where the Certificate message carries the website signing certificate of the web server; send a ServerKeyExchange message, which carries the key exchange parameters; send a CertificateRequest message, which indicates that client certificate authentication is to be performed; send a ServerHelloDone message; and receive the client Certificate message sent by the secure browser device and authenticate the signing certificate it carries, where the client Certificate message carries the signing certificate of the secure browser client; and the secure connection submodule is configured so that the encryption subprocess receives the Certificate message sent by the web server; receives the ServerKeyExchange message sent by the web server; receives the CertificateRequest message sent by the web server; receives the ServerHelloDone message sent by the web server; authenticates the website signing certificate; and, after the website signing certificate has passed authentication, sends a client Certificate message to the web server, where the client Certificate message carries the signing certificate of the browser client.
A10. The system of A9, where the secure connection submodule is further configured to randomly generate a pre-master key according to the key exchange parameters, where the pre-master key is encrypted with the encryption public key of the web server using the SM2 elliptic-curve algorithm; the encryption subprocess generates a ClientKeyExchange message from the pre-master key and sends it to the web server; and the web server is further configured to receive the ClientKeyExchange message sent by the secure browser device and to obtain the pre-master key from it.
A11. The system of A9, where the secure connection submodule is further configured to obtain the signature verification parameters computed from the website signing certificate, generate a client CertificateVerify message and send it to the web server; the encryption subprocess sends a client ChangeCipherSpec message to the web server to indicate that the cipher negotiation is complete; the encryption subprocess sends a client Finished message to the web server; the encryption subprocess receives the server ChangeCipherSpec message sent by the web server, which indicates that the server accepts this cipher negotiation; the encryption subprocess receives the server Finished message sent by the web server; and the web server is further configured to receive in turn the client CertificateVerify message, client ChangeCipherSpec message and client Finished message sent by the secure browser device, and to send in turn the server ChangeCipherSpec message and server Finished message to the secure browser device.
A12. The system of A11, further comprising: the secure connection submodule is further configured to establish, after the encrypted connection has been set up successfully, the second encrypted tunnel over which the encryption subprocess and the web server communicate securely.
A13. The system of A7, where the proxy submodule is further configured to use the encryption subprocess to establish encrypted communication with the main process through a handshake procedure and, after the encrypted communication has been established, to set up the first encrypted tunnel over which the main process and the encryption subprocess communicate securely; where in the handshake procedure two-way certificate authentication is performed between the encryption subprocess and the main process, a key exchange is performed with the first asymmetric algorithm together with certificate authentication, and a symmetric key is generated during the key exchange.
A14. The system of A1, where the proxy submodule is further configured so that the service processing thread encrypts the first connection request with the second symmetric algorithm to obtain a second connection request; the service processing thread sends the second connection request to the web server; the service processing thread receives the second connection response returned by the web server for the second connection request; the second connection response is decrypted with the second symmetric algorithm to obtain the first connection response, which is returned to the main process; and the web server is configured to receive the second connection request sent by the secure browser device, generate the second connection response after processing the second connection request, and send the second connection response to the secure browser device.
A15. The system of A5, where the encryption subprocess module further includes: a hardware management submodule, configured so that the encryption subprocess identifies the secure key storage hardware through its driver; and a certificate verification submodule, configured to perform the cryptographic operations according to the hardware certificate carrier during two-way certificate verification.

Claims (10)

1. A secure communication system, comprising: a secure browser device and a web server;
where the web server is configured to establish an encrypted connection with the secure browser device and, after the encrypted connection has been established successfully, to exchange service data with the secure browser device over the second encrypted tunnel;
the secure browser device includes: a browser main process module and an encryption subprocess module,
where the browser main process module is configured to start, in the browser client, the encryption subprocess module that runs the encryption subprocess communicating with the browser main process, where the encryption subprocess acts as a connection proxy that converts the first encrypted tunnel into the second encrypted tunnel and forwards data;
the encryption subprocess module includes:
a proxy submodule, configured to listen for the browser main process and obtain the first connection request sent by the browser main process, and, after the encrypted connection has been established successfully, to have the encryption subprocess forward service data between the first encrypted tunnel and the second encrypted tunnel;
a secure connection submodule, configured so that, according to the first connection request, the encryption subprocess establishes the encrypted connection with the web server;
where the first encrypted tunnel is the secure communication channel between the browser main process and the encryption subprocess; and the second encrypted tunnel is the secure communication channel between the encryption subprocess and the web server.
2. The system as claimed in claim 1, characterized in that:
the agent sub-module creates a listening thread for the encryption subprocess, and the listening thread listens for the main business process on a service port.
3. The system as claimed in claim 1, characterized in that:
the secure connection submodule is configured so that, once the first connection request has been confirmed as received successfully, the encryption subprocess and the web server perform encryption-data negotiation and then certificate authentication in turn; after the encryption-data negotiation is complete and the certificate authentication has passed, the encrypted connection between the browser client and the web server is established.
4. The system as claimed in claim 3, characterized in that:
the secure connection submodule is configured to have the encryption subprocess send a client hello message to the web server, wherein the client hello message comprises first encryption data of the browser client and the first encryption data comprises a number of protocol versions; and to receive the server hello message fed back by the web server, wherein the server hello message comprises second encryption data of the server and the second encryption data comprises a protocol version selected from the first encryption data;
the web server is configured to feed the server hello message back to the secure browser device.
5. The system as claimed in claim 3, characterized in that:
the secure connection submodule is configured to perform one-way certificate authentication of the web server, or the encryption subprocess and the web server perform two-way certificate authentication.
6. The system as claimed in claim 1, characterized in that:
the agent sub-module is further configured to create a business processing thread, and the business processing thread is connected to the first encrypted tunnel and to the second encrypted tunnel respectively.
7. The system as claimed in claim 6, characterized in that:
the agent sub-module is configured to use the business processing thread to receive, through the first encrypted tunnel, first service data sent by the main business process; decrypt the first service data with a first symmetric algorithm to obtain original service data; encrypt the original service data with a second symmetric algorithm to obtain second service data; and send the second service data to the web server through the second encrypted tunnel;
the web server is configured to receive, through the second encrypted tunnel, the second service data sent by the secure browser.
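The forwarding step of claim 7, written out as an added example rather than code from the patent: the business processing thread opens each record with the first tunnel's key and seals it again with the second tunnel's key, so plaintext exists only inside the encryption subprocess. The two symmetric algorithms are stand-ins built from Python's standard library (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), and the keys and messages are constructed sample values; the demo also shows that a record altered on the first tunnel is rejected instead of forwarded.

```python
"""Re-encrypting proxy between the two tunnels of claim 7 (added example, not
the patent's code). The two "symmetric algorithms" are stand-ins built from the
standard library: an HMAC-SHA256 keystream with an encrypt-then-MAC tag.
Keys and messages below are constructed sample values."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated.
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


class Tunnel:
    def __init__(self, key: bytes, label: bytes):
        # Separate keys for encryption and MAC, derived from the tunnel key.
        self.enc_key = hmac.new(key, b"enc|" + label, hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac|" + label, hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ks = _keystream(self.enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, record: bytes) -> bytes:
        if len(record) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated record")
        nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time tag comparison
            raise ValueError("record authentication failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


class BusinessProcessingThread:
    """Holds both tunnel keys: plaintext exists only inside the encryption subprocess."""

    def __init__(self, first: Tunnel, second: Tunnel):
        self.first, self.second = first, second

    def forward_to_server(self, first_business_data: bytes) -> bytes:
        original = self.first.open(first_business_data)  # first symmetric algorithm
        return self.second.seal(original)                 # second symmetric algorithm


def run_demo() -> tuple:
    # Constructed keys: one per tunnel, so neither endpoint can read the other tunnel.
    k1 = hashlib.sha256(b"constructed key: main process <-> subprocess").digest()
    k2 = hashlib.sha256(b"constructed key: subprocess <-> web server").digest()
    browser, server = Tunnel(k1, b"tunnel-1"), Tunnel(k2, b"tunnel-2")
    proxy = BusinessProcessingThread(Tunnel(k1, b"tunnel-1"), Tunnel(k2, b"tunnel-2"))
    request = browser.seal(b"GET /account/balance")
    at_server = server.open(proxy.forward_to_server(request))
    tampered = bytearray(request)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit on the first tunnel
    try:
        proxy.forward_to_server(bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return at_server, rejected
```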
8. The device as claimed in claim 5, characterized in that:
the web server is configured to send a server certificate message of the web server to the secure browser, the server certificate message comprising the website signing certificate of the web server;
in the secure browser device, the secure connection submodule is configured to receive the server certificate message sent by the web server, and the encryption subprocess authenticates the website signing certificate of the web server.
9. The device as claimed in claim 5, characterized in that:
the web server is configured to send the server certificate message of the web server to the secure browser, the server certificate message comprising the website signing certificate of the web server; to send a server key exchange message, the server key exchange message comprising key exchange parameters; to send a certificate authentication request message, which indicates that client certificate authentication is to be carried out; to send a server hello done message; and to receive the client certificate message sent by the secure browser device and authenticate its signing certificate, the client certificate message comprising the signing certificate of the secure browser client;
the secure connection submodule is configured so that the encryption subprocess receives the server certificate message sent by the web server; the encryption subprocess receives the server key exchange message sent by the web server; the encryption subprocess receives the certificate authentication request message sent by the web server; the encryption subprocess receives the server hello done message sent by the web server; the encryption subprocess authenticates the website signing certificate; and, after the website signing certificate has been authenticated, the encryption subprocess sends a client certificate message to the web server, the client certificate message comprising the signing certificate of the browser client.
10. The system as claimed in claim 9, characterized in that:
the secure connection submodule is further configured to generate a pre-master key at random according to the key exchange parameters, wherein the pre-master key is encrypted with the encryption public key of the web server using the elliptic-curve cryptosystem SM2; the encryption subprocess generates a client key exchange message from the pre-master key and sends it to the web server;
the web server is further configured to receive the key exchange message sent by the secure browser device and obtain the pre-master key from the key exchange message.
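The handshake sequence of claims 4 and 9 from the encryption subprocess's side, as an added example that is not the patent's code: a small state machine that accepts the server's messages only in the claimed order, refuses a server hello that selects a protocol version the client never offered, and releases the client certificate only after the website signing certificate has passed authentication. The message names, the pinned-fingerprint check standing in for certificate authentication, and the certificate bytes are all assumptions; the SM2 encryption of the pre-master key in claim 10 is not modelled.

```python
"""Handshake-order check for claims 4 and 9 as seen by the encryption subprocess
(added example, not the patent's code). The server must select a version the
client offered and send its flight in the claimed order; the site certificate
must authenticate before the client certificate is released. Certificate checking
is a constructed pinned-fingerprint stand-in; SM2 key exchange is not modelled."""
import hashlib

SERVER_FLIGHT = ("ServerCertificate", "ServerKeyExchange",
                 "CertificateRequest", "ServerHelloDone")


class HandshakeError(Exception):
    pass


class SubprocessHandshake:
    def __init__(self, offered_versions, trusted_fingerprints, client_cert: bytes):
        self.offered = tuple(offered_versions)
        self.trusted = set(trusted_fingerprints)  # SHA-256 hex of accepted site certs
        self.client_cert = client_cert
        self.version = None      # chosen by ServerHello
        self.next_index = 0      # position in SERVER_FLIGHT

    def receive(self, msg: dict):
        # Consume one server message; returns the client flight after ServerHelloDone.
        kind = msg["type"]
        if self.version is None:                      # claim 4: version negotiation
            if kind != "ServerHello":
                raise HandshakeError(f"expected ServerHello, got {kind}")
            if msg["version"] not in self.offered:
                raise HandshakeError(f"server selected unoffered version {msg['version']}")
            self.version = msg["version"]
            return None
        expected = SERVER_FLIGHT[self.next_index] if self.next_index < len(SERVER_FLIGHT) else None
        if kind != expected:                          # claim 9: fixed message order
            raise HandshakeError(f"expected {expected}, got {kind}")
        self.next_index += 1
        if kind == "ServerCertificate":
            if hashlib.sha256(msg["certificate"]).hexdigest() not in self.trusted:
                raise HandshakeError("website signing certificate not authenticated")
        elif kind == "ServerHelloDone":
            # The client certificate is released only here, after the site cert passed.
            return [{"type": "ClientCertificate", "certificate": self.client_cert}]
        return None


# Constructed sample material (not real certificates).
SITE_CERT = b"constructed DER bytes of the example website signing certificate"
CLIENT_CERT = b"constructed DER bytes of the example browser client certificate"
TRUSTED = {hashlib.sha256(SITE_CERT).hexdigest()}


def drive(offered, server_messages) -> tuple:
    # Run one handshake; returns ("ok", client_flight) or ("error", reason).
    hs = SubprocessHandshake(offered, TRUSTED, CLIENT_CERT)
    flight = None
    try:
        for msg in server_messages:
            flight = hs.receive(msg)
        return ("ok", flight)
    except HandshakeError as err:
        return ("error", str(err))


def server_flight(version="1.1", cert=SITE_CERT) -> list:
    return [{"type": "ServerHello", "version": version},
            {"type": "ServerCertificate", "certificate": cert},
            {"type": "ServerKeyExchange", "params": "constructed"},
            {"type": "CertificateRequest"},
            {"type": "ServerHelloDone"}]
```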

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410849875.9A CN104580189B (en) 2014-12-30 2014-12-30 A kind of safe communication system
PCT/CN2015/094846 WO2016107318A1 (en) 2014-12-30 2015-11-17 Secure communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410849875.9A CN104580189B (en) 2014-12-30 2014-12-30 A kind of safe communication system

Publications (2)

Publication Number Publication Date
CN104580189A true CN104580189A (en) 2015-04-29
CN104580189B CN104580189B (en) 2019-02-12

Family

ID=53095370

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410849875.9A Expired - Fee Related CN104580189B (en) 2014-12-30 2014-12-30 A kind of safe communication system

Country Status (2)

Country Link
CN (1) CN104580189B (en)
WO (1) WO2016107318A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112020037A (en) * 2020-09-25 2020-12-01 卡斯柯信号(郑州)有限公司 Domestic communication encryption method suitable for rail transit
CN112437437A (en) * 2020-12-10 2021-03-02 深圳市天辰防务通信技术有限公司 Method and system for carrying out point-to-point secret communication connection by utilizing 4G network
CN115085949A (en) * 2021-03-10 2022-09-20 航天信息股份有限公司 Data communication method and device based on national secret SSL transparent proxy
CN115001936B (en) * 2022-07-18 2023-05-02 确信信息股份有限公司 Operation and maintenance management system and method based on management agent and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1359074A (en) * 2001-11-29 2002-07-17 上海格尔软件股份有限公司 SSLL proxy method with MIME data type filter technology
CN1879382A (en) * 2003-11-04 2006-12-13 Ntt通信公司 Method, apparatus and program for establishing encrypted communication channel between apparatuses
US20080235508A1 (en) * 2007-03-22 2008-09-25 Cisco Technology, Inc. (A California Corporation) Reducing processing load in proxies for secure communications
CN102103725A (en) * 2009-12-22 2011-06-22 新竹货运股份有限公司 Information processing system, processing station and method for card swiping on delivery
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580189B (en) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 A kind of safe communication system
CN104580190B (en) * 2014-12-30 2018-09-04 北京奇虎科技有限公司 The implementation method and secure browser device of secure browser

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016107321A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Secure communication system
WO2016107320A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Website security information loading method, and browser device
WO2016107322A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Implementation method for secure browser, and secure browser device
WO2016107318A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Secure communication system
CN107925573A (en) * 2015-07-21 2018-04-17 因特鲁斯特公司 The method and apparatus that secure communication between constrained devices is provided
CN105243330A (en) * 2015-10-13 2016-01-13 武汉大学 Protection method and system facing internal data transfer process of Android system
CN105681279A (en) * 2015-12-28 2016-06-15 上海瀚银信息技术有限公司 Application data transmission method and mobile terminal
CN106330942A (en) * 2016-08-31 2017-01-11 成都秦川科技发展有限公司 Information distribution method, apparatus and system based on Internet of Things information private channel and public network fuzziness
CN108270739A (en) * 2016-12-30 2018-07-10 华为技术有限公司 A kind of method and device of managing encrypted information
CN110870277A (en) * 2017-06-26 2020-03-06 微软技术许可有限责任公司 Introducing middleboxes into secure communication between a client and a server
CN110870277B (en) * 2017-06-26 2022-03-29 微软技术许可有限责任公司 Introducing middleboxes into secure communication between a client and a server
CN108429620A (en) * 2018-01-25 2018-08-21 新华三技术有限公司 Method for building up, system and the client and server-side of secure connection
CN108429620B (en) * 2018-01-25 2021-10-12 新华三技术有限公司 Method and system for establishing secure connection, client and server
CN109714337A (en) * 2018-12-26 2019-05-03 网宿科技股份有限公司 A kind of data encryption and transmission method and equipment
CN110225515A (en) * 2019-06-24 2019-09-10 晏保华 A kind of authentication administrative system, method and device
CN110225515B (en) * 2019-06-24 2022-08-23 喀斯玛(北京)科技有限公司 Authentication management system, method and device
CN112398805A (en) * 2019-08-15 2021-02-23 罗伯特·博世有限公司 Method for establishing communication channel between client machine and service machine
CN111381903A (en) * 2020-03-18 2020-07-07 支付宝(杭州)信息技术有限公司 Program running method, device, equipment and medium
CN112507269A (en) * 2020-12-10 2021-03-16 中国农业科学院农业信息研究所 Website background risk assessment system
CN112507269B (en) * 2020-12-10 2023-08-08 中国农业科学院农业信息研究所 Website background risk assessment system
CN112613025A (en) * 2020-12-30 2021-04-06 宁波三星医疗电气股份有限公司 Communication method of USB (universal serial bus) equipment and browser on computer
CN113904773A (en) * 2021-10-11 2022-01-07 博雅中科(北京)信息技术有限公司 SSL connection establishment method and device, electronic equipment and computer readable storage medium
CN113904773B (en) * 2021-10-11 2023-07-07 博雅中科(北京)信息技术有限公司 SSL connection establishment method, SSL connection establishment device, electronic equipment and computer readable storage medium
CN114143082A (en) * 2021-11-30 2022-03-04 北京天融信网络安全技术有限公司 Encryption communication method, system and device
CN114143082B (en) * 2021-11-30 2023-10-13 北京天融信网络安全技术有限公司 Encryption communication method, system and device
CN114553957A (en) * 2022-01-10 2022-05-27 网宿科技股份有限公司 Service system and method compatible with national password and international HTTPS transmission
CN114553476A (en) * 2022-01-10 2022-05-27 网宿科技股份有限公司 HTTPS request processing method and device based on national secret and international algorithm
CN114553957B (en) * 2022-01-10 2024-05-24 网宿科技股份有限公司 Service system and method compatible with national cipher and international HTTPS transmission
CN114553476B (en) * 2022-01-10 2024-06-25 网宿科技股份有限公司 HTTPS request processing method and device based on national secret and international algorithm
CN115987688A (en) * 2023-03-20 2023-04-18 北京网藤科技有限公司 Method and system for guaranteeing safe communication between PLC and upper computer
CN115987688B (en) * 2023-03-20 2023-08-01 北京网藤科技有限公司 Method and system for guaranteeing safe communication between PLC and upper computer

Also Published As

Publication number Publication date
WO2016107318A1 (en) 2016-07-07
CN104580189B (en) 2019-02-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190212

Termination date: 20211230