CN104580189B

CN104580189B - A kind of safe communication system

Info

Publication number: CN104580189B
Application number: CN201410849875.9A
Authority: CN
Inventors: 杭程; 石彦伟; 贾正强
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date: 2014-12-30
Filing date: 2014-12-30
Publication date: 2019-02-12
Anticipated expiration: 2034-12-30
Also published as: CN104580189A; WO2016107318A1

Abstract

The present invention provides a kind of safe communication system, the system includes: secure browser device and network server, the secure browser device, comprising: browser main business scheduler module and encryption subprocess module.Wherein, the encryption subprocess of the encryption subprocess module acts on behalf of the conversion for realizing the first encrypted tunnel to the second encrypted tunnel as connection, and data forwarding, and encryption connection is established with the network server by the encryption subprocess module and is communicated, it ensure that the safe transmission of business datum, the risk that business datum leakage can be reduced, improves the safety and reliability of business data transmission.

Description

A kind of safe communication system

Technical field

The present invention relates to Internet technical fields, more particularly to a kind of safe communication system.

Background technique

Browser refers to the html file content that can show web page server or file system, and allow user and these A kind of software of file interaction.Browser mainly passes through http protocol and webpage is interacted and obtained with web page server, exists for user Image, animation, text, video, sound and Streaming Media etc. are shown in webpage, are rated as the client-side program being most widely used One of.Common browser includes the IE of Microsoft, the Safari of apple, the Chrome of Google, 360 safety browsings on PC Device, search dog high speed browser etc..

With the fast development of internet, network application has become a kind of trend, and more and more network applications can be with It realizes in a browser, such as Internet securities, Web bank, E-Government, e-commerce, online working.And then it is more and more Important information circulate in a network, but the network application authentication mechanism in browser is weaker, the security risks such as plaintext transmission Information-based development is seriously hindered, how to protect the circulation safety of these data is that browser realizes network application faces one A major issue.

Summary of the invention

In view of the above problems, it proposes on the present invention overcomes the above problem or at least be partially solved in order to provide one kind State the safe communication system of problem.

According to one aspect of the present invention, a kind of safe communication system is provided, comprising: secure browser device and network Server；Wherein, the network server is communicated for establishing encryption connection with the secure browser device；And institute After stating the success of encryption connection connection setup, business datum is executed by the second encrypted tunnel with the secure browser device and is handed over Mutually；The secure browser device, comprising: browser main business scheduler module and encryption subprocess module, wherein the browsing Device main business scheduler module, for start in browser client encryption that is communicated with browser main business process into The encryption subprocess module of journey, wherein the encryption subprocess is used to realize the first encrypted tunnel to second as connection agency The conversion and data forwarding of encrypted tunnel；The encryption subprocess module, comprising: agent sub-module, for browser master Business process is listened to, and obtains the first connection request that the browser main business process is sent；And in the encryption After connection communication is successfully established, the encryption subprocess executes business datum in first encrypted tunnel and the second encrypted tunnel Between forwarding；Secure connection submodule, for being taken according to first connection request, the encryption subprocess and the network Business device establishes encryption connection communication；Wherein, first encrypted tunnel is the browser main business process and encryption The secured communication channel of process；Second encrypted tunnel is the secure communication of the encryption subprocess and the network server Channel.

The present embodiment can realize turning for the first encrypted tunnel to the second encrypted tunnel as agency by encryption subprocess It changes and data forwarding, success establishes the encryption of a safety between the main business process and network server of browser Channel ensure that the safe transmission of business datum, can reduce the risk of business datum leakage, improve the peace of business data transmission Full property and reliability.Moreover, because the present embodiment realizes above-mentioned function by browser, therefore uses browser clients in user During end, browser client can start encryption subprocess automatically and establish between main business process and network server Exit passageway realizes above-mentioned function, improves browser and network server carries out the safety and reliability of stream compression, make Secure browser is obtained to be achieved.

The above description is only an overview of the technical scheme of the present invention, in order to better understand the technical means of the present invention, And it can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can It is clearer and more comprehensible, the followings are specific embodiments of the present invention.

Detailed description of the invention

By reading the following detailed description of the preferred embodiment, various other advantages and benefits are common for this field Technical staff will become clear.The drawings are only for the purpose of illustrating a preferred embodiment, and is not considered as to the present invention Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:

Fig. 1 shows a kind of flow chart of the implementation method of secure browser according to an embodiment of the invention；

Fig. 2 shows a kind of flow charts of the implementation method of secure browser according to an embodiment of the invention；

Fig. 3 shows a kind of agency mechanism schematic diagram of encryption subprocess according to an embodiment of the invention；

Fig. 4 shows the handshake procedure signal of encryption subprocess and network server according to an embodiment of the invention Figure；

Fig. 5 shows a kind of structural block diagram of safe communication system according to an embodiment of the invention；

Fig. 6 shows a kind of structural block diagram of safe communication system according to an embodiment of the invention；

Fig. 7 shows a kind of structural block diagram of the encryption subprocess module provided according to embodiments of the present invention；And

Fig. 8 shows a kind of structural block diagram of the browser main business scheduler module provided according to embodiments of the present invention.

Specific embodiment

Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing the disclosure in attached drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure It is fully disclosed to those skilled in the art.

Embodiment one:

Referring to Fig.1, a kind of implementation method embodiment of secure browser according to an embodiment of the invention is shown Flow chart of steps can specifically include following steps:

Step 102, start the encryption subprocess communicated with browser main business process in browser client, In, the encryption subprocess is used to act on behalf of the conversion for realizing the first encrypted tunnel to the second encrypted tunnel, and number as connection According to forwarding.

The website needs of financial business are related to by with safety for number of site, such as website of bank, Alipay website Encryption data is carried out for (HTTP-Hypertext transfer protocol, the hypertext transfer protocol) channel HTTP of target Transmission, but browser main business process and network server use different cryptographic protocol or algorithm sometimes, both cause Can not direct communication, can not access to the webpage of the network server.

In the present embodiment, a kind of secure browser client is provided, is also provided in a browser and browser master The encryption subprocess that business process is communicated.In order to enable secure browser can be realized, need first in browser clients Start the encryption subprocess communicated with browser main business process in end.The encryption subprocess functions primarily as Connection agency realizes the conversion and data forwarding of the first encrypted tunnel to the second encrypted tunnel.Made using encryption subprocess For the agency of main business process, the safe passing that can be encrypted with browser main business process can also take with network The secure communication that business device is encrypted, is such as sent to the business datum of browser main business process by the first encrypted tunnel Subprocess is encrypted, which is transferred to network server by the second encrypted tunnel for business datum, realizes that data turn The connection of hair and two encrypted tunnels.

It should be noted that under normal conditions, the main business process of browser is directly communicated with network server, but It is, when to be communicated for the channel HTTP of target safely, if the data that main business process can not feed back network server Information is parsed, and is started the encryption subprocess and is connected as agency, i.e., the described encryption subprocess as the main business into Agency between journey and the network server.Above-mentioned first encrypted tunnel is the browser main business process in the present embodiment With the secured communication channel of the encryption subprocess；Second encrypted tunnel is the encryption subprocess and network server Secured communication channel.Therefore the encryption subprocess is logical by the first encryption that will encrypt subprocess and the main business process Road is converted to the second encrypted tunnel of encryption subprocess and network server, to realize the main business process and the network Connection agency between server.Encryption subprocess is sent to by first encrypted tunnel certainly for main business process The business datum can be sent to network server by the second encrypted tunnel by business datum, encryption subprocess.

Step 104, the encryption subprocess listens to browser main business process, and obtains the browser main business The first connection request that business process is sent.

Encryption subprocess browser main business process is listened to, be in order to obtain at the first time browser main business into The first connection request that journey is sent.When specific implementation, encryption subprocess can be by serve port to the browser main business Process is listened to.When encrypting subprocess and listening to the first connection request and arrive, encryption subprocess receive the main business into The first connection request that journey is sent.The first connection request that the browser main business process is sent, can specifically include business Data.

Step 106, it establishes encryption according to first connection request, the encryption subprocess and the network server and connects Connect letter.

After encryption subprocess receives the first connection request that main business process is sent, the encryption subprocess foundation First connection request, establishes encryption connection with the network server and communicates.The encryption subprocess and the network take Business device establishes encryption connection communication, i.e., it is peace with confirmation that the described encryption subprocess and the network server, which carry out safety certification, Entirely, legal communication party, to establish the channel of secure communication.

It should be noted that the encryption subprocess is established encryption connection with the network server and is communicated, combining encryption Subprocess also can communicate with main business process, thus encrypt subprocess respectively with main business process and network server this Both ends establish corresponding connection, and encryption connection communication can be used as the bridge that the both ends carry out data exchange.

Step 108, after encryption connection connection setup success, the encryption subprocess executes business datum described Forwarding between first encrypted tunnel and the second encrypted tunnel.

First encrypted tunnel described in the present embodiment is the peace of the browser main business process and the encryption subprocess Full communication channel；Second encrypted tunnel is the secured communication channel of the encryption subprocess and the network server.

The encryption subprocess is successfully established encryption connection with the network server and communicates, it is meant that encryption subprocess with Data, and the encrypted processing of these data can be mutually sent between network server, it is ensured that the safety of stream compression Reliably.Business datum in first connection request received can be sent to network server by encryption subprocess, be had Body, encryption subprocess executes forwarding of the business datum between first encrypted tunnel and the second encrypted tunnel, that is, encrypts Subprocess can receive business datum by first encrypted tunnel, after being decrypted, then using the second encrypted tunnel agreement Encryption method to business datum process encryption after, be sent to the network server.The business datum described in this way is just from first Encrypted tunnel is forwarded to the second encrypted tunnel, represents business datum from main business process and is forwarded to network server.

The present embodiment start first in browser client encryption that is communicated with browser main business process into Journey, wherein the encryption subprocess is used to act on behalf of the conversion for realizing the first encrypted tunnel to the second encrypted tunnel as connection, with And data forwarding；Then the encryption subprocess listens to browser main business process, and obtains the browser main business The first connection request that business process is sent；Then it is taken according to first connection request, the encryption subprocess and the network Business device establishes encryption connection communication；Finally after encryption connection connection setup success, the encryption subprocess executes business Forwarding of the data between first encrypted tunnel and the second encrypted tunnel；Wherein, first encrypted tunnel is described clear Look at device main business process and it is described encryption subprocess secured communication channel；Second encrypted tunnel is the encryption subprocess With the secured communication channel of the network server.The present embodiment can realize the first encryption as agency by encryption subprocess Channel to the second encrypted tunnel conversion and data forwarding, success browser main business process and network server it Between establish the encrypted tunnel of a safety, ensure that the safe transmission of business datum, the wind of business datum leakage can be reduced Danger, improves the safety and reliability of business data transmission.Moreover, because the present embodiment realizes above-mentioned function by browser, Therefore during user uses browser client, browser client can start encryption subprocess in main business automatically Exit passageway is established between process and network server, realizes above-mentioned function, is improved browser and is counted with network server According to the safety and reliability of circulation, so that secure browser is achieved.

Embodiment two:

On the basis of the above embodiments, the present embodiment continues to discuss the implementation method of secure browser.

Referring to Fig. 2, a kind of implementation method embodiment of secure browser according to an embodiment of the invention is shown Flow chart of steps can specifically include following steps:

Step 202, start the encryption subprocess communicated with browser main business process in browser client, In, the encryption subprocess is used to act on behalf of the conversion for realizing the first encrypted tunnel to the second encrypted tunnel, and number as connection According to forwarding.

Start the encryption subprocess communicated with browser main business process in the present embodiment in browser client, It can be started automatically by browser, specifically, when browser main business process and network server communication failure, browser is certainly The dynamic starting encryption subprocess, the encryption subprocess receives the first connection request of main business process, according to described first The business datum for including in connection request carries out respective handling, forms agency's connection of browser main business process.

Above-mentioned first encrypted tunnel is the peace of the browser main business process and the encryption subprocess in the present embodiment Full communication channel；Second encrypted tunnel is the secured communication channel of the encryption subprocess and network server.Therefore institute The first encrypted tunnel of subprocess Yu the main business process will encrypt by stating encryption subprocess and passing through, be converted to encrypt subprocess and Second encrypted tunnel of network server, to realize that the connection between the main business process and the network server is acted on behalf of. The business datum of encryption subprocess is sent to by first encrypted tunnel certainly for main business process, encryption subprocess can The business datum is sent to network server by the second encrypted tunnel.

In the present embodiment, browser main business process and encryption subprocess use agency and two kinds of communication modes of IPC, thus Encryption subprocess can be used as connection agency, be responsible for and the first encrypted tunnel of browser main business process, arrive and network server The second encrypted tunnel channel conversion and data forwarding, and IPC communication mode be responsible for inter-process data transmitting.The present embodiment In, encryption subprocess acts on behalf of realization mechanism as shown in figure 3, can specifically include such as flowering structure:

Main thread: reading all kinds of configurations, and creation listening thread, main business thread and browser host process IPC are logical.

Intercepting thread: for monitoring serve port, when with the presence of main business process connection request and receive (accept) at Function executes corresponding agent operation.

Business processing thread: respective encrypted channel is established respectively with main business process and network server both ends and connect and ties up It holds, to carry out the data exchange at both ends as bridge.

Step 204, the encryption subprocess listens to browser main business process, and obtains the browser main business The first connection request that business process is sent.

The encryption subprocess listens to browser main business process, can specifically be accomplished by the following way: The encryption subprocess creates intercepting thread；The intercepting thread carries out the browser main business process by serve port It listens to.When intercepting thread, which listens to the first connection request, to arrive, the first connection request that the main business process is sent is received. The first connection request that the browser main business process is sent, can specifically include business datum.Subprocess is encrypted to browsing Device main business process is listened to, and is the first connection request in order to obtain the transmission of browser main business process at the first time.

Step 206, it establishes encryption according to first connection request, the encryption subprocess and the network server and connects Connect letter.

It establishes and encrypts according to first connection request, the encryption subprocess and the network server in the present embodiment Connection communication can specifically include following sub-step:

Sub-step one, after confirming that first connection request receives successfully, the encryption subprocess and the network are taken Business device successively carries out encryption data negotiation and certificate verification.

Sub-step two establishes the browser client and net after encryption data negotiation finishes and certificate verification passes through The encryption connection of network server communicates.

It should be noted that encrypting subprocess and network server progress encryption data negotiation in the sub-step one The step of, it can specifically be accomplished by the following way: firstly, the encryption subprocess sends client to the network server Hold hello messages, wherein the client hello message includes the first encryption data of the browser client, and described first Encryption data includes several protocol versions；Secondly, the network server is greeted to the encryption subprocess back services end Message, wherein the server-side hello messages include the second encryption data of the server client, the second encryption number According to include: from first encryption data select protocol version.It should be noted that above-mentioned client hello message and Server-side hello messages are used to determine the safe transmission ability of both sides, including several protocol versions, session identification, cipher suite Equal attributes, and generate and exchange random number.

Client hello message (ClientHello message) is as browser client and network server Handshake Protocol A piece of news after the encryption subprocess sends client hello message to the network server, waits network service Device returns to Server Hello message.The definition of client-side issue message structure:

1, Clien_vision indicates client protocol version used in this session.If protocol version is 1.1.

2, Radom is the random information that client generates, and content includes always and random number.

3, session_id is the session identification that client uses in this connection.Session_id is a variable length word Section, value are determined by server.If not reusable session identification wishes to negotiate security parameter, which is sky, no Then indicate that client wishes to reuse the session.This session identification may be before connection identifier, current connection identifier or its He is in the connection identifier of connection status.Session identification generate after should unanimously remain to by time-out delete or it is related to this session Connection encounter fatal error and be closed.One session failed or then relative connection should all be forced to close when being closed It closes.

4, cipher_suites is the cipher suit list that client is supported, client should be used according to cipher suite Priority orders arrangement, the cipher suite of highest priority should rank the first.If session identity fields are not empty, this field Cipher suite used in the session that will be reused should be included at least.Each cipher suite include a Diffie-Hellman, one Encryption Algorithm and a checking algorithm.Server will select a matching cipher suite in cipher suit list, such as Fruit not can matched cipher suite, should return and shake hands failure warning message and close connection.

5, compression_methods is the compression algorithm list that client is supported, client should be according to compression The priority orders arrangement that algorithm uses, the compression algorithm of highest priority rank the first.Server will be in compression algorithm list One matching compression algorithm of middle selection must include pneumatics compression algorithm, such client and server total energy in list Negotiate consistent compression algorithm.

It should be noted that if server can find matched cipher suite, server from client hello message The server-side hello messages (Server Hello message) are sent as the reply to client hello message.If can not find Matched cipher suite, server will respond warning message.

Certificate verification is successively carried out with the network server it should be noted that encrypting subprocess in the sub-step one The step of, can specifically include: the encryption subprocess carries out unidirectional certificate verification to the network server；Or, described add Close subprocess and the network server carry out two-way certificate verification.

In an alternative embodiment of the invention, when carrying out the two-way authentication of digital certificate, the encryption subprocess pop-up Certificate selection frame, and show in the certificate selection frame letter for each user certificate that the browser loads in the terminal Breath；The user certificate of user's selection is received by the certificate selection frame.

Further include: the encryption subprocess shows password entry message, and the password entry message is for prompting user defeated Enter the corresponding protection password of the user certificate；The encryption subprocess receives the protection password of user's input, and protects to stating Password is verified, and is confirming the access right for protecting the user that confirms password to have the user certificate.

In the present embodiment, in order to guarantee to access the safety of website and user, CA mechanism is that different websites promulgates different Website certificate, while different user certificates is promulgated for the different user of different web sites.Wherein, in digital certificate include website or The contents such as the information and digital signature of the public key of user, website or user.

In mutual authentication process, the encryption subprocess can be hit by a bullet out certificate choice box in browser client, and The information for each user certificate that the browser loads in the terminal is shown in the certificate selection frame；Pass through the certificate Choice box receives the user certificate of user's selection, and user is after selecting user certificate, the encryption subprocess display port Input message is enabled, the password entry message is such as inputted for prompting user to input the corresponding protection password of the user certificate Personal identification number (Personal Identification Number, PIN), the encryption subprocess receive the guarantor of user's input Retaining enables, and verifies to protection password is stated, i.e., by protecting password that can authenticate to user identity, confirmation user is The no use claim with the user certificate, to correctly confirm that the protection confirms password the use afterwards in protection password entry Family has the access right of the user certificate.Also, above-mentioned user certificate and protection password can be used as user certificate certification Authentication data in the process is sent to network server.

Optionally, further includes: the encryption subprocess prompts user to be inserted into security key storage hardware by prompt information, User certificate is stored in the security key storage hardware；It is close that the encryption subprocess call driver detects the safety Key storage hardware；After detecting the security key storage hardware, the encryption subprocess obtains the security key storage The information of the user certificate stored in hardware.

When browser client loads user certificate, the encryption subprocess described first prompts user to be inserted by prompt information Security key storage hardware, the security key storage hardware, that is, USB Key, it is a kind of hardware device of USB interface, built-in list Piece machine or intelligent card chip have certain memory space, can store the private key and digital certificate of user, utilize USB Key Built-in public key algorithm realizes the certification to user identity.Since private key for user is stored in coded lock, theoretically using any Mode can not all be read, therefore ensure that the safety of user authentication.

The encryption subprocess identifies security key storage hardware by driving, and according to the hardware certificate carrier double Cryptographic calculation is carried out into certification authentication process.For example, if necessary to two-way authentication, the encryption in SSL connection establishment process Subprocess can prompt user to be inserted into security key storage hardware, i.e. USBKey equipment.Security key storage hardware is inserted into user After automatic identification and certificate selection dialog box can be popped up, prompt user to select certificate.The encryption subprocess automatic identification peace Full key storage hardware needs to rely on two key messages in CSP registry entry: SKFImagePath: specified SKF dynamic base Path and TokenVidPid: string format.

The VendorID and ProductID of KEY equipment, the format of use similar to HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Enum format namely VID_XXXX&PID_XXXX in USB.Browser can be set by USBKey Standby vendorid, productid is associated with respective drive, completes relevant operation.Browser will not store the pin of user's input Password will not store the private key information in USBKey.Detailed process is as follows: being firstly connected to USBKey equipment；Then it opens Respective application (Application), Application are determined by user's selection；Then corresponding container (Container) is opened, Container is determined by user's selection；Then checking PIN code (Personal Identity Number) can prompt again after authentication error defeated Enter；Then signing certificate information is obtained；Then encrypted certificate information is obtained；Last pass hull closure disconnects.

1, unilateral authentication

In an alternative example of an embodiment of the present invention, the encryption subprocess carries out the network server unidirectional Certificate verification can specifically be accomplished by the following way: send firstly, the encryption subprocess receives the network server Server-side certificate message, the server-side certificate message includes the website signing certificate of the network server；Secondly, described Encryption subprocess authenticates the website signing certificate of the network server.Below to server-side certificate message (Server Certificate message) it is illustrated, network server needs to send a server-side certificate message to client, the message Always after server-side hello messages, when the cipher suite in choosing uses RSA or ECC or ECDHE algorithm, the clothes The content for end certificate message of being engaged in is server-side mark and IBC common parameter, negotiates IBC for client and server and discloses ginseng Number.Diffie-Hellman and the relationship of credential key type are as shown in table 1.

Diffie-Hellman	Credential key type
		RSA	RSA public key, it is necessary to use the public key in encrypted certificate
IBC	Server-side mark and IBC common parameter
		IBSDH	Server-side mark and IBC common parameter
ECC	ECC public key, it is necessary to use the public key in encrypted certificate
		ECDHE	ECC public key, it is necessary to use the public key in encrypted certificate

Table 1, Diffie-Hellman and credential key type of relationship table

2, two-way authentication

In an alternative example of an embodiment of the present invention, the encryption subprocess and the network server carry out two-way Certificate verification can specifically be accomplished by the following way:

1) the encryption subprocess receives the server-side certificate message that the network server is sent, the server-side certificate Message includes the website signing certificate of the network server；

2) the encryption subprocess receives the certificate verification request message that the network server is sent, the certificate verification Request message is used to indicate the certificate verification for carrying out client；

3) the encryption subprocess receives the server-side cipher key exchange message that the network server is sent, including key is handed over Change parameter；

4) the encryption subprocess receives the server-side that the network server is sent and greets the message that finishes；

5) the encryption subprocess authenticates the website signing certificate；

6) after website signing certificate certification passes through, the encryption subprocess sends client to the network server Certificate message is held, the client certificate message includes the signing certificate of the browser client, so that the network service Device authenticates the signing certificate.

In an alternative example of an embodiment of the present invention, the method further includes the steps that key exchanges: described to add Pre- master key is randomly generated according to the key exchange parameters in close subprocess, wherein the pre- master key is using the network The encrypted public key of server carries out what computations obtained by elliptic curve cryptography SM2；The encryption subprocess uses The pre- master key generates Client Key Exchange message, and is sent to network server, so that the network server obtains The pre- master key.

In a kind of optional example of the embodiment of the present invention, the method further includes the steps that verifying certificate signature, specifically It include: that the encryption subprocess obtains the signature check parameter calculated according to website signing certificate, and generates client certificate school It tests message and is sent to the network server；The encryption subprocess sends client password specification to the network server and becomes More message is completed with characterizing the negotiation of encryption data；The encryption subprocess sends client to the network server and shakes hands End message；The encryption subprocess receives the server-side password specification change message that the network server is sent, with characterization Approve the negotiation of the encryption data；The encryption subprocess receives the server-side that the network server is sent end of shaking hands and disappears Breath.It should be noted that all having been carried out strictly to server certificate in each SSL handshake process of the close SSL connection procedure of state Verifying.

In the present embodiment, above-mentioned encryption data negotiation, certificate verification, key exchange and signature authentication are all clear in safety It lookes in the encryption subprocess of device client and the handshake procedure of network server and to execute.In the present embodiment, two-way authentication is used The asymmetric arithmetic of double certificate mechanism, certificate uses SM2 algorithm, is based on ECDSA signature using signing certificate and realizes that identity is recognized Card is based on ECDH using encrypted certificate and realizes key agreement.The SM4 algorithm used encrypts data, uses SM3 algorithm pair Data are made a summary.

Wherein, SM2 algorithm (SM2algorithm) is a kind of ellipse curve public key cipher algorithm, key length 256 Bit.SM3 algorithm (SM3algorithm) is a kind of cryptographic Hash algorithm, and key length is 128 bits, SM4 algorithm It (SM4algorithm) is a kind of block cipher, block length is 128 bits, and key length is 128 bits.

As shown in figure 4, the handshake procedure of encryption subprocess and network server includes:

4.02, encryption subprocess sends client hello message ClientHello to network server.

4.04, network server sends server-side hello messages SeverHello to the safe secure browser client Encryption subprocess.

Wherein, network server finds matched cipher suite from ClientHello message, sends SeverHello and makees To reply, if can not find matched cipher suite, warning message is sent.In the SeverHello, Sever_vision is indicated The version number that server is supported, such as 1.1；The random number that Radom server end generates；The session that session_id server-side uses Mark；The cipher suite that cipher_suites server-side is chosen from ClientHello message；compression_methods The compression algorithm that server-side is chosen from ClientHello message.

4.06, network server sends server-side certificate message Certificate and gives encryption subprocess.

I.e. this message content of SeverCertificate is signing certificate and encrypted certificate.It signs and demonstrate,proves such as the website of server-side Book (X.509 sequence)

4.08, network server sends certificate verification request message SeverRequest and gives encryption subprocess.

Certificate is provided by SeverRequest message calls client.Specify auth type (ECDSA) simultaneously

4.10, network server sends server-side cipher key exchange message SeverKeyExchange and gives encryption subprocess.

SeverKeyExchange calculates the pre- master key for generating 48 bytes for client.Public key can be directly from service It is obtained in the encrypted certificate at device end.As pre- master key pre_master_seceret key, and use clothes are randomly generated in client The public key of business device certificate carries out ECDH operation

4.12, network server transmission greets the message SeverHelloDone that finishes and gives encryption subprocess.

The hello message phase that SeverHelloDone characterizes handshake procedure is completed, and then the response of client is waited to disappear Breath.

4.14, encryption subprocess sends client key exchange message Certificate to network server.

I.e. ClientCertificate message is a piece of news after the completion of hello message phase, as included client Signing certificate (X.509 sequence).

4.16, encryption subprocess sends client key exchange message ClientKeyExchange to network server.

The pre- master key of the public key encryption of network server in ClientKeyExchange message.

4.18, encryption subprocess sends certificate verification message CertificateVerify to network server.

It is the legitimate holder for being enough certificate that CertificateVerify message, which is used to identify client,.In the present embodiment, Prompt user can prompt user to input protection password after being inserted into USBKey, which carries verifying within the message and use Whether family is legal.

Such as, client carries out ESDSA signature to the abstract of handshaking information using the ECC private key of signing certificate

4.20, encryption subprocess sends client password specification change message ChangeCipherSpec and gives network service Device.

I.e. ClientChangeCipherSpec message shows that algorithm and key agreement are completed to server-side.

4.22, encryption subprocess sends client and shakes hands end message Finished to network server.

In the present embodiment, random number, the random number of server-side, pre_master_ of the subprocess according to client are encrypted Seceret calculates master_seceret using key algorithm, then reuses random number and master_seceret is calculated very Then encryption after all handshake informations abstract is formed ClientFinished message and sent out to server-side by positive data encryption key It send.

4.24, network server send server-side password specification change message ChangeCipherSpec to encryption son into Journey.

4.26, network server send server-side shake hands end message Finished to encryption subprocess.

Server-side verifies client certificate, uses the signature of the signing certificate verifying client of client.Service uses certainly The encryption key of body and progress ECDH operation, obtain pre_master_seceret, are calculated using the same algorithm of client Master_seceret and data encryption key verify the correctness of SeverFinished message, send to client SeverChangeCipherSpec message, express one's approval algorithm and key agreement.

The certification of browser client and network server both sides is completed by above-mentioned handshake procedure, key agreement waited Journey, so that end can be engaged in respectively using the calculated key encryption of negotiation using data by encrypting subprocess and network clothes.

Step 208, after encryption connection connection setup success, the encryption subprocess and network clothes are established as The second encrypted tunnel that business device securely communicates.

The process coded communication in the second encrypted tunnel of the encryption subprocess and the network server.Specifically, may be used The data communicated in the second encrypted tunnel to encrypt business datum using symmetric encipherment algorithm SM4.

Step 210, the encryption subprocess creates business processing thread；The business processing thread is respectively with described first Encrypted tunnel and second encrypted tunnel establish connection.

The business processing thread of the encryption subprocess creation, the between the encryption subprocess and main business process The second encrypted tunnel between one encrypted tunnel and the encryption subprocess and network server all establishes connection.The business Handle the data exchange that thread specifically carries out both ends as the bridge between the main business process and the network server.

Step 212, after encryption connection connection setup success, the encryption subprocess executes business datum described Forwarding between first encrypted tunnel and the second encrypted tunnel.

Encryption subprocess described in the present embodiment executes business datum in first encrypted tunnel and the second encrypted tunnel Between forwarding, can specifically be accomplished by the following way: the business processing thread is connect by first encrypted tunnel Receive the first business datum that the browser main business process is sent；The business processing thread is using the first symmetry algorithm to institute It states the first business datum to be decrypted, obtains original service data；The business processing thread uses the second symmetry algorithm The original service data are encrypted, second business datum is obtained；The business processing thread, which uses, to be passed through Second business datum is sent to the network server between second encrypted tunnel.It should be noted that the above process It is that subprocess is encrypted in data communication process respectively to the process of two channel datas conversion.

In an alternative example of an embodiment of the present invention, the encryption subprocess and the browser main business process are logical It crosses handshake procedure and establishes encryption connection communication, and after encryption connection communicates successfully, be established as the browser main business process The first encrypted tunnel securely communicated with the encryption subprocess；Wherein, it is executed in the handshake procedure non-by first Symmetry algorithm executes two-way certificate verification, key exchange between the encryption subprocess and the browser main business process, And execute certificate verification；Symmetric key is generated in the key exchange process.It should be noted that the first asymmetric arithmetic has Body can be RSA Algorithm.

In an alternative example of an embodiment of the present invention, the implementation method of the secure browser further include: the industry The first connection request is encrypted to obtain the second connection request by the second symmetry algorithm for business processing thread；The business It handles thread and second connection request is sent to the network server；The business processing thread receives the network clothes The second connection reply that business device is fed back based on second connection request；Second connection request passes through second connection reply Second symmetry algorithm is decrypted to obtain the first connection reply, and feeds back to the browser main business process.

It should be noted that the detailed process of business processing thread is as follows: (1) Receiving Agent data, specific Receiving Agent The http request data of connection.(2) SSL connection is carried out with network server, specifically includes SSL establishment of connection, SSL association View is negotiated, negotiating algorithm, and client certificate verification (crl checking or OCSP certification) (3) is interacted with web server.It specifically will generation Reason connection http request data issue Web server via the channel SSL of Encryption Algorithm, obtain the http of Web server response.(4) web servers return data is sent to connect to agency.Specifically by the http response of network server It is given to agency's connection.(5) connection is closed.In case of mistake in business processing flow, then connection is closed, while giving agency's connection Return to the wrong page.It should be noted that second symmetry algorithm specifically can be national secret algorithm.

It should be noted that being obtained using the safe practice solution network application authentication of SSL and data security Extensive to approve, also built-in SSL module, professional SSL hardware product are also extensive in the browser and network server of mainstream It uses.But also all there is certain limitation in current SSL product:

(1) current SSL product generallys use single certificate mechanism.And double certificate mechanism is current PKI Public Key Infrastructure The prevailing model of (Public Key Infrastructure) System Construction.The present embodiment, which carries out identity using signing certificate, to be recognized Card is carried out the exchange and protection of key using encrypted certificate, has played the advantage of PKI technology unsymmetrical key.

(2) symmetry algorithm disclosed in foreign countries is generallyd use in current SSL product, does not meet security requirements, had certain Risk.Password product symmetry algorithm uses SM1 algorithm or SM4 algorithm in the present embodiment.

(3) current certificate asymmetric arithmetic uses RSA Algorithm, and the elliptic curve cipher (ECC) that the present embodiment uses It is a kind of public key cryptography than RSA with greater security, higher efficiency, there is encryption/decryption, digital signature and key agreement Etc. important cryptographic function, it can safely and conveniently meet user identity identification in various information networks, electronic information The true and false identifies and the important information security demands such as secrecy transmission, is the core technology of information security field, and gradually all Multinational border and national standards organizations are adopted as public key cryptography standard (IEEE P1363, ANSI X9, ISO/IEC and IETF etc.), will One of the mainstream cryptographic technique that Information Security Industry circle uses can be become.China is ordered by domestic ECC (ECDSA+ECDH) algorithm Entitled SM2.

The implementation method of secure browser provided in this embodiment may be implemented to meet China's PKI mechanism and password product The rapid growth of the safe network browsing device of management policy, normalization and network application to the management of internal security product all rises To positive impetus.

For embodiment of the method, for simple description, therefore, it is stated as a series of action combinations, but this field Technical staff should be aware of, and embodiment of that present invention are not limited by the describe sequence of actions, because implementing according to the present invention Example, some steps may be performed in other sequences or simultaneously.Secondly, those skilled in the art should also know that, specification Described in embodiment belong to preferred embodiment, the actions involved are not necessarily necessary for embodiments of the present invention.

Embodiment three

On the basis of the above embodiments, the present embodiment also discloses a kind of safe communication system.

Referring to Fig. 5, the structural block diagram of safe communication system embodiment according to an embodiment of the invention is shown.

Referring to Fig. 6, shows secure browser in safe communication system embodiment according to an embodiment of the invention and fill The structural block diagram set.

The safe communication system, comprising: secure browser device 504 and network server 502.

Wherein, the network server 502 is communicated for establishing encryption connection with the secure browser device；And After encryption connection connection setup success, business datum is executed by the second encrypted tunnel with the secure browser device Interaction.

The secure browser device 504, comprising: browser main business scheduler module 50402 and encryption subprocess module 50404。

Wherein, the browser main business scheduler module 50402, for the starting in browser client and browser master The encryption subprocess module for the encryption subprocess that business process is communicated, wherein the encryption subprocess is used for as connection Agency realizes the conversion and data forwarding of the first encrypted tunnel to the second encrypted tunnel.

The encryption subprocess module 50404, comprising: agent sub-module 504042, for browser main business process It is listened to, and obtains the first connection request that the browser main business process is sent.And it is communicated in the encryption connection After being successfully established, the encryption subprocess executes business datum and turns between first encrypted tunnel and the second encrypted tunnel Hair.

Secure connection submodule 504044, for according to first connection request, the encryption subprocess and the net Network server establishes encryption connection communication.

Wherein, first encrypted tunnel is the secure communication of the browser main business process and the encryption subprocess Channel；Second encrypted tunnel is the secured communication channel of the encryption subprocess and the network server.

After encryption subprocess receives the first connection request that main business process is sent, the encryption subprocess foundation First connection request, establishes encryption connection with the network server and communicates.The encryption subprocess and the network take Business device establishes encryption connection communication, i.e., it is peace with confirmation that the described encryption subprocess and the network server, which carry out safety certification, Entirely, legal communication party, to establish the channel of secure communication.It should be noted that the encryption subprocess and the network Server establishes encryption connection communication, and combining encryption subprocess also can communicate with main business process, thus encrypt it is sub into Journey establishes corresponding connection to main business process and this both ends of network server respectively, and encryption connection communication can be used as described two End carries out the bridge of data exchange.

In an alternative embodiment of the invention, agent sub-module 504042 listens to line for encryption subprocess creation Journey；The intercepting thread listens to the main business process by serve port.

In an alternative embodiment of the invention, the secure connection submodule 504044, for confirming that described first connects It connects after requesting to receive successfully, the encryption subprocess successively carries out encryption data negotiation with the network server and certificate is recognized Card；After encryption data negotiation finishes and certificate verification passes through, the encryption of the browser client and network server is established Connection communication.

The secure connection submodule 504044 sends client to the network server for the encryption subprocess Hello messages, wherein the client hello message includes the first encryption data of the browser client, and described first adds Ciphertext data includes several protocol versions；Receive the server-side hello messages of the network server feedback, wherein the service End hello messages include the second encryption data of the server client, and second encryption data includes: from described first The protocol version selected in encryption data；The network server 502 is used for the secure browser device back services Hold hello messages.

The secure connection submodule 504044, for carrying out unidirectional certificate verification to the network server；Or, described It encrypts subprocess and the network server carries out two-way certificate verification.

The agent sub-module 504042, is also used to create business processing thread；The business processing thread respectively with institute It states the first encrypted tunnel and second encrypted tunnel establishes connection.

The agent sub-module 504042, for being received using the business processing thread by first encrypted tunnel The first business datum that the main business process is sent；Place is decrypted to first business datum using the first symmetry algorithm Reason obtains original service data；The original service data are encrypted using the second symmetry algorithm, obtain described the Two business datums；Second business datum is sent to the network server using by second encrypted tunnel；Institute Network server 502 is stated, the second business number is sent by second encrypted tunnel for receiving the secure browser According to.

The network server 502, the server-side certificate message for sending the network server are clear to the safety Look at device, the server-side certificate message includes the website signing certificate of the network server；In the secure browser device, The secure connection submodule 504044, the server-side certificate message sent for receiving the network server；And it is described Encryption subprocess authenticates the website signing certificate of the network server.

The network server 502, the server-side certificate message for the network server give the secure browser, The server-side certificate message includes the website signing certificate of the network server；Send server-side cipher key exchange message, institute Stating server-side cipher key exchange message includes key exchange parameters；Certificate verification request message is sent, the certificate verification request disappears Breath is used to indicate the certificate verification for carrying out client；It sends server-side and greets the message that finishes；And receive the secure browser The client certificate message that device is sent, authenticates signing certificate, the client certificate message includes that the safety is clear Look at the signing certificate of device client.The secure connection submodule 504044 receives the network for the encryption subprocess The server-side certificate message that server is sent；The encryption subprocess receives the server-side key that the network server is sent and hands over Change message；The encryption subprocess receives the certificate verification request message that the network server is sent；The encryption subprocess It receives the server-side that the network server is sent and greets the message that finishes；The encryption subprocess to the website signing certificate into Row certification；After website signing certificate certification passes through, the encryption subprocess sends client to the network server Certificate message, the client certificate message include the signing certificate of the browser client.

The secure connection submodule 504044 is also used to that pre- master key is randomly generated according to the key exchange parameters, Wherein, the pre- master key is to be added using the encrypted public key of the network server by elliptic curve cryptography SM2 It is close to be calculated；The encryption subprocess generates Client Key Exchange message using the pre- master key, and is sent to net Network server；The network server 502 is also used to receive the cipher key exchange message that the secure browser device is sent, from The pre- master key is obtained in the cipher key exchange message.

The secure connection submodule 504044 is also used to obtain the signature check ginseng calculated according to website signing certificate Number, and generate client certificate verification message and be sent to the network server；The encryption subprocess is to the network service Device sends client password specification and changes message, is completed with characterizing the negotiation of encryption data；The encryption subprocess is to the net Network server sends client and shakes hands end message；It is close that the encryption subprocess receives the server-side that the network server is sent Code specification changes message, to characterize the negotiation for approving the encryption data；The encryption subprocess receives the network server hair The server-side sent is shaken hands end message；The network server 502 is also used to successively receive the secure browser device and sends Client certificate verification message, client password specification change message and client shake hands end message；And it successively sends Server-side password specification change message and server-side shake hands end message to the secure browser device.

In the present embodiment, secure browser client 504 is using encryption 50404 proxy-explorer main business of subprocess module Scheduler module 50402, encryption data negotiation is carried out by handshake procedure with network server 502, certificate verification, key exchange and The SSL encryptions communication process such as signature authentication, specific handshake procedure is as shown in figure 4, related handshaking information and Encryption Algorithm refer to The discussion of two part of embodiment.

Further include: the secure connection submodule 504044 is also used to after encryption connection connection setup success, builds Found the second encrypted tunnel securely communicated for the encryption subprocess and the network server.

The agent sub-module 504042 is also used to using the encryption subprocess and the main business process by shaking hands Process establishes encryption connection communication, and after encryption connection communicates successfully, is established as the main business process and encryption The first encrypted tunnel that process securely communicates；Wherein, it executes in the handshake procedure and is executed by the first asymmetric arithmetic Two-way certificate verification, cipher key interaction between the encryption subprocess and the main business process, and execute certificate verification；Institute It states cipher key interaction and generates symmetric key in the process.

The agent sub-module 504042 is also used to the business processing thread the first connection request is symmetrical by second Algorithm is encrypted to obtain the second connection request；Second connection request is sent to described by the business processing thread Network server；The business processing thread receives the network server and connects based on second connection request is fed back second It scoops out and answers；Second connection request is decrypted second connection reply to obtain the first connection by the second symmetry algorithm Response, and feed back to the main business process；The network server 502 is sent for receiving the secure browser device The second connection request, to second connection request processing after generate the second connection reply, will second connection reply hair Give the secure browser device.

The crypto process submodule 50404, further includes: hardware management module 504046 passes through for encrypting subprocess Driving identification security key storage hardware.Certification authentication module 504048 is used for and according to the hardware certificate carrier two-way Cryptographic calculation is carried out in certification authentication process.

It should be noted that being referred to encryption subprocess module shown in Fig. 7 is a kind of its knot in specific implementation Structure block diagram can be understood that encryption subprocess module includes: configuration module 702, proxy module 704 (with above-mentioned agency Submodule is corresponding), CTL management module 706, CRL management module 708, Session management module 710, certification authentication module 712, SSL link block 714 (corresponding with above-mentioned secure connection submodule), USBKey operation module 716 are (with above-mentioned hardware management submodule Block is corresponding).CTL management module 706, CRL management module 708 are corresponding with above-mentioned certification authentication submodule,

Wherein, proxy module receives the connection of browser main business scheduler module, according to browser main business scheduler module The type of connection carries out respective handling, forms the connection agency of browser main business scheduler module.CTL module is trusted for managing Root certificate list.CRL management module manages local CRL list for obtaining CRL list.Session management module administration agent The session of process and web server connection.SSL link block is responsible for establishing the secure connection with network server.USBKey Management module is responsible for operating USBKey equipment.Configuration module is responsible for reading, storing the relevant configuration of client.

Wherein, for CTL management module 706, its working principles are as follows: CTL, which describes browser, trusts root certificate column Table is used for authentication server end certificate.In secure browser client, the trust root certificate of support is PEM coding mode, simultaneously Support two kinds of certificate addition manners: 1) root certificate is trusted in addition inside program；2) root certificate, configuration text are trusted in configuration file addition Part uses des encrypting storing.Wherein, CTL is configurable to not support to import and export function.

For CRL management module 708, its working principles are as follows: CRL describes the certificate revocation of certification authority CA List, essence are certificate serial numbers, and certificate serial number is indicated with the Integer that ASN.1 is encoded.One in X509v3 certificate Extension (OID 2.5.29.31) is used to specify the CRL publishing point of the certificate.Device pair in the secure browser of the present embodiment CRL has carried out local cache, while CRL is searched and carried out level-one index according to CA.The step of to the verification operation of CRL, is as follows: (1) Obtain certificate in Issuer item, position corresponding CA node, if Issuer be not present or can not find it is CA corresponding, Then it is considered illegal certificate.((2) use CRL item all under the dichotomizing search CA.

For Session management module 710, SSL connection needs increase by 4 times on the basis of shaking hands for TCP 3 times shakes hands, even Connecing establishment process is that the connection than relatively time-consuming, therefore before preservation Session, multiplexing can effectively optimize switching performance.This In the secure browser device of embodiment after completion is established in a SSL connection, host+port to session can be established Memory index, subsequent operation can be multiplexed before session, as session validity period be 1 hour.Browser closing, USBKey Session before being emptied when equipment extraction.

For certification authentication module 612, if necessary to two-way authentication, the encryption subprocess in SSL connection establishment process User can be prompted to be inserted into security key storage hardware, i.e. USBKey equipment.It can after user is inserted into security key storage hardware Automatic identification simultaneously pops up certificate selection dialog box, and user is prompted to select certificate.The encryption subprocess automatic identification security key Storage hardware needs to rely on two key messages in CSP registry entry: SKFImagePath: the path of specified SKF dynamic base And TokenVidPid: string format.The VendorID and ProductID of KEY equipment, the format of use is similar to HKEY_ LOCAL_MACHINE SYSTEM CurrentControlSet Enum format namely VID_XXXX&PID_ in USB XXXX.Browser can be associated with respective drive by vendorid, productid of USBKey equipment, complete relevant operation.It is clear Device of looking at will not store the pin password of user's input, will not store the private key information in USBKey.Detailed process is as follows: first It is connected to USBKey equipment；Then respective application (Application) is opened, Application is determined by user's selection；Then It opens corresponding container (Container), Container is determined by user's selection；Then checking PIN code (person identification Code), it can prompt to re-enter after authentication error；Then signing certificate information is obtained；Then encrypted certificate information is obtained；Finally close Hull closure disconnects.

In the present embodiment, for the credentials verification process of above method embodiment, the certification authentication of server end is occurred During Handshake Protocol, after browser receives ServerHelloDone message, before transmission Certificate message.Card Book verifying mainly ensures the reasonability of server, and verification process depends on CTL, CRL module, and detailed process is tested in subprocess certificate It is carried out in card thread pool.Checking step is as follows: initialization trusted root list of cert；Check whether it is self-signed certificate；It checks Certificate extension information；Check certificate trusting relationship；Check CRL list；Check certificate signature；Check certificate available time；Inspection Book is investigated whether in blacklist.

It should be noted that a kind of structure referring to browser main business scheduler module shown in Fig. 8 in specific implementation Block diagram, it is to be understood that browser main business scheduler module include: certificate display module 802, whitelist management module 804, Network server certificate storage module 806 acts on behalf of setup module 808.Wherein certificate display module 802 is responsible for display number card Book.Whitelist management module 804 is responsible for the web server list that the Encryption Algorithm of the present embodiment is supported in management.Network server Certificate storage module 806 is used to store the certificate for being responsible for management network server.The agency's setting of setup module 808 is acted on behalf of to be responsible for setting Set the agency with encryption subprocess.

For device embodiment, since it is basically similar to the method embodiment, related so being described relatively simple Place illustrates referring to the part of embodiment of the method.

Algorithm and display are not inherently related to any particular computer, virtual system, or other device provided herein. Various general-purpose systems can also be used together with teachings based herein.As described above, it constructs required by this kind of system Structure be obvious.In addition, the present invention is also not directed to any particular programming language.It should be understood that can use various Programming language realizes summary of the invention described herein, and the description done above to language-specific is to disclose this hair Bright preferred forms.

In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that implementation of the invention Example can be practiced without these specific details.In some instances, well known method, structure is not been shown in detail And technology, so as not to obscure the understanding of this specification.

Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of the various inventive aspects, Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes In example, figure or descriptions thereof.However, the disclosed method should not be interpreted as reflecting the following intention: i.e. required to protect Shield the present invention claims features more more than feature expressly recited in each claim.More precisely, as following Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore, Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim itself All as a separate embodiment of the present invention.

Those skilled in the art will understand that can be carried out adaptively to the module in the equipment in embodiment Change and they are arranged in one or more devices different from this embodiment.It can be the module or list in embodiment Member or component are combined into a module or unit or component, and furthermore they can be divided into multiple submodule or subelement or Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it can use any Combination is to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and so disclosed All process or units of what method or apparatus are combined.Unless expressly stated otherwise, this specification is (including adjoint power Benefit require, abstract and attached drawing) disclosed in each feature can carry out generation with an alternative feature that provides the same, equivalent, or similar purpose It replaces.

In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments In included certain features rather than other feature, but the combination of the feature of different embodiments mean it is of the invention Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed Meaning one of can in any combination mode come using.

Various component embodiments of the invention can be implemented in hardware, or to run on one or more processors Software module realize, or be implemented in a combination thereof.It will be understood by those of skill in the art that can be used in practice Microprocessor or digital signal processor (DSP) realize one in safe communication system equipment according to an embodiment of the present invention The some or all functions of a little or whole components.The present invention is also implemented as executing method as described herein Some or all device or device programs (for example, computer program and computer program product).Such realization Program of the invention can store on a computer-readable medium, or may be in the form of one or more signals.This The signal of sample can be downloaded from an internet website to obtain, and is perhaps provided on the carrier signal or mentions in any other forms For.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and ability Field technique personnel can be designed alternative embodiment without departing from the scope of the appended claims.In the claims, Any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not Element or step listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple such Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real It is existing.In the unit claims listing several devices, several in these devices can be through the same hardware branch To embody.The use of word first, second, and third does not indicate any sequence.These words can be explained and be run after fame Claim.

The invention discloses A1, a kind of safe communication system, comprising: secure browser device and network server；Wherein, The network server is communicated for establishing encryption connection with the secure browser device；And it is logical in the encryption connection After letter is successfully established, service data interaction is executed by the second encrypted tunnel with the secure browser device；The safety is clear Look at device device, comprising: browser main business scheduler module and encryption subprocess module, wherein the browser main business process Module, in browser client starting communicated with browser main business process encrypt subprocess encryption into Journey module, wherein the encryption subprocess, which is used to act on behalf of as connection, realizes turning for the first encrypted tunnel to the second encrypted tunnel It changes and data forwarding；The encryption subprocess module, comprising: agent sub-module, for being carried out to browser main business process It listens to, and obtains the first connection request that the browser main business process is sent；And in the encryption connection connection setup After success, the encryption subprocess executes forwarding of the business datum between first encrypted tunnel and the second encrypted tunnel； Secure connection submodule, for establishing and adding according to first connection request, the encryption subprocess and the network server Close connection communication；Wherein, first encrypted tunnel is the safety of the browser main business process and the encryption subprocess Communication channel；Second encrypted tunnel is the secured communication channel of the encryption subprocess and the network server.

A2, system as described in a1, agent sub-module create intercepting thread for the encryption subprocess；It is described to listen to Thread listens to the main business process by serve port.

A3, system as described in a1, the secure connection submodule, for confirm first connection request receive at After function, the encryption subprocess and the network server successively carry out encryption data negotiation and certificate verification；In encryption data After negotiation finishes and certificate verification passes through, establishes the browser client and communicated with the encryption connection of network server.

A4, the system as described in A3, the secure connection submodule are used for the encryption subprocess to the network service Device sends client hello message, wherein the client hello message includes the first encryption number of the browser client According to first encryption data includes several protocol versions；The server-side hello messages of the network server feedback are received, Wherein, the server-side hello messages include the second encryption data of the server client, second encrypted packet It includes: the protocol version selected from first encryption data；The network server, for being filled to the secure browser Set back services end hello messages.

A5, the system as described in A3, the secure connection submodule, for carrying out unidirectional certificate to the network server Certification；Or, the encryption subprocess and the network server carry out two-way certificate verification.

A6, system as described in a1, the agent sub-module are also used to create business processing thread；The business processing Thread establishes connection with first encrypted tunnel and second encrypted tunnel respectively.

A7, the system as described in A6, the agent sub-module, for passing through described first using the business processing thread Encrypted tunnel receives the first business datum that the main business process is sent；Using the first symmetry algorithm to the first business number According to being decrypted, original service data are obtained；The original service data are carried out at encryption using the second symmetry algorithm Reason obtains second business datum；It is described using second business datum is sent to by second encrypted tunnel Network server；The network server passes through described in second encrypted tunnel transmission for receiving the secure browser Second business datum.

A8, device as described in a5, the network server, the server-side certificate for sending the network server disappear It ceases to the secure browser, the server-side certificate message includes the website signing certificate of the network server；The peace In full browser device, the secure connection submodule, the server-side certificate message sent for receiving the network server； And the encryption subprocess authenticates the website signing certificate of the network server.

A9, device as described in a5, the network server, the server-side certificate message for the network server are given The secure browser, the server-side certificate message include the website signing certificate of the network server；Send server-side Cipher key exchange message, the server-side cipher key exchange message includes key exchange parameters；Certificate verification request message is sent, it is described Certificate verification request message is used to indicate the certificate verification for carrying out client；It sends server-side and greets the message that finishes；And it receives The client certificate message that the secure browser device is sent, authenticates signing certificate, the client certificate message Signing certificate including the secure browser client；The secure connection submodule is received for the encryption subprocess The server-side certificate message that the network server is sent；The encryption subprocess receives the service that the network server is sent Hold cipher key exchange message；The encryption subprocess receives the certificate verification request message that the network server is sent；It is described to add Close subprocess receives the server-side that the network server is sent and greets the message that finishes；The encryption subprocess is to the website label Name certificate is authenticated；After website signing certificate certification passes through, the encryption subprocess is sent out to the network server Client certificate message is sent, the client certificate message includes the signing certificate of the browser client.

A10, the system as described in A9, the secure connection submodule are also used to random according to the key exchange parameters Generate pre- master key, wherein the pre- master key is to pass through elliptic curve cipher using the encrypted public key of the network server Algorithm SM2 carries out what computations obtained；The encryption subprocess generates client key exchange using the pre- master key and disappears Breath, and it is sent to network server；The network server is also used to receive the key that the secure browser device is sent and hands over Message is changed, the pre- master key is obtained from the cipher key exchange message.

A11, the system as described in A9, the secure connection submodule are also used to obtain according to the calculating of website signing certificate Signature check parameter, and generate client certificate verification message and be sent to the network server；The encryption subprocess to The network server sends client password specification and changes message, is completed with characterizing the negotiation of encryption data；Encryption Process sends client to the network server and shakes hands end message；The encryption subprocess receives the network server hair The server-side password specification change message sent, to characterize the negotiation for approving the encryption data；Described in the encryption subprocess receives The server-side that network server is sent is shaken hands end message；The network server is also used to successively receive the safety browsing Client certificate verification message, client password specification change message and the client that device device is sent are shaken hands end message；With And successively transmission server-side password specification change message and server-side shake hands end message to the secure browser device.

A12, the system as described in A11, further includes: the secure connection submodule is also used to logical in the encryption connection After letter is successfully established, it is established as the second encrypted tunnel that the encryption subprocess and the network server securely communicate.

A13, the system as described in A7, the agent sub-module are also used to using the encryption subprocess and the main business Business process establishes encryption connection communication by handshake procedure, and after encryption connection communicates successfully, be established as the main business into The first encrypted tunnel that journey and the encryption subprocess securely communicate；Wherein, it is executed in the handshake procedure and passes through first Asymmetric arithmetic executes the two-way certificate verification encrypted between subprocess and the main business process, cipher key interaction, and Execute certificate verification；Symmetric key is generated during the cipher key interaction.

A14, system as described in a1, the agent sub-module are also used to the business processing thread and ask the first connection It asks and is encrypted to obtain the second connection request by the second symmetry algorithm；The business processing thread is connected described second Request is sent to the network server；The business processing thread is received the network server and is asked based on second connection It negates the second connection reply of feedback；Place is decrypted by the second symmetry algorithm in second connection reply by the second connection request Reason obtains the first connection reply, and feeds back to the main business process；The network server, for receiving the safety browsing The second connection request that device device is sent, to the second connection reply is generated after second connection request processing, by described second Connection reply is sent to the secure browser device.

A15, system as described in a5, the encryption subprocess module, further includes: hardware management submodule, for encrypting Subprocess passes through driving identification security key storage hardware；Certification authentication submodule is used for and according to the hardware certificate carrier Cryptographic calculation is carried out in two-way certification authentication process.

Claims

1. a kind of safe communication system, comprising: secure browser device and network server；

Wherein, the network server is communicated for establishing encryption connection with the secure browser device；And add described After close connection communication is successfully established, service data interaction is executed by the second encrypted tunnel with the secure browser device；

The secure browser device, comprising: browser main business scheduler module and encryption subprocess module,

Wherein, the browser main business scheduler module, for the starting in browser client and browser main business process The encryption subprocess module of the encryption subprocess communicated, wherein the encryption subprocess is used to realize as connection agency The conversion and data forwarding of first encrypted tunnel to the second encrypted tunnel；

The encryption subprocess module, comprising:

Agent sub-module for listening to browser main business process, and obtains the browser main business process and sends The first connection request；And after encryption connection connection setup success, the encryption subprocess executes business datum and exists Forwarding between first encrypted tunnel and the second encrypted tunnel；The agent sub-module is also used to create business processing line Journey；The business processing thread establishes connection with first encrypted tunnel and second encrypted tunnel respectively；

Secure connection submodule, for according to first connection request, the encryption subprocess to be built with the network server Vertical encryption connection communication；

Wherein, first encrypted tunnel is that the secure communication of the browser main business process and the encryption subprocess is led to Road；Second encrypted tunnel is the secured communication channel of the encryption subprocess and the network server；

Wherein, the system also includes agent sub-modules, for encryption subprocess creation intercepting thread；It is described to listen to line Journey listens to the main business process by serve port.

2. the system as claimed in claim 1, it is characterised in that:

The secure connection submodule, for after confirming that first connection request receives successfully, the encryption subprocess and The network server successively carries out encryption data negotiation and certificate verification；It is finished in encryption data negotiation and certificate verification passes through Afterwards, the browser client is established to communicate with the encryption connection of network server.

3. system as claimed in claim 2, it is characterised in that:

The secure connection submodule sends client hello message to the network server for the encryption subprocess, Wherein, the client hello message includes the first encryption data of the browser client, first encrypted packet Include several protocol versions；Receive the server-side hello messages of the network server feedback, wherein the server-side greeting disappears Breath includes the second encryption data of the server client, and second encryption data includes: from first encryption data In select protocol version；

The network server is used for secure browser device back services end hello messages.

4. system as claimed in claim 2, it is characterised in that:

The secure connection submodule, for carrying out unidirectional certificate verification to the network server；Or, the encryption subprocess Two-way certificate verification is carried out with the network server.

5. the system as claimed in claim 1, it is characterised in that:

The agent sub-module, for receiving the main business by first encrypted tunnel using the business processing thread The first business datum that process is sent；First business datum is decrypted using the first symmetry algorithm, is obtained former Beginning business datum；The original service data are encrypted using the second symmetry algorithm, obtain the second business datum；It adopts Second business datum is sent to the network server with by second encrypted tunnel；

The network server sends second business by second encrypted tunnel for receiving the secure browser Data.

6. system as claimed in claim 4, it is characterised in that:

The network server, for sending the server-side certificate message of the network server to the secure browser, institute State the website signing certificate that server-side certificate message includes the network server；

In the secure browser device, the secure connection submodule, the service sent for receiving the network server Hold certificate message；And the encryption subprocess authenticates the website signing certificate of the network server.

7. system as claimed in claim 4, it is characterised in that:

The network server, the server-side certificate message for the network server give the secure browser, the clothes Business end certificate message includes the website signing certificate of the network server；Send server-side cipher key exchange message, the service Holding cipher key exchange message includes key exchange parameters；Certificate verification request message is sent, the certificate verification request message is used for Indicate the certificate verification of progress client；It sends server-side and greets the message that finishes；And receive the secure browser device hair The client certificate message sent, authenticates signing certificate, and the client certificate message includes the secure browser visitor The signing certificate at family end；

The secure connection submodule receives the server-side certificate that the network server is sent for the encryption subprocess and disappears Breath；The encryption subprocess receives the server-side cipher key exchange message that the network server is sent；The encryption subprocess connects Receive the certificate verification request message that the network server is sent；The encryption subprocess receives what the network server was sent Server-side greets the message that finishes；The encryption subprocess authenticates the website signing certificate；It signs and demonstrate,proves when the website After book certification passes through, the encryption subprocess sends client certificate message, the client certificate to the network server Message includes the signing certificate of the browser client.

8. system as claimed in claim 7, it is characterised in that:

The secure connection submodule is also used to that pre- master key is randomly generated according to the key exchange parameters, wherein described pre- Master key is to carry out computations by elliptic curve cryptography SM2 using the encrypted public key of the network server to obtain 's；The encryption subprocess generates Client Key Exchange message using the pre- master key, and is sent to network server；

The network server is also used to receive the cipher key exchange message that the secure browser device is sent, from the key The pre- master key is obtained in exchange message.

9. system as claimed in claim 7, it is characterised in that:

The secure connection submodule is also used to obtain the signature check parameter calculated according to website signing certificate, and generates visitor Family end certificate verification message is sent to the network server；The encryption subprocess sends client to the network server Password specification changes message, is completed with characterizing the negotiation of encryption data；The encryption subprocess is sent to the network server Client is shaken hands end message；The encryption subprocess receives the server-side password specification change that the network server is sent and disappears Breath, to characterize the negotiation for approving the encryption data；The encryption subprocess receives the server-side that the network server is sent and holds Hand end message；

The network server, be also used to successively receive client certificate verification message that the secure browser device sends, Client password specification change message and client are shaken hands end message；And it successively sends server-side password specification and changes message End message is shaken hands to the secure browser device with server-side.

10. system as claimed in claim 9, which is characterized in that further include:

The secure connection submodule is also used to after encryption connection connection setup success, be established as the encryption it is sub into The second encrypted tunnel that journey and the network server securely communicate.

11. system as claimed in claim 5, it is characterised in that:

The agent sub-module is also used to add using the encryption subprocess and the main business process by handshake procedure foundation Close connection communication, and after encryption connection communicates successfully, it is established as the main business process and the encryption subprocess is pacified First encrypted tunnel of full communication；Wherein, it is executed in the handshake procedure and encryption is executed by the first asymmetric arithmetic Two-way certificate verification, cipher key interaction between process and the main business process, and execute certificate verification；The cipher key interaction Symmetric key is generated in the process.

12. the system as claimed in claim 1, it is characterised in that:

The agent sub-module is also used to the business processing thread and is added the first connection request by the second symmetry algorithm Close processing obtains the second connection request；Second connection request is sent to the network service by the business processing thread Device；The business processing thread receives the second connection reply that the network server is fed back based on second connection request； Second connection reply is decrypted to obtain the first connection reply by the second symmetry algorithm for second connection request, and Feed back to the main business process；

The network server, the second connection request sent for receiving the secure browser device, connects to described second The second connection reply is generated after connecing request processing, second connection reply is sent to the secure browser device.

13. system as claimed in claim 4, which is characterized in that the encryption subprocess module, further includes:

Hardware management submodule passes through driving identification security key storage hardware for encrypting subprocess；

Certification authentication submodule carries out encryption fortune for and according to the hardware certificate carrier in two-way certification authentication process It calculates.