CN104618108A - Safety communication system - Google Patents

Safety communication system

Info

Publication number: CN104618108A
Authority: CN (China)
Prior art keywords: user, certificate, key storage, storage hardware, secure key
Legal status: Granted
Application number: CN201410851101.XA
Other languages: Chinese (zh)
Other versions: CN104618108B (en)
Inventors: 杭程, 石彦伟, 贾正强
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410851101.XA (granted as CN104618108B)
Publication of CN104618108A
Priority to PCT/CN2015/094850 (WO2016107321A1)
Application granted
Publication of CN104618108B
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Abstract

The invention provides a secure communication system comprising a browser client device, secure key storage hardware and a web server; the browser client device comprises a connecting module, a reading module, an authentication module and a loading module. Only once the user's identity has been confirmed does the system load the content of a user certificate stored in the secure key storage hardware. This prevents the user certificate stored in the secure key storage hardware from being leaked and improves the security of loading the secure key storage hardware.

Description

Secure communication system
Technical field
The present invention relates to the field of communication technology, and in particular to a secure communication system.
Background technology
With the development of network technology, more and more users obtain information and carry out various operations by accessing web pages through a browser. A browser is a piece of software that can display the contents of HTML (HyperText Markup Language, a standard generalized markup language) files from a web server or a file system and that allows the user to interact with those files.
Examples include shopping on shopping websites, watching video on video websites, conducting financial business on bank websites and playing games on gaming websites. For the page requests of different websites the browser performs different access operations in order to access the page. When accessing certain websites that involve financial business, such as bank websites or the Alipay website, secure key storage hardware needs to be loaded. Loading secure key storage hardware, however, carries problems such as leakage of the information stored in the hardware and the inability to guarantee the security of the loading process, which obstructs access to websites involving financial business.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a secure communication system that overcomes, or at least partly solves, the above problems.
According to one aspect of the present invention, a secure communication system is provided, comprising a browser client device, secure key storage hardware and a web server. The web server performs security authentication with the browser client device through a handshake procedure, establishes a secure channel after the authentication passes, and transmits encrypted data over the secure channel. The browser client device performs security authentication with the web server through the handshake procedure, establishes the secure channel after the authentication passes, transmits encrypted data over it, and is connected to the secure key storage hardware in order to obtain the user certificate needed during the authentication process. The secure key storage hardware is connected to the browser through an interface of the terminal and provides the user certificate needed during the authentication process. The browser client device comprises: a connecting module, for automatically identifying and connecting secure key storage hardware inserted into an interface of the terminal on which the browser client device runs; a reading module, for reading and displaying the user certificates stored in the secure key storage hardware for the user to select from; an authentication module, for verifying the user's identity when the user's selection of a user certificate is received; and a loading module, for loading the content of the selected user certificate after the identity verification passes.
Because the secure communication system of the present invention first verifies the user's identity when loading a user certificate stored in secure key storage hardware, and loads the certificate content only once identity verification has passed and the user's identity is confirmed, it resolves the information leakage and safety hazards that exist when loading secure key storage hardware: the user certificate stored in the hardware is prevented from being leaked, and the security of loading the secure key storage hardware is improved.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method of loading secure key storage hardware according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method of loading secure key storage hardware according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the proxy mechanism of the encryption subprocess according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the handshake procedure between the encryption subprocess and the web server according to an embodiment of the invention;
Fig. 5 shows a schematic diagram of the browser client prompting the user to insert a USBKey according to an embodiment of the invention;
Fig. 6 shows a schematic diagram of the certificate selection dialog box popped up in the browser client according to an embodiment of the invention;
Fig. 7 shows a schematic diagram of the browser client prompting the user to enter the protection password according to an embodiment of the invention;
Fig. 8A shows a schematic diagram of the general information of a loaded user certificate in the browser client according to an embodiment of the invention;
Fig. 8B shows a schematic diagram of the details of a loaded user certificate in the browser client according to an embodiment of the invention;
Fig. 9 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 10 shows a structural block diagram of a browser client device according to an embodiment of the invention;
Fig. 11 shows an alternative structural block diagram of a browser client device according to an embodiment of the invention;
Fig. 12A shows a first structural block diagram of the reading module according to an embodiment of the invention;
Fig. 12B shows a second structural block diagram of the reading module according to an embodiment of the invention;
Fig. 13 shows a structural block diagram of the encryption subprocess according to an embodiment of the invention; and
Fig. 14 shows a structural block diagram of the main business process according to an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its full scope can be conveyed to those skilled in the art.
Embodiment one:
Referring to Fig. 1, a flow chart of the steps of an embodiment of a method of loading secure key storage hardware according to an embodiment of the invention is shown; it may comprise the following steps:
Step 102: automatically identify and connect the secure key storage hardware inserted into an interface of the terminal on which the browser client runs.
When a user uses the browser client to log in to online banking or to an online payment platform such as Alipay, the user needs to insert secure key storage hardware in order to guarantee the security of the data transmission. That is, when the user enters the address of such a website in the address bar of the browser client to request access to the corresponding web page, the browser client prompts the user to insert the secure key storage hardware. The website address received in the address bar may have been typed in directly by the user or entered after the user clicked a search result; this embodiment does not limit this.
The secure key storage hardware, i.e. a USBKey, stores user certificates, from which the user can select. Note that usually one user certificate is stored in one piece of secure key storage hardware, and each major bank has its own corresponding secure key storage hardware. For example, the secure key storage hardware for Bank of Beijing online banking stores a user certificate issued by Bank of Beijing, and the secure key storage hardware for Construction Bank online banking stores a user certificate issued by Construction Bank.
Note that secure key storage hardware is usually made in a form that fits a USB interface and can be inserted into a terminal such as a computer through a USB port. After the secure key storage hardware has been inserted into the terminal, in this embodiment the browser client automatically identifies it, distinguishing the secure key storage hardware inserted into the terminal's interface from other USB hardware. Once it has identified that secure key storage hardware has been inserted, the browser client automatically connects to it. "Connecting" here means downloading a driver and establishing a communication connection with the secure key storage hardware so that the user certificate stored in it can be read; it is not limited to a physical connection.
Step 104: the browser client reads and displays the user certificates stored in the secure key storage hardware for the user to select from.
After the browser client and the secure key storage hardware have established a communication connection, the user certificates stored in the hardware can be read and displayed for the user to select from. In a specific implementation the browser client may display the user certificates in a pop-up window or in some other way; this embodiment does not limit the display mode, as long as the user can see the certificates intuitively and select one.
Step 106: when the browser client receives the user's selection of a user certificate, it verifies the user's identity.
The reason the browser client needs to identify the secure key storage hardware automatically is that security verification is required when accessing payment platforms such as online banking. Specifically, in this embodiment the user's identity needs to be verified, so after the user has selected a user certificate, identity verification is carried out. Note that although identity verification is performed at the browser client, it is in fact the bank's web server that requires the user's identity to be verified, in order to confirm who the user is.
Note that in this embodiment identity verification can be implemented in various ways. In the online banking login scenario, the user may be asked to enter the bank card password or a separate online banking password. Because the bank's web server stores the bank card password or online banking password set by the user, the browser client can send the identity information entered by the user, such as the bank card password, to the web server to be matched against the stored user identity information; if it matches, the user's identity verification passes, and if it does not, identity verification fails. Note that the identity information entered by the user may be the bank card password mentioned above, a protection password, the user's ID card number, or other information that can represent the user's identity; this embodiment limits neither the specific content of the identity information nor the detailed process of identity verification, as long as the user's identity can be confirmed.
Step 108: after the identity verification passes, load the content of the user certificate corresponding to the selection.
Once identity verification has passed, the browser client can be confident that this user is safe and not a malicious attacker such as a hacker, and only then loads the specific content of the selected user certificate. The certificates displayed in step 104 serve only for the user's selection, so what is displayed in step 104 is not the specific content of the certificates but may be just their titles. After identity verification passes and the browser client has confirmed that the user is safe, it loads the specific content of the selected user certificate.
In summary, when loading secure key storage hardware, the browser client of this embodiment first automatically identifies and connects the secure key storage hardware inserted into an interface of the terminal on which it runs; it then reads and displays the user certificates stored in the hardware for the user to select from; when it receives the user's selection of a user certificate, it verifies the user's identity; and finally, after identity verification passes, it loads the content of the selected user certificate. Because this embodiment verifies the user's identity before loading a user certificate stored in secure key storage hardware, and loads the certificate content only once identity verification has passed and the user's identity is confirmed, it prevents the user certificate stored in the hardware from being leaked and improves the security of loading the secure key storage hardware.
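The gating that steps 102 to 108 describe, as an added example that is not part of the patent or of the applicant's browser: a small Python model in which the USBKey is picked out of the terminal's USB devices by vendor id, only certificate titles are offered for selection, and the certificate content is released only after a stand-in bank server has matched the user's password. The vendor ids, certificate names, the password handling (salted PBKDF2 with a constant-time comparison) and all sample data are constructed assumptions, not details taken from the patent.

```python
import hashlib
import hmac
import secrets

# Constructed model of one USBKey, as in the embodiment: one user certificate,
# of which only the title may be shown before identity verification.
# Vendor ids, certificate names and contents are hypothetical.
KNOWN_USBKEY_VENDORS = {"0x1234"}

USBKEY = {
    "vendor_id": "0x1234",
    "certificates": {
        "cert-01": {
            "title": "Example Bank online banking user certificate",
            "content": b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n",
        },
    },
}
OTHER_USB_DEVICES = [{"vendor_id": "0xabcd"}, {"vendor_id": "0x5678"}]


def identify_usbkey(devices):
    """Step 102: separate secure key storage hardware from other USB devices."""
    return [d for d in devices if d.get("vendor_id") in KNOWN_USBKEY_VENDORS]


def certificate_titles(hardware):
    """Step 104: what the selection dialog may show, titles only, never contents."""
    return {cid: c["title"] for cid, c in hardware["certificates"].items()}


class BankServer:
    """Stand-in for the bank's web server, which stores the user's password
    (here as a salted PBKDF2 digest) and answers identity-verification requests."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._digest = self._derive(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 50_000)

    def verify_identity(self, password):
        """Step 106: match the submitted identity information against the stored
        record, in constant time so the comparison itself leaks nothing."""
        return hmac.compare_digest(self._digest, self._derive(password))


def load_selected_certificate(hardware, selection, server, password):
    """Steps 106-108: the certificate content is released only after the server
    has confirmed the user's identity; otherwise nothing is loaded."""
    if selection not in hardware["certificates"]:
        raise KeyError("selected certificate is not on the key hardware")
    if not server.verify_identity(password):
        return None
    return hardware["certificates"][selection]["content"]


def demo():
    """Walk the four steps once and report what happened at each."""
    keys = identify_usbkey(OTHER_USB_DEVICES + [USBKEY])
    hardware = keys[0]
    titles = certificate_titles(hardware)
    server = BankServer("correct horse battery staple")  # constructed password
    denied = load_selected_certificate(hardware, "cert-01", server, "wrong password")
    loaded = load_selected_certificate(hardware, "cert-01", server, "correct horse battery staple")
    return {"keys_found": len(keys), "titles": titles,
            "denied": denied is None, "loaded": loaded is not None}


if __name__ == "__main__":
    print(demo())
```

The point of the split between `certificate_titles` and `load_selected_certificate` is that the selection dialog of step 104 never needs the certificate body, so nothing sensitive leaves the key hardware until the server-side check of step 106 has returned true.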
Embodiment two:
Building on the above embodiment, this embodiment continues the method of loading secure key storage hardware.
Referring to Fig. 2, a flow chart of the steps of an embodiment of a method of loading secure key storage hardware according to an embodiment of the invention is shown; it may comprise the following steps:
Step 202: start, in the browser client, an encryption subprocess that communicates with the main business process, where the encryption subprocess acts as a connection proxy that converts a first encrypted channel into a second encrypted channel and forwards data.
Some websites that involve financial business, such as bank websites and the Alipay website, need to transmit data over a security-oriented HTTP (Hypertext Transfer Protocol) channel. The browser's main business process and the web server, however, sometimes use different cryptographic protocols or algorithms, so the two cannot communicate directly and the web server's pages cannot be accessed.
This embodiment provides a secure browser client in which an encryption subprocess that communicates with the browser's main business process is also provided. To implement the secure browser, the encryption subprocess that communicates with the main business process is first started in the browser client. The main function of the encryption subprocess is to act as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data. That is, the encryption subprocess serves as the proxy of the main business process: it can communicate over an encrypted secure channel with the main business process and over an encrypted secure channel with the web server. For example, the business data of the main business process is sent to the encryption subprocess over the first encrypted channel, and the encryption subprocess transmits it to the web server over the second encrypted channel, thereby forwarding the data and joining the two encrypted channels.
Note that under normal circumstances the browser's main business process communicates with the web server directly. When communicating over a security-oriented HTTP channel, however, if the main business process cannot parse the data returned by the web server, the encryption subprocess is started to connect as a proxy, i.e. the encryption subprocess acts as the proxy between the main business process and the web server. In this embodiment the first encrypted channel is the secure communication channel between the main business process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the web server. The encryption subprocess therefore converts the first encrypted channel, between itself and the main business process, into the second encrypted channel, between itself and the web server, realising the connection proxy between the main business process and the web server. Business data that the main business process sends to the encryption subprocess over the first encrypted channel can thus be sent on to the web server by the encryption subprocess over the second encrypted channel. In particular, the data communicated over the second encrypted channel can be encrypted with the symmetric encryption algorithm SM4.
In this embodiment the main business process and the encryption subprocess use two communication modes, proxy and IPC. In proxy mode the encryption subprocess acts as the connection proxy responsible for the channel conversion and data forwarding between the first encrypted channel with the main business process and the second encrypted channel with the web server; IPC mode is responsible for data transmission between the processes. The proxy mechanism of the encryption subprocess in this embodiment is shown in Fig. 3 and may comprise the following structures:
Main thread: reads the various configuration settings and creates the listener thread, the main business thread and the IPC channel to the browser host process.
Listener thread: listens on the service port; when a connection request from the main business process arrives, it accepts the connection and, on success, performs the corresponding proxy operation.
Business processing thread: establishes and maintains the respective encrypted channel with each of the two ends, the main business process and the web server, and then exchanges data between the two ends as a bridge.
The specific flow of the business processing thread is as follows: (1) receive the proxy data, specifically the HTTP request data from the proxy connection; (2) establish an SSL connection with the web server, which includes creating the SSL connection, negotiating the SSL protocol and the algorithms, and client certificate verification (CRL checking or OCSP verification); (3) interact with the web server, specifically sending the HTTP request data from the proxy connection to the web server over the Chinese national-standard (Guomi) SSL channel and obtaining the web server's HTTP response; (4) send the data returned by the web server to the proxy connection, specifically handing the web server's HTTP response to the proxy connection; (5) close the connection. If an error occurs in the business processing flow, the connection is closed and at the same time an error page is returned to the proxy connection. Note that the second symmetric algorithm may specifically be a Chinese national-standard (Guomi) algorithm.
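The business processing thread's flow (1) to (5), as an added example that is not part of the patent or of the applicant's code: a Python bridge that reads one HTTP request from the proxy connection, opens the upstream connection, forwards the request, hands the response back, and on any failure returns an error page before closing the connection. The upstream SSL connection of step (2) is replaced by a plain in-memory socket pair so that the example runs offline; the HTTP messages, the error page and the function names are constructed for this example.

```python
import socket
import threading

# Error page returned to the proxy connection when the upstream exchange fails
# (constructed response body).
ERROR_PAGE = b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 19\r\n\r\nproxy upstream down"


def read_until_close(conn):
    """Collect everything the peer sends until it closes its side."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return data
        data += chunk


def read_request(conn):
    """(1) Read one HTTP request from the proxy connection (headers only here)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def business_thread(proxy_conn, connect_upstream):
    """Business processing thread: bridge one proxy connection to the web server.
    connect_upstream() stands for step (2), establishing the SSL connection to the
    server; in this model it returns a plain connected socket or raises OSError."""
    try:
        request = read_request(proxy_conn)          # (1) request from the proxy connection
        upstream = connect_upstream()               # (2) connect to the web server
        try:
            upstream.sendall(request)               # (3) forward the request ...
            response = read_until_close(upstream)   #     ... and collect the response
        finally:
            upstream.close()
        proxy_conn.sendall(response)                # (4) hand the response back
    except OSError:
        try:
            proxy_conn.sendall(ERROR_PAGE)          # on error: error page to the proxy side
        except OSError:
            pass
    finally:
        proxy_conn.close()                          # (5) close the connection


def run_proxy_exchange(connect_upstream, request=b"GET / HTTP/1.1\r\nHost: bank.example\r\n\r\n"):
    """Play the main business process: push one request through the bridge over an
    in-memory socket pair and return whatever comes back."""
    main_side, proxy_side = socket.socketpair()
    worker = threading.Thread(target=business_thread, args=(proxy_side, connect_upstream))
    worker.start()
    main_side.sendall(request)
    reply = read_until_close(main_side)
    main_side.close()
    worker.join()
    return reply


def fake_web_server():
    """Constructed upstream: answers any request with a fixed 200 reply, then closes."""
    server_side, client_side = socket.socketpair()

    def serve():
        read_request(server_side)
        server_side.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        server_side.close()

    threading.Thread(target=serve).start()
    return client_side


def unreachable_web_server():
    """Constructed failure for step (2): the SSL connection cannot be established."""
    raise ConnectionRefusedError("web server not reachable")


if __name__ == "__main__":
    print(run_proxy_exchange(fake_web_server))
    print(run_proxy_exchange(unreachable_web_server))
```

In a real subprocess `connect_upstream` would wrap the socket in the SSL handshake of step 204 and the proxy side would itself be the first encrypted channel; the control flow, in particular that the proxy connection is always answered and always closed, is what the example shows.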
Note that the use of SSL security technology to address network application authentication and data security has been widely accepted: mainstream browsers and web servers have built-in SSL modules, and professional SSL hardware products are also widely used. Current SSL products, however, all have certain limitations:
(1) Current SSL products generally adopt a single-certificate mechanism, whereas the dual-certificate mechanism is the prevailing model for building PKI (Public Key Infrastructure) systems at present. This embodiment uses a signing certificate for identity authentication and an encryption certificate for key exchange and key protection, exploiting the advantages of PKI asymmetric keys.
(2) Current SSL products generally adopt publicly disclosed symmetric algorithms from abroad, which do not meet the security requirements and carry a certain risk. In this embodiment the symmetric algorithm of the cryptographic product is SM1 or SM4.
(3) Current certificate asymmetric algorithms use the RSA algorithm. This embodiment adopts elliptic curve cryptography (ECC), a public key cryptosystem with greater security and higher efficiency than RSA. It provides important cryptographic functions such as encryption/decryption, digital signature and key agreement, and can securely and conveniently meet important information security needs such as user identity identification in various information networks, authenticity verification of electronic information and confidential transmission. It is a core technology of the information security field, has gradually been adopted as a public key cryptography standard by many international and national standards organisations (IEEE P1363, ANSI X9, ISO/IEC and IETF, among others), and will become one of the mainstream cryptographic technologies used by the information security industry. China has named its domestic ECC (ECDSA+ECDH) algorithm SM2.
The method of loading secure key storage hardware provided by this embodiment meets the requirements of China's PKI system and cryptographic product management policy, and plays a positive role both in standardising the management of domestic security products and in the rapid growth of network applications.
Step 204: the encryption subprocess performs two-way digital certificate authentication with the web server through a handshake procedure.
In this embodiment, two-way authentication means that the web server of the accessed website and the browser client each authenticate the other, confirming that the digital certificate of the web server being accessed and the digital certificate loaded by the browser client are both valid and secure. The certificates authenticated during two-way authentication therefore comprise the website certificate of the accessed website and the user certificate loaded by the browser client. The step in which the encryption subprocess performs two-way digital certificate authentication with the web server through a handshake procedure can be implemented as follows: the encryption subprocess performs the following security authentication operations in sequence with the web server through the handshake procedure: encrypted data negotiation, certificate authentication, key exchange and signature authentication.
Note that the two-way authentication process above is likewise completed in the handshake procedure between the browser client and the web server of the website, and this handshake procedure can be implemented at least as follows:
First, the browser client sends a client hello message (ClientHello) to the web server, and the web server returns a server hello message (ServerHello) to the browser client, negotiating the encrypted data.
Then the web server sends a server certificate message (ServerCertificate) to the browser client; since two-way authentication is being performed, the web server then sends, in turn, a server key exchange message (ServerKeyExchange), a certificate request message (ServerRequest) and a server hello done message (ServerHelloDone) to the browser client. The certificate request message indicates that client certificate authentication is to be carried out.
Next, the browser client authenticates the website certificate of the web server using the asymmetric algorithm SM2. After that authentication passes, the browser client sends a client certificate message (ClientCertificate) to the web server; this message contains the user certificate loaded by the browser client, and the web server authenticates that user certificate based on the asymmetric algorithm SM2.
In the subsequent handshake the browser client may also send a client key exchange message (ClientKeyExchange) and a client hello done message (ClientHelloDone) to the web server, as well as the other handshake messages needed for key exchange and signature authentication; this embodiment does not discuss them one by one.
Note that the client hello message (ClientHello) is the first message of the handshake protocol between the browser client and the web server. After sending the client hello message to the web server, the encryption subprocess waits for the web server to return the server hello message. The structure of the message sent by the client is defined as follows:
1. client_version is the protocol version used by the client in this session, for example protocol version 1.1.
2. random is the random information generated by the client; its content comprises a time value and a random number.
3. session_id is the session identifier used by the client in this connection. session_id is a variable-length field whose value is determined by the server. If there is no reusable session identifier, or the client wishes to negotiate new security parameters, this field is empty; otherwise it indicates that the client wishes to reuse this session. The session identifier may be that of a previous connection, of the current connection, or of another connection that is in the connected state. A session identifier should remain consistent from the time it is generated until it is deleted by timeout or the connection associated with the session encounters a fatal error and is closed. When a session fails or is closed, all connections related to it should be forcibly closed.
4. cipher_suites is the list of cipher suites supported by the client, arranged in the order of priority in which the client wishes to use them, with the highest-priority cipher suite first. If the session identifier field is not empty, this field should at least include the cipher suite used by the session being reused. Each cipher suite comprises a key exchange algorithm, an encryption algorithm and a verification algorithm. The server selects a matching cipher suite from the cipher suite list; if there is no cipher suite that matches, it should return a handshake failure alert message and close the connection.
5. compression_methods is the list of compression algorithms supported by the client, arranged in the client's order of priority with the highest-priority compression algorithm first. The server selects a matching compression algorithm from the list, and the list must include the null compression algorithm so that the client and server can always negotiate a consistent compression algorithm.
Note that if the server can find a matching cipher suite in the client hello message, it sends the server hello message (ServerHello) as the reply to the client hello message. If it cannot find a matching cipher suite, the server responds with an alert message.
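The client hello structure and the server's selection rule described in points 1 to 5, as an added example that is not part of the patent or of any standard's text: a Python serialiser and parser for the five fields, plus a server-side selection routine that honours the client's priority order, reuses a cached session only when its cipher suite is still offered, requires the null compression method, and answers with a handshake failure alert when nothing matches. The byte layout (two-byte version, 32-byte random made of a time value plus random bytes, length-prefixed session_id, two-byte cipher suite ids, one-byte compression ids) and the cipher suite id values are assumptions made for the example, not values taken from the patent.

```python
import os
import struct
import time

# Cipher suite ids below are hypothetical placeholders for this example only.
VERSION_1_1 = (1, 1)
SUITE_ECDHE_SM4_SM3 = 0xE011
SUITE_ECC_SM4_SM3 = 0xE013
SUITE_LEGACY_RSA = 0xE0FF
NULL_COMPRESSION = 0


def build_client_hello(version, session_id, cipher_suites, compression_methods, random_bytes=None):
    """Serialise a client hello; random = 4-byte time + 28 random bytes."""
    if random_bytes is None:
        random_bytes = struct.pack("!I", int(time.time())) + os.urandom(28)
    if len(random_bytes) != 32 or len(session_id) > 32:
        raise ValueError("bad random or session_id length")
    out = bytes(version) + random_bytes
    out += struct.pack("!B", len(session_id)) + session_id
    out += struct.pack("!H", 2 * len(cipher_suites))
    out += b"".join(struct.pack("!H", s) for s in cipher_suites)
    out += struct.pack("!B", len(compression_methods)) + bytes(compression_methods)
    return out


def parse_client_hello(data):
    """Parse a client hello, rejecting truncated or internally inconsistent lengths."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("client hello truncated")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    random_bytes = take(32)
    session_id = take(take(1)[0])                    # variable length, server-chosen value
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("cipher_suites length must be even")
    suites = [struct.unpack("!H", take(2))[0] for _ in range(suites_len // 2)]
    compressions = list(take(take(1)[0]))
    if pos != len(data):
        raise ValueError("trailing bytes after client hello")
    if not suites or not compressions:
        raise ValueError("empty cipher_suites or compression_methods")
    return {"version": version, "random": random_bytes, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compressions}


def server_select(hello, server_suites, session_cache):
    """Server side of the negotiation. Returns ('server_hello', suite, compression,
    reused) or ('alert', 'handshake_failure'). session_cache maps session_id to
    the cipher suite that session used (constructed stand-in for the server's
    session store)."""
    if NULL_COMPRESSION not in hello["compression_methods"]:
        return ("alert", "handshake_failure")        # null compression must be offered
    sid = hello["session_id"]
    if sid and sid in session_cache and session_cache[sid] in hello["cipher_suites"]:
        return ("server_hello", session_cache[sid], NULL_COMPRESSION, True)
    for suite in hello["cipher_suites"]:            # client's order, highest priority first
        if suite in server_suites:
            return ("server_hello", suite, NULL_COMPRESSION, False)
    return ("alert", "handshake_failure")           # nothing matches: alert and close


if __name__ == "__main__":
    raw = build_client_hello(VERSION_1_1, b"", [SUITE_ECDHE_SM4_SM3, SUITE_ECC_SM4_SM3], [NULL_COMPRESSION])
    print(server_select(parse_client_hello(raw), {SUITE_ECC_SM4_SM3}, {}))
```

The parser's `take` helper is what makes the length fields safe to trust: every length is checked against the remaining bytes before it is used, and leftover bytes are treated as an error rather than silently ignored.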
In the present embodiment, adopt asymmetric arithmetic to carry out certification in the verification process of digital certificate, namely sender adopts the PKI of recipient to be encrypted data, and corresponding recipient adopts the private key of oneself to decrypt data.Wherein, the asymmetric arithmetic of certificate adopts SM2 algorithm, uses signing certificate to realize authentication based on ECDSA signature, uses encrypted certificate to realize key agreement based on ECDH.
In an alternative example of the embodiment of the present invention, the encryption subprocess and the web server perform two-way certificate authentication, which may specifically be implemented as follows:
1) the encryption subprocess receives the server certificate message sent by the web server, where the server certificate message contains the website signing certificate of the web server;
2) the encryption subprocess receives the certificate verification request message sent by the web server, where the certificate verification request message indicates that certificate verification of the client is to be performed;
3) the encryption subprocess receives the server key exchange message sent by the web server, which contains the key exchange parameters;
4) the encryption subprocess receives the server hello done message sent by the web server;
5) the encryption subprocess authenticates the website signing certificate;
6) after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the web server, where the client certificate message contains the signing certificate of the browser client, so that the web server can authenticate that signing certificate.
In the present embodiment, the above encrypted data negotiation, certificate verification, key exchange and signature authentication are all performed during the handshake between the encryption subprocess of the secure browser client and the web server. In the present embodiment, two-way authentication uses a dual-certificate mechanism: the asymmetric algorithm of the certificates is SM2, the signing certificate is used for identity authentication based on ECDSA signatures, and the encryption certificate is used for key agreement based on ECDH. The SM4 algorithm is used to encrypt data, and the SM3 algorithm is used to digest data.
Here, the SM2 algorithm is an elliptic curve public key cryptographic algorithm with a key length of 256 bits. The SM3 algorithm is a cryptographic hash algorithm with a key length of 128 bits, and the SM4 algorithm is a block cipher with a block length of 128 bits and a key length of 128 bits.
As shown in Figure 4, the handshake between the encryption subprocess and the web server comprises:
4.02, the encryption subprocess sends the client hello message ClientHello to the web server.
4.04, the web server sends the server hello message ServerHello to the encryption subprocess of the secure browser client.
Here the web server looks for a matching cipher suite in the ClientHello message and sends ServerHello as the reply; if no matching cipher suite is found, it sends an alert message. In this ServerHello, server_version indicates the version number supported by the server, for example 1.1; random is the random number generated by the server; session_id is the session identifier used by the server; cipher_suites is the cipher suite chosen by the server from the ClientHello message; and compression_methods is the compression algorithm chosen by the server from the ClientHello message.
4.06, the web server sends the server certificate message Certificate to the encryption subprocess.
That is, the content of the ServerCertificate message is the signing certificate and the encryption certificate, for example the website signing certificate of the server (X.509 sequence).
4.08, the web server sends the certificate verification request message ServerRequest to the encryption subprocess.
The ServerRequest message asks the client to provide a certificate, and at the same time specifies the authentication type (ECDSA).
4.10, the web server sends the server key exchange message ServerKeyExchange to the encryption subprocess.
ServerKeyExchange is used by the client to compute and generate the 48-byte pre-master key. The public key can be obtained directly from the server's encryption certificate. For example, the client randomly generates the pre-master key pre_master_secret and performs an ECDH computation with the public key of the server certificate.
4.12, the web server sends the hello done message ServerHelloDone to the encryption subprocess.
ServerHelloDone marks the completion of the hello message phase of the handshake; the server then waits for the client's response messages.
4.14, the encryption subprocess sends the client certificate message Certificate to the web server.
That is, the ClientCertificate message is the first message after the hello message phase completes; it contains, for example, the signing certificate of the client (X.509 sequence).
4.16, the encryption subprocess sends the client key exchange message ClientKeyExchange to the web server.
The ClientKeyExchange message carries the pre-master key encrypted with the public key of the web server.
4.18, the encryption subprocess sends the certificate verify message CertificateVerify to the web server.
The CertificateVerify message is used to establish that the client is the legitimate holder of the certificate. In the present embodiment, after the user has been prompted to insert the USBKey, the user can be prompted to enter the protection password; that is, this message carries the check of whether the user is legitimate.
For example, the client uses the ECC private key of the signing certificate to produce an ECDSA signature over the digest of the handshake messages.
4.20, the encryption subprocess sends the client change cipher spec message ChangeCipherSpec to the web server.
That is, the ClientChangeCipherSpec message indicates to the server that algorithm and key negotiation are complete.
4.22, the encryption subprocess sends the client handshake finished message Finished to the web server.
In the present embodiment, the encryption subprocess computes master_secret from the client random number, the server random number and pre_master_secret using the key algorithm, then uses the random numbers and master_secret to compute the actual data encryption key, and then encrypts the digest of all handshake messages to form the ClientFinished message, which it sends to the server.
4.24, the web server sends the server change cipher spec message ChangeCipherSpec to the encryption subprocess.
4.26, the web server sends the server handshake finished message Finished to the encryption subprocess.
The server verifies the client certificate and uses the client's signing certificate to verify the client's signature. The server performs the ECDH computation with its own encryption key to obtain pre_master_secret, computes master_secret and the data encryption key with the same algorithm as the client, verifies the correctness of the ServerFinished message, and sends the ServerChangeCipherSpec message to the client to confirm that algorithm and key negotiation are complete.
Through the above handshake, the authentication, key negotiation and related processes between the browser client and the web server are completed, so that the encryption subprocess and the web server can each encrypt application data with the negotiated and computed key.
Step 206, automatically identify and connect the secure key storage hardware inserted into an interface of the terminal on which the browser client is located.
The present embodiment is described for the case where the accessed website requires two-way authentication. When the address bar of the browser client receives a user-entered website address that requires two-way authentication, the browser client pops up a dialog box prompting the user to insert the secure key storage hardware, that is, prompting the user to insert the USBKey, as shown in Figure 5. In two-way authentication, the web server of the accessed website and the browser client authenticate each other, confirming that the digital certificate of the accessed web server and the digital certificate loaded by the browser client are both secure and valid; therefore the certificates to be authenticated during two-way authentication include the website certificate of the accessed website and the user certificate loaded by the browser client. Accordingly, in the present embodiment, automatically identifying and connecting the secure key storage hardware inserted into the interface of the terminal on which the browser client is located may specifically comprise the following two sub-steps:
Sub-step one: when performing two-way authentication of digital certificates, the encryption subprocess associates the vendor ID and product ID of the secure key storage hardware with the corresponding driver location and driver interface. It should be noted that when two-way authentication is performed, the digital certificates specifically comprise the website certificate of the accessed website and the user certificate, stored in the secure key storage hardware, that the browser client loads. The browser's encryption subprocess can be associated with the corresponding driver location and driver interface through the vendor ID and product ID of the secure key storage hardware.
Sub-step two: establish a connection channel to the secure key storage hardware through the driver location and driver interface. Once the driver location and driver interface of the secure key storage hardware are known, a communication channel to the secure key storage hardware can be established through that driver location and driver interface.
It should be noted that, in an alternative example of the embodiment of the present invention, before step 206 automatically identifies and connects the secure key storage hardware inserted into the interface of the terminal on which the browser client is located, the method further comprises: the encryption subprocess determines whether the certificate verification request message sent by the web server has been received during the handshake; when the certificate verification request message sent by the web server is received, the interface of the terminal on which the browser client is located is monitored for insertion of secure key storage hardware; and when insertion of secure key storage hardware is detected, step 206 of automatically identifying and connecting the secure key storage hardware inserted into the interface of the terminal on which the browser client is located is performed.
Step 208, the browser client reads and displays the user certificates stored in the secure key storage hardware for the user to select.
In the present embodiment, the browser client reading and displaying the user certificates stored in the secure key storage hardware for the user to select may specifically be carried out through the following sub-steps:
Sub-step one: the encryption subprocess reads the user certificates stored in the secure key storage hardware through the connection channel. Having established the connection channel to the secure key storage hardware according to the driver location and driver interface, the encryption subprocess can read the user certificates stored in the secure key storage hardware through that channel. It should be noted that at this point the encryption subprocess reads only the names and similar attributes of the user certificates, not the specific content of the certificates. In an alternative example of the embodiment of the present invention, the encryption subprocess reading the user certificates stored in the secure key storage hardware through the connection channel may specifically comprise: the encryption subprocess reads the applications stored in the secure key storage hardware through the connection channel and displays the applications for the user to select, where each application comprises containers and the user certificates stored in the containers; it then opens the application selected by the user and loads the containers under that application and the user certificates stored in those containers.
Sub-step two: pop up a certificate selection dialog box and load the user certificates into the certificate selection dialog box to prompt the user to select a user certificate. It should be noted that, as shown in Figure 6, the certificate selection dialog box popped up in the browser client in the present embodiment may specifically contain any one or more of the following: the name of the current device, the application name, the container name, the certificate CN, the issuer, the effective date, the expiry time and the user certificate, so as to prompt the user to select a user certificate; the present embodiment does not restrict the specific form or content of the certificate selection dialog box.
In the present embodiment, in order to ensure the security of the accessed website and of the user, the CA issues different website certificates to different websites, and at the same time issues different user certificates to the different users of different websites. A digital certificate comprises the public key of the website or user, information about the website or user, and content such as a digital signature.
Therefore, before digital certificate authentication is performed, preferably, in the mutual authentication process, a certificate selection box can be popped up in the browser client into which the user certificates currently held by the terminal on which the browser is located are loaded; after the user selects a user certificate, the user is prompted to enter the protection password, as shown in Figure 7, namely the PIN (Personal Identification Number), so that once the protection password passes verification it is established that this user has the right to use this user certificate. Further, the above user certificate and protection password can be sent to the web server as authentication data in the user certificate verification process.
In an alternative example of the embodiment of the present invention, after sub-step one in which the encryption subprocess reads the user certificates stored in the secure key storage hardware through the connection channel, the method further comprises: the encryption subprocess performs certificate website identification on the user certificates stored in the secure key storage hardware and classifies the user certificates by certificate website; correspondingly, sub-step two of popping up the certificate selection dialog box and loading the user certificates into it to prompt the user to select a user certificate may specifically comprise: popping up the certificate selection dialog box and displaying the user certificates in it indexed by certificate website. It should be noted that the certificate website is the bank website to which the certificate corresponds; the certificate website may specifically be, for example, China Construction Bank, Industrial and Commercial Bank of China, Agricultural Bank of China, and so on. In other words, in the present embodiment the certificate selection dialog box can show specifically which bank each user certificate belongs to, intuitively showing the user which bank the secure key storage hardware belongs to, which makes it convenient for the user to judge by bank whether a certificate is the user certificate needed, that is, to judge whether it is the user certificate needed according to the certificate website.
Step 210, when the browser client receives the user's selection of a user certificate, identity authentication of the user is performed.
In the present embodiment, performing identity authentication of the user when the browser client receives the user's selection of a user certificate may specifically be implemented as follows: when the user's selection of a user certificate is received, the encryption subprocess pops up a password input box and receives the protection password entered by the user through that box; identity authentication of the user is then performed according to the protection password entered by the user. It should be noted that the present embodiment uses the protection password as the user's identity information for identity authentication; in specific implementations other means of identity authentication may be used, and the present embodiment does not restrict the specific manner of identity authentication.
In an alternative example of the embodiment of the present invention, performing identity authentication of the user when the browser client receives the user's selection of a user certificate further comprises: if the identity authentication fails, a password error is shown in the password input box and the user is prompted to re-enter the protection password, and identity authentication is performed according to the re-entered protection password. Because a user may mistype the protection password for reasons such as keyboard misoperation, and entering a wrong protection password happens from time to time, this alternative example does not directly disconnect the secure key storage hardware when identity authentication fails but allows the user to re-enter the protection password; of course the user cannot be allowed to enter protection passwords without limit, so the number of protection password entries must be restricted. That is, in an alternative example of the embodiment of the present invention, performing identity authentication of the user when the browser client receives the user's selection of a user certificate further comprises: the encryption subprocess sets a maximum input count for the password input box; when the number of protection passwords entered by the user in the password input box reaches the maximum input count, the password input box is closed and the connection to the secure key storage hardware is disconnected. This avoids the situation where a single mistyped protection password disconnects the secure key storage hardware, which would require the user to re-insert the secure key storage hardware and repeat the cumbersome user verification, making the loading of the secure key storage hardware inefficient; it also avoids the resource occupation or endless loop problems that unlimited protection password entry would cause, and improves the efficiency of loading the secure key storage hardware.
Step 212, after the identity authentication passes, load the user certificate content corresponding to the selection.
In the present embodiment, loading the user certificate content corresponding to the selection after identity authentication passes may specifically comprise the following sub-steps:
Sub-step one: after identity authentication passes, the encryption subprocess obtains the authentication information in the user certificate and loads that authentication information into the certificate viewer.
Sub-step two: the encryption subprocess starts the certificate viewer according to a trigger instruction and displays the authentication information of the user certificate in the certificate viewer. It should be noted that displaying the authentication information of the user certificate in the certificate viewer may specifically be implemented as follows: a General tab and a Details tab are provided in the certificate viewer; the general information of the user certificate corresponding to the selection is displayed in the General tab, and the detailed information of the user certificate corresponding to the selection is displayed in the Details tab. That is, the certificate viewer is started according to the trigger instruction, a General tab and a Details tab are provided in the viewer, the general information of the user certificate is loaded into the General tab, as shown in Figure 8A, and the detailed information of the user certificate is loaded into the Details tab, as shown in Figure 8B, so that the different contents of the user certificate can be viewed by selecting the different tabs.
It should be noted that, in an alternative example of the embodiment of the present invention, after loading the user certificate content corresponding to the selection, the method further comprises: the encryption subprocess disconnects the connection to the secure key storage hardware.
In an alternative example of the embodiment of the present invention, when the browser client loads a user certificate it can first pop up a certificate selection box prompting the user to insert the secure key storage hardware. This secure key storage hardware, that is, the USB Key, is a hardware device with a USB interface and a built-in microcontroller or smart card chip; it has a certain amount of storage space in which the user's private key and digital certificate can be stored, and uses the public key algorithm built into the USBKey to authenticate the user's identity. Because the user's private key is kept inside the password-locked device and in theory cannot be read out in any way, the security of user authentication is ensured.
After the user inserts the secure key storage hardware, the driver of the secure key storage hardware is called through the certificate selection box to load the certificate information in the secure key storage hardware, and the certificate information selected by the user is received; a protection password input window is then popped up in the certificate selection box and the protection password entered by the user is received.
Here, the browser's automatic identification of the USBKey relies on two key items of information in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library; and TokenVidPid, a string holding the VendorID and ProductID of the KEY device in the same form as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX.
The browser can associate the USBKey device with the corresponding driver through its vendor ID (vendorid) and product ID (productid), completing the association. The browser does not store the PIN entered by the user, nor the private key information in the USBKey. The operating flow for the USBKey is as follows: connect to the USBKey device; open the corresponding application (Application), where the Application is selected by the user; open the corresponding container (Container), where the Container is selected by the user; then enter the PIN for verification, with a prompt to re-enter after a verification error; then obtain the signing certificate information and the encryption certificate information and perform digital certificate authentication; in the subsequent data exchange with the web server, the encryption and decryption of data is also completed in the USBKey; and finally, after this website access is complete, close the device and disconnect.
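The VID/PID association of step 206 and the application/container walk with bounded PIN entry of steps 208 to 212, simulated in an added example that is not the patent's code; the device model, registry entries, PIN, certificate bytes and the SKF-like method names are all constructed stand-ins for the vendor library.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_PIN_ATTEMPTS = 3  # the page's "maximum input count" for the password box (value constructed)

# Constructed CSP registry entries; SKFImagePath and TokenVidPid are the key names given on the page.
CSP_REGISTRY = {
    "ExampleBankCSP": {"SKFImagePath": r"C:\placeholder\skf_example.dll",
                       "TokenVidPid": "VID_1234&PID_5678"},
    "OtherBankCSP": {"SKFImagePath": r"C:\placeholder\skf_other.dll",
                     "TokenVidPid": "VID_ABCD&PID_0001"},
}

_VIDPID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


def parse_vid_pid(text: str) -> Optional[Tuple[str, str]]:
    """Extract (VID, PID) from a TokenVidPid value or a USB device instance id."""
    m = _VIDPID_RE.search(text)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def match_skf_library(device_instance_id: str) -> Optional[str]:
    # Sub-step one of step 206: associate an inserted device (instance id in the
    # Enum\USB form) with the SKF library of its CSP entry; None means ordinary USB hardware.
    dev = parse_vid_pid(device_instance_id)
    if dev is None:
        return None
    for entry in CSP_REGISTRY.values():
        if parse_vid_pid(entry["TokenVidPid"]) == dev:
            return entry["SKFImagePath"]
    return None


@dataclass
class Container:
    sign_cert: bytes
    enc_cert: bytes


@dataclass
class SimulatedUSBKey:
    """Stand-in for the device: applications -> containers -> certificate pair."""
    apps: Dict[str, Dict[str, Container]]
    pin: str
    connected: bool = False


class KeyLoader:
    """Models the encryption subprocess side of the USBKey flow."""

    def __init__(self, key: SimulatedUSBKey, max_attempts: int = MAX_PIN_ATTEMPTS):
        self.key = key
        self.max_attempts = max_attempts
        self.attempts = 0
        self.unlocked = False

    def connect(self) -> None:
        self.key.connected = True

    def disconnect(self) -> None:
        self.key.connected = False
        self.unlocked = False

    def list_applications(self):
        # Step 208: only names are read before PIN verification, never certificate content.
        return sorted(self.key.apps)

    def list_containers(self, app: str):
        return sorted(self.key.apps[app])

    def verify_pin(self, pin: str) -> str:
        """Step 210: 'ok', 'retry' (wrong PIN, box stays open) or 'locked'
        (maximum reached: box closed and device disconnected)."""
        if not self.key.connected:
            raise RuntimeError("device not connected")
        self.attempts += 1
        if hmac.compare_digest(pin.encode(), self.key.pin.encode()):
            self.unlocked = True
            return "ok"
        if self.attempts >= self.max_attempts:
            self.disconnect()
            return "locked"
        return "retry"

    def load_certificates(self, app: str, container: str) -> Tuple[bytes, bytes]:
        """Step 212: certificate content is released only after the PIN has been verified."""
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        c = self.key.apps[app][container]
        return c.sign_cert, c.enc_cert


def make_demo_key() -> SimulatedUSBKey:
    """Constructed sample device with one application, one container and PIN 123456."""
    return SimulatedUSBKey(
        apps={"ExampleBank": {"Default": Container(b"SIGN-CERT-DER(constructed)",
                                                   b"ENC-CERT-DER(constructed)")}},
        pin="123456",
    )
```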
In an embodiment of the present invention, a connection permission message returned by the web server is received and a secure connection channel for encrypted data transmission is established between the browser and the web server corresponding to the website, where the connection permission message is sent by the web server after the user certificate passes its security authentication.
After the above certificate verification passes, the web server returns the connection permission message, and a secure connection channel for encrypted data transmission is established between the browser and the web server corresponding to the website. In the present embodiment, data transmitted in this secure connection channel is encrypted and decrypted with the symmetric SM4 algorithm; SM4 is a block cipher with a block length of 128 bits and a key length of 128 bits.
For the method embodiments, for simplicity of description each is expressed as a series of combinations of actions; however, those skilled in the art should understand that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Embodiment three
On the basis of the above embodiments, the present embodiment further discloses a secure communication system.
With reference to Fig. 9, a structural block diagram of a secure communication system embodiment according to an embodiment of the present invention is shown.
With reference to Figure 10, a structural block diagram of a browser client device embodiment in the secure communication system according to an embodiment of the present invention is shown.
The secure communication system comprises: a browser client device 902, secure key storage hardware 904 and a web server 906.
Here, the web server 906 is configured to perform security authentication with the browser client device 902 through a handshake, to establish a secure channel after the security authentication passes, and to transmit encrypted data in the secure channel;
the browser client device 902 is configured to perform security authentication with the web server 906 through a handshake, to establish a secure channel after the security authentication passes, and to transmit encrypted data in the secure channel; and to connect to the secure key storage hardware 904 to obtain the user certificate needed in the security authentication process;
the secure key storage hardware 904 is configured to connect to the browser through an interface of the terminal and to provide the user certificate needed in the security authentication process;
the browser client device 902 comprises:
a connection module 90202, configured to automatically identify and connect the secure key storage hardware inserted into an interface of the terminal on which the browser client device is located;
a reading module 90204, configured to read and display the user certificates stored in the secure key storage hardware for the user to select;
an authentication module 90206, configured to perform identity authentication of the user when the user's selection of a user certificate is received; and
a loading module 90208, configured to load the user certificate content corresponding to the selection after the identity authentication passes.
When a user uses the browser client device to log in to online banking or an online payment platform such as Alipay, the user needs to insert the secure key storage hardware in order to ensure the security of data transmission. That is, when the user enters the address of such a website in the address bar of the browser client device to request access to the web page corresponding to that address, the browser client device prompts the user to insert the secure key storage hardware. The website address received by the address bar of the browser client device may be entered directly by the user, or entered by the user clicking a search result after a search; the present embodiment does not restrict this.
The secure key storage hardware, that is, the USBKey, stores user certificates, and the user can select a user certificate from it. It should be noted that a secure key storage hardware device usually stores one user certificate, and each major bank has its own corresponding secure key storage hardware. For example, the secure key storage hardware for Bank of Beijing online banking stores the user certificate issued by Bank of Beijing, and the secure key storage hardware for China Construction Bank online banking stores the user certificate issued by China Construction Bank.
It should be noted that the secure key storage hardware is usually made in a form that mates with a USB interface and can be inserted into a terminal such as a computer through a USB interface. After the secure key storage hardware is inserted into the terminal through the USB interface, in the present embodiment the browser client can automatically identify it and distinguish the secure key storage hardware inserted into the interface of the terminal on which the browser client device is located from other USB hardware. When it identifies that secure key storage hardware has been inserted into the terminal, it automatically connects to the secure key storage hardware; the connection referred to here means downloading the driver to establish a communication connection with the secure key storage hardware so that the user certificates stored in it can be read, and is not limited to a physical connection.
After the browser client device and the secure key storage hardware have established a communication connection, the user certificates stored in the secure key storage hardware can be read and displayed for the user to select. In specific implementations, the browser client can display the user certificates in a pop-up window or in other ways; the present embodiment does not restrict the specific display mode, as long as the user certificates are displayed so that the user can see them intuitively and select a user certificate conveniently.
The reason the browser client device needs to identify the secure key storage hardware automatically is that security verification is required when accessing payment platforms such as online banking. Specifically, in the present embodiment the identity of the user needs to be verified, and identity authentication of the user is performed after the user selects a user certificate. It should be noted that although identity authentication is performed on the browser client device, it is in fact the bank's web server that requires identity authentication of the user in order to confirm the user's identity.
It should be noted that, in the present embodiment, identity authentication of the user can be implemented in various ways. For the scenario of logging in to online banking, the user can be asked to enter the bank card password or a separate online banking password for identity authentication. Because the bank's web server stores the bank password or separate online banking password set by the user, the browser client device can send identity information such as the bank card password entered by the user to the web server to be matched against the user identity information stored there; if the match succeeds, the user's identity authentication passes, and if it fails, identity authentication fails. It should be noted that when identity authentication of the user is performed, the identity information entered by the user may be the above bank card password, the protection password, or other information capable of representing the user's identity such as the user's ID card number; the present embodiment does not restrict the specific content of the identity information or the specific process of identity authentication, as long as the user's identity can be confirmed.
In summary, when loading the secure key storage hardware, the browser client device of the present embodiment first automatically identifies and connects the secure key storage hardware inserted into the interface of the terminal on which it is located; then reads and displays the user certificates stored in the secure key storage hardware for the user to select; then performs identity authentication of the user when the user's selection of a user certificate is received; and finally, after identity authentication passes, loads the user certificate content corresponding to the selection. Because the present embodiment performs identity authentication of the user first and loads the content of the user certificate stored in the secure key storage hardware only after the authentication passes and the user's identity is confirmed, leakage of the user certificate stored in the secure key storage hardware can be prevented and the security of loading the secure key storage hardware is improved.
In one embodiment of the present invention, as shown in Figure 11, the browser client device further comprises:
A main service scheduling module 90210, for starting, in the browser client device, an encryption subprocess that communicates with the main service scheduling module, wherein the encryption subprocess serves as a connection proxy that converts a first encrypted channel into a second encrypted channel and forwards data;
An encryption subprocess module 90212, for performing two-way digital certificate authentication with the web server 906 through a handshake procedure.
In one embodiment of the present invention, the encryption subprocess module 90212 is configured to perform the following security authentication operations in sequence with the web server 906 through the handshake procedure: encryption data negotiation, certificate authentication, key exchange and signature authentication.
In this embodiment, the browser client device 902 uses the encryption subprocess module 90212 as a proxy for the browser's main service scheduling module 90210, and carries out the SSL encrypted communication procedures of encryption data negotiation, certificate authentication, key exchange and signature authentication with the web server 906 through the handshake procedure, as shown in Figure 4; for the specific handshake procedure, the related handshake messages and the cryptographic algorithms, refer to the discussion in the section on embodiment two.
In one embodiment of the present invention, the secure key storage hardware 904 is specifically configured to establish a connection channel with the browser client device through the activation point and driver interface of the terminal;
The connection module 90202 of the browser client device is specifically configured, when two-way digital certificate authentication is performed, to have the encryption subprocess module 90212 associate the vendor ID and product ID of the secure key storage hardware with the corresponding activation point and driver interface, and to establish the connection channel with the secure key storage hardware through that activation point and driver interface.
Referring to Figure 12A, a first structural block diagram of a read module according to an embodiment of the present invention is shown.
In one embodiment of the present invention, the read module 90204 of the browser client device comprises:
A reading submodule 9020402, for reading the user certificates stored in the secure key storage hardware through the connection channel;
A loading submodule 9020404, for popping up a certificate selection dialog box and loading the user certificates into the certificate selection dialog box to prompt the user to select a user certificate.
After the browser client device and the secure key storage hardware establish a communication connection, the user certificates stored in the secure key storage hardware can be read and displayed for the user to select from. In a specific implementation, the browser client device may display the user certificates in a pop-up window or by other means; this embodiment does not limit the specific display mode, as long as the user can see the user certificates intuitively and select one of them conveniently.
Referring to Figure 12B, a second structural block diagram of a read module according to an embodiment of the present invention is shown.
In one embodiment of the present invention, the read module 90204 of the browser client device further comprises:
An identification submodule 9020406, for performing certificate site identification on the user certificates stored in the secure key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website;
The loading submodule 9020404 is specifically configured to pop up the certificate selection dialog box and to display the user certificates in the certificate selection dialog box indexed by certificate website.
In one embodiment of the present invention, the secure key storage hardware 904 is specifically configured to provide stored applications to the browser client device, wherein each application comprises containers and the user certificates stored in the containers;
The reading submodule 9020404 is specifically configured to read the applications stored in the secure key storage hardware through the connection channel and display them for the user to select from; to open the application selected by the user; and to load the containers under the selected application and the user certificates stored in the containers.
In one embodiment of the present invention, the identity authentication module 90206 is specifically configured, upon receiving the user's selection information for a user certificate, to pop up a PIN input box, receive the PIN entered by the user through the PIN input box, and perform identity authentication on the user according to the entered PIN.
In one embodiment of the present invention, the identity authentication module 90206 is further configured, when the identity authentication fails, to display a password error in the PIN input box, prompt the user to re-enter the PIN, and perform identity authentication according to the re-entered PIN.
In one embodiment of the present invention, the identity authentication module 90206 is further configured to set a maximum number of input attempts for the PIN input box; when the number of PIN entries made by the user in the PIN input box reaches the maximum, the PIN input box is closed and the connection with the secure key storage hardware is disconnected.
In one embodiment of the present invention, the loading module 90208 is specifically configured, after the identity authentication passes, to obtain the authentication information in the user certificate and load it into a certificate viewer;
The encryption subprocess module 90212 is configured to start the certificate viewer according to a trigger instruction and display the authentication information of the user certificate in the certificate viewer.
In one embodiment of the present invention, the encryption subprocess module 90212 is configured to provide a General tab and a Details tab in the certificate viewer, to display the general information of the user certificate corresponding to the selection information in the General tab, and to display the details of that user certificate in the Details tab.
In one embodiment of the present invention, the encryption subprocess module 90212 is further configured to determine whether a certificate authentication request message sent by the web server has been received during the handshake procedure;
The connection module 90202 of the browser client device is further configured, when the encryption subprocess module 90212 receives the certificate authentication request message sent by the web server, to monitor whether secure key storage hardware is inserted into an interface of the terminal where the browser client is located, and, when insertion of secure key storage hardware is detected, to automatically identify and connect the secure key storage hardware inserted into the interface of that terminal.
In one embodiment of the present invention, the encryption subprocess module 90212 is further configured to disconnect the connection with the secure key storage hardware after the loading module has loaded the user certificate content corresponding to the selection information.
It should be noted that the encryption subprocess module can be understood with reference to the structural block diagram of the encryption subprocess module shown in Figure 13. As shown in Figure 13, the encryption subprocess module comprises: a configuration module 1302, a proxy module 1304, a CTL management module 1306, a CRL management module 1308, a Session management module 1310, a certificate verification module 1312, an SSL connection module 1314 and a USBKey operation module 1316. The proxy module accepts connections from the browser's main service process, processes them according to the connection type, and thereby forms the connection proxy of the main service process. The CTL module manages the trusted root certificate list. The CRL management module obtains CRL lists and manages the local CRL list. The Session management module manages the sessions between the proxy process and the web server. The SSL connection module is responsible for establishing secure connections with the web server. The USBKey operation module is responsible for operating the USBKey device. The configuration module is responsible for reading and storing the client's configuration.
The CTL management module 1306 works as follows. The CTL describes the browser's trusted root certificate list, which is used to verify the server-side certificate. In the 360 secure browser the supported trusted root certificates are PEM encoded, and two ways of adding a trusted root certificate are supported: 1) trusted root certificates built into the program; 2) trusted root certificates added through a configuration file, which is stored DES-encrypted. The CTL may be configured not to support import and export functions.
The CRL management module 1308 works as follows. A CRL describes the certificate revocation list of a certification authority (CA); in essence it is a list of certificate serial numbers, each represented as an ASN.1-encoded Integer. An extension of the X509v3 certificate (OID 2.5.29.31) specifies the CRL distribution point of that certificate. In the secure browser of this embodiment, the device caches CRLs locally, and CRL lookup uses a first-level index by CA. The steps of the CRL check are as follows: (1) obtain the Issuer field of the certificate and locate the corresponding CA node; if the Issuer field does not exist or the corresponding CA entry cannot be found, the certificate is considered illegal; (2) perform a binary search over all CRL entries under that CA.
For the Session management module 1310: an SSL connection requires four additional handshake round trips on top of the three-way TCP handshake, so connection establishment is relatively time-consuming; saving the Session and reusing the previous connection can therefore effectively optimize handshake performance. In the secure browser device of this embodiment, after an SSL connection has been established, an in-memory index from host+port to the session is created, and subsequent operations can reuse the previous session; for example, the session validity period is 1 hour. Previously saved sessions are cleared when the browser is closed or when the USBKey device is removed.
For the certificate verification module 1312: if two-way authentication is required during SSL connection establishment, the encryption subprocess module can prompt the user to insert the secure key storage hardware, i.e. the USBKey device. After the user inserts the secure key storage hardware, it can be identified automatically and a certificate selection dialog box pops up prompting the user to select a certificate. To identify the secure key storage hardware automatically, the encryption subprocess module relies on two key pieces of information in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device in the same format as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, i.e. VID_XXXX&PID_XXXX. The browser associates the VendorID and ProductID of the USBKey device with the corresponding driver to complete the association. The browser does not store the PIN entered by the user, nor the private key information in the USBKey. The specific flow is as follows: first connect to the USBKey device; then open the corresponding application (Application), the Application being chosen by the user; then open the corresponding container (Container), the Container being chosen by the user; then verify the PIN (Personal Identification Number), prompting for re-entry after a verification error; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device to disconnect.
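The flow just described (connect, open the user-chosen Application and Container, verify the PIN with a retry limit, read the signing and encryption certificates, close the device), as an added Python illustration that is not code from the patent or from the 360 secure browser; the USBKey, its applications, containers, certificates and the VID/PID string are constructed in-memory stand-ins, and the attempt limit of three is an assumed value.

```python
"""Simulated USBKey certificate-loading flow. The device, its applications,
containers and certificates are constructed in memory for illustration."""
from dataclasses import dataclass, field


class KeyLocked(Exception):
    """Raised when the maximum number of PIN attempts has been reached."""


@dataclass
class Container:
    sign_cert: bytes   # signing certificate (constructed bytes)
    enc_cert: bytes    # encryption certificate (constructed bytes)


@dataclass
class Application:
    pin: str                       # PIN protecting this application
    containers: dict = field(default_factory=dict)


@dataclass
class FakeUsbKey:
    """Constructed stand-in for the secure key storage hardware."""
    vid_pid: str                   # e.g. "VID_1234&PID_5678" (placeholder)
    apps: dict
    connected: bool = False

    def connect(self) -> None:
        self.connected = True

    def disconnect(self) -> None:
        self.connected = False


class CertificateLoader:
    """Browser-side loader. It never stores the PIN it is given and never
    reads private key material; only certificates leave the device."""

    def __init__(self, key: FakeUsbKey, max_attempts: int = 3):
        self.key = key
        self.max_attempts = max_attempts   # assumed limit
        self.attempts = 0

    def verify_pin(self, app: Application, pin: str) -> bool:
        """One PIN entry. A wrong PIN prompts re-entry; reaching the attempt
        limit closes the input box and disconnects the hardware."""
        if pin == app.pin:
            self.attempts = 0
            return True
        self.attempts += 1
        if self.attempts >= self.max_attempts:
            self.key.disconnect()
            raise KeyLocked("maximum PIN attempts reached; device disconnected")
        return False   # caller shows "password error" and asks again

    def load(self, app_name: str, container_name: str, pin_entries) -> dict:
        """Connect, open the user-chosen Application and Container, verify
        the PIN, read both certificates, then close the device.
        pin_entries yields the PINs the user types, in order."""
        self.key.connect()
        try:
            app = self.key.apps[app_name]                 # Application chosen by user
            container = app.containers[container_name]    # Container chosen by user
            for pin in pin_entries:
                if self.verify_pin(app, pin):
                    break
            else:
                raise ValueError("no PIN was accepted")
            return {"sign": container.sign_cert, "enc": container.enc_cert}
        finally:
            # The device is closed whether loading succeeded or not, so the
            # connection is never left open once the certificates are read.
            if self.key.connected:
                self.key.disconnect()


def build_demo_key() -> FakeUsbKey:
    """Constructed device with one application and one container."""
    container = Container(sign_cert=b"DEMO-SIGN-CERT", enc_cert=b"DEMO-ENC-CERT")
    app = Application(pin="1234", containers={"login": container})
    return FakeUsbKey(vid_pid="VID_1234&PID_5678", apps={"bank": app})


if __name__ == "__main__":
    loader = CertificateLoader(build_demo_key())
    # A mistyped PIN followed by the correct one: the second entry is accepted.
    print(loader.load("bank", "login", iter(["0000", "1234"])))
```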
In this embodiment, for the certificate verification process of the method embodiment above, verification of the server-side certificate takes place during the Handshake protocol, after the browser receives the ServerHelloDone message and before it sends the Certificate message. Certificate verification mainly guarantees the legitimacy of the server; the verification process depends on the CTL and CRL modules, and the specific process is carried out in the certificate verification thread pool of the subprocess. The checking steps are as follows: initialize the trusted root certificate list; check whether the certificate is self-signed; check the certificate extension information; check the certificate trust relationship; check the CRL list; check the certificate signature; check the certificate validity period; check whether the certificate is in the blacklist.
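The check sequence above, together with the CA-indexed CRL lookup of the CRL management module, as an added Python illustration that is not the patent's or the browser's code; it replaces X.509 with a simplified certificate record and the real signature with a toy HMAC keyed by a constructed issuer key, and the CTL, CRL cache, blacklist, names and serial numbers are all constructed values.

```python
"""Server-certificate verification in the order the embodiment lists. A
simplified certificate record stands in for X.509, and a toy HMAC keyed by a
constructed issuer key stands in for the real signature so the check runs
offline. CTL, CRL cache and blacklist are constructed in memory."""
import bisect
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: int      # validity window, seconds since epoch (constructed)
    not_after: int
    is_ca: bool          # stands in for the basicConstraints CA extension
    signature: bytes = b""


def toy_sign(c: Cert, issuer_key: bytes) -> bytes:
    """Toy signature over the certificate fields (NOT a real signature)."""
    msg = f"{c.subject}|{c.issuer}|{c.serial}|{c.not_before}|{c.not_after}|{c.is_ca}"
    return hmac.new(issuer_key, msg.encode(), hashlib.sha256).digest()


def issue(c: Cert, issuer_key: bytes) -> Cert:
    """Return a copy of c carrying the issuer's toy signature."""
    return replace(c, signature=toy_sign(c, issuer_key))


class Verifier:
    def __init__(self, ctl, crl, blacklist, issuer_keys):
        # Step 1: initialise the trusted root certificate list (CTL).
        self.ctl = {c.subject: c for c in ctl}
        # Local CRL cache, first-level index by CA; serials kept sorted so
        # the per-CA lookup can be a binary search.
        self.crl = {ca: sorted(serials) for ca, serials in crl.items()}
        self.blacklist = set(blacklist)          # (issuer, serial) pairs
        self.issuer_keys = issuer_keys           # stand-in for CA public keys

    def is_revoked(self, c: Cert) -> bool:
        # (1) locate the CA node from the Issuer field; none -> illegal.
        if not c.issuer or c.issuer not in self.crl:
            return True
        serials = self.crl[c.issuer]
        # (2) binary search among that CA's CRL entries.
        i = bisect.bisect_left(serials, c.serial)
        return i < len(serials) and serials[i] == c.serial

    def verify(self, chain, now: int):
        """chain = [server cert, intermediates...]; returns (ok, reason)."""
        leaf = chain[0]
        if leaf.subject == leaf.issuer:                     # step 2
            return False, "self-signed server certificate"
        for c in chain[1:]:                                 # step 3
            if not c.is_ca:
                return False, f"{c.subject} lacks CA extension"
        for child, parent in zip(chain, chain[1:]):         # step 4
            if child.issuer != parent.subject:
                return False, "broken issuer chain"
        root = self.ctl.get(chain[-1].issuer)
        if root is None:
            return False, "chain does not end at a trusted root"
        for c in chain:                                     # step 5
            if self.is_revoked(c):
                return False, f"{c.subject} revoked"
        full = chain + [root]                               # step 6
        for child, parent in zip(full, full[1:]):
            expected = toy_sign(child, self.issuer_keys[parent.subject])
            if not hmac.compare_digest(expected, child.signature):
                return False, f"bad signature on {child.subject}"
        for c in full:                                      # step 7
            if not c.not_before <= now <= c.not_after:
                return False, f"{c.subject} outside validity period"
        for c in chain:                                     # step 8
            if (c.issuer, c.serial) in self.blacklist:
                return False, f"{c.subject} blacklisted"
        return True, "ok"


ROOT_KEY, INTER_KEY = b"demo-root-key", b"demo-intermediate-key"  # constructed


def build_demo():
    """Constructed CTL root, intermediate CA and server certificate."""
    root = issue(Cert("Demo Root CA", "Demo Root CA", 1, 0, 4_000_000_000, True), ROOT_KEY)
    inter = issue(Cert("Demo Intermediate CA", "Demo Root CA", 7, 0, 4_000_000_000, True), ROOT_KEY)
    leaf = issue(Cert("bank.example", "Demo Intermediate CA", 100,
                      1_600_000_000, 1_700_000_000, False), INTER_KEY)
    verifier = Verifier(
        ctl=[root],
        crl={"Demo Root CA": [5, 9, 42], "Demo Intermediate CA": [3, 200, 250]},
        blacklist=[("Demo Intermediate CA", 300)],
        issuer_keys={"Demo Root CA": ROOT_KEY, "Demo Intermediate CA": INTER_KEY},
    )
    return verifier, [leaf, inter]


if __name__ == "__main__":
    v, chain = build_demo()
    print(v.verify(chain, now=1_650_000_000))   # (True, 'ok')
```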
It should be noted that the main service process can be understood with reference to the structural block diagram of the main service process shown in Figure 14. As shown in Figure 14, the main service process comprises: a certificate display module 1402, a white list management module 1404, a web server certificate storage module 1406 and a proxy setting module 14014. The certificate display module 1402 is responsible for displaying digital certificates. The white list management module 1404 manages the list of web servers that support the cryptographic algorithms of this embodiment. The web server certificate storage module 1406 manages the stored web server certificates. The proxy setting module 14014 is responsible for setting the proxy of the encryption subprocess module.
As for the device embodiment, since it is substantially similar to the method embodiment, its description is relatively simple; for the relevant details, refer to the description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the above description of a specific language is given to disclose the best mode of the present invention.
In the specification provided herein, numerous specific details are described. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the secure communication system according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a secure communication system, comprising: a browser client device, secure key storage hardware and a web server, wherein the web server is configured to perform security authentication with the browser client device through a handshake procedure, establish a secure channel after the security authentication passes, and transmit encrypted data in the secure channel; the browser client device is configured to perform security authentication with the web server through the handshake procedure, establish the secure channel after the security authentication passes, and transmit encrypted data in the secure channel, and is communicatively connected with the secure key storage hardware to obtain the user certificate needed in the security authentication process; the secure key storage hardware is configured to connect to the browser through an interface of a terminal and provide the user certificate needed in the security authentication process; and the browser client device comprises: a connection module, for automatically identifying and connecting secure key storage hardware inserted into an interface of the terminal where the browser client device is located; a read module, for reading and displaying the user certificates stored in the secure key storage hardware for the user to select from; an identity authentication module, for performing identity authentication on the user upon receiving the user's selection information for a user certificate; and a loading module, for loading the user certificate content corresponding to the selection information after the identity authentication passes.
A2, the system as described in A1, wherein the browser client device further comprises: a main service scheduling module, for starting, in the browser client, an encryption subprocess that communicates with the main service process, wherein the encryption subprocess serves as a connection proxy that converts a first encrypted channel into a second encrypted channel and forwards data; and an encryption subprocess module, for performing two-way digital certificate authentication with the web server through the handshake procedure.
A3, the system as described in A2, wherein the encryption subprocess module is configured to perform the following security authentication operations in sequence with the web server through the handshake procedure: encryption data negotiation, certificate authentication, key exchange and signature authentication.
A4, the system as described in A3, wherein the secure key storage hardware is specifically configured to establish a connection channel with the browser client device through an activation point and driver interface of the terminal; and the connection module of the browser client device is specifically configured, when two-way digital certificate authentication is performed, to have the encryption subprocess module associate the vendor ID and product ID of the secure key storage hardware with the corresponding activation point and driver interface, and to establish the connection channel with the secure key storage hardware through that activation point and driver interface.
A5, the system as described in A4, wherein the read module of the browser client device comprises: a reading submodule, for reading the user certificates stored in the secure key storage hardware through the connection channel; and a loading submodule, for popping up a certificate selection dialog box and loading the user certificates into the certificate selection dialog box to prompt the user to select a user certificate.
A6, the system as described in A5, wherein the read module of the browser client device further comprises: an identification submodule, for performing certificate site identification on the user certificates stored in the secure key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website; and the loading submodule is specifically configured to pop up the certificate selection dialog box and display the user certificates in the certificate selection dialog box indexed by certificate website.
A7, the system as described in A3, wherein the secure key storage hardware is specifically configured to provide stored applications to the browser client device, each application comprising containers and the user certificates stored in the containers; and the reading submodule is specifically configured to read the applications stored in the secure key storage hardware through the connection channel and display them for the user to select from, to open the application selected by the user, and to load the containers under the selected application and the user certificates stored in the containers.
A8, the system as described in A1, wherein the identity authentication module is specifically configured, upon receiving the user's selection information for a user certificate, to pop up a PIN input box, receive the PIN entered by the user through the PIN input box, and perform identity authentication on the user according to the entered PIN.
A9, the system as described in A8, wherein the identity authentication module is further configured, when the identity authentication fails, to display a password error in the PIN input box, prompt the user to re-enter the PIN, and perform identity authentication according to the re-entered PIN.
A10, the system as described in A9, wherein the identity authentication module is further configured to set a maximum number of input attempts for the PIN input box, and, when the number of PIN entries made by the user in the PIN input box reaches the maximum, to close the PIN input box and disconnect the connection with the secure key storage hardware.
A11, the system as described in A1, wherein the loading module is specifically configured, after the identity authentication passes, to obtain the authentication information in the user certificate and load it into a certificate viewer; and the encryption subprocess module is configured to start the certificate viewer according to a trigger instruction and display the authentication information of the user certificate in the certificate viewer.
A12, the system as described in A11, wherein the encryption subprocess module is configured to provide a General tab and a Details tab in the certificate viewer, to display the general information of the user certificate corresponding to the selection information in the General tab, and to display the details of that user certificate in the Details tab.
A13, the system as described in A3, wherein the encryption subprocess module is further configured to determine whether a certificate authentication request message sent by the web server has been received during the handshake procedure; and the connection module of the browser client device is further configured, when the encryption subprocess module receives the certificate authentication request message sent by the web server, to monitor whether secure key storage hardware is inserted into an interface of the terminal where the browser client is located, and, when insertion of secure key storage hardware is detected, to automatically identify and connect the secure key storage hardware inserted into the interface of that terminal.
A14, the system as described in A2, wherein the encryption subprocess module is further configured to disconnect the connection with the secure key storage hardware after the loading module has loaded the user certificate content corresponding to the selection information.

Claims (10)

1. a safe communication system, comprising: browser clients end device, secure key storage hardware and the webserver,
The described webserver, for carrying out safety certification by handshake procedure and described browser clients end device, and safety certification by after set up escape way, transmitting encrypted data in described escape way;
Described browser clients end device, for carrying out safety certification by handshake procedure and the described webserver, and safety certification by after set up escape way, transmitting encrypted data in described escape way; And with described secure key storage signal wiring, obtain the user certificate needed in safety certification process;
Described secure key storage hardware, for connecting described browser by the interface of terminal, provides the user certificate needed in safety certification process;
Described browser clients end device, comprising:
Link block, for automatically identify and connect described browser clients end device place terminal interface insert secure key storage hardware;
Read module, selects for user for reading and showing the user certificate stored in described secure key storage hardware;
Authentication module, for when receiving the selection information of user to described user certificate, carries out authentication to user;
Load-on module, after passing through, loads the user certificate content that described selection information is corresponding for described authentication.
2. system according to claim 1, is characterized in that, described browser clients end device, also comprises:
Main business scheduler module, for starting the encryption subprocess carrying out with main business process communicating in browser client, wherein, described encryption subprocess is used for realizing the conversion of the first encrypted tunnel to the second encrypted tunnel as Connection Proxy, and data retransmission;
Encryption subprocess module, for carrying out digital certificate two-way authentication by handshake procedure and the described webserver.
3. system according to claim 2, is characterized in that,
Described encryption subprocess module, for performing following security authentication operation successively by handshake procedure and the described webserver: enciphered data is consulted, certificate verification, cipher key change and signature authentication.
4. system according to claim 3, is characterized in that:
Described secure key storage hardware, specifically for by the activation point of described terminal with drive interface and browser clients end device to connect passage;
The link block of described browser clients end device, specifically for when carrying out the two-way authentication of digital certificate, described encryption subprocess module is associated with corresponding activation point by the vendor ID of described secure key storage hardware and production code member and drives interface; By described activation point with drive interface and described secure key storage hardware to connect passage.
5. The system according to claim 4, wherein the reading module of the browser client device comprises:
a reading submodule, configured to read, through the connection channel, the user certificates stored in the secure key storage hardware; and
a loading submodule, configured to pop up a certificate selection dialog box and load the user certificates into the certificate selection dialog box to prompt the user to select a user certificate.
6. The system according to claim 5, wherein the reading module of the browser client device further comprises:
a recognition submodule, configured, after the user certificates stored in the secure key storage hardware have been read through the connection channel, to perform certificate-website recognition on those user certificates and classify them by certificate website; and
the loading submodule is specifically configured to pop up the certificate selection dialog box and display the user certificates in the dialog box indexed by certificate website.
7. The system according to claim 3, wherein:
the secure key storage hardware is configured to provide storage applications for the browser client device, each application comprising a container and the user certificate stored in that container; and
the reading submodule is specifically configured to read, through the connection channel, the applications stored in the secure key storage hardware and display them for the user to select; and to open the application selected by the user and load the container under that application and the user certificate stored in the container.
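An added example, not part of the patent text or the applicant's code, covering claims 6 and 7 together: the token's application/container/certificate layout is flattened into records, and the records are classified by certificate website for the selection dialog. The certificates are constructed records rather than parsed X.509, and the issuer-to-website table, the application names and the dates are all assumptions; the check a practitioner would add is also shown, namely that certificates from unrecognised issuers or past their expiry are set aside rather than offered for selection.

```python
# Added example (not from the patent): grouping the user certificates read
# from the token by certificate website (claim 6) and walking the
# application -> container -> certificate layout (claim 7). Certificates are
# constructed records, not parsed X.509; ISSUER_TO_SITE, TOKEN_APPS and every
# name below are assumptions made for illustration.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: which online-banking site each issuing CA belongs to. This is
# the "certificate website recognition" input; a real client would derive it
# from the issuer DN or a configured CA list.
ISSUER_TO_SITE = {
    "Example Bank CA": "ebank.example-bank.test",
    "Sample Credit Union CA": "online.sample-cu.test",
}

# Constructed token contents: application -> container -> certificate record.
TOKEN_APPS = {
    "ExampleBankApp": {
        "cont1": {"subject": "CN=Alice", "issuer": "Example Bank CA",
                  "not_after": "2030-01-01T00:00:00+00:00"},
    },
    "SampleCUApp": {
        "cont1": {"subject": "CN=Alice", "issuer": "Sample Credit Union CA",
                  "not_after": "2020-01-01T00:00:00+00:00"},   # expired
        "cont2": {"subject": "CN=Alice", "issuer": "Unknown CA",
                  "not_after": "2030-01-01T00:00:00+00:00"},   # unknown issuer
    },
}


def read_applications(token_apps):
    """Flatten application/container/certificate into a list of records,
    keeping the application and container names so the chosen certificate
    can be opened again on the token."""
    certs = []
    for app, containers in token_apps.items():
        for container, cert in containers.items():
            certs.append(dict(cert, application=app, container=container))
    return certs


def classify_by_site(certs, now_iso=None):
    """Group by certificate website. Returns (by_site, rejected); certificates
    with an unrecognised issuer or past expiry go to rejected with a reason."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    by_site = defaultdict(list)
    rejected = []
    for c in certs:
        site = ISSUER_TO_SITE.get(c["issuer"])
        expires = datetime.fromisoformat(c["not_after"])
        if site is None:
            rejected.append((c, "issuer not recognised"))
        elif expires <= now:
            rejected.append((c, "expired"))
        else:
            by_site[site].append(c)
    return dict(by_site), rejected


def certificates_for_site(site, token_apps=TOKEN_APPS, now_iso=None):
    """What the selection dialog would list under one website index."""
    by_site, _ = classify_by_site(read_applications(token_apps), now_iso)
    return by_site.get(site, [])
```

Indexing the dialog by website, rather than by the certificate's subject, is what stops a user from picking a valid-looking certificate that was issued for a different site; the rejection reasons are what the dialog should show instead of a silently shorter list.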
8. The system according to claim 1, wherein:
the identity authentication module is specifically configured, upon receiving the user's selection information for the user certificate, to pop up a personal identification number (PIN) input box, receive the PIN entered by the user through the PIN input box, and perform identity authentication of the user according to the entered PIN.
9. The system according to claim 8, wherein:
the identity authentication module is further configured, when the identity authentication does not pass, to display a PIN error prompt and ask the user to re-enter the PIN in the PIN input box, and to perform identity authentication according to the re-entered PIN.
10. The system according to claim 9, wherein:
the identity authentication module is further configured to set a maximum number of input attempts for the PIN input box and, when the number of PINs entered by the user in the PIN input box reaches that maximum, to close the PIN input box and disconnect the connection with the secure key storage hardware.
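An added example, not part of the patent text or the applicant's code, of the PIN flow in claims 8 to 10: wrong PIN prompts a retry, the configured maximum closes the box and drops the hardware connection. The Token class is a constructed stand-in for the secure key storage hardware and the class and method names are assumptions; the caveat it demonstrates is that the attempt limit the dialog enforces is a usability measure, while the counter that actually protects the key must live on the device, so the dialog never offers more attempts than the device will accept.

```python
# Added example (not from the patent): the PIN entry flow of claims 8-10.
# Token is a constructed stand-in for the secure key storage hardware; the
# property the example relies on is that the retry counter lives on the
# device, so the client-side limit is not the only line of defence.
# Class and method names are assumptions.
import hmac


class TokenLocked(Exception):
    pass


class Token:
    """Constructed stand-in for the key hardware: it verifies the PIN itself
    and keeps its own retry counter, which a modified client cannot reset."""

    def __init__(self, pin, max_retries=3):
        self._pin = pin.encode()
        self.max_retries = max_retries
        self.retries_left = max_retries
        self.connected = True
        self.unlocked = False

    def verify_pin(self, pin):
        if not self.connected:
            raise ConnectionError("token disconnected")
        if self.retries_left == 0:
            raise TokenLocked("PIN retry counter exhausted")
        if hmac.compare_digest(self._pin, pin.encode()):
            self.retries_left = self.max_retries  # success resets the counter
            self.unlocked = True
            return True
        self.retries_left -= 1
        return False

    def disconnect(self):
        self.connected = False
        self.unlocked = False


class PinDialog:
    """The identity authentication module's PIN input box."""

    def __init__(self, token, max_inputs=3):
        self.token = token
        # Never offer more attempts than the device will actually accept.
        self.max_inputs = min(max_inputs, token.retries_left)
        self.attempts = 0
        self.is_open = True
        self.last_message = ""

    def submit(self, pin):
        """Returns 'authenticated', 'retry' or 'disconnected'."""
        if not self.is_open:
            raise RuntimeError("PIN input box is closed")
        self.attempts += 1
        try:
            ok = self.token.verify_pin(pin)
        except TokenLocked:
            ok = False
            self.attempts = self.max_inputs  # the device refuses; stop now
        if ok:
            self.is_open = False
            self.last_message = "PIN accepted"
            return "authenticated"
        if self.attempts >= self.max_inputs:
            # Claim 10: close the box and drop the hardware connection.
            self.is_open = False
            self.token.disconnect()
            self.last_message = "maximum PIN attempts reached; token disconnected"
            return "disconnected"
        # Claim 9: show the error and ask the user to re-enter.
        self.last_message = (f"PIN incorrect, {self.max_inputs - self.attempts} "
                             "attempt(s) left; please re-enter")
        return "retry"
```

Disconnecting the hardware at the limit (claim 10) also serves a second purpose: it forces a fresh enumeration and binding before any further attempt, so a page cannot keep a half-authenticated session open against the token.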
CN201410851101.XA 2014-12-30 2014-12-30 Safe communication system Expired - Fee Related CN104618108B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410851101.XA CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system
PCT/CN2015/094850 WO2016107321A1 (en) 2014-12-30 2015-11-17 Secure communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410851101.XA CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system

Publications (2)

Publication Number Publication Date
CN104618108A true CN104618108A (en) 2015-05-13
CN104618108B CN104618108B (en) 2018-07-27

Family

ID=53152402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410851101.XA Expired - Fee Related CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system

Country Status (2)

Country Link
CN (1) CN104618108B (en)
WO (1) WO2016107321A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016107321A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Secure communication system
CN106127016A (en) * 2016-07-18 2016-11-16 浪潮集团有限公司 A kind of operating system user logs in system and the implementation method of authentic authentication
CN107784223A (en) * 2016-08-26 2018-03-09 西门子瑞士有限公司 For the computer installation for the instrument being transferred to certificate in equipment
CN108111469A (en) * 2016-11-24 2018-06-01 阿里巴巴集团控股有限公司 A kind of method and apparatus for establishing escape way in the cluster
CN108205616A (en) * 2016-12-16 2018-06-26 北京小米移动软件有限公司 Identity information method of calibration and device
CN109274663A (en) * 2018-09-07 2019-01-25 西安莫贝克半导体科技有限公司 Communication means based on SM2 dynamic key exchange and SM4 data encryption
CN111159684A (en) * 2019-12-31 2020-05-15 郑州信大捷安信息技术股份有限公司 Safety protection system and method based on browser
CN111464317A (en) * 2020-04-14 2020-07-28 淮北师范大学 Cryptographic operation method and device based on digital certificate
CN112149097A (en) * 2020-09-22 2020-12-29 龙芯中科(合肥)技术有限公司 Identity authentication method, device, equipment and storage medium

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110838917B (en) * 2019-10-16 2022-03-18 郑州地铁集团有限公司 Subway comprehensive monitoring system based on SM9 password authentication
CN111327634B (en) * 2020-03-09 2023-02-03 深信服科技股份有限公司 Website access supervision method, secure socket layer agent device, terminal and system
CN111901301B (en) * 2020-06-24 2023-08-08 乾讯信息技术(无锡)有限公司 Security protection method based on network multimedia equipment data transmission
CN112401477A (en) * 2020-09-01 2021-02-26 深圳中时利和科技有限公司 Electronic information intelligent management device based on computer and use method
CN115085949A (en) * 2021-03-10 2022-09-20 航天信息股份有限公司 Data communication method and device based on national secret SSL transparent proxy
CN113992702B (en) * 2021-09-16 2023-11-03 深圳市证通电子股份有限公司 Ceph distributed file system storage state password reinforcement method and system
CN114357423A (en) * 2021-12-20 2022-04-15 国家电网有限公司 Data security management system based on transparent encryption, computer equipment and terminal
CN114760143A (en) * 2022-04-26 2022-07-15 中国邮政储蓄银行股份有限公司 Decryption method, decryption device and decryption system for communication data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030014629A1 (en) * 2001-07-16 2003-01-16 Zuccherato Robert J. Root certificate management system and method
CN2667807Y (en) * 2004-01-08 2004-12-29 中国工商银行 Network bank with device for encrypting and idetificating utilizing USB key
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN101587458A (en) * 2009-06-30 2009-11-25 北京握奇数据系统有限公司 Operation method and device for intelligent storing card
CN102882857A (en) * 2012-09-10 2013-01-16 福建伊时代信息科技股份有限公司 Client side device, encryption storage device, and remote access method and system
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674304B (en) * 2009-10-15 2013-07-10 浙江师范大学 Network identity authentication system and method
CN103391197B (en) * 2013-07-19 2016-06-08 武汉大学 A kind of web identity authentication based on handset token and NFC technique
CN104184743B (en) * 2014-09-10 2017-06-16 西安电子科技大学 Towards three layers of Verification System and authentication method of cloud computing platform
CN104573554A (en) * 2014-12-30 2015-04-29 北京奇虎科技有限公司 Method for loading safety key storage hardware and browser client device
CN104618108B (en) * 2014-12-30 2018-07-27 北京奇虎科技有限公司 Safe communication system
CN104580189B (en) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 A kind of safe communication system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030014629A1 (en) * 2001-07-16 2003-01-16 Zuccherato Robert J. Root certificate management system and method
CN2667807Y (en) * 2004-01-08 2004-12-29 中国工商银行 Network bank with device for encrypting and idetificating utilizing USB key
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN101587458A (en) * 2009-06-30 2009-11-25 北京握奇数据系统有限公司 Operation method and device for intelligent storing card
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser
CN102882857A (en) * 2012-09-10 2013-01-16 福建伊时代信息科技股份有限公司 Client side device, encryption storage device, and remote access method and system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016107321A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Secure communication system
CN106127016A (en) * 2016-07-18 2016-11-16 浪潮集团有限公司 A kind of operating system user logs in system and the implementation method of authentic authentication
CN106127016B (en) * 2016-07-18 2018-08-17 浪潮集团有限公司 A kind of operating system user logs in the system and implementation method of authentic authentication
CN107784223A (en) * 2016-08-26 2018-03-09 西门子瑞士有限公司 For the computer installation for the instrument being transferred to certificate in equipment
CN108111469B (en) * 2016-11-24 2020-06-02 阿里巴巴集团控股有限公司 Method and device for establishing security channel in cluster
CN108111469A (en) * 2016-11-24 2018-06-01 阿里巴巴集团控股有限公司 A kind of method and apparatus for establishing escape way in the cluster
CN108205616A (en) * 2016-12-16 2018-06-26 北京小米移动软件有限公司 Identity information method of calibration and device
CN109274663A (en) * 2018-09-07 2019-01-25 西安莫贝克半导体科技有限公司 Communication means based on SM2 dynamic key exchange and SM4 data encryption
CN111159684A (en) * 2019-12-31 2020-05-15 郑州信大捷安信息技术股份有限公司 Safety protection system and method based on browser
CN111464317A (en) * 2020-04-14 2020-07-28 淮北师范大学 Cryptographic operation method and device based on digital certificate
CN111464317B (en) * 2020-04-14 2022-08-19 淮北师范大学 Digital certificate-based cryptography operation method
CN112149097A (en) * 2020-09-22 2020-12-29 龙芯中科(合肥)技术有限公司 Identity authentication method, device, equipment and storage medium
CN112149097B (en) * 2020-09-22 2023-02-28 龙芯中科(合肥)技术有限公司 Identity authentication method, device, equipment and storage medium

Also Published As

Publication number Publication date
WO2016107321A1 (en) 2016-07-07
CN104618108B (en) 2018-07-27

Similar Documents

Publication Publication Date Title
CN104573554A (en) Method for loading safety key storage hardware and browser client device
CN104618108A (en) Safety communication system
CN104639534B (en) The loading method and browser device of web portal security information
CN104580189B (en) A kind of safe communication system
CN104580190B (en) The implementation method and secure browser device of secure browser
CN108901022B (en) Micro-service unified authentication method and gateway
CN106533689B (en) A kind of method and apparatus of the load digital certificates in SSL/TLS communication
CN108512846B (en) Bidirectional authentication method and device between terminal and server
CN102201915B (en) Terminal authentication method and device based on single sign-on
US9565180B2 (en) Exchange of digital certificates in a client-proxy-server network configuration
US20030177392A1 (en) Secure user authentication over a communication network
KR101744747B1 (en) Mobile terminal, terminal and method for authentication using security cookie
CN107800675A (en) A kind of data transmission method, terminal and server
US9398024B2 (en) System and method for reliably authenticating an appliance
CN111131416A (en) Business service providing method and device, storage medium and electronic device
AU2020336124A1 (en) Decentralized techniques for verification of data in transport layer security and other contexts
CN102694782A (en) Internet-based device and method for security information interaction
CN114553590A (en) Data transmission method and related equipment
CN109218334A (en) Data processing method, device, access control equipment, certificate server and system
CN113411187A (en) Identity authentication method and system, storage medium and processor
CN107566393A (en) A kind of dynamic rights checking system and method based on trust certificate
CN110166471A (en) A kind of portal authentication method and device
CN109302425A (en) Identity identifying method and terminal device
Chikomo et al. Security of mobile banking
EP2741461A1 (en) Method of allowing communication between a secure element and a server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180727

Termination date: 20211230