CN104618108B - Safe communication system - Google Patents
- Publication number: CN104618108B (application number CN201410851101.XA)
- Authority: CN (China)
- Prior art keywords
- certificate
- user
- security key
- key storage
- storage hardware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H04L9/40: Network security protocols (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
- G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60: Protecting data)
- H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (under H04L9/00 as above)
Abstract
The present invention provides a secure communication system comprising a browser client device, security key storage hardware and a network server. The browser client device comprises a connection module, a read module, an authentication module and a loading module. The content of the user certificate stored in the security key storage hardware is loaded only once the user's identity has been confirmed, which prevents that certificate from being leaked and improves the security of loading the security key storage hardware.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a secure communication system.
Background art
With the continuing development of network technology, more and more users obtain information by accessing web pages through a browser and perform all kinds of operations there. A browser is software that can display the content of HTML (HyperText Markup Language) files served by a web server or held in a file system, and that lets the user interact with those files: shopping on a shopping site, watching video on a video site, carrying out financial business on a bank's site, playing games on a gaming site, and so on. For the page requests of different websites the browser performs different access operations in order to reach the requested page. When accessing some websites, such as bank websites, the Alipay website and other sites that involve financial business, security key storage hardware has to be loaded. Loading that hardware, however, carries the risk that the information stored in it is leaked, and the security of the loading step cannot be guaranteed; this obstructs access to websites that involve financial business.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a secure communication system that overcomes, or at least partly solves, the problems stated above.
According to one aspect of the present invention, a secure communication system is provided that comprises a browser client device, security key storage hardware and a network server. The network server performs security authentication with the browser client device through a handshake procedure, establishes a secure channel once the authentication has passed, and transmits encrypted data in that secure channel. The browser client device performs security authentication with the network server through the handshake procedure, establishes the secure channel once the authentication has passed, transmits encrypted data in it, and connects to the security key storage hardware to obtain the user certificate needed during the authentication. The security key storage hardware connects to the browser through a terminal interface and provides the user certificate needed during the authentication. The browser client device comprises: a connection module, which automatically identifies and connects the security key storage hardware inserted into the interface of the terminal on which the browser client device runs; a read module, which reads and displays the user certificates stored in the security key storage hardware so that the user can select one; an authentication module, which verifies the user's identity when the user's selection of a user certificate is received; and a loading module, which loads the content of the selected user certificate after the identity verification has passed.
When the secure communication system according to the present invention loads a user certificate stored in security key storage hardware, it first verifies the user's identity and loads the content of the stored user certificate only once that verification has passed and the user's identity is confirmed. This addresses the information leakage and security risks that exist while security key storage hardware is being loaded: the user certificate stored in the hardware is prevented from being leaked, and the security of loading the security key storage hardware is improved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more readily apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method of loading security key storage hardware according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method of loading security key storage hardware according to another embodiment of the invention;
Fig. 3 shows a schematic diagram of the proxy mechanism of the encryption subprocess according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the handshake procedure between the encryption subprocess and the network server according to an embodiment of the invention;
Fig. 5 shows a schematic diagram of the browser client prompting the user to insert the USBKey according to an embodiment of the invention;
Fig. 6 shows a schematic diagram of the certificate selection dialog box popped up in the browser client according to an embodiment of the invention;
Fig. 7 shows a schematic diagram of the browser client prompting the user to enter the protection password according to an embodiment of the invention;
Fig. 8A shows a schematic diagram of the general information of a user certificate loaded in the browser client according to an embodiment of the invention;
Fig. 8B shows a schematic diagram of the detailed information of a user certificate loaded in the browser client according to an embodiment of the invention;
Fig. 9 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 10 shows a structural block diagram of a browser client device according to an embodiment of the invention;
Fig. 11 shows an alternative structural block diagram of a browser client device according to an embodiment of the invention;
Fig. 12A shows a first structural block diagram of the read module according to an embodiment of the invention;
Fig. 12B shows a second structural block diagram of the read module according to an embodiment of the invention;
Fig. 13 shows a structural block diagram of the encryption subprocess according to an embodiment of the invention; and
Fig. 14 shows a structural block diagram of the main business process according to an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention is understood more thoroughly and so that the scope of the disclosure is conveyed completely to those skilled in the art.
Embodiment one:
Referring to Fig. 1, a flow chart of the steps of a method of loading security key storage hardware according to an embodiment of the invention is shown. The method may specifically comprise the following steps:
Step 102: automatically identify and connect the security key storage hardware inserted into the interface of the terminal on which the browser client runs.
When a user logs in to an online payment platform such as online banking or Alipay with the browser client, the user must insert security key storage hardware in order to secure the data transmission. That is, when the user enters the address of such a website in the address bar of the browser client to request the corresponding page, the browser client prompts the user to insert the security key storage hardware. The address received in the address bar may have been typed directly by the user or entered after the user clicked a search result; this embodiment does not limit this.
The security key storage hardware, i.e. the USBKey, stores a user certificate which the user can select. Note that one security key storage hardware usually stores one user certificate, and each major bank has its own security key storage hardware. For example, the security key storage hardware of Bank of Beijing's online banking stores a user certificate issued by Bank of Beijing, and that of China Construction Bank's online banking stores a user certificate issued by China Construction Bank.
Note also that the security key storage hardware is usually built in a form that mates with a USB interface, so that it can be plugged into a terminal such as a computer through a USB port. After the security key storage hardware has been inserted into the terminal through the USB interface, the browser client in this embodiment automatically identifies it among the devices plugged into the terminal's interfaces and distinguishes it from other USB hardware. Once it has identified that security key storage hardware has been inserted, it establishes a connection with the hardware automatically. Establishing a connection here means downloading a driver and setting up a communication connection with the security key storage hardware through which the stored user certificate can be read; it is not limited to the physical connection.
Step 104: the browser client reads and displays the user certificate stored in the security key storage hardware for the user to select.
After the browser client has established a communication connection with the security key storage hardware, it can read the user certificate stored there and display it for the user to select. In a specific implementation the browser client may display the user certificate in a pop-up window or in some other way; this embodiment does not limit the display mode, as long as the user certificate is shown so that the user can see it and conveniently select it.
Step 106: when the browser client receives the user's selection of a user certificate, it verifies the user's identity.
The reason the browser client needs to identify the security key storage hardware automatically is that security verification is required when accessing a payment platform such as online banking. In this embodiment, specifically, the user's identity must be verified: after the user selects a user certificate, identity verification is carried out. Note that although the identity verification is performed by the browser client, it is in fact the bank's network server that requires the user's identity to be verified in order to confirm who the user is.
Note that in this embodiment the identity verification may be carried out in various ways. For the online banking login scenario, the user may be asked to enter the bank card password or the separate online banking password, and that input is used to verify the user's identity. Because the bank's network server stores the identity information set by the user, such as the bank card password or the separate online banking password, the browser client can send the identity information entered by the user, for example the bank card password, to the network server to be matched against the stored user identity information: if it matches, the user's identity verification passes; if not, the identity verification fails. Note that the identity information entered by the user may be the bank card password mentioned above, a protection password, the user's ID card number or any other information that can represent the user's identity. This embodiment limits neither the specific content of the identity information nor the specific verification procedure, as long as the user's identity can be confirmed.
Step 108: after the identity verification has passed, load the content of the user certificate corresponding to the selection.
Once the identity verification has passed, the browser client can be confident that the user is legitimate rather than a malicious attacker such as a hacker, and at that point it loads the specific content of the user certificate corresponding to the selection. The user certificate displayed in step 104 is shown only so that the user can select it, so what is displayed in step 104 is not the specific content of the user certificate; it may be only the name of the certificate. Only after the identity verification has passed and the browser client has confirmed that the user is legitimate does it load the specific content of the selected user certificate.
In summary, when the browser client of this embodiment loads security key storage hardware it first automatically identifies and connects the security key storage hardware inserted into the interface of the terminal on which it runs; it then reads and displays the user certificate stored there for the user to select; when it receives the user's selection of a user certificate it verifies the user's identity; and finally, after the identity verification has passed, it loads the content of the selected user certificate. Because the user's identity is verified first, and the content of the user certificate stored in the security key storage hardware is loaded only when that verification passes and the identity is confirmed, the user certificate stored in the hardware is prevented from being leaked and the security of loading the security key storage hardware is improved.
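The four steps of Embodiment one, modelled end to end in Python as an added example; this is not code from the patent or from any bank's USBKey middleware. The USB vendor/product IDs, the certificate records and the PBKDF2-based PIN check are constructed assumptions: on real hardware the PIN comparison and the retry counter live on the token, here they are simulated in software. What the model makes concrete is the gating the text describes: step 104 exposes only certificate names, and `load_certificate` refuses to release content until `verify_pin` has succeeded, with a lockout after three wrong PINs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical vendor/product IDs for two banks' USBKeys (constructed sample data).
KNOWN_USBKEY_IDS = {(0x1234, 0x0001): "Bank of Beijing USBKey",
                    (0x1234, 0x0002): "China Construction Bank USBKey"}


@dataclass(frozen=True)
class Certificate:
    name: str      # what the read module shows in step 104
    subject: str   # detailed content, released only in step 108
    der: bytes     # constructed placeholder bytes, not a real certificate


class KeyLocked(Exception):
    pass


class NotAuthenticated(Exception):
    pass


class UsbKey:
    """Model of the security key storage hardware: certificate content is gated
    behind PIN verification with a retry counter, as a real token enforces on-chip.
    The PIN check here is software PBKDF2 (an assumption of this model)."""
    MAX_ATTEMPTS = 3

    def __init__(self, ids: Tuple[int, int], pin: str, certs: List[Certificate]):
        self.ids = ids
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._derive(pin)
        self._certs: Dict[str, Certificate] = {c.name: c for c in certs}
        self._attempts_left = self.MAX_ATTEMPTS
        self._authenticated = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def list_certificates(self) -> List[str]:
        # Step 104: names only; no certificate content leaves the key yet.
        return sorted(self._certs)

    def verify_pin(self, pin: str) -> bool:
        # Step 106: identity verification; locked after MAX_ATTEMPTS failures.
        if self._attempts_left == 0:
            raise KeyLocked("retry counter exhausted")
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._authenticated = True
            self._attempts_left = self.MAX_ATTEMPTS
            return True
        self._attempts_left -= 1
        if self._attempts_left == 0:
            raise KeyLocked("retry counter exhausted")
        return False

    def load_certificate(self, name: str) -> Certificate:
        # Step 108: content is released only after a successful verification.
        if not self._authenticated:
            raise NotAuthenticated("verify the PIN before loading certificate content")
        return self._certs[name]


def detect_usbkey(plugged_devices: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Step 102: pick the USBKey(s) out of everything plugged into the terminal."""
    return [ids for ids in plugged_devices if ids in KNOWN_USBKEY_IDS]


def load_certificate_flow(key: UsbKey, choose: Callable[[List[str]], str],
                          ask_pin: Callable[[], str]) -> Certificate:
    """Steps 104-108: show names, take the selection, verify identity, then load."""
    names = key.list_certificates()
    selected = choose(names)
    if selected not in names:
        raise ValueError("selection is not a certificate on this key")
    while not key.verify_pin(ask_pin()):   # KeyLocked propagates after the last try
        pass
    return key.load_certificate(selected)
```

The `choose` and `ask_pin` callbacks stand in for the selection dialog (Fig. 6) and the protection password prompt (Fig. 7); the PIN itself is never stored by the flow, only compared on the key object.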
Embodiment two:
Building on the above embodiment, this embodiment continues the method of loading security key storage hardware.
Referring to Fig. 2, a flow chart of the steps of a method of loading security key storage hardware according to an embodiment of the invention is shown. The method may specifically comprise the following steps:
Step 202: in the browser client, start an encryption subprocess that communicates with the main business process, where the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them.
Some websites, such as bank websites, the Alipay website and other websites that involve financial business, require data to be transmitted in encrypted form over an HTTP (Hypertext Transfer Protocol) channel that has security as its goal. The browser's main business process and the network server, however, sometimes use different cryptographic protocols or algorithms, so the two cannot communicate directly and the pages of that network server cannot be accessed.
This embodiment provides a secure browser client in which an encryption subprocess that communicates with the browser's main business process is additionally provided. To realise the secure browser, the encryption subprocess that communicates with the browser's main business process must first be started in the browser client. The encryption subprocess acts mainly as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data. With the encryption subprocess as the proxy of the main business process, encrypted secure communication can take place with the browser's main business process and, at the same time, encrypted secure communication with the network server: for example, the business data of the browser's main business process is sent over the first encrypted channel to the encryption subprocess, which transfers it over the second encrypted channel to the network server, thereby realising data forwarding and the joining of the two encrypted channels.
Note that under normal conditions the browser's main business process communicates directly with the network server. When communication is to take place over an HTTP channel that has security as its goal, and the main business process cannot parse the data the network server returns, the encryption subprocess is started as the connection proxy, that is, as the proxy between the main business process and the network server. In this embodiment the first encrypted channel is the secure communication channel between the browser's main business process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess therefore acts as the connection proxy between the main business process and the network server by converting the first encrypted channel (between itself and the main business process) into the second encrypted channel (between itself and the network server). Business data sent by the main business process to the encryption subprocess over the first encrypted channel is sent by the encryption subprocess to the network server over the second encrypted channel. Specifically, the data communicated over the second encrypted channel may be business data encrypted with the symmetric encryption algorithm SM4.
In this embodiment the browser's main business process communicates with the encryption subprocess in two ways, proxying and IPC: the encryption subprocess acts as the connection proxy, responsible for converting the first encrypted channel with the browser's main business process into the second encrypted channel with the network server and for forwarding data, while IPC is used for data transfer between the two processes. The proxy mechanism of the encryption subprocess in this embodiment is shown in Fig. 3 and may specifically comprise the following structure:
Main thread: reads the various configurations and creates the listening thread, the business threads and the IPC channel to the browser's main process.
Listening thread: listens on the service port; when a connection request from the main business process arrives and is accepted successfully, it carries out the corresponding proxy operation.
Business processing thread: establishes and maintains the respective encrypted channel connection with each of the two ends, the main business process and the network server, and exchanges data between the two ends as a bridge.
The detailed flow of the business processing thread is as follows: (1) receive the proxied data, specifically the HTTP request data of the proxied connection; (2) set up an SSL connection with the network server, which comprises establishing the SSL connection, SSL protocol negotiation, algorithm negotiation and client certificate verification (CRL checking or OCSP); (3) interact with the web server, specifically send the proxied connection's HTTP request data to the web server over the SM-cipher SSL channel and obtain the web server's HTTP response; (4) return the web server's data to the proxied connection, that is, hand the network server's HTTP response to the proxied connection; (5) close the connection. If an error occurs in the business processing flow, the connection is closed and an error page is returned to the proxied connection. Note that the second symmetric algorithm may specifically be a national commercial cryptographic (SM) algorithm.
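The listening thread and the business processing thread above, as an added Python example; this is not the patent's code nor that of any browser. `bridge` carries out steps (1) to (5) for one proxied connection and returns the error page on any failure, and `serve` is the listening thread. It binds to the loopback address only, because a local proxy reachable from other hosts would let them send requests over the user's authenticated channel. The second encrypted channel is built with Python's `ssl` module, which speaks standard TLS rather than the SM-cipher SSL variant the page describes, so `make_tls_connector` and its file paths are assumptions. HTTP parsing is limited to Content-Length bodies.

```python
import socket
import ssl
import threading
from typing import Callable, Optional

# Error page handed back to the proxied (agent) connection on any failure (step 5).
ERROR_PAGE = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 17\r\nConnection: close\r\n\r\nproxy error page\n")


def recv_http_message(sock: socket.socket) -> Optional[bytes]:
    """Read one HTTP message: the header block plus a Content-Length body.
    Chunked transfer encoding is deliberately not supported by this example."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body[:length]


def make_tls_connector(host: str, port: int, cafile: str,
                       certfile: str, keyfile: str) -> Callable[[], socket.socket]:
    """Second encrypted channel: a mutually authenticated TLS connection (assumed
    paths; the user certificate would come from the USBKey in the real client)."""
    ctx = ssl.create_default_context(cafile=cafile)   # server cert must chain to cafile
    ctx.load_cert_chain(certfile, keyfile)            # client (user) certificate

    def connect() -> socket.socket:
        raw = socket.create_connection((host, port), timeout=10)
        return ctx.wrap_socket(raw, server_hostname=host)   # hostname check + handshake
    return connect


def bridge(agent_conn: socket.socket, connect_server: Callable[[], socket.socket]) -> bool:
    """Business processing thread, steps (1)-(5). Returns True on success,
    False if the error page was sent instead."""
    server = None
    try:
        request = recv_http_message(agent_conn)            # (1) proxied request
        if request is None:
            raise ConnectionError("agent closed before sending a request")
        server = connect_server()                          # (2) SSL connection + auth
        server.sendall(request)                            # (3) forward over channel 2
        response = recv_http_message(server)
        if response is None:
            raise ConnectionError("empty response from server")
        agent_conn.sendall(response)                       # (4) hand back to agent
        return True
    except (OSError, ValueError):                          # ssl.SSLError is an OSError
        try:
            agent_conn.sendall(ERROR_PAGE)                 # (5) error path
        except OSError:
            pass
        return False
    finally:
        for s in (server, agent_conn):                     # (5) close both ends
            if s is not None:
                s.close()


def serve(connect_server: Callable[[], socket.socket], port: int = 0) -> socket.socket:
    """Listening thread: loopback only, one bridge thread per accepted agent."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return                                     # listener closed by main thread
            threading.Thread(target=bridge, args=(conn, connect_server), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener
```

In use, the main thread would call `serve(make_tls_connector("bank.example", 443, "ca.pem", "user.crt", "user.key"))` and pass the returned listener's port to the main business process over IPC. Catching only `OSError` and `ValueError` keeps a programming error visible instead of turning it into a 502.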
Note that using SSL as the security technique for network application authentication and data security has been widely accepted: the mainstream browsers and network servers have built-in SSL modules, and dedicated SSL hardware products are also in wide use. Current SSL products, however, all have certain limitations:
(1) Current SSL products generally use a single-certificate mechanism, whereas the double-certificate mechanism is the prevailing model for building PKI (Public Key Infrastructure) systems today. This embodiment uses a signing certificate for identity authentication and an encryption certificate for key exchange and protection, making full use of the asymmetric-key advantages of PKI technology.
(2) Current SSL products generally use symmetric algorithms published abroad, which do not meet the applicable security requirements and carry a certain risk. The symmetric algorithm of the cryptographic product in this embodiment is SM1 or SM4.
(3) The asymmetric certificate algorithm currently in use is RSA, whereas elliptic curve cryptography (ECC), used in this embodiment, is a public-key cryptosystem that offers more security per key bit and higher efficiency than RSA. It provides the important cryptographic functions of encryption/decryption, digital signature and key agreement; securely and conveniently meets the key information security needs of user identity authentication, authenticity verification of electronic information and confidential transmission in all kinds of information networks; is a core technology of the information security field; has been adopted as a public-key cryptography standard by many international and national standards bodies (IEEE P1363, ANSI X9, ISO/IEC, IETF and others); and will become one of the mainstream cryptographic techniques used by the information security industry. China's domestic ECC algorithm suite, comprising its own elliptic-curve signature and key agreement schemes (the counterparts of ECDSA and ECDH), is designated SM2.
The method of loading security key storage hardware provided in this embodiment complies with China's PKI mechanism and with the policy on the administration of cryptographic products, and has a positive effect on the standardisation of the administration of domestic security products and on the rapid growth of network applications.
Step 204: the encryption subprocess performs two-way (mutual) digital certificate authentication with the network server through a handshake procedure.
In this embodiment two-way authentication means that the network server of the accessed website and the browser client each authenticate the other, confirming that the accessed network server's digital certificate and the digital certificate loaded by the browser client are both secure and valid. The certificates that must be authenticated in two-way authentication are therefore the website certificate of the accessed website and the user certificate loaded by the browser client. In this embodiment the step in which the encryption subprocess performs two-way digital certificate authentication with the network server through a handshake procedure may specifically be realised as follows: through the handshake procedure the encryption subprocess performs the following security authentication operations with the network server in turn: negotiation of the encryption parameters, certificate authentication, key exchange and signature authentication.
Note that the two-way authentication above is also completed in the handshake procedure between the browser client and the network server of the website, which may be realised at least as follows:
First, the browser client sends a client hello message, ClientHello, to the network server, and the network server replies to the browser client with a server hello message, ServerHello, negotiating the encryption parameters.
Next, the network server sends a server certificate message, ServerCertificate, to the browser client. Because two-way authentication is to be carried out, the network server then sends to the browser client, in order, a server key exchange message ServerKeyExchange, a certificate request message CertificateRequest and a server hello done message ServerHelloDone. The certificate request message indicates that client certificate authentication is to be performed.
Then the browser client authenticates the network server's website certificate with the asymmetric algorithm SM2. After that authentication passes, the browser client sends a client certificate message, ClientCertificate, to the network server; it contains the user certificate loaded by the browser client, and the network server authenticates that user certificate with the asymmetric algorithm SM2.
In the remainder of the handshake the browser client also sends the network server a client key exchange message ClientKeyExchange and the other handshake messages needed to complete the key exchange and signature authentication (in standard TLS these are CertificateVerify, which carries the client's signature over the handshake so far, followed by ChangeCipherSpec and Finished); this embodiment does not discuss them one by one.
Note that the client hello message (ClientHello) is the first message of the handshake protocol between the browser client and the network server; after the encryption subprocess sends the ClientHello to the network server it waits for the network server to return a ServerHello. The structure of the message issued by the client is defined as follows:
1. client_version indicates the protocol version the client uses in this session, for example version 1.1.
2. random is random information generated by the client; it contains a timestamp and random bytes.
3. session_id is the session identifier the client uses in this connection. session_id is a variable-length field whose value is determined by the server. If there is no reusable session identifier, or the client wishes to renegotiate the security parameters, this field is empty; otherwise it indicates that the client wishes to reuse the session. The session identifier may be that of a previous connection, of the current connection or of another connection that is still in the connected state. Once generated, a session identifier should remain valid until it is deleted by timeout or a connection associated with the session encounters a fatal error and is closed. When a session becomes invalid or is closed, all connections associated with it should be forcibly closed.
4. cipher_suites is the list of cipher suites the client supports, arranged in the client's order of preference with the highest-priority suite first. If the session identifier field is not empty, this field should at least include the cipher suite used by the session to be reused. Each cipher suite comprises a key exchange algorithm, an encryption algorithm and a verification (MAC/hash) algorithm. The server selects a matching cipher suite from the list; if no cipher suite matches, it should return a handshake failure alert and close the connection.
5. compression_methods is the list of compression algorithms the client supports, arranged in order of preference with the highest-priority algorithm first. The server selects a matching compression algorithm from the list; the list must include the null compression algorithm, so that the client and server can always agree on a compression algorithm.
Note that if the server can find a matching cipher suite in the client hello message, it sends the server hello message (ServerHello) as the reply to the client hello message; if it cannot find one, the server responds with an alert message.
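The ClientHello structure and the server's selection rule above, as an added Python example; this is not the patent's code. The suite identifiers `ECDHE_SM4_SM3` and `ECC_SM4_SM3` are named after the page's algorithm combination, but their numeric values, like that of `RSA_AES128_SHA`, are assumptions for illustration. The encoding follows the TLS wire layout for the five fields (2-byte version, 32-byte random, length-prefixed session_id, 2-byte-length-prefixed suite list, 1-byte-length-prefixed compression list). The decoder checks every length before reading, so a truncated or padded hello is rejected rather than misparsed, and `server_select` honours the client's preference order, failing the handshake when no suite matches or null compression is missing, as the text requires.

```python
import os
import struct
import time
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative suite identifiers named after the page's algorithm combinations;
# the numeric values are assumed for this example, not quoted from a standard.
ECDHE_SM4_SM3 = 0xE011
ECC_SM4_SM3 = 0xE013
RSA_AES128_SHA = 0x002F     # a "foreign" suite the client might also offer
NULL_COMPRESSION = 0x00


class HandshakeFailure(Exception):
    pass


class DecodeError(Exception):
    pass


@dataclass
class ClientHello:
    client_version: Tuple[int, int]      # (major, minor), e.g. (1, 1)
    random: bytes                        # 4-byte timestamp + 28 random bytes
    session_id: bytes                    # 0..32 bytes, empty = new session
    cipher_suites: List[int]             # client preference order
    compression_methods: List[int]       # client preference order


def new_client_hello(suites, session_id=b"", version=(1, 1)) -> ClientHello:
    rnd = struct.pack(">I", int(time.time())) + os.urandom(28)
    return ClientHello(version, rnd, session_id, list(suites), [NULL_COMPRESSION])


def encode(h: ClientHello) -> bytes:
    if len(h.random) != 32 or len(h.session_id) > 32:
        raise ValueError("bad random or session_id length")
    out = bytes(h.client_version) + h.random
    out += bytes([len(h.session_id)]) + h.session_id
    out += struct.pack(">H", 2 * len(h.cipher_suites))
    out += b"".join(struct.pack(">H", s) for s in h.cipher_suites)
    out += bytes([len(h.compression_methods)]) + bytes(h.compression_methods)
    return out


def decode(data: bytes) -> ClientHello:
    """Strict parser: every length is checked before it is used, and trailing
    bytes are rejected, so a malformed hello cannot be read past its end."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise DecodeError("truncated ClientHello")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    rnd = take(32)
    sid_len = take(1)[0]
    if sid_len > 32:
        raise DecodeError("session_id longer than 32 bytes")
    sid = take(sid_len)
    cs_len = struct.unpack(">H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise DecodeError("cipher_suites length must be a non-zero even number")
    suites = list(struct.unpack(">%dH" % (cs_len // 2), take(cs_len)))
    cm_len = take(1)[0]
    if cm_len == 0:
        raise DecodeError("compression_methods must not be empty")
    methods = list(take(cm_len))
    if pos != len(data):
        raise DecodeError("trailing bytes after ClientHello")
    return ClientHello(version, rnd, sid, suites, methods)


def server_select(h: ClientHello, server_suites: List[int]) -> Tuple[int, int]:
    """Server side of the negotiation: first suite in the client's order that the
    server allows, plus null compression. No match means a handshake_failure alert
    and a closed connection; here that is raised as HandshakeFailure."""
    if NULL_COMPRESSION not in h.compression_methods:
        raise HandshakeFailure("client did not offer null compression")
    for suite in h.cipher_suites:
        if suite in server_suites:
            return suite, NULL_COMPRESSION
    raise HandshakeFailure("no cipher suite in common")
```

Choosing by the client's order rather than the server's is what the text specifies; a server that prefers its own ordering would iterate `server_suites` instead, and either way the decision must be made on the decoded, length-checked message, never on raw offsets into the buffer.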
In this embodiment the digital certificate authentication uses an asymmetric algorithm: the sender encrypts data with the receiver's public key and the receiver decrypts it with its own private key. The asymmetric certificate algorithm is SM2; identity authentication is realised with the signing certificate on the basis of ECDSA-type signatures, and key agreement with the encryption certificate on the basis of ECDH.
In an optional example of the embodiment of the present invention, the two-way certificate authentication between the encryption subprocess and the network server may specifically be realised as follows:
1) the encryption subprocess receives the server certificate message sent by the network server, which contains the network server's website signing certificate;
2) the encryption subprocess receives the server key exchange message sent by the network server, which contains the key exchange parameters;
3) the encryption subprocess receives the certificate request message sent by the network server, which indicates that client certificate authentication is to be performed;
4) the encryption subprocess receives the server hello done message sent by the network server;
5) the encryption subprocess authenticates the website signing certificate (chain to a trusted CA, validity period, revocation status via CRL or OCSP as noted above, and a match between the certificate and the website being accessed);
6) after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, which contains the browser client's signing certificate, so that the network server can authenticate that signing certificate.
In the present embodiment, the above-mentioned encrypted data negotiation, certificate verification, key exchange and signature authentication are all executed in the handshake procedure between the encryption subprocess of the secure browser client and the network server. In the present embodiment, two-way authentication uses a double-certificate mechanism; the asymmetric algorithm of the certificates is the SM2 algorithm, the signing certificate implements identity authentication based on ECDSA signatures, and the encryption certificate implements key agreement based on ECDH. The SM4 algorithm is used to encrypt data, and the SM3 algorithm is used to digest data.
The SM2 algorithm is an elliptic curve public key cryptographic algorithm with a key length of 256 bits. The SM3 algorithm is a cryptographic hash algorithm with a key length of 128 bits. The SM4 algorithm is a block cipher with a block length of 128 bits and a key length of 128 bits.
As shown in Figure 4, the handshake procedure between the encryption subprocess and the network server includes:
4.02, the encryption subprocess sends the client hello message ClientHello to the network server.
4.04, the network server sends the server-side hello message ServerHello to the encryption subprocess of the secure browser client.
Here the network server looks up a matching cipher suite in the ClientHello message and sends ServerHello as the reply; if no matching cipher suite can be found, an alert message is sent. In the ServerHello, server_version indicates the version number supported by the server, for example 1.1; random is the random number generated by the server side; session_id is the session identifier used by the server side; cipher_suites is the cipher suite chosen by the server side from the ClientHello message; compression_methods is the compression algorithm chosen by the server side from the ClientHello message.
4.06, the network server sends the server-side certificate message Certificate to the encryption subprocess.
That is, the content of this ServerCertificate message is the signing certificate and the encryption certificate, for example the website signing certificate of the server side (X.509 sequence).
4.08, the network server sends the certificate verification request message ServerRequest to the encryption subprocess.
The ServerRequest message calls on the client to provide its certificate, and at the same time specifies the authentication type (ECDSA).
4.10, the network server sends the server-side key exchange message ServerKeyExchange to the encryption subprocess.
ServerKeyExchange allows the client to calculate and generate the 48-byte pre-master key. The public key can be obtained directly from the encryption certificate of the server side. For example, the client randomly generates the pre-master key pre_master_secret and carries out the ECDH operation using the public key of the server certificate.
4.12, the network server sends the hello-finished message ServerHelloDone to the encryption subprocess.
ServerHelloDone indicates that the hello message phase of the handshake procedure is complete; the server then waits for the response messages of the client.
4.14, the encryption subprocess sends the client certificate message Certificate to the network server.
That is, the ClientCertificate message is the first message after the hello message phase is complete, and it includes the signing certificate of the client (X.509 sequence).
4.16, the encryption subprocess sends the client key exchange message ClientKeyExchange to the network server.
The ClientKeyExchange message carries the pre-master key encrypted with the public key of the network server.
4.18, the encryption subprocess sends the certificate verification message CertificateVerify to the network server.
The CertificateVerify message is used to verify that the client is the legitimate holder of the certificate. In the present embodiment, after the user has been prompted to insert the USBKey, the user can be prompted to input the protection password, which is carried in this message and used to verify whether the user is legitimate.
For example, the client produces an ECDSA signature over the digest of the handshake information using the ECC private key of the signing certificate.
4.20, the encryption subprocess sends the client cipher specification change message ChangeCipherSpec to the network server.
That is, the ClientChangeCipherSpec message indicates to the server side that the negotiation of algorithm and key is complete.
4.22, the encryption subprocess sends the client handshake finished message Finished to the network server.
In the present embodiment, the encryption subprocess calculates master_secret from the random number of the client, the random number of the server side and pre_master_secret using the key algorithm, then uses the random numbers and master_secret again to calculate the real data encryption key, and then digests all the handshake information, encrypts the digest and forms the ClientFinished message, which it sends to the server side.
4.24, the network server sends the server-side cipher specification change message ChangeCipherSpec to the encryption subprocess.
4.26, the network server sends the server-side handshake finished message Finished to the encryption subprocess.
The server side verifies the client certificate and verifies the signature of the client using the signing certificate of the client. The server carries out the ECDH operation using its own encryption key and obtains pre_master_secret, calculates master_secret and the data encryption key using the same algorithm as the client, verifies the correctness of the ServerFinished message, and sends the ServerChangeCipherSpec message to the client to express its agreement on the algorithm and key.
Through the above-mentioned handshake procedure, the authentication of both the browser client and the network server and the key negotiation are completed, and the encryption subprocess and the network server can each encrypt application data using the key calculated in the negotiation.
Step 206, automatically identifying and connecting the security key storage hardware inserted into the interface of the terminal where the browser client is located.
The present embodiment is illustrated by taking a website that requires two-way authentication as an example. When the address bar of the browser client receives a website address input by the user that requires two-way authentication, the browser client pops up a dialog box prompting the user to insert the security key storage hardware, that is, prompting the user to insert the USBKey, as shown in Figure 5. Two-way authentication means that the network server of the accessed website and the browser client both authenticate each other, confirming that the digital certificate of the accessed network server and the digital certificate loaded by the browser client are safe and valid; therefore the certificates to be authenticated in two-way authentication include the website certificate of the accessed website and the user certificate loaded by the browser client. Accordingly, the automatic identification and connection of the security key storage hardware inserted into the interface of the terminal where the browser client is located, as described in the present embodiment, can specifically include the following two sub-steps:
Sub-step one: when carrying out the two-way authentication of the digital certificates, the encryption subprocess associates the vendor identification and product identification of the security key storage hardware with the corresponding activation point and driver interface. It should be noted that the digital certificates involved in two-way authentication specifically include the website certificate of the accessed website and the user certificate loaded by the browser client, which is stored in the security key storage hardware. The encryption subprocess of the browser can associate the vendor identification and product identification of the security key storage hardware with the corresponding activation point and driver interface.
Sub-step two: establishing a connection channel with the security key storage hardware through the activation point and driver interface. After the activation point and driver interface of the security key storage hardware are known, a communication channel with the security key storage hardware can be established according to the activation point and driver interface.
It should be noted that, in an optional example of the embodiment of the present invention, before step 206 of automatically identifying and connecting the security key storage hardware inserted into the interface of the terminal where the browser client is located, the method further includes: the encryption subprocess determines during the handshake procedure whether the certificate verification request message sent by the network server has been received; when the certificate verification request message sent by the network server is received, it monitors whether security key storage hardware has been inserted into the interface of the terminal where the browser client is located; when it is detected that security key storage hardware has been inserted, step 206 of automatically identifying and connecting the security key storage hardware inserted into the interface of the terminal where the browser client is located is executed.
Step 208, the browser client reads and displays the user certificates stored in the security key storage hardware for the user to select.
In the present embodiment, the browser client reads and displays the user certificates stored in the security key storage hardware for the user to select; this can specifically be done through the following sub-steps:
Sub-step one: the encryption subprocess reads the user certificates stored in the security key storage hardware through the connection channel. The encryption subprocess establishes the connection channel with the security key storage hardware according to the activation point and driver interface, and can read the user certificates stored in the security key storage hardware through that connection channel. It should be noted that what the encryption subprocess reads at this time is only information such as the title of the user certificate, not the specific content of the user certificate.
In an optional example of the embodiment of the present invention, the encryption subprocess reading the user certificates stored in the security key storage hardware through the connection channel can specifically include: the encryption subprocess reads the applications stored in the security key storage hardware through the connection channel and displays the applications for the user to select, where each application includes containers and the user certificates stored in the containers; it opens the application selected by the user and loads the container selected by the user and the user certificate stored in that container.
Sub-step two: popping up a certificate selection dialog box, in which the user certificates are loaded to prompt the user to select a user certificate. It should be noted that, as shown in Fig. 6, the certificate selection dialog box popped up by the browser client in the present embodiment can specifically include any one or more of the following: current device, application name, container name, certificate CN, issuer, effective date, expiry time, title of the user certificate and similar information, so that the user can be prompted to select the user certificate; the present embodiment is not a limitation on the specific form or specific content of the certificate selection dialog box.
In the present embodiment, in order to ensure the safety of the accessed website and of the user, the CA issues different website certificates to different websites, and at the same time issues different user certificates to the different users of different websites. A digital certificate includes content such as the public key of the website or user, the information of the website or user, and a digital signature.
Therefore, before digital certificate authentication is carried out in the mutual authentication process, it is preferred that a certificate selection box pops up in the browser client, the user certificates currently possessed by the terminal where the browser is located are loaded in the certificate selection box, and after the user selects a user certificate the user is prompted to input the protection password, as shown in Fig. 7, that is, to input the personal identification number (Personal Identification Number, PIN); after the protection password passes verification, it is established that the user has a claim to that user certificate. In addition, the above-mentioned user certificate and protection password can be sent to the network server as authentication data in the user certificate verification process.
In an optional example of the embodiment of the present invention, after sub-step one, in which the encryption subprocess reads the user certificates stored in the security key storage hardware through the connection channel, the method further includes: the encryption subprocess carries out certificate website identification on the user certificates stored in the security key storage hardware and classifies the user certificates by certificate website; correspondingly, sub-step two, in which the certificate selection dialog box pops up and the user certificates are loaded in it to prompt the user to select a user certificate, can specifically include: popping up the certificate selection dialog box and displaying the user certificates in it indexed by certificate website. It should be noted that the certificate website is the bank website to which the certificate corresponds; the certificate website can specifically be Construction Bank, Industrial and Commercial Bank, Agricultural Bank, and so on. In other words, in the present embodiment the certificate selection dialog box can specifically show which bank each user certificate belongs to, intuitively showing which bank the security key storage hardware belongs to, which makes it convenient for the user to judge according to the bank whether the user certificate is needed, that is, to judge according to the certificate website whether the user certificate is needed.
Step 210, when the browser client receives the user's selection information for the user certificate, carrying out identity verification on the user.
In the present embodiment, carrying out identity verification on the user when the browser client receives the user's selection information for the user certificate can specifically be accomplished in the following way: when the user's selection information for the user certificate is received, the encryption subprocess pops up a password input box and receives the protection password input by the user through the password input box, and identity verification is carried out on the user according to the protection password input by the user. It should be noted that the present embodiment chooses the protection password as the identity information of the user for identity verification; in a specific implementation, other ways of carrying out identity verification may also be used, and the present embodiment is not a restriction on the specific way of identity verification.
In an optional example of the embodiment of the present invention, carrying out identity verification on the user when the browser client receives the user's selection information for the user certificate further specifically includes: if the identity verification does not pass, displaying a password error in the password input box and prompting the user to re-enter the protection password, and carrying out identity verification according to the re-entered protection password. Situations in which the user mistypes the protection password, for example through a keyboard slip, happen from time to time, so when identity verification does not pass this optional example does not directly disconnect from the security key storage hardware but allows the user to re-enter the protection password. Of course, the user cannot be allowed to input the protection password an unlimited number of times, and the number of times the protection password may be input needs to be limited. That is, in an optional example of the embodiment of the present invention, carrying out identity verification on the user when the browser client receives the user's selection information for the user certificate further includes: the encryption subprocess sets a maximum input count for the password input box, and when the number of times the user has input the protection password in the password input box reaches the maximum input count, it closes the personal identification number input box and disconnects from the security key storage hardware. This avoids the situation in which the connection to the security key storage hardware is dropped as soon as the user mistypes the protection password once, which would require the user to re-insert the security key storage hardware for user verification and make loading the security key storage hardware cumbersome and inefficient; it also avoids the resource occupation or endless loop caused by inputting the protection password without limit, and improves the efficiency of loading the security key storage hardware.
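The bounded-retry password box of the optional example above, as an added example that is not the patent's code. UsbKey is a constructed stand-in for the security key storage hardware (its verify_pin and disconnect methods are assumed; a real token checks the PIN on the device), and the sample PIN and the maximum of three attempts are constructed values.

```python
# Added example (not the patent's code): protection-password prompt with a maximum
# input count. UsbKey is a constructed stand-in for the SKF/CSP token interface;
# verify_pin/disconnect are assumed method names, the PIN and limit are sample values.
from dataclasses import dataclass, field


@dataclass
class UsbKey:
    """Constructed token simulation. A real USB Key verifies the PIN on-device and
    never releases the private key; this stub only models connected/verified state."""
    _pin: str = "123456"              # constructed sample PIN
    connected: bool = True
    verified: bool = False

    def verify_pin(self, pin: str) -> bool:
        if not self.connected:
            raise RuntimeError("token disconnected")
        self.verified = (pin == self._pin)
        return self.verified

    def disconnect(self) -> None:
        self.connected = False
        self.verified = False


@dataclass
class PinPrompt:
    """Password input box with a maximum input count. When the count is reached the
    box is closed and the connection to the security key storage hardware dropped."""
    token: UsbKey
    max_attempts: int = 3
    attempts: int = 0
    open: bool = True
    messages: list = field(default_factory=list)

    def submit(self, pin: str) -> str:
        """Return 'verified', 'retry', 'disconnected' or 'closed' for one entry."""
        if not self.open:
            return "closed"
        self.attempts += 1
        if self.token.verify_pin(pin):
            self.open = False
            return "verified"         # caller may now load the certificate content
        if self.attempts >= self.max_attempts:
            self.open = False
            self.token.disconnect()
            self.messages.append("maximum attempts reached; hardware disconnected")
            return "disconnected"
        self.messages.append("password error, please re-enter")
        return "retry"


def run_session(pins):
    """Feed a sequence of entered PINs to a fresh prompt; return outcomes and prompt."""
    prompt = PinPrompt(UsbKey())
    return [prompt.submit(p) for p in pins], prompt


if __name__ == "__main__":
    print(run_session(["000000", "123456"])[0])
    print(run_session(["1", "2", "3", "123456"])[0])
```

Once the limit is reached the prompt stays closed even if the correct PIN arrives afterwards, so an unbounded guessing loop against the token is not possible through this box; the user has to re-insert the hardware, which is exactly the cost the text wants to reserve for the exhausted case rather than the first slip.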
Step 212, after the identity verification passes, loading the user certificate content corresponding to the selection information.
In the present embodiment, loading the user certificate content corresponding to the selection information after the identity verification passes can specifically include the following sub-steps:
Sub-step one: after the identity verification passes, the encryption subprocess obtains the authentication information in the user certificate and loads the authentication information into a certificate viewer.
Sub-step two: the encryption subprocess starts the certificate viewer according to a trigger instruction and displays the authentication information of the user certificate in the certificate viewer. It should be noted that displaying the authentication information of the user certificate in the certificate viewer can specifically be accomplished in the following way: a general tab and a details tab are set in the certificate viewer respectively; the general information of the user certificate corresponding to the selection information is displayed in the general tab; and the detailed information of the user certificate corresponding to the selection information is displayed in the details tab. That is, the certificate viewer is started according to the trigger instruction, a general tab and a details tab are set in the certificate viewer respectively, the general information of the user certificate is loaded in the general tab as shown in Figure 8A, and the detailed information of the user certificate is loaded in the details tab as shown in Figure 8B, so that the different contents of the user certificate can be checked by selecting the different tabs.
It should be noted that, in an optional example of the embodiment of the present invention, after loading the user certificate content corresponding to the selection information, the method further includes: the encryption subprocess disconnects from the security key storage hardware.
In an optional example of the embodiment of the present invention, when the browser client loads a user certificate, a certificate selection box can first pop up to prompt the user to insert the security key storage hardware. The security key storage hardware, that is, the USB Key, is a hardware device with a USB interface and a built-in microcontroller or smart card chip; it has a certain amount of storage space, can store the private key and digital certificate of the user, and uses the public key algorithm built into the USB Key to implement authentication of the user's identity. Since the private key of the user is stored in the cryptographic lock, it cannot in theory be read out by any means, and the safety of user authentication is therefore ensured.
After the user inserts the security key storage hardware, the driver of the security key storage hardware is called, the certificate information in the security key storage hardware is loaded in the certificate selection box, and the certificate information selected by the user is then received; a protection password input window pops up in the certificate selection box, and the protection password input by the user is then received.
The automatic identification of the USBKey by the browser relies on two key items in the CSP registry entry:
SKFImagePath: specifies the path of the SKF dynamic library. TokenVidPid: a string. The VendorID and ProductID of the KEY device, in a format similar to that used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX.
The browser can associate the corresponding driver through the vendor identification vendorid and product identification productid of the USBKey device, and complete the relevant operations. The browser does not store the PIN password input by the user, nor does it store the private key information in the USBKey. The operating procedure for the USBKey is as follows: connect to the USBKey device; open the corresponding application Application, the Application being determined by the user's selection; open the corresponding container Container, the Container being determined by the user's selection; then input the verification PIN code, where re-entry can be prompted after a verification error; then obtain the signing certificate information and the encryption certificate information and carry out the authentication of the digital certificates. Subsequently, during the data interaction with the network server, the encryption and decryption of data are also completed in the USBKey, and after the website access is completed the device is closed and the connection is disconnected.
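The VID/PID association of sub-step one of step 206 and the CSP registry items just described, as an added example that is not the patent's code. It parses the VID_XXXX&PID_XXXX form from TokenVidPid values and from device instance paths, and returns the SKFImagePath of each registered token that is actually inserted; the provider names, paths and identifiers are constructed, and reading the real registry (for example with Python's winreg module) is left out.

```python
# Added example (not the patent's code): match inserted USB devices to CSP registry
# entries by VID/PID. The key names SKFImagePath and TokenVidPid and the
# VID_XXXX&PID_XXXX form come from the text; every value below is constructed.
import re

VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)

# Constructed CSP entries keyed by provider name (the real ones would be read from
# the registry with the winreg module).
CSP_ENTRIES = {
    "ExampleBank SKF Provider": {"SKFImagePath": r"C:\ExampleBank\skf.dll",
                                 "TokenVidPid": "VID_1234&PID_5678"},
    "OtherBank SKF Provider": {"SKFImagePath": r"C:\OtherBank\skf.dll",
                               "TokenVidPid": "vid_abcd&pid_0001"},
    "Broken Provider": {"SKFImagePath": r"C:\Broken\skf.dll",
                        "TokenVidPid": "not-a-vid-pid"},
}

# Constructed device instance paths as enumerated under
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB.
INSERTED_DEVICES = [
    r"USB\VID_1234&PID_5678\0123456789",
    r"USB\VID_0AAA&PID_0BBB\5&1a2b3c4d&0&3",   # some unrelated USB device
    r"USB\ROOT_HUB30\4&2f3e",                  # carries no VID/PID at all
]


def parse_vid_pid(text):
    """Return (vid, pid) as upper-case hex strings, or None when text carries none."""
    m = VID_PID_RE.search(text)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def find_tokens(devices, csp_entries):
    """List (device_path, provider_name, SKFImagePath) for each inserted device whose
    VID/PID matches a registered TokenVidPid. Only registered tokens are returned, so
    an arbitrary USB device never causes a driver path to be loaded for it."""
    by_id = {}
    for name, entry in csp_entries.items():
        ident = parse_vid_pid(entry["TokenVidPid"])
        if ident is None:
            continue        # malformed registry value: skip it rather than guess
        by_id[ident] = (name, entry["SKFImagePath"])
    found = []
    for path in devices:
        ident = parse_vid_pid(path)
        if ident in by_id:
            found.append((path, *by_id[ident]))
    return found


if __name__ == "__main__":
    for hit in find_tokens(INSERTED_DEVICES, CSP_ENTRIES):
        print(hit)
```

Comparing parsed, normalised (vid, pid) pairs rather than raw strings makes the match robust to the case differences seen between registry values and enumerated paths, and skipping malformed TokenVidPid values keeps a bad registry entry from matching anything.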
In an alternative embodiment of the invention, a permission-to-connect message returned by the network server is received, and the secure connection channel for encrypted data transmission between the browser and the network server corresponding to the website is established; the permission-to-connect message is sent by the network server after the security authentication of the user certificate has passed.
After the above-mentioned certificate verification passes, the network server returns the permission-to-connect message, and at this point the secure connection channel for encrypted data transmission between the browser and the network server corresponding to the website is established. In the present embodiment, the data transmitted in the secure connection channel is encrypted and decrypted using the symmetric algorithm SM4; the SM4 algorithm is a block cipher with a block length of 128 bits and a key length of 128 bits.
As for the method embodiments, for simplicity of description each is expressed as a series of combinations of actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Embodiment three
On the basis of the above embodiments, the present embodiment also discloses a safe communication system.
With reference to Fig. 9, a structure diagram of an embodiment of the safe communication system according to an embodiment of the invention is shown.
With reference to Fig. 10, a structure diagram of an embodiment of the browser client device in the safe communication system according to an embodiment of the invention is shown.
The safe communication system includes: a browser client device 902, security key storage hardware 904 and a network server 906.
The network server 906 is configured to carry out security authentication with the browser client device 902 through the handshake procedure, to establish a secure channel after the security authentication passes, and to transmit encrypted data in the secure channel;
the browser client device 902 is configured to carry out security authentication with the network server 906 through the handshake procedure, to establish the secure channel after the security authentication passes, and to transmit encrypted data in the secure channel; and to connect with the security key storage hardware and obtain the user certificate needed in the security authentication process;
the security key storage hardware 904 is configured to connect with the browser through the interface of the terminal and to provide the user certificate needed in the security authentication process;
the browser client device 902 includes:
a connection module 90202, configured to automatically identify and connect the security key storage hardware inserted into the interface of the terminal where the browser client device is located;
a reading module 90204, configured to read and display the user certificates stored in the security key storage hardware for the user to select;
an identity verification module 90206, configured to carry out identity verification on the user when the user's selection information for the user certificate is received;
a loading module 90208, configured to load the user certificate content corresponding to the selection information after the identity verification passes.
When the user logs in to an online bank or an online payment platform such as Alipay using the browser client device, the user needs to insert the security key storage hardware in order to ensure the safety of data transmission. That is, when the user inputs the address of such a website in the address bar of the browser client device to request access to the web page corresponding to that website address, the browser client device prompts the user to insert the security key storage hardware. The website address received by the address bar of the browser client device may be input directly by the user, or may be input after the user searches and clicks a search result; the present embodiment is not limited in this respect.
The security key storage hardware, that is, the USBKey, stores user certificates, and the user can select a user certificate. It should be noted that one security key storage hardware usually stores one user certificate, and each bank has its own corresponding security key storage hardware. For example, the security key storage hardware of the online bank of Bank of Beijing stores the user certificate issued by Bank of Beijing; the security key storage hardware of the online bank of Construction Bank stores the user certificate issued by Construction Bank.
It should be noted that the security key storage hardware is usually provided in a form that matches a USB interface and can be inserted into a terminal such as a computer through the USB interface. After the security key storage hardware is inserted into the terminal through the USB interface, the browser client in the present embodiment can automatically identify the security key storage hardware inserted into the interface of the terminal where the browser client device is located, distinguishing the security key storage hardware from other USB-connected hardware. Once it has identified that security key storage hardware has been inserted into the terminal, it automatically establishes a connection with the security key storage hardware. The connection established here means downloading the driver, establishing a communication connection with the security key storage hardware and being able to read the user certificates stored in the security key storage hardware; it is not limited to the physical connection.
After the browser client device has established the communication connection with the security key storage hardware, it can read the user certificates stored in the security key storage hardware and display the user certificates for the user to select. In a specific implementation, the browser client can display the user certificates in the form of a pop-up, or can display them by other means; the present embodiment does not limit the specific display mode. The user certificates can be displayed with numbers, allowing the user to see the user certificates at a glance so that it is convenient for the user to select a user certificate.
The reason the browser client device needs to automatically identify the security key storage hardware is that security verification is required when accessing a payment platform such as an online bank. Specifically, in the present embodiment the identity of the user needs to be verified: after the user selects a user certificate, identity verification is carried out on the user. It should be noted that although the identity verification is carried out in the browser client device, it is in fact the network server of the bank that requires identity verification of the user in order to confirm the user's identity.
It should be noted that identity verification of the user in the present embodiment can be realized in various ways. For the scenario of logging in to an online bank, the user may be asked to input the password of the bank card or the separate password of the online bank in order to carry out identity verification. Because the network server of the bank stores the bank card password set by the user or the separate online banking password, the browser client device can send the identity information input by the user, such as the bank card password, to the network server to be matched with the user identity information stored in the network server; if the match succeeds, the user's identity verification passes, and if the match fails, the identity verification fails. It should be noted that when identity verification is carried out on the user, the identity information input by the user can be the above-mentioned bank card password, the protection password, or information that can represent the user's identity such as the user's identity card number; the present embodiment does not limit the specific content of the identity information, nor the specific process of identity verification, as long as the user's identity can be confirmed.
In summary, when the browser client device of the present embodiment loads the security key storage hardware, it first automatically identifies and connects the security key storage hardware inserted into the interface of the terminal where the browser client device is located; then the browser client device reads and displays the user certificates stored in the security key storage hardware for the user to select; then, when the browser client receives the user's selection information for the user certificate, it carries out identity verification on the user; and finally, after the identity verification passes, it loads the user certificate content corresponding to the selection information. When loading the user certificate stored in the security key storage hardware, the present embodiment first carries out identity verification on the user and loads the content of the user certificate stored in the security key storage hardware only after the identity verification passes and the user's identity is confirmed; this can prevent the user certificate stored in the security key storage hardware from being leaked and improves the safety of loading the security key storage hardware.
In an alternative embodiment of the invention, as shown in Figure 11, the browser client device further includes:
a main business scheduler module 90210, for starting, in the browser client device, an encryption subprocess that communicates with the main business scheduler module, wherein the encryption subprocess acts as a connection agent to realize the conversion and data forwarding from a first encrypted channel to a second encrypted channel;
an encryption subprocess module 90212, for performing digital certificate two-way authentication with the network server 906 through a handshake procedure.
In an alternative embodiment of the invention, the encryption subprocess module 90212 is used to execute, in sequence, the following security authentication operations with the network server 906 through the handshake procedure: encryption data negotiation, certificate verification, key exchange and signature authentication.
In the present embodiment, the browser client device 902 uses the encryption subprocess module 90212 as a proxy for the browser main business scheduler module 90210 and performs the SSL encrypted communication procedure of encryption data negotiation, certificate verification, key exchange and signature authentication with the network server 906 through the handshake procedure. The specific handshake procedure is as shown in Figure 4; for the relevant handshake messages and encryption algorithms, refer to the discussion in the second embodiment.
In an alternative embodiment of the invention, the security key storage hardware 904 is specifically used to establish a connection channel with the browser client device through the driver location and driver interface of the terminal;
the connection module 90202 of the browser client device is specifically used, when the two-way authentication of digital certificates is performed, for the encryption subprocess module 90212 to associate the vendor ID and product ID of the security key storage hardware with the corresponding driver location and driver interface, and to establish the connection channel with the security key storage hardware through that driver location and driver interface.
Referring to Figure 12A, a first structure diagram of the read module according to an embodiment of the invention is shown.
In an alternative embodiment of the invention, the read module 90204 of the browser client device includes:
a reading submodule 9020402, for reading, through the connection channel, the user certificates stored in the security key storage hardware;
a loading submodule 9020404, for popping up a certificate selection dialog box in which the user certificates are loaded, to prompt the user to select a user certificate.
After the browser client device has established a communication connection with the security key storage hardware, it can read the user certificates stored in the security key storage hardware and display them for the user to select. In a specific implementation, the browser client device may display the user certificates in the form of a pop-up window or in another way; the present embodiment does not limit the specific display mode. The user certificates are displayed so that the user can see them directly and conveniently select a user certificate.
Referring to Figure 12B, a second structure diagram of the read module according to an embodiment of the invention is shown.
In an alternative embodiment of the invention, the read module 90204 of the browser client device further includes:
an identification submodule 9020406, for performing certificate website identification on the user certificates stored in the security key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website;
the loading submodule 9020404 is specifically used to pop up the certificate selection dialog box and to display the user certificates in the certificate selection dialog box indexed by certificate website.
In an alternative embodiment of the invention, the security key storage hardware 904 is specifically used to provide stored applications for the browser client device, wherein each application includes a container and the user certificate stored in the container;
the reading submodule 9020404 is specifically used to read the applications stored in the security key storage hardware through the connection channel and display the applications for the user to select; to open the application selected by the user; and to load the container under the selected application and the user certificate stored in that container.
In an alternative embodiment of the invention, the authentication module 90206 is specifically used to pop up a personal identification number (PIN) input box when the user's selection information for the user certificate is received, to receive the PIN entered by the user through the PIN input box, and to perform identity verification on the user according to the entered PIN.
In an alternative embodiment of the invention, the authentication module 90206 is further used, when the identity verification does not pass, to display a password error in the PIN input box, prompt the user to re-enter the PIN, and perform identity verification according to the re-entered PIN.
In an alternative embodiment of the invention, the authentication module 90206 is further used to set a maximum number of input attempts for the PIN input box; when the number of PINs entered by the user in the PIN input box reaches the maximum number of input attempts, the PIN input box is closed and the connection with the security key storage hardware is disconnected.
In an alternative embodiment of the invention, the loading module 90208 is specifically used, after the identity verification passes, to obtain the authentication information in the user certificate and load the authentication information into a certificate reader;
the encryption subprocess module 90212 is used to start the certificate reader according to a trigger instruction and to display the authentication information of the user certificate in the certificate reader.
In an alternative embodiment of the invention, the encryption subprocess module 90212 is used to set a General tab and a Details tab in the certificate reader; the general information of the user certificate corresponding to the selection information is displayed in the General tab, and the details of the user certificate corresponding to the selection information are displayed in the Details tab.
In an alternative embodiment of the invention, the encryption subprocess module 90212 is further used to determine, during the handshake, whether a certificate verification request message sent by the network server has been received;
the connection module 90202 of the browser client device is further used, when the encryption subprocess module 90212 receives the certificate verification request message sent by the network server, to monitor whether security key storage hardware is inserted into the interface of the terminal where the browser client is located, and, when the insertion of security key storage hardware is detected, to automatically identify and connect the security key storage hardware inserted into the interface of the terminal where the browser client is located.
In an alternative embodiment of the invention, the encryption subprocess module 90212 is further used to disconnect the connection with the security key storage hardware after the loading module has loaded the user certificate content corresponding to the selection information.
It should be noted that the encryption subprocess module may be understood with reference to the structure diagram of the encryption subprocess module shown in Figure 13. As shown in Figure 13, the encryption subprocess module includes: a configuration module 1302, a proxy module 1304, a CTL management module 1306, a CRL management module 1308, a Session management module 1310, a certificate verification module 1312, an SSL connection module 1314 and a USBKey operation module 1316. The proxy module receives connections from the browser main business process, handles each according to the type of the connection, and forms the connection agent of the browser main business process. The CTL module manages the trusted root certificate list. The CRL management module obtains CRL lists and manages the local CRL list. The Session management module manages the session connections between the proxy process and the web server. The SSL connection module is responsible for establishing the secure connection with the web server. The USBKey management module is responsible for operating the USBKey device. The configuration module is responsible for reading and storing the client's configuration.
The operating principle of the CTL management module 1306 is as follows. The CTL describes the list of root certificates trusted by the browser and is used to verify the server-side certificate. In the 360 secure browser, the supported trusted root certificates are PEM-encoded, and two ways of adding certificates are supported: 1) trusted root certificates added inside the program; 2) trusted root certificates added in a configuration file, the configuration file being stored encrypted with DES. The CTL may be configured not to support import and export functions.
The operating principle of the CRL management module 1308 is as follows. A CRL describes the list of certificates revoked by a certification authority (CA); in essence it is a list of certificate serial numbers, each represented as an ASN.1 INTEGER. An extension of X.509v3 certificates (OID 2.5.29.31) specifies the CRL distribution point of the certificate. The secure browser device of the present embodiment caches the CRL locally, and CRL lookups use a first-level index by CA. The steps of the CRL verification operation are as follows: (1) obtain the Issuer field of the certificate and locate the corresponding CA node; if the Issuer is absent or no corresponding CA can be found, the certificate is considered illegal; (2) search all CRL entries under that CA by binary search.
For the Session management module 1310: an SSL connection requires four additional handshakes on top of the three-way TCP handshake, so establishing a connection is relatively time-consuming; saving the Session and reusing the previous connection can therefore effectively optimize handover performance. In the secure browser device of the present embodiment, after an SSL connection has been established, a memory index from host+port to the session is created, and subsequent operations can reuse the previous session; the session validity period is, for example, 1 hour. The previous sessions are cleared when the browser is closed or when the USBKey device is removed.
For the certificate verification module 1312: if two-way authentication is required while the SSL connection is being established, the encryption subprocess module prompts the user to insert the security key storage hardware, i.e. the USBKey device. After the user inserts the security key storage hardware, it is automatically identified and a certificate selection dialog box pops up to prompt the user to select a certificate. Automatic identification of the security key storage hardware by the encryption subprocess module relies on two key entries under the CSP registry key: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device in the same format as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX. The browser associates the USBKey device with its driver by the device's vendorid and productid and completes the related operations. The browser does not store the PIN entered by the user, nor the private key information in the USBKey. The detailed process is as follows: first connect to the USBKey device; then open the corresponding application (Application), which is determined by the user's selection; then open the corresponding container (Container), which is determined by the user's selection; then verify the PIN (personal identification number), prompting for re-entry after a verification error; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device connection.
In the present embodiment, for the certificate verification process of the above method embodiment, server-side certificate verification takes place during the handshake protocol, after the browser receives the ServerHelloDone message and before it sends the Certificate message. Certificate verification mainly ensures that the server is legitimate; the verification process depends on the CTL and CRL modules, and the detailed process is carried out in the certificate verification thread pool of the subprocess. The verification steps are as follows: initialize the trusted root certificate list; check whether the certificate is self-signed; check the certificate extension information; check the certificate trust relationship; check the CRL list; check the certificate signature; check the certificate validity time; check whether the certificate is in the blacklist.
It should be noted that the main business process may be understood with reference to the structure diagram of the main business process shown in Figure 14. As shown in Figure 14, the main business process includes: a certificate display module 1402, a white list management module 1404, a network server certificate storage module 1406 and a proxy setting module 14014. The certificate display module 1402 is responsible for displaying digital certificates. The white list management module 1404 is responsible for the list of web servers that support the encryption algorithm of the present embodiment. The network server certificate storage module 1406 is used to store the certificates of the network server. The proxy setting module 14014 is responsible for setting the proxy to the encryption subprocess module.
For the device embodiments, since they are basically similar to the method embodiments, the description is relatively simple; for related matters, refer to the corresponding parts of the description of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein, and from the above description the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of specific languages is provided to disclose the best mode of the invention.
In the description provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple submodules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the secure communication system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a secure communication system, including: a browser client device, security key storage hardware and a network server; the network server is used to perform security authentication with the browser client device through a handshake procedure, establish a secure channel after the security authentication passes, and transmit encrypted data in the secure channel; the browser client device is used to perform security authentication with the network server through the handshake procedure, establish the secure channel after the security authentication passes, and transmit encrypted data in the secure channel, and to connect with the security key storage hardware and obtain the user certificate needed in the security authentication process; the security key storage hardware is used to connect to the browser through the interface of the terminal and provide the user certificate needed in the security authentication process; the browser client device includes: a connection module, for automatically identifying and connecting the security key storage hardware inserted into the interface of the terminal where the browser client device is located; a read module, for reading and displaying the user certificates stored in the security key storage hardware for the user to select; an authentication module, for performing identity verification on the user when the user's selection information for the user certificate is received; and a loading module, for loading the user certificate content corresponding to the selection information after the identity verification passes.
A2, the system as described in A1, wherein the browser client device further includes: a main business scheduler module, for starting in the browser client device an encryption subprocess that communicates with the main business process, wherein the encryption subprocess acts as a connection agent to realize the conversion and data forwarding from the first encrypted channel to the second encrypted channel; and an encryption subprocess module, for performing digital certificate two-way authentication with the network server through the handshake procedure.
A3, the system as described in A2, wherein the encryption subprocess module is used to execute, in sequence, the following security authentication operations with the network server through the handshake procedure: encryption data negotiation, certificate verification, key exchange and signature authentication.
A4, the system as described in A3, wherein the security key storage hardware is specifically used to establish a connection channel with the browser client device through the driver location and driver interface of the terminal; the connection module of the browser client device is specifically used, when the two-way authentication of digital certificates is performed, for the encryption subprocess module to associate the vendor ID and product ID of the security key storage hardware with the corresponding driver location and driver interface, and to establish the connection channel with the security key storage hardware through that driver location and driver interface.
A5, the system as described in A4, wherein the read module of the browser client device includes: a reading submodule, for reading the user certificates stored in the security key storage hardware through the connection channel; and a loading submodule, for popping up a certificate selection dialog box in which the user certificates are loaded, to prompt the user to select a user certificate.
A6, the system as described in A5, wherein the read module of the browser client device further includes: an identification submodule, for performing certificate website identification on the user certificates stored in the security key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website; the loading submodule is specifically used to pop up the certificate selection dialog box and to display the user certificates in the certificate selection dialog box indexed by certificate website.
A7, the system as described in A3, wherein the security key storage hardware is specifically used to provide stored applications for the browser client device, each application including a container and the user certificate stored in the container; the reading submodule is specifically used to read the applications stored in the security key storage hardware through the connection channel and display the applications for the user to select, to open the application selected by the user, and to load the container under the selected application and the user certificate stored in that container.
A8, the system as described in A1, wherein the authentication module is specifically used to pop up a personal identification number (PIN) input box when the user's selection information for the user certificate is received, to receive the PIN entered by the user through the PIN input box, and to perform identity verification on the user according to the entered PIN.
A9, the system as described in A8, wherein the authentication module is further used, when the identity verification does not pass, to display a password error in the PIN input box, prompt the user to re-enter the PIN, and perform identity verification according to the re-entered PIN.
A10, the system as described in A9, wherein the authentication module is further used to set a maximum number of input attempts for the PIN input box and, when the number of PINs entered by the user in the PIN input box reaches the maximum number of input attempts, to close the PIN input box and disconnect the connection with the security key storage hardware.
A11, the system as described in A1, wherein the loading module is specifically used, after the identity verification passes, to obtain the authentication information in the user certificate and load the authentication information into a certificate reader; the encryption subprocess module is used to start the certificate reader according to a trigger instruction and to display the authentication information of the user certificate in the certificate reader.
A12, the system as described in A11, wherein the encryption subprocess module is used to set a General tab and a Details tab in the certificate reader; the general information of the user certificate corresponding to the selection information is displayed in the General tab, and the details of the user certificate corresponding to the selection information are displayed in the Details tab.
A13, the system as described in A3, wherein the encryption subprocess module is further used to determine, during the handshake, whether the certificate verification request message sent by the network server has been received; the connection module of the browser client device is further used, when the encryption subprocess module receives the certificate verification request message sent by the network server, to monitor whether security key storage hardware is inserted into the interface of the terminal where the browser client is located, and, when the insertion of security key storage hardware is detected, to automatically identify and connect the security key storage hardware inserted into the interface of the terminal where the browser client is located.
A14, the system as described in A2, wherein the encryption subprocess module is further used to disconnect the connection with the security key storage hardware after the loading module has loaded the user certificate content corresponding to the selection information.
Claims (13)
1. A secure communication system, including: a browser client device, security key storage hardware and a network server,
the network server being used to perform security authentication with the browser client device through a handshake procedure, establish a secure channel after the security authentication passes, and transmit encrypted data in the secure channel;
the browser client device being used to perform security authentication with the network server through the handshake procedure, establish the secure channel after the security authentication passes, and transmit encrypted data in the secure channel; and to connect with the security key storage hardware and obtain the user certificate needed in the security authentication process;
the security key storage hardware being used to connect to the browser client device through the interface of the terminal where the browser client device is located and to provide the user certificate needed in the security authentication process;
the browser client device including:
a connection module, for automatically identifying and connecting the security key storage hardware inserted into the interface of the terminal where the browser client device is located;
a read module, for reading and displaying the user certificates stored in the security key storage hardware for the user to select;
an authentication module, for performing identity verification on the user when the user's selection information for the user certificate is received;
a loading module, for loading the user certificate content corresponding to the selection information after the identity verification passes;
the browser client device further including:
a main business scheduler module, for starting in the browser client device an encryption subprocess module that communicates with the main business scheduler module, wherein the encryption subprocess module acts as a connection agent to realize the conversion and data forwarding from a first encrypted channel to a second encrypted channel, wherein the connection agent of the encryption subprocess includes: a main thread, a listening thread and a business processing thread; the main thread is used to read the various configurations and to create the listening thread, the main business thread and the IPC communication with the browser host process; the listening thread is used to listen on the service port and, when a connection request from the main business process is present and accepted successfully, to execute the corresponding proxy operation; the business processing thread is used to establish and maintain the respective encrypted channels with the main business process and with the network server at the two ends, so as to exchange data as a bridge, wherein the first encrypted channel is the secure communication channel between the main business scheduler module and the encryption subprocess module, the second encrypted channel is the secure communication channel between the encryption subprocess module and the network server, and the IPC communication with the browser host process is responsible for inter-process data transmission;
an encryption subprocess module, for performing digital certificate two-way authentication with the network server through the handshake procedure.
2. The system according to claim 1, characterized in that
the encryption subprocess module is used to execute, in sequence, the following security authentication operations with the network server through the handshake procedure: encryption data negotiation, certificate verification, key exchange and signature authentication.
3. system according to claim 2, it is characterised in that:
The security key storage hardware is specifically used for activation point and driving interface and browser clients by the terminal
End device establishes interface channel;
The link block of the browser clients end device is specifically used for when carrying out the two-way authentication of digital certificate, described to add
Close subprocess module is associated with corresponding driving position by the vendor ID and product identification of the security key storage hardware
It sets and driving interface;By the activation point and driving interface interface channel is established with the security key storage hardware.
4. The system according to claim 3, characterized in that the reading module of the browser client device comprises:
a reading submodule, for reading the user certificate stored in the security key storage hardware through the interface channel;
a loading submodule, for popping up a certificate selection dialog box and loading the user certificate into the certificate selection dialog box to prompt the user to select the user certificate.
5. The system according to claim 4, characterized in that the reading module of the browser client device further comprises:
an identification submodule, for, after the user certificate stored in the security key storage hardware has been read through the interface channel, performing certificate site identification on the user certificate stored in the security key storage hardware and classifying the user certificate by certificate site;
the loading submodule is specifically used to pop up the certificate selection dialog box and to display the user certificate in the certificate selection dialog box indexed by certificate site.
6. The system according to claim 4, characterized in that:
the security key storage hardware is specifically used to provide storage applications for the browser client device, wherein each application comprises a container and the user certificate stored in the container;
the reading submodule is specifically used to read the applications stored in the security key storage hardware through the interface channel and display them for the user to select; to open the application selected by the user; and to load the container under the selected application and the user certificate stored in that container.
7. The system according to claim 1, characterized in that:
the authentication module is specifically used, when selection information of the user for the user certificate is received, to pop up a personal identification number input box and receive the personal identification number entered by the user through the personal identification number input box, and to perform identity verification on the user according to the entered personal identification number.
8. The system according to claim 7, characterized in that:
the authentication module is further used, when the identity verification does not pass, to display a password error in the personal identification number input box, prompt the user to re-enter the personal identification number, and perform identity verification according to the re-entered personal identification number.
9. The system according to claim 8, characterized in that:
the authentication module is further used to set a maximum input number for the personal identification number input box, and, when the number of personal identification numbers entered by the user in the personal identification number input box reaches the maximum input number, to close the personal identification number input box and disconnect the connection with the security key storage hardware.
10. The system according to claim 1, characterized in that:
the loading module is specifically used, after the identity verification passes, to obtain the authentication information in the user certificate and load the authentication information into a certificate reader;
the encryption subprocess module is used to start the certificate reader according to a trigger instruction and to display the authentication information of the user certificate in the certificate reader.
11. The system according to claim 10, characterized in that:
the encryption subprocess module is used to set a general tab and a details tab in the certificate reader; the general information of the user certificate corresponding to the selection information is displayed in the general tab, and the detailed information of the user certificate corresponding to the selection information is displayed in the details tab.
12. The system according to claim 2, characterized in that:
the encryption subprocess module is further used to determine, during the handshake, whether a certificate verification request message sent by the network server has been received;
the connection module of the browser client device is further used, when the encryption subprocess module receives the certificate verification request message sent by the network server, to monitor whether security key storage hardware is inserted into an interface of the terminal on which the browser client device is located, and, upon detecting that security key storage hardware has been inserted, to automatically identify and connect the security key storage hardware inserted into the interface of that terminal.
13. The system according to claim 1, characterized in that:
the encryption subprocess module is further used to disconnect the connection with the security key storage hardware after the loading module has loaded the content of the user certificate corresponding to the selection information.
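The read, PIN-verify, load and disconnect sequence of claims 4 to 9 and 13, as an added Python model that is not part of the patent or of any product it describes: `SecurityKeyStorage`, `UserCertificate` and `BrowserClientSession` are constructed stand-ins with no real USB key driver behind them, the PIN, certificates and attempt limit are constructed sample values, and the maximum input number is counted in wrong PIN entries, since a correct entry closes the dialog anyway.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class UserCertificate:
    subject: str
    site: str       # certificate website used as the dialog index (claim 5)
    container: str  # container of the key application holding it (claim 6)

@dataclass
class SecurityKeyStorage:
    # Constructed stand-in for the security key storage hardware, not a real driver.
    pin: str
    certificates: list
    max_attempts: int = 3   # maximum input number set on the PIN input box (claim 9)
    failed: int = 0
    connected: bool = False

class BrowserClientSession:
    def __init__(self, key: SecurityKeyStorage):
        self.key, self.dialog_open = key, False
    def connect(self) -> None:
        self.key.connected = True  # interface channel established (claim 3)
    def read_certificates(self) -> dict:
        """Reading and identification submodules: read all certificates, group by site."""
        if not self.key.connected:
            raise ConnectionError("security key storage hardware not connected")
        by_site = defaultdict(list)
        for cert in self.key.certificates:
            by_site[cert.site].append(cert)
        self.dialog_open = True  # certificate selection dialog box is shown (claim 4)
        return dict(by_site)
    def authenticate(self, pin_entered: str) -> str:
        """Authentication module (claims 7-9): returns 'ok', 'retry' or 'locked'."""
        if not (self.dialog_open and self.key.connected):
            raise RuntimeError("no certificate selection in progress")
        if hmac.compare_digest(pin_entered, self.key.pin):
            return "ok"
        self.key.failed += 1
        if self.key.failed >= self.key.max_attempts:
            self.dialog_open = self.key.connected = False  # close PIN box, disconnect (claim 9)
            return "locked"
        return "retry"  # password error shown, user asked to re-enter (claim 8)
    def load_certificate(self, cert: UserCertificate, pin_entered: str):
        """Loading module: load only after verification passes, then disconnect (claim 13)."""
        if self.authenticate(pin_entered) != "ok":
            return None
        self.dialog_open = self.key.connected = False
        return cert
```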
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410851101.XA CN104618108B (en) | 2014-12-30 | 2014-12-30 | Safe communication system |
PCT/CN2015/094850 WO2016107321A1 (en) | 2014-12-30 | 2015-11-17 | Secure communication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410851101.XA CN104618108B (en) | 2014-12-30 | 2014-12-30 | Safe communication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104618108A CN104618108A (en) | 2015-05-13 |
CN104618108B true CN104618108B (en) | 2018-07-27 |
Family
ID=53152402
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410851101.XA Expired - Fee Related CN104618108B (en) | 2014-12-30 | 2014-12-30 | Safe communication system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104618108B (en) |
WO (1) | WO2016107321A1 (en) |
- 2014-12-30: CN application CN201410851101.XA, patent CN104618108B, not active (Expired - Fee Related)
- 2015-11-17: WO application PCT/CN2015/094850, publication WO2016107321A1, active (Application Filing)
Also Published As
Publication number | Publication date |
---|---|
CN104618108A (en) | 2015-05-13 |
WO2016107321A1 (en) | 2016-07-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180727; Termination date: 20211230 |