CN104618108B - Safe communication system - Google Patents

Publication number
CN104618108B
Authority
CN
China
Prior art keywords
certificate
user
security key
key storage
storage hardware
Prior art date
Legal status
Expired - Fee Related
Application number
CN201410851101.XA
Other languages
Chinese (zh)
Other versions
CN104618108A (en
Inventor
杭程
石彦伟
贾正强
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410851101.XA
Publication of CN104618108A
Priority to PCT/CN2015/094850 (WO2016107321A1)
Application granted
Publication of CN104618108B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H04L9/40: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/40 Network security protocols
    • G06F21/62: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H04L9/32: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The present invention provides a secure communication system comprising a browser client device, security key storage hardware and a network server. The browser client device includes a connection module, a reading module, an authentication module and a loading module. The content of the user certificate stored in the security key storage hardware is loaded only once the user's identity has been confirmed, which prevents that user certificate from being leaked and improves the safety of loading the security key storage hardware.

Description

Safe communication system
Technical field
The present invention relates to the field of communication technology, and in particular to a secure communication system.
Background technology
With the continuous development of network technology, more and more users obtain information and carry out various operations by accessing web pages through a browser. A browser is software that can display the content of HTML (HyperText Markup Language) files served by a web server or a file system and lets the user interact with those files.
For example, users shop on shopping websites, watch videos on video websites, conduct financial business on bank websites and play games on game websites. For web page requests to different websites the browser performs different access operations in order to reach the page. When accessing certain websites that involve financial business, such as a bank website or the Alipay website, security key storage hardware must be loaded. Loading the security key storage hardware, however, carries the risk that the information stored in it is leaked, and the safety of the loading process cannot be guaranteed; this hinders access to websites that involve financial business.
Invention content
In view of the above problems, the present invention is proposed in order to provide a secure communication system that overcomes, or at least partly solves, the above problems.
One aspect of the present invention provides a secure communication system comprising a browser client device, security key storage hardware and a network server. The network server performs security authentication with the browser client device through a handshake procedure, establishes a secure channel once authentication passes, and transmits encrypted data over that secure channel. The browser client device performs security authentication with the network server through the handshake procedure, establishes the secure channel once authentication passes, transmits encrypted data over it, and connects to the security key storage hardware to obtain the user certificate needed during the security authentication process. The security key storage hardware connects to the browser through a terminal interface and provides the user certificate needed during security authentication. The browser client device includes: a connection module, which automatically identifies and connects to the security key storage hardware inserted into an interface of the terminal hosting the browser client device; a reading module, which reads and displays the user certificates stored in the security key storage hardware for the user to select; an authentication module, which verifies the user's identity when it receives the user's selection of a user certificate; and a loading module, which loads the content of the selected user certificate after identity verification passes.
When the secure communication system according to the present invention loads a user certificate stored in security key storage hardware, it first verifies the user's identity, and loads the content of the stored user certificate only after that verification passes and the user's identity is confirmed. This solves the problems of information leakage and security risk during loading of security key storage hardware, prevents the user certificate stored in the hardware from being leaked, and thereby improves the safety of loading the security key storage hardware.
The above is only a summary of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer and more comprehensible, specific embodiments of the present invention are set out below.
Description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for loading security key storage hardware according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method for loading security key storage hardware according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the proxy mechanism of the encryption subprocess according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the handshake procedure between the encryption subprocess and the network server according to an embodiment of the invention;
Fig. 5 shows a schematic diagram of the browser client prompting the user to insert a USBKey according to an embodiment of the invention;
Fig. 6 shows a schematic diagram of the certificate selection dialog box popped up in the browser client according to an embodiment of the invention;
Fig. 7 shows a schematic diagram of the browser client prompting the user to enter the protection password according to an embodiment of the invention;
Fig. 8A shows a schematic diagram of the general information of a user certificate loaded in the browser client according to an embodiment of the invention;
Fig. 8B shows a schematic diagram of the detailed information of a user certificate loaded in the browser client according to an embodiment of the invention;
Fig. 9 shows a structural block diagram of a secure communication system according to an embodiment of the invention;
Fig. 10 shows a structural block diagram of a browser client device according to an embodiment of the invention;
Fig. 11 shows an alternative structural block diagram of a browser client device according to an embodiment of the present invention;
Fig. 12A shows a first structural block diagram of the reading module according to an embodiment of the invention;
Fig. 12B shows a second structural block diagram of the reading module according to an embodiment of the invention;
Fig. 13 shows a structural block diagram of the encryption subprocess according to an embodiment of the invention; and
Fig. 14 shows a structural block diagram of the main business process according to an embodiment of the invention.
Specific implementation mode
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention will be understood more thoroughly and so that the scope of the disclosure is fully conveyed to those skilled in the art.
Embodiment one:
Referring to Fig. 1, which shows a step flow chart of an embodiment of a method for loading security key storage hardware according to an embodiment of the invention, the method may specifically include the following steps:
Step 102: automatically identify and connect to the security key storage hardware inserted into an interface of the terminal hosting the browser client.
When a user logs in to an online payment platform such as online banking or Alipay using the browser client, the user must insert security key storage hardware in order to ensure the safety of the data transmission. That is, when the user enters the address of such a website in the address bar of the browser client to request the corresponding web page, the browser client prompts the user to insert the security key storage hardware. The website address received in the address bar may have been typed directly by the user or entered after the user clicked a search result; this embodiment does not limit this.
The security key storage hardware, i.e. a USBKey, stores user certificates that the user can select. It should be noted that one security key storage hardware device usually stores one user certificate, and each major bank has its own corresponding security key storage hardware. For example, the security key storage hardware for the online banking of Bank of Beijing stores a user certificate issued by Bank of Beijing, and the security key storage hardware for the online banking of Construction Bank stores a user certificate issued by Construction Bank.
It should be noted that the security key storage hardware is usually in a form that mates with a USB interface and can be inserted into a terminal such as a computer through that USB interface. After the security key storage hardware is inserted into the terminal through the USB interface, the browser client of this embodiment can automatically identify the security key storage hardware inserted into the interface of the terminal hosting it, distinguishing it from other USB hardware. Once it recognizes that security key storage hardware has been inserted into the terminal, it automatically establishes a connection with it. The connection referred to here is a communication connection established with the security key storage hardware by downloading a driver, through which the user certificate stored in the hardware can be read; it is not limited to a physical connection.
Step 104: the browser client reads and displays the user certificates stored in the security key storage hardware for the user to select.
After the browser client has established the communication connection with the security key storage hardware, it can read the user certificate stored in it and display it for the user to select. In a specific implementation, the browser client may display the user certificate in a pop-up window or by other means; this embodiment does not limit the specific display mode, as long as the user certificate is displayed so that the user can see it and conveniently select it.
Step 106: when the browser client receives the user's selection of a user certificate, it verifies the user's identity.
The reason the browser client needs to automatically identify the security key storage hardware is that security verification is required when accessing a payment platform such as online banking. Specifically, in this embodiment the user's identity must be verified: after the user selects a user certificate, identity verification is carried out on the user. It should be noted that although identity verification is carried out by the browser client, it is in fact the bank's network server that requires the user's identity to be verified in order to confirm who the user is.
It should be noted that identity verification in this embodiment can be implemented in various ways. For the online banking login scenario, the user may be asked to enter the bank card password or the separate online banking password, and the user's identity is verified with it. Because the bank's network server stores the bank password set by the user or the separate online banking password, the browser client can send the identity information entered by the user, such as the bank card password, to the network server to be matched against the user identity information stored there; if it matches, the user's identity verification passes, otherwise identity verification fails. It should be noted that the identity information entered by the user during identity verification may be the bank card password mentioned above, a protection password, the user's ID card number, or any other information that can represent the user's identity. This embodiment does not limit the specific content of the identity information, nor the specific process of identity verification, as long as the user's identity can be confirmed.
Step 108: after identity verification passes, load the content of the user certificate corresponding to the selection information.
After identity verification passes, the browser client can confirm that the user is safe and not a user carrying out a malicious attack such as a hacker, and at this point it loads the specific content of the user certificate corresponding to the selection. The user certificate shown in step 104 is displayed only for the user to select, so what is shown in step 104 is not the specific content of the user certificate; it may be only the name of the user certificate. Only once identity verification has passed and the browser client has confirmed that the user is safe does it load the specific content of the selected user certificate.
In summary, when loading security key storage hardware, the browser client of this embodiment first automatically identifies and connects to the security key storage hardware inserted into an interface of the terminal hosting it; then it reads and displays the user certificates stored in that hardware for the user to select; then, when it receives the user's selection of a user certificate, it verifies the user's identity; and finally, after identity verification passes, it loads the content of the selected user certificate. Because this embodiment verifies the user's identity before loading a user certificate stored in the security key storage hardware, and loads the certificate content only once identity verification has passed and the user's identity is confirmed, the user certificate stored in the security key storage hardware is prevented from being leaked, and the safety of loading the security key storage hardware is improved.
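The four-step flow of Embodiment one, as an added example that is not part of the patent: a Python simulation against an in-memory stand-in for the USBKey. The hardware, the certificate data, the protection password and the retry limit are all constructed for this example; the patent leaves the identity-verification method open, and the example uses a protection password checked as a salted hash. What it shows is the ordering the embodiment relies on: the page sees certificate names in step 104, and certificate content leaves the device only after step 106 succeeds.

```python
"""Added example (not code from the patent): steps 102-108 against a fake USBKey."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


class AuthenticationError(Exception):
    """Raised when identity verification (step 106) fails."""


@dataclass
class UserCertificate:
    name: str        # label shown for selection in step 104
    content: bytes   # the actual certificate, handed out only in step 108


@dataclass
class FakeUsbKey:
    """Constructed stand-in for security key storage hardware.

    The protection password is kept only as a salted PBKDF2 hash and compared in
    constant time. The three-attempt limit is an assumption of this example; the
    patent does not specify one.
    """
    certificates: Dict[str, UserCertificate]
    _salt: bytes
    _password_hash: bytes
    remaining_attempts: int = 3

    @classmethod
    def provision(cls, certs: List[UserCertificate], password: str) -> "FakeUsbKey":
        salt = os.urandom(16)
        return cls({c.name: c for c in certs}, salt, cls._hash(salt, password))

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def list_certificate_names(self) -> List[str]:
        """Step 104: names only, never certificate content."""
        return sorted(self.certificates)

    def verify_password(self, password: str) -> bool:
        """Step 106: identity verification with the protection password."""
        if self.remaining_attempts <= 0:
            return False
        ok = hmac.compare_digest(self._hash(self._salt, password), self._password_hash)
        self.remaining_attempts = 3 if ok else self.remaining_attempts - 1
        return ok

    def read_certificate(self, name: str) -> bytes:
        return self.certificates[name].content


class BrowserClient:
    """Plays the connection, reading, authentication and loading modules."""

    def __init__(self) -> None:
        self.key: Optional[FakeUsbKey] = None
        self.loaded_certificate: Optional[bytes] = None

    def connect(self, inserted_devices: List[object]) -> bool:
        """Step 102: pick the USBKey out of whatever USB devices are present."""
        self.key = next((d for d in inserted_devices if isinstance(d, FakeUsbKey)), None)
        return self.key is not None

    def read_certificate_names(self) -> List[str]:
        if self.key is None:
            raise RuntimeError("no security key storage hardware connected")
        return self.key.list_certificate_names()

    def select_and_load(self, selected_name: str, password: str) -> bytes:
        """Steps 106 and 108: verify identity first, load content only on success."""
        if self.key is None:
            raise RuntimeError("no security key storage hardware connected")
        if selected_name not in self.key.list_certificate_names():
            raise KeyError(selected_name)
        if not self.key.verify_password(password):
            raise AuthenticationError("identity verification failed; certificate not loaded")
        self.loaded_certificate = self.key.read_certificate(selected_name)
        return self.loaded_certificate


def build_demo_key() -> FakeUsbKey:
    """Constructed sample: one certificate, as is typical for a bank-issued USBKey."""
    cert = UserCertificate("Bank of Beijing - personal online banking",
                           b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED SAMPLE\n-----END CERTIFICATE-----")
    return FakeUsbKey.provision([cert], password="correct horse")


if __name__ == "__main__":
    client = BrowserClient()
    client.connect(["some other usb device", build_demo_key()])
    names = client.read_certificate_names()
    print("offered for selection:", names)
    print(client.select_and_load(names[0], "correct horse")[:27])
```

The `loaded_certificate` attribute stays `None` after a failed attempt, which is the property a reviewer would check in a real client: nothing read in step 104 should allow the page to reach certificate content.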
Embodiment two:
On the basis of the above embodiment, this embodiment continues with the method for loading security key storage hardware.
Referring to Fig. 2, which shows a step flow chart of an embodiment of a method for loading security key storage hardware according to an embodiment of the invention, the method may specifically include the following steps:
Step 202: start, in the browser client, an encryption subprocess that communicates with the main business process, where the encryption subprocess acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them.
Some websites, such as bank websites and the Alipay website, involve financial business and require data to be transmitted in encrypted form over a security-oriented HTTP (Hypertext Transfer Protocol) channel. The browser's main business process and the network server, however, sometimes use different encryption protocols or algorithms, so the two cannot communicate directly and the web pages of that network server cannot be accessed.
This embodiment provides a secure browser client in which an encryption subprocess communicating with the browser's main business process is also provided. To realize the secure browser, the encryption subprocess communicating with the browser's main business process must first be started in the browser client. The encryption subprocess mainly acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them. With the encryption subprocess acting as proxy for the main business process, it can carry out encrypted secure communication with the browser's main business process and also encrypted secure communication with the network server: for example, the business data of the browser's main business process is sent to the encryption subprocess over the first encrypted channel, and the encryption subprocess transmits that business data to the network server over the second encrypted channel, thereby forwarding the data and linking the two encrypted channels.
It should be noted that, normally, the browser's main business process communicates directly with the network server. When communicating over a security-oriented HTTP channel, however, if the main business process cannot parse the data returned by the network server, the encryption subprocess is started as a connection proxy, i.e. the encryption subprocess acts as the proxy between the main business process and the network server. In this embodiment the first encrypted channel is the secure communication channel between the browser's main business process and the encryption subprocess, and the second encrypted channel is the secure communication channel between the encryption subprocess and the network server. The encryption subprocess therefore acts as the connection proxy between the main business process and the network server by converting the first encrypted channel (between the encryption subprocess and the main business process) into the second encrypted channel (between the encryption subprocess and the network server). For business data that the main business process sends to the encryption subprocess over the first encrypted channel, the encryption subprocess sends that business data on to the network server over the second encrypted channel. Specifically, the data communicated over the second encrypted channel may be business data encrypted with the symmetric encryption algorithm SM4.
In this embodiment the browser's main business process communicates with the encryption subprocess in two ways, proxying and IPC: the encryption subprocess acts as the connection proxy, responsible for the channel conversion and data forwarding between the first encrypted channel to the browser's main business process and the second encrypted channel to the network server, while the IPC communication mode is responsible for data transmission between the processes. In this embodiment the proxy implementation mechanism of the encryption subprocess is shown in Fig. 3 and may specifically include the following structure:
Main thread: reads the various configurations and creates the listening thread, the business thread and the IPC channel to the browser host process.
Listening thread: listens on the service port; when a connection request from the main business process is present and is accepted (accept) successfully, it performs the corresponding proxy operation.
Business processing thread: establishes and maintains the respective encrypted channel connections with the main business process at one end and the network server at the other, and acts as a bridge exchanging data between the two ends.
It should be noted that the detailed flow of the business processing thread is as follows: (1) Receive the proxy data, specifically the HTTP request data of the proxy connection. (2) Establish the SSL connection with the network server, which specifically includes establishing the SSL connection, SSL protocol negotiation, algorithm negotiation, and client certificate verification (CRL checking or OCSP authentication). (3) Interact with the web server, specifically sending the HTTP request data of the proxy connection to the web server over the SM (national cryptographic) SSL channel and obtaining the HTTP response of the web server. (4) Send the data returned by the web server to the proxy connection, specifically handing the network server's HTTP response to the proxy connection. (5) Close the connection. If an error occurs in the business processing flow, the connection is closed and an error page is returned to the proxy connection. It should be noted that the second symmetric algorithm may specifically be a national cryptographic (SM) algorithm.
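The thread structure of Fig. 3 and the five-step business thread flow, as an added example that is not the patent's or the assignee's code: a loopback TCP proxy in Python. The network server, the request and the channel-2 key are constructed; channel 1 is plain loopback here, standing in for the first encrypted channel, and channel 2 is framed with a SHA-256 keystream plus an HMAC tag as a stand-in for SM4, because the Python standard library has no SM4. The part worth copying is step (5): any failure on channel 2, including an integrity failure, closes the proxy connection after returning an error page rather than forwarding whatever arrived.

```python
"""Added example (not the patent's code): encryption-subprocess proxy on loopback sockets."""
import hashlib
import hmac
import os
import socket
import struct
import threading

socket.setdefaulttimeout(5)  # keep the demo from hanging if a peer misbehaves

# Constructed channel-2 key, standing in for the key agreed during the handshake.
KEY = hashlib.sha256(b"constructed demo key agreed during the handshake").digest()
ERROR_PAGE = b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 12\r\n\r\nproxy error\n"


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed channel 2")
        buf += chunk
    return buf


def _xor_stream(nonce: bytes, data: bytes) -> bytes:
    """Keystream = SHA-256(key || nonce || counter): a stand-in for SM4, not SM4."""
    ks = b"".join(hashlib.sha256(KEY + nonce + struct.pack(">I", i)).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(data: bytes) -> bytes:
    """Frame for channel 2: length || nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(nonce, data)
    tag = hmac.new(KEY, nonce + ct, "sha256").digest()
    body = nonce + ct + tag
    return struct.pack(">I", len(body)) + body


def unseal(sock: socket.socket) -> bytes:
    """Read one frame from channel 2; a bad tag is an error, never forwarded."""
    (n,) = struct.unpack(">I", _read_exact(sock, 4))
    body = _read_exact(sock, n)
    nonce, ct, tag = body[:16], body[16:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, nonce + ct, "sha256").digest()):
        raise ValueError("channel 2 integrity check failed")
    return _xor_stream(nonce, ct)


def fake_web_server(srv: socket.socket, misbehave: bool) -> None:
    """Constructed stand-in for the network server at the far end of channel 2."""
    conn, _ = srv.accept()
    with conn, srv:
        request = unseal(conn)
        if misbehave:
            return  # drop the connection without answering
        body = b"you asked for " + request.split(b" ")[1]
        conn.sendall(seal(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)))


def business_thread(agent_conn: socket.socket, server_port: int) -> None:
    """Steps (1)-(5) of the business processing thread."""
    with agent_conn:
        try:
            request = agent_conn.recv(65536)                                   # (1) receive proxy data
            with socket.create_connection(("127.0.0.1", server_port)) as ch2:  # (2) open channel 2
                ch2.sendall(seal(request))                                     # (3) forward request
                response = unseal(ch2)                                         #     and read the reply
            agent_conn.sendall(response)                                       # (4) hand reply to agent
        except (OSError, ValueError):                                          # (5) error path
            try:
                agent_conn.sendall(ERROR_PAGE)
            except OSError:
                pass
    # (5) the with-block has closed the proxy connection in both outcomes


def listener_thread(listen_sock: socket.socket, server_port: int) -> None:
    """Accept one connection from the main business process and hand it to a business thread."""
    conn, _ = listen_sock.accept()
    threading.Thread(target=business_thread, args=(conn, server_port)).start()


def run_proxy_exchange(request: bytes, misbehaving_server: bool = False) -> bytes:
    """Main-thread role: create the threads, then play the main business process on channel 1."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen()
    server_port = srv.getsockname()[1]
    srv_t = threading.Thread(target=fake_web_server, args=(srv, misbehaving_server)); srv_t.start()
    listen_sock = socket.socket(); listen_sock.bind(("127.0.0.1", 0)); listen_sock.listen()
    threading.Thread(target=listener_thread, args=(listen_sock, server_port)).start()
    with socket.create_connection(listen_sock.getsockname()) as ch1:  # channel 1: loopback IPC here
        ch1.sendall(request)
        response = b""
        while chunk := ch1.recv(4096):
            response += chunk
    srv_t.join()
    listen_sock.close()
    return response


def frame_roundtrip(data: bytes, tamper: bool = False) -> bytes:
    """Seal then unseal over a socketpair; a tampered frame must raise ValueError."""
    a, b = socket.socketpair()
    with a, b:
        frame = bytearray(seal(data))
        if tamper:
            frame[-1] ^= 0x01  # flip one bit of the tag
        a.sendall(bytes(frame))
        return unseal(b)
```

Running `run_proxy_exchange` with `misbehaving_server=True` exercises the error branch: the server closes channel 2 without answering, the business thread returns `ERROR_PAGE` to the main business process and closes, exactly the "close the connection and return the error page" behaviour the text describes.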
It should be noted that the use of SSL security technology to solve network application authentication and data security has gained wide acceptance: mainstream browsers and network servers have built-in SSL modules, and professional SSL hardware products are also widely used. Current SSL products, however, all have certain limitations:
(1) Current SSL products generally use a single-certificate mechanism, whereas the double-certificate mechanism is the prevailing model for building PKI (Public Key Infrastructure) systems today. This embodiment uses a signing certificate for identity authentication and an encryption certificate for key exchange and protection, exploiting the advantage of asymmetric keys in PKI technology.
(2) Current SSL products generally use symmetric algorithms published abroad, which do not meet security requirements and carry a certain risk. In this embodiment the symmetric algorithm of the cryptographic product uses the SM1 or SM4 algorithm.
(3) Current certificate asymmetric algorithms use the RSA algorithm, whereas elliptic curve cryptography (ECC), used in this embodiment, is a public key cryptosystem with greater security and higher efficiency than RSA. It provides important cryptographic functions such as encryption/decryption, digital signature and key agreement, and can safely and conveniently meet important information security needs in various information networks such as user identity authentication, verifying the authenticity of electronic information, and confidential transmission. It is a core technology of the information security field, has gradually been adopted as a public key cryptography standard by many international and national standards organizations (IEEE P1363, ANSI X9, ISO/IEC and IETF, among others), and will become one of the mainstream cryptographic techniques used by the information security industry. China has named its domestic ECC (ECDSA+ECDH) algorithm SM2.
The method for loading security key storage hardware provided in this embodiment meets the requirements of China's PKI system and cryptographic product management policy, and positively promotes the standardization of the management of domestic security products and the rapid growth of network applications.
Step 204: the encryption subprocess performs two-way digital certificate authentication with the network server through a handshake procedure.
In this embodiment, two-way authentication means that the network server of the accessed website and the browser client authenticate each other, confirming that the digital certificate of the accessed network server and the digital certificate loaded by the browser client are both safe and valid. The certificates to be authenticated in two-way authentication therefore include the website certificate of the accessed website and the user certificate loaded by the browser client. The step in which the encryption subprocess of this embodiment performs two-way digital certificate authentication with the network server through the handshake procedure may specifically be implemented as follows: through the handshake procedure, the encryption subprocess and the network server perform the following security authentication operations in sequence: encryption data negotiation, certificate verification, key exchange and signature authentication.
It should be noted that the above two-way authentication process is also completed within the handshake procedure between the browser client and the network server to which the website belongs, and that handshake procedure can be implemented at least as follows:
First, the browser client sends a client hello message ClientHello to the network server, and the network server returns a server hello message ServerHello to the browser client to negotiate the encryption data.
Then the network server sends a server certificate message ServerCertificate to the browser client. Because two-way authentication is to be carried out, the network server sends to the browser client in turn a server key exchange message ServerKeyExchange, a certificate verification request message ServerRequest and a server hello done message ServerHelloDone. The certificate verification request message indicates that certificate verification of the client is to be carried out.
The browser client then authenticates the website certificate of the network server using the asymmetric algorithm SM2. After that authentication passes, the browser client sends a client certificate message ClientCertificate to the network server; this message contains the user certificate loaded by the browser client, and the network server authenticates that user certificate on the basis of the asymmetric algorithm SM2.
In the subsequent handshake procedure, the browser client may also send to the network server a client key exchange message ClientKeyExchange, a client hello done message ClientHelloDone, and the other handshake messages required for key exchange and signature authentication; this embodiment does not discuss them one by one.
It should be noted that the client hello message (ClientHello message) is the first message of the handshake protocol between the browser client and the network server. After the encryption subprocess sends the client hello message to the network server, it waits for the network server to return the ServerHello message. The structure of the message sent by the client is defined as follows:
1. client_version indicates the protocol version used by the client in this session, for example protocol version 1.1.
2. random is random information generated by the client; its content includes the time and a random number.
3. session_id is the session identifier used by the client in this connection. session_id is a variable-length field whose value is determined by the server. If there is no reusable session identifier, or new security parameters are to be negotiated, this field is empty; otherwise it indicates that the client wishes to reuse the session. This session identifier may be a previous connection identifier, the current connection identifier, or the identifier of another connection that is in the connected state. Once generated, a session identifier should remain consistent until it is deleted by timeout or a connection associated with the session encounters a fatal error and is closed. When a session fails or is closed, all connections associated with it should be forced to close.
4. cipher_suites is the list of cipher suites supported by the client. The client should arrange them in priority order of use, with the highest-priority cipher suite first. If the session identifier field is not empty, this field should at least include the cipher suite used by the session to be reused. Each cipher suite comprises a key exchange algorithm, an encryption algorithm and a checking algorithm. The server selects a matching cipher suite from the cipher suite list; if no cipher suite can be matched, it should return a handshake failure alert message and close the connection.
5. compression_methods is the list of compression algorithms supported by the client, arranged by the client in priority order of use, with the highest-priority compression algorithm first. The server selects a matching compression algorithm from the list; the list must include the null compression algorithm, so that the client and server can always negotiate a common compression algorithm.
It should be noted that if the server can find a matching cipher suite in the client hello message, it sends the server hello message (ServerHello message) as the reply to the client hello message. If no matching cipher suite can be found, the server responds with an alert message.
In this embodiment, the authentication of the digital certificates uses an asymmetric algorithm: the sender encrypts data with the recipient's public key, and the recipient decrypts the data with its own private key. The asymmetric algorithm of the certificates is SM2; identity authentication is implemented with the signing certificate based on ECDSA signatures, and key agreement is implemented with the encryption certificate based on ECDH.
In an optional example of the embodiment of the present invention, the bidirectional certificate authentication between the encryption subprocess and the network server can specifically be carried out as follows:
1) the encryption subprocess receives the server-side certificate message sent by the network server, which contains the website signing certificate of the network server;
2) the encryption subprocess receives the certificate verification request message sent by the network server, which indicates that certificate verification of the client is to be performed;
3) the encryption subprocess receives the server-side key exchange message sent by the network server, which contains the key exchange parameters;
4) the encryption subprocess receives the server-side hello done message sent by the network server;
5) the encryption subprocess authenticates the website signing certificate;
6) after the website signing certificate passes authentication, the encryption subprocess sends a client certificate message to the network server, which contains the signing certificate of the browser client, so that the network server can authenticate that signing certificate.
In this embodiment, the encrypted data negotiation, certificate verification, key exchange and signature authentication described above are all executed in the handshake between the encryption subprocess of the secure browser client and the network server. The two-way authentication uses a double-certificate mechanism; the asymmetric algorithm of the certificates is SM2, identity authentication is implemented with the signing certificate based on ECDSA signatures, and key agreement is implemented with the encryption certificate based on ECDH. Data is encrypted with the SM4 algorithm and digested with the SM3 algorithm.
Here the SM2 algorithm (SM2 algorithm) is an elliptic-curve public key cryptographic algorithm with a key length of 256 bits. The SM3 algorithm (SM3 algorithm) is a cryptographic hash algorithm with a key length of 128 bits. The SM4 algorithm (SM4 algorithm) is a block cipher with a block length of 128 bits and a key length of 128 bits.
As shown in Figure 4, the handshake between the encryption subprocess and the network server includes:
4.02, the encryption subprocess sends the client hello message ClientHello to the network server.
4.04, the network server sends the server-side hello message SeverHello to the encryption subprocess of the secure browser client.
Here the network server finds a matching cipher suite in the ClientHello message and sends SeverHello as its reply; if no matching cipher suite can be found, it sends an alert message. In the SeverHello, Sever_vision indicates the version number supported by the server, such as 1.1; Radom is the random number generated by the server side; session_id is the session identifier used by the server side; cipher_suites is the cipher suite the server side chose from the ClientHello message; compression_methods is the compression algorithm the server side chose from the ClientHello message.
4.06, the network server sends the server-side certificate message Certificate to the encryption subprocess.
That is, the content of the SeverCertificate message is the signing certificate and the encryption certificate, such as the website signing certificate of the server side (an X.509 sequence).
4.08, the network server sends the certificate verification request message SeverRequest to the encryption subprocess.
The SeverRequest message asks the client to provide a certificate and at the same time specifies the authentication type (ECDSA).
4.10, the network server sends the server-side key exchange message SeverKeyExchange to the encryption subprocess.
SeverKeyExchange lets the client compute and generate a 48-byte pre-master key. The public key can be obtained directly from the encryption certificate of the server side: the client randomly generates the pre-master key pre_master_seceret and performs the ECDH operation with the public key of the server certificate.
4.12, the network server sends the hello done message SeverHelloDone to the encryption subprocess.
SeverHelloDone indicates that the hello message phase of the handshake is complete, after which the server waits for the client's response messages.
4.14, the encryption subprocess sends the client certificate message Certificate to the network server.
That is, the ClientCertificate message is the first message after the hello message phase is complete, and it contains the signing certificate of the client (an X.509 sequence).
4.16, the encryption subprocess sends the client key exchange message ClientKeyExchange to the network server.
The ClientKeyExchange message carries the pre-master key encrypted with the public key of the network server.
4.18, the encryption subprocess sends the certificate verify message CertificateVerify to the network server.
The CertificateVerify message is used to prove that the client is the legitimate holder of the certificate. In this embodiment, after the user inserts the USBKey, the user is prompted to enter the protection password, which is carried in the message to verify whether the user is legitimate.
For example, the client produces an ECDSA signature over the digest of the handshake information with the ECC private key of the signing certificate.
4.20, the encryption subprocess sends the client cipher spec change message ChangeCipherSpec to the network server.
That is, the ClientChangeCipherSpec message tells the server side that algorithm and key negotiation are complete.
4.22, the encryption subprocess sends the client handshake finished message Finished to the network server.
In this embodiment, the encryption subprocess computes master_seceret from the client random number, the server-side random number and pre_master_seceret with the key algorithm, then uses the random numbers and master_seceret again to compute the real data encryption key, then digests all the handshake information, encrypts the digest to form the ClientFinished message, and sends it to the server side.
4.24, the network server sends the server-side cipher spec change message ChangeCipherSpec to the encryption subprocess.
4.26, the network server sends the server-side handshake finished message Finished to the encryption subprocess.
The server side verifies the client certificate and verifies the client's signature with the client's signing certificate. The server uses its own encryption key to perform the ECDH operation and obtains pre_master_seceret, computes master_seceret and the data encryption key with the same algorithm as the client, verifies the correctness of the SeverFinished message, and sends the SeverChangeCipherSpec message to the client to confirm the algorithm and key negotiation.
Through the above handshake, the mutual authentication and key agreement between the browser client and the network server are complete, and the encryption subprocess and the network server can each encrypt application data with the key computed in the negotiation.
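The hello negotiation and the Finished check from the handshake above, as an added Python simulation that is not part of the patent: the server takes the first suite in the client's priority list that it also supports (handshake failure otherwise), null compression must be offered, and both sides derive master_seceret and the data key from pre_master_seceret and the two random numbers before the digest of the transcript is checked. Assumptions the patent does not make: the unnamed key algorithm is modelled as HMAC-SHA256, SM3 is replaced by SHA-256, the SM2/ECDH exchange is represented by handing both sides the same 48-byte pre_master_seceret, and the Finished message carries a keyed digest rather than an SM4-encrypted one.

```python
import hashlib
import hmac
import os

NULL_COMPRESSION = "null"   # the null compression method every ClientHello must offer


class HandshakeFailure(Exception):
    """Where the patent says the server returns a handshake failure alert and closes."""


def choose_cipher_suite(client_suites, server_suites):
    # Client list is in priority order, highest first; the server takes the
    # first suite it also supports, otherwise the handshake fails.
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise HandshakeFailure("no matching cipher suite")


def choose_compression(client_methods, server_methods):
    # The client list must contain null compression so that a consistent
    # method can always be negotiated.
    if NULL_COMPRESSION not in client_methods:
        raise HandshakeFailure("ClientHello omits null compression")
    for method in client_methods:
        if method in server_methods:
            return method
    return NULL_COMPRESSION


def derive_master_secret(pre_master, client_random, server_random):
    # master_seceret = key algorithm(pre_master_seceret, client random, server random);
    # HMAC-SHA256 is an assumed stand-in for the patent's unnamed key algorithm.
    return hmac.new(pre_master, b"master" + client_random + server_random,
                    hashlib.sha256).digest()


def derive_data_key(master_secret, client_random, server_random):
    # The real data encryption key is derived again from the randoms and
    # master_seceret; truncated to 16 bytes to match the 128-bit SM4 key length.
    return hmac.new(master_secret, b"key" + client_random + server_random,
                    hashlib.sha256).digest()[:16]


def finished_message(data_key, transcript):
    # Digest of all handshake messages so far, bound to the negotiated key.
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(data_key, digest, hashlib.sha256).digest()


def run_handshake(client_suites, client_compression, server_suites,
                  server_compression, pre_master=None):
    """Run both sides of the hello negotiation and the Finished check."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    # 48-byte pre_master_seceret; in the patent it comes from ECDH with the
    # server's encryption certificate, here both sides simply share it (assumption).
    pre_master = pre_master or os.urandom(48)
    suite = choose_cipher_suite(client_suites, server_suites)
    compression = choose_compression(client_compression, server_compression)
    transcript = [b"ClientHello:" + client_random,
                  b"ServerHello:" + server_random + suite.encode() + compression.encode()]
    # Client side: derive keys and build ClientFinished.
    client_master = derive_master_secret(pre_master, client_random, server_random)
    client_key = derive_data_key(client_master, client_random, server_random)
    client_finished = finished_message(client_key, transcript)
    # Server side: recompute independently and verify ClientFinished.
    server_master = derive_master_secret(pre_master, client_random, server_random)
    server_key = derive_data_key(server_master, client_random, server_random)
    expected = finished_message(server_key, transcript)
    return {"suite": suite, "compression": compression,
            "keys_match": client_key == server_key,
            "finished_ok": hmac.compare_digest(client_finished, expected)}


if __name__ == "__main__":
    # Constructed sample suite names; SM2-SM4-SM3 stands for the patent's choice.
    print(run_handshake(["SM2-SM4-SM3", "RSA-AES-SHA"], ["gzip", "null"],
                        ["RSA-AES-SHA", "SM2-SM4-SM3"], ["null"]))
```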
Step 206, automatically identify and connect to the security key storage hardware inserted into an interface of the terminal where the browser client is located.
This embodiment is explained taking a website that requires two-way authentication as the example. When the address bar of the browser client receives a website address entered by the user that requires two-way authentication, the browser client pops up a dialog box prompting the user to insert the security key storage hardware, that is, to insert the USBKey, as shown in Figure 5. Two-way authentication means that the network server of the accessed website and the browser client authenticate each other, confirming that the digital certificate of the accessed network server and the digital certificate loaded by the browser client are both safe and valid; therefore the certificates to be authenticated in two-way authentication include the website certificate of the accessed website and the user certificate loaded by the browser client. Accordingly, automatically identifying and connecting to the security key storage hardware inserted into an interface of the terminal where the browser client is located, as described in this embodiment, can specifically include the following two sub-steps:
Sub-step one: when performing the two-way authentication of the digital certificates, the encryption subprocess associates the vendor ID and product ID of the security key storage hardware with the corresponding activation point and driver interface. It should be noted that the digital certificates in the two-way authentication specifically include the website certificate of the accessed website and the user certificate loaded by the browser client, which is stored in the security key storage hardware. The encryption subprocess of the browser can associate the vendor ID and product ID of the security key storage hardware with the corresponding activation point and driver interface.
Sub-step two: establish a connection channel with the security key storage hardware through the activation point and driver interface. After the activation point and driver interface of the security key storage hardware are known, a communication channel with the security key storage hardware can be established through them.
It should be noted that, in an optional example of the embodiment of the present invention, before step 206 (automatically identifying and connecting to the security key storage hardware inserted into an interface of the terminal where the browser client is located), the method further includes: during the handshake, the encryption subprocess determines whether it has received the certificate verification request message sent by the network server; when that message has been received, it monitors whether security key storage hardware has been inserted into an interface of the terminal where the browser client is located; and when an insertion has been detected, it executes step 206, automatically identifying and connecting to the security key storage hardware inserted into the interface of the terminal.
Step 208, the browser client reads and displays the user certificates stored in the security key storage hardware for the user to select.
The browser client described in this embodiment reads and displays the user certificates stored in the security key storage hardware for the user to select, which can specifically be done through the following sub-steps:
Sub-step one: the encryption subprocess reads the user certificates stored in the security key storage hardware through the connection channel. The encryption subprocess establishes the connection channel with the security key storage hardware according to the activation point and driver interface, and can read the user certificates stored in the security key storage hardware through that channel. It should be noted that what the encryption subprocess reads at this point is only information such as the title of each user certificate, and not the specific content of the user certificate. In an optional example of the embodiment of the present invention, the encryption subprocess reading the user certificates stored in the security key storage hardware through the connection channel can specifically include: the encryption subprocess reads the applications stored in the security key storage hardware through the connection channel and displays the applications for the user to select, where each application contains containers and the user certificates stored in those containers; it then opens the application selected by the user and loads the container selected by the user and the user certificate stored in that container.
Sub-step two: pop up a certificate selection dialog box, load the user certificates into the certificate selection dialog box and prompt the user to select a user certificate. It should be noted that, as shown in Figure 6, the certificate selection dialog box that this embodiment pops up in the browser client can specifically include any one or more of the following: the current device, the application name, the container name, the certificate CN, the issuer, the effective date, the expiry time and the title of the user certificate, which can prompt the user to select the user certificate; this embodiment is not a limitation on the specific form or content of the certificate selection dialog box.
In this embodiment, to ensure the security of the accessed website and the user, the CA issues a different website certificate for each website, and issues different user certificates for the different users of different websites. A digital certificate contains the public key of the website or user, information about the website or user, a digital signature and similar content.
Therefore, before the digital certificate authentication is carried out, preferably in the mutual authentication process, a certificate selection box can be popped up in the browser client, into which the user certificates currently held by the terminal where the browser is located are loaded. After the user selects a user certificate, the user is prompted to enter the protection password, as shown in Figure 7, that is, to enter the personal identification number (Personal Identification Number, PIN); once the protection password passes verification, this shows that the user has the right to use the user certificate. Furthermore, the user certificate and the protection password can both be sent to the network server as authentication data in the user certificate verification process.
In an optional example of the embodiment of the present invention, after sub-step one, in which the encryption subprocess reads the user certificates stored in the security key storage hardware through the connection channel, the method further includes: the encryption subprocess performs certificate-website recognition on the user certificates stored in the security key storage hardware and classifies the user certificates by certificate website. Correspondingly, sub-step two, popping up the certificate selection dialog box and loading the user certificates into it to prompt the user to select a user certificate, can specifically include: popping up the certificate selection dialog box and displaying the user certificates in it indexed by certificate website. It should be noted that the certificate website is the bank website to which the certificate corresponds; it can specifically be, for example, China Construction Bank, Industrial and Commercial Bank of China, Agricultural Bank of China and so on. In other words, in this embodiment the certificate selection dialog box can specifically show which bank each user certificate belongs to, intuitively showing which bank the security key storage hardware belongs to, so that the user can judge by bank whether the user certificate is needed, that is, judge according to the certificate website whether the user certificate is needed.
Step 210, when the browser client receives the user's selection information for a user certificate, verify the identity of the user.
In this embodiment, when the browser client receives the user's selection information for a user certificate, the identity verification of the user can specifically be carried out as follows: when the selection information for the user certificate is received, the encryption subprocess pops up a password input box and receives the protection password entered by the user through the password input box, then verifies the identity of the user according to the protection password entered by the user. It should be noted that this embodiment chooses the protection password as the user's identity information for identity verification; in a specific implementation, other methods can also be used for identity verification, and this embodiment is not a restriction on the specific method of identity verification.
In an optional example of the embodiment of the present invention, when the browser client receives the user's selection information for a user certificate, verifying the identity of the user specifically further includes: if the identity verification fails, a password error is shown in the password input box and the user is prompted to re-enter the protection password, and identity verification is carried out according to the re-entered protection password. A user sometimes enters the protection password wrongly, for example through a keyboard slip, so this optional example does not directly disconnect from the security key storage hardware when identity verification fails but allows the user to re-enter the protection password. Of course, the user cannot be allowed to enter the protection password an unlimited number of times, and the number of protection password entries needs to be limited. That is,
in an optional example of the embodiment of the present invention, when the browser client receives the user's selection information for a user certificate, verifying the identity of the user further includes: the encryption subprocess sets a maximum input count for the password input box, and when the number of protection password entries by the user in the password input box reaches the maximum input count, the personal identification number input box is closed and the connection to the security key storage hardware is disconnected. This avoids the user having to re-insert the security key storage hardware for user verification, and the resulting low efficiency of loading the security key storage hardware, just because the protection password was entered wrongly once and the connection to the security key storage hardware was dropped; it also avoids the resource occupation or endless loop problems caused by unlimited entry of the protection password, and improves the efficiency of loading the security key storage hardware.
Step 212, after the identity verification passes, load the content of the user certificate corresponding to the selection information.
In this embodiment, after the identity verification passes, loading the content of the user certificate corresponding to the selection information can specifically include the following sub-steps:
Sub-step one: after the identity verification passes, the encryption subprocess obtains the authentication information in the user certificate and loads the authentication information into a certificate viewer.
Sub-step two: the encryption subprocess starts the certificate viewer according to a trigger instruction and displays the authentication information of the user certificate in the certificate viewer. It should be noted that displaying the authentication information of the user certificate in the certificate viewer can specifically be done as follows: a general tab and a details tab are set up in the certificate viewer; the general information of the user certificate corresponding to the selection information is displayed in the general tab; and the detailed information of the user certificate corresponding to the selection information is displayed in the details tab. That is, the certificate viewer is started according to the trigger instruction, a general tab and a details tab are set up in it, the general information of the user certificate is loaded in the general tab as shown in Figure 8A, and the detailed information of the user certificate is loaded in the details tab as shown in Figure 8B, so that different content of the user certificate can be viewed by selecting different tabs.
It should be noted that, in an optional example of the embodiment of the present invention, after loading the content of the user certificate corresponding to the selection information, the method further includes: the encryption subprocess disconnects the connection with the security key storage hardware.
In an optional example of the embodiment of the present invention, when the browser client loads a user certificate, it can first pop up a certificate selection box prompting the user to insert the security key storage hardware. The security key storage hardware, that is, the USB Key, is a hardware device with a USB interface and a built-in microcontroller or smart card chip. It has a certain amount of storage space, can store the user's private key and digital certificate, and uses the public key algorithm built into the USB Key to authenticate the user's identity. Since the user's private key is stored behind a password lock, in theory it cannot be read out by any means, which ensures the security of user authentication.
After the user inserts the security key storage hardware, the driver of the security key storage hardware is called to load the certificate information in the security key storage hardware into the certificate selection box, and the certificate information selected by the user is then received; a protection password input window is popped up in the certificate selection box, and the protection password entered by the user is then received.
Automatic identification of the USBKey by the browser relies on two key items in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string giving the VendorID and ProductID of the KEY device in the same format as used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX.
The browser associates the corresponding driver through the vendor ID vendorid and product ID productid of the USBKey device and completes the relevant operations. The browser does not store the PIN password entered by the user, nor does it store the private key information in the USBKey. The operating flow for the USBKey is as follows: connect to the USBKey device; open the corresponding application (Application), which is determined by the user's selection; open the corresponding container (Container), which is determined by the user's selection; then enter and verify the PIN code, prompting for re-entry after a verification error; then obtain the signing certificate information and the encryption certificate information and perform the digital certificate authentication; subsequently, during data interaction with the network server, the encryption and decryption of data are also completed in the USBKey; and after access to the website is complete, the device is closed and the connection is disconnected.
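The USBKey handling just described (matching the registry TokenVidPid against the inserted device, opening the application and container, verifying the PIN with a limited number of attempts before the PIN box is closed and the device disconnected, and reading certificate content only after verification), as an added Python simulation that is neither the patent's nor any SKF vendor's code. It assumes a TokenVidPid value of the form VID_XXXX&PID_XXXX, constructed in-memory devices in place of a real SKF driver, and a maximum of 3 PIN attempts, a number the patent leaves open.

```python
import re
from dataclasses import dataclass

# TokenVidPid from the CSP registry entry, e.g. "VID_1234&PID_ABCD".
TOKEN_RE = re.compile(r"^VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})$")


def parse_token_vid_pid(value):
    """Parse a TokenVidPid string into (vendor_id, product_id) integers."""
    m = TOKEN_RE.match(value.strip())
    if not m:
        raise ValueError("TokenVidPid not in VID_XXXX&PID_XXXX form: %r" % value)
    return int(m.group(1), 16), int(m.group(2), 16)


@dataclass
class Container:
    name: str
    signing_cert: str     # constructed placeholder for the X.509 signing certificate
    encryption_cert: str  # constructed placeholder for the X.509 encryption certificate


@dataclass
class UsbKeyDevice:
    """Constructed in-memory stand-in for an inserted USBKey."""
    vendor_id: int
    product_id: int
    pin: str            # device-side protection password; the browser never stores it
    applications: dict  # application name -> {container name: Container}


class PinLocked(Exception):
    """Raised once the maximum PIN input count is reached."""


def find_matching_device(token_vid_pid, inserted_devices):
    """Pick the inserted USB device whose VID/PID match the registry entry."""
    vid, pid = parse_token_vid_pid(token_vid_pid)
    for dev in inserted_devices:
        if (dev.vendor_id, dev.product_id) == (vid, pid):
            return dev
    return None


class UsbKeySession:
    """Connect -> open Application -> open Container -> verify PIN -> read certs."""

    def __init__(self, device, max_pin_attempts=3):
        self.device = device
        self.max_pin_attempts = max_pin_attempts  # assumed limit, not fixed by the patent
        self.attempts = 0
        self.connected = True
        self.container = None
        self.pin_verified = False

    def list_applications(self):
        # Only names are read before verification, never certificate contents.
        return list(self.device.applications)

    def open_container(self, app_name, container_name):
        self.container = self.device.applications[app_name][container_name]
        return self.container.name

    def verify_pin(self, pin):
        """True on success, False to prompt re-entry, PinLocked at the limit."""
        if not self.connected:
            raise PinLocked("device already disconnected")
        self.attempts += 1
        if pin == self.device.pin:
            self.pin_verified = True
            return True
        if self.attempts >= self.max_pin_attempts:
            # Close the PIN box and drop the connection instead of looping forever.
            self.disconnect()
            raise PinLocked("maximum PIN input count reached")
        return False

    def read_certificates(self):
        # Certificate content is loaded only after identity verification passed.
        if not (self.connected and self.pin_verified and self.container):
            raise PermissionError("PIN not verified or no container opened")
        return self.container.signing_cert, self.container.encryption_cert

    def disconnect(self):
        self.connected = False
        self.pin_verified = False
```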
In another optional embodiment of the invention, the permission-to-connect message returned by the network server is received and a secure connection channel for encrypted data transmission is established between the browser and the network server corresponding to the website; the permission-to-connect message is sent by the network server after the security authentication of the user certificate has passed.
After the above certificate authentication passes, the network server returns the permission-to-connect message, and at this point the secure connection channel for encrypted data transmission between the browser and the network server corresponding to the website is established. In this embodiment, the data transmitted in the secure connection channel is encrypted and decrypted with the symmetric algorithm SM4; the SM4 algorithm (SM4 algorithm) is a block cipher with a block length of 128 bits and a key length of 128 bits.
As for the method embodiments, for simplicity of description they are all expressed as a series of combinations of actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention certain steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Embodiment three
On the basis of the above embodiments, the present embodiment also discloses a kind of safe communication system.
With reference to Fig. 9, the structure diagram of safe communication system embodiment according to an embodiment of the invention is shown.
Referring to Figure 10, the structure diagram of an embodiment of the browser client device in the safe communication system according to an embodiment of the invention is shown.
The safe communication system includes: a browser client device 902, security key storage hardware 904 and a network server 906.
Here the network server 906 is used to perform security authentication with the browser client device 902 through a handshake, establish a secure channel after the security authentication passes, and transmit encrypted data in the secure channel;
the browser client device 902 is used to perform security authentication with the network server 906 through the handshake, establish the secure channel after the security authentication passes, and transmit encrypted data in the secure channel; and to connect with the security key storage hardware and obtain the user certificate needed in the security authentication process;
the security key storage hardware 904 is used to connect with the browser through an interface of the terminal and provide the user certificate needed in the security authentication process;
the browser client device 902 includes:
a connection module 90202, for automatically identifying and connecting to the security key storage hardware inserted into an interface of the terminal where the browser client device is located;
a reading module 90204, for reading and displaying the user certificates stored in the security key storage hardware for the user to select;
an identity verification module 90206, for verifying the identity of the user when the user's selection information for a user certificate is received;
a loading module 90208, for loading the content of the user certificate corresponding to the selection information after the identity verification passes.
When a user uses the browser client device to log in to online banking or an online payment platform such as Alipay, to ensure the security of data transmission the user needs to insert the security key storage hardware. That is, when the user enters the address of such a website in the address bar of the browser client device to request access to the web page corresponding to that address, the browser client device prompts the user to insert the security key storage hardware. The website address received by the address bar of the browser client device may have been entered directly by the user or may have been entered by the user clicking on a search result; this embodiment does not limit this.
The security key storage hardware, that is, the USBKey, stores a user certificate, which the user can select. It should be noted that usually one user certificate is stored in one security key storage hardware, and each major bank has its own corresponding security key storage hardware. For example, the security key storage hardware for the online banking of Bank of Beijing stores a user certificate issued by Bank of Beijing, and the security key storage hardware for the online banking of China Construction Bank stores a user certificate issued by China Construction Bank.
It should be noted that the security key storage hardware is usually made in a form matching a USB interface and can be inserted through a USB interface into a terminal such as a computer. After the security key storage hardware is inserted into the terminal through the USB interface, the browser client in this embodiment can automatically identify the security key storage hardware inserted into the interface of the terminal where the browser client device is located, distinguishing the security key storage hardware from other USB-connected hardware. After it identifies that security key storage hardware has been inserted into the terminal, it automatically establishes a connection with the security key storage hardware. Establishing a connection here means downloading the driver and establishing a communication connection with the security key storage hardware through which the user certificates stored in it can be read; it is not limited to a physical connection.
Here, after the browser client device establishes the communication connection with the security key storage hardware, it can read the user certificates stored in the security key storage hardware and display them for the user to select. In a specific implementation, the browser client can display the user certificates in a pop-up window or in other ways; this embodiment does not limit the specific display method. The user certificates can be shown numbered so that the user can see them at a glance, which makes it easy for the user to select a user certificate.
The reason the browser client device needs to automatically identify the security key storage hardware is that security verification is required when accessing payment platforms such as online banking. Specifically, in this embodiment the identity of the user needs to be verified: after the user selects a user certificate, identity verification is carried out on the user. It should be noted that although the identity verification is carried out in the browser client device, it is in fact the bank's network server that requires the identity verification of the user, in order to confirm the user's identity.
It should be noted that the identity verification of the user in this embodiment can be implemented in various ways. For an online banking login scenario, the user may be allowed to enter the bank card password or the separate online banking password for identity verification. Because the bank's network server stores the bank password set by the user or the separate online banking password, the browser client device can send identity information such as the bank card password entered by the user to the network server to be matched against the user identity information stored there; if the match succeeds, the user's identity verification passes, and if the match fails, the identity verification fails. It should be noted that when verifying the identity of the user, the identity information entered by the user may be the bank card password mentioned above, the protection password, or information that can represent the user's identity such as the user's ID card number; this embodiment does not limit the specific content of the identity information, nor the specific process of identity verification, as long as the user's identity can be confirmed.
In summary, when loading the security key storage hardware, the browser client device of this embodiment first automatically identifies and connects to the security key storage hardware inserted into the interface of the terminal where the browser client device is located; then the browser client device reads and displays the user certificates stored in the security key storage hardware for the user to select; then, when the browser client receives the user's selection information for a user certificate, it verifies the identity of the user; and finally, after the identity verification passes, it loads the content of the user certificate corresponding to the selection information. When loading the user certificate stored in the security key storage hardware, this embodiment first verifies the identity of the user and loads the content of the user certificate stored in the security key storage hardware only after the identity verification passes and the user's identity is confirmed, which can prevent the user certificate stored in the security key storage hardware from being leaked and improves the security of loading the security key storage hardware.
In an alternative embodiment of the invention, shown in Figure 11, the browser client device further includes:

Main business scheduling module 90210, for starting, in the browser client device, an encryption subprocess that communicates with the main business scheduling module, the encryption subprocess acting as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data between them;

Encryption subprocess module 90212, for performing mutual digital certificate authentication with the network server 906 through a handshake procedure.

In an alternative embodiment of the invention, the encryption subprocess module 90212 performs, through the handshake procedure with the network server 906, the following security authentication operations in sequence: negotiation of encryption parameters, certificate verification, key exchange and signature authentication.

In the present embodiment, the browser client device 902 uses the encryption subprocess module 90212 as a proxy for the browser's main business scheduling module 90210 and carries out the SSL encrypted communication process with the network server 906 through the handshake procedure, comprising negotiation of encryption parameters, certificate verification, key exchange and signature authentication. The specific handshake procedure is shown in Figure 4; for the handshake messages and encryption algorithms involved, refer to the discussion in the second part of the embodiments.
In an alternative embodiment of the invention, the security key storage hardware 904 is specifically configured to establish a connection channel with the browser client device through the driver location and driver interface of the terminal;

the connection module 90202 of the browser client device is specifically configured so that, when mutual authentication of digital certificates is performed, the encryption subprocess module 90212 associates the vendor ID and product ID of the security key storage hardware with the corresponding driver location and driver interface, and establishes the connection channel with the security key storage hardware through that driver location and driver interface.

Referring to Figure 12A, a first structural block diagram of the read module according to an embodiment of the invention is shown.

In an alternative embodiment of the invention, the read module 90204 of the browser client device includes:

Reading submodule 9020402, for reading the user certificates stored in the security key storage hardware through the connection channel;

Loading submodule 9020404, for popping up a certificate selection dialog box in which the user certificates are loaded, to prompt the user to select a user certificate.
After the browser client device has established a communication connection with the security key storage hardware, it can read the user certificates stored there and display them for the user to select. In a specific implementation the browser client device may display the user certificates in a pop-up window or in some other manner; the present embodiment does not limit the display mode. The user certificates may be displayed in numbered form so that the user can see them at a glance and conveniently select one.

Referring to Figure 12B, a second structural block diagram of the read module according to an embodiment of the invention is shown.

In an alternative embodiment of the invention, the read module 90204 of the browser client device further includes:

Identification submodule 9020406, for performing certificate website identification on the user certificates stored in the security key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website;

the loading submodule 9020404 is specifically configured to pop up the certificate selection dialog box and to display the user certificates in that dialog box indexed by certificate website.

In an alternative embodiment of the invention, the security key storage hardware 904 is specifically configured to provide the browser client device with stored applications, each application comprising a container and the user certificates stored in the container;

the reading submodule 9020402 is specifically configured to read the applications stored in the security key storage hardware through the connection channel and display them for the user to select; to open the application selected by the user; and to load the container under the selected application and the user certificates stored in that container.
In an alternative embodiment of the invention, the identity verification module 90206 is specifically configured, on receiving the user's selection of a user certificate, to pop up a PIN (personal identification number) input box, receive the PIN entered by the user through that input box, and perform identity verification on the user according to the entered PIN.

In an alternative embodiment of the invention, the identity verification module 90206 is further configured, when identity verification fails, to show a password error in the PIN input box and prompt the user to re-enter the PIN, and to perform identity verification according to the re-entered PIN.

In an alternative embodiment of the invention, the identity verification module 90206 is further configured to set a maximum number of inputs for the PIN input box and, when the number of PINs entered by the user in the PIN input box reaches that maximum, to close the PIN input box and disconnect from the security key storage hardware.
In an alternative embodiment of the invention, the loading module 90208 is specifically configured, after identity verification passes, to obtain the authentication information in the user certificate and load it into a certificate reader;

the encryption subprocess module 90212 is configured to start the certificate reader on a trigger instruction and display the authentication information of the user certificate in the certificate reader.

In an alternative embodiment of the invention, the encryption subprocess module 90212 is configured to provide a General tab and a Details tab in the certificate reader, to display the general information of the user certificate corresponding to the selection in the General tab, and to display the detailed information of that user certificate in the Details tab.

In an alternative embodiment of the invention, the encryption subprocess module 90212 is further configured to determine, during the handshake, whether a certificate verification request message sent by the network server has been received;

the connection module 90202 of the browser client device is further configured, when the encryption subprocess module 90212 receives the certificate verification request message sent by the network server, to monitor whether security key storage hardware has been inserted into an interface of the terminal on which the browser client runs and, on detecting such an insertion, to automatically identify and connect to the security key storage hardware inserted into that interface.

In an alternative embodiment of the invention, the encryption subprocess module 90212 is further configured to disconnect from the security key storage hardware after the loading module has loaded the content of the user certificate corresponding to the selection.
The encryption subprocess module can be understood with reference to its structural block diagram shown in Figure 13. As shown in Figure 13, the encryption subprocess module includes: configuration module 1302, proxy module 1304, CTL management module 1306, CRL management module 1308, Session management module 1310, certificate verification module 1312, SSL connection module 1314 and USBKey operation module 1316. The proxy module accepts connections from the browser's main business process, handles each according to the type of connection, and thus forms the connection proxy for the main business process. The CTL module manages the trusted root certificate list. The CRL management module obtains CRLs and manages the local CRL list. The Session management module manages the proxy process's sessions with web servers. The SSL connection module is responsible for establishing the secure connection to the web server. The USBKey operation module is responsible for operating the USBKey device. The configuration module is responsible for reading and storing the client's configuration.

The CTL management module 1306 works as follows. The CTL describes the list of root certificates the browser trusts and is used to verify the server-side certificate. In the 360 secure browser the supported trusted root certificates are PEM encoded, and two ways of adding them are supported: 1) trusted root certificates built into the program; 2) trusted root certificates added through a configuration file, the configuration file being stored encrypted with DES. (DES is an obsolete 56-bit cipher; note also that encrypting the file does not by itself stop a party able to write to it from adding a trusted root, so the file's integrity, not its confidentiality, is what protects the trust list.) The CTL may be configured not to support import and export.
The CRL management module 1308 works as follows. A CRL describes the list of certificates revoked by a certification authority (CA); in essence it is a list of certificate serial numbers, each represented as an ASN.1 INTEGER. An extension of X.509v3 certificates (OID 2.5.29.31, the CRL distribution points extension) specifies where the CRL for the certificate is published. The device in the secure browser of the present embodiment caches CRLs locally and gives the CRL lookup a first-level index by CA. The CRL check proceeds as follows: (1) obtain the Issuer field of the certificate and locate the corresponding CA node; if the Issuer is absent or no corresponding CA node can be found, the certificate is treated as illegal; (2) search all CRL entries under that CA by binary search.
For the Session management module 1310: an SSL connection requires four further handshake exchanges on top of the three-way TCP handshake, so establishing a connection is relatively time-consuming; saving the session and reusing the earlier connection therefore noticeably improves switching performance. In the secure browser device of the present embodiment, once an SSL connection has been established, an in-memory index from host+port to session is created, and subsequent operations can reuse the earlier session; the validity period of a session is one hour. Earlier sessions are cleared when the browser is closed and when the USBKey device is removed.
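An added illustration of the session index just described; it is not code from the patent or from the 360 secure browser. It keeps an in-memory cache keyed by host and port with a one-hour validity and a flush hook for the two events the embodiment names, browser close and USBKey removal. The flush on USBKey removal is the security-relevant part: a resumed session would otherwise keep a client-authenticated connection alive after the token that authenticated it is gone. The clock is injectable so the expiry can be exercised without waiting; the session values are placeholder bytes.

```python
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL_SECONDS = 3600.0     # the one-hour validity period of the embodiment


class SessionCache:
    """In-memory index from (host, port) to a saved SSL session (constructed stand-in)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[Tuple[str, int], Tuple[bytes, float]] = {}
        self.last_flush_reason: Optional[str] = None

    def store(self, host: str, port: int, session: bytes) -> None:
        """Record the session of a freshly completed handshake with host:port."""
        self._entries[(host, port)] = (session, self._now() + SESSION_TTL_SECONDS)

    def lookup(self, host: str, port: int) -> Optional[bytes]:
        """Return a reusable session, or None to force a full handshake."""
        item = self._entries.get((host, port))
        if item is None:
            return None
        session, expires_at = item
        if self._now() >= expires_at:
            del self._entries[(host, port)]      # stale: drop rather than resume
            return None
        return session

    def flush(self, reason: str) -> int:
        """Drop every saved session; called on browser close and on USBKey removal."""
        dropped = len(self._entries)
        self._entries.clear()
        self.last_flush_reason = reason
        return dropped
```

The cache never returns an expired entry and never resumes across a flush, so the worst case after USBKey removal is one extra full handshake, which is the behaviour the embodiment describes.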
For the certificate verification module 1312: if mutual authentication is required while the SSL connection is being established, the encryption subprocess module prompts the user to insert the security key storage hardware, i.e. the USBKey device. After the user inserts the security key storage hardware it is identified automatically and a certificate selection dialog box pops up prompting the user to select a certificate. Automatic identification of the security key storage hardware by the encryption subprocess module depends on two key items in the CSP registry entry: SKFImagePath, which specifies the path of the SKF dynamic library, and TokenVidPid, a string holding the VendorID and ProductID of the KEY device in the same format used under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, namely VID_XXXX&PID_XXXX. Through the vendor ID and product ID of the USBKey device the browser can associate it with the corresponding driver and complete the related operations. The browser stores neither the PIN entered by the user nor the private key information in the USBKey. The detailed procedure is: first connect to the USBKey device; then open the corresponding Application, determined by the user's selection; then open the corresponding Container, also determined by the user's selection; then verify the PIN (personal identification number), prompting for re-entry after a verification error; then obtain the signing certificate information; then obtain the encryption certificate information; finally close the device and disconnect.
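The identification and certificate-loading procedure just described, together with the PIN retry limit from the identity verification module embodiments above, as one added example that is not code from the patent or from the 360 secure browser. It parses the TokenVidPid string, matches an inserted device's VID/PID to a CSP entry, and then runs the connect / open Application / open Container / verify PIN / export certificates / disconnect sequence against an in-memory stand-in for an SKF token. The CSP entry, VID/PID values, application and container names, PINs and certificate bytes are all constructed; `FakeSkfToken` is a hypothetical stand-in, not the SKF API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# TokenVidPid uses the same VID_XXXX&PID_XXXX form as the USB enumeration key.
VIDPID_RE = re.compile(r"^VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})$", re.IGNORECASE)


def parse_token_vid_pid(value: str) -> Tuple[int, int]:
    """Parse a TokenVidPid registry string into (vendor_id, product_id)."""
    m = VIDPID_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed TokenVidPid: {value!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


@dataclass(frozen=True)
class CspEntry:
    """One CSP registry entry (constructed): the SKF library path and the token's VID/PID."""
    name: str
    skf_image_path: str
    token_vid_pid: str


def find_csp_for_device(entries: Iterable[CspEntry], inserted: Tuple[int, int]) -> Optional[CspEntry]:
    """Associate an inserted USB device (vid, pid) with the CSP entry whose SKF library drives it."""
    for entry in entries:
        if parse_token_vid_pid(entry.token_vid_pid) == inserted:
            return entry
    return None


@dataclass
class FakeSkfToken:
    """Hypothetical in-memory stand-in for a USBKey driven through an SKF library."""
    pin: str
    apps: Dict[str, Dict[str, Dict[str, bytes]]]   # app -> container -> {"sign": der, "enc": der}
    max_retries: int = 3                          # device-side retry counter
    connected: bool = False
    retries_left: int = field(init=False)

    def __post_init__(self) -> None:
        self.retries_left = self.max_retries

    def connect(self) -> None:
        self.connected = True

    def disconnect(self) -> None:
        self.connected = False

    def has_container(self, app: str, container: str) -> bool:
        return container in self.apps.get(app, {})

    def verify_pin(self, pin: str) -> bool:
        """Device-side PIN check: a wrong PIN burns one retry; the right PIN resets the counter."""
        if self.retries_left == 0:
            return False
        if pin == self.pin:
            self.retries_left = self.max_retries
            return True
        self.retries_left -= 1
        return False

    def export_cert(self, app: str, container: str, kind: str) -> bytes:
        return self.apps[app][container][kind]


def load_user_certificate(token: FakeSkfToken, app: str, container: str,
                          pin_prompts: Iterable[str], max_attempts: int = 3):
    """Connect, open the chosen Application and Container, verify the PIN with
    re-prompting up to max_attempts (the PIN input box's maximum), export the signing
    and encryption certificates, and always disconnect. Returns (status, certs)."""
    token.connect()
    try:
        if not token.has_container(app, container):
            return "no-such-container", None
        attempts = 0
        for pin in pin_prompts:                 # each item is one entry in the PIN box
            attempts += 1
            ok = token.verify_pin(pin)
            del pin                             # the client never retains the PIN
            if ok:
                certs = {"sign": token.export_cert(app, container, "sign"),
                         "enc": token.export_cert(app, container, "enc")}
                return "ok", certs
            if attempts >= max_attempts:        # box closes; connection dropped in finally
                return "locked-out", None
        return "cancelled", None                # user dismissed the PIN box
    finally:
        token.disconnect()


if __name__ == "__main__":
    entries = [CspEntry("ExampleCSP", r"C:\Example\skf.dll", "VID_1234&PID_5678")]   # constructed
    entry = find_csp_for_device(entries, (0x1234, 0x5678))
    print("driver for inserted token:", entry.skf_image_path if entry else None)
    token = FakeSkfToken(pin="123456", apps={"bank": {"c1": {"sign": b"SIGN-DER", "enc": b"ENC-DER"}}})
    print(load_user_certificate(token, "bank", "c1", ["000000", "123456"]))
```

The `finally` clause is what implements the embodiment's "close the device and disconnect": whether the PIN is accepted, the box is dismissed or the attempt limit is hit, the connection to the token is dropped before control returns, and the token's own retry counter, not the client, is the authority on lock-out.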
In the present embodiment, for the certificate verification process of the above method embodiment, verification of the server-side certificate takes place during the Handshake protocol, after the browser has received the ServerHelloDone message and before it sends its own Certificate message. Certificate verification mainly ensures the legitimacy of the server; the verification process depends on the CTL and CRL modules and is carried out in the certificate verification thread pool of the subprocess. The checking steps are: initialize the trusted root certificate list; check whether the certificate is self-signed; check the certificate extension information; check the certificate's trust relationship; check the CRL list; check the certificate signature; check the certificate's validity period; check whether the certificate is on the blacklist.
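The CRL lookup structure (a first-level index by issuer, then binary search over serials) and the ordered server-certificate checks listed above, as one added example that is not code from the patent or from the 360 secure browser. Certificates are simplified records rather than parsed X.509, and the signature is an HMAC stand-in under the issuer's key in place of a real RSA or SM2 signature, so that the chain logic runs offline; the root, issuing CA, leaf names, serials and keys are constructed. The check order follows the embodiment's list, and an unknown issuer fails closed, as step (1) of the CRL check requires. A real implementation would parse the DER, the basicConstraints extension and the CRL distribution points extension (OID 2.5.29.31) instead of the fields used here.

```python
import bisect
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    """Simplified certificate record (stand-in for a parsed X.509 certificate)."""
    subject: str
    issuer: str
    serial: int          # an ASN.1 INTEGER in a real certificate
    not_before: int      # seconds since the epoch
    not_after: int
    is_ca: bool          # from the basicConstraints extension
    key: bytes           # stand-in for the subject public key (HMAC secret here)
    signature: bytes = b""

    def tbs(self) -> bytes:
        """Stand-in for the DER to-be-signed structure covered by the signature."""
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.not_before}|{self.not_after}|{self.is_ca}".encode()


def sign(cert: Cert, issuer: Cert) -> Cert:
    """CA signing stand-in: HMAC under the issuer's key instead of a public-key signature."""
    cert.signature = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


class CrlCache:
    """Local CRL cache: a first-level index by issuing CA, sorted serials underneath."""

    def __init__(self) -> None:
        self._by_issuer: Dict[str, List[int]] = {}

    def load(self, issuer: str, revoked_serials: List[int]) -> None:
        self._by_issuer[issuer] = sorted(revoked_serials)

    def is_revoked(self, cert: Cert) -> Optional[bool]:
        """None when no CA node exists for the Issuer (step (1): certificate is illegal)."""
        serials = self._by_issuer.get(cert.issuer)
        if serials is None:
            return None
        i = bisect.bisect_left(serials, cert.serial)      # step (2): binary search
        return i < len(serials) and serials[i] == cert.serial


@dataclass
class ServerCertVerifier:
    trusted_roots: Dict[str, Cert]                      # the CTL: subject -> root certificate
    crl: CrlCache
    blacklist: Set[Tuple[str, int]] = field(default_factory=set)   # (issuer, serial)

    def verify(self, leaf: Cert, intermediates: List[Cert], now: int) -> Tuple[bool, str]:
        """Runs the checks in the order the embodiment lists them; stops at the first failure."""
        if leaf.subject == leaf.issuer:                            # self-signed server cert
            return False, "self-signed"
        if leaf.is_ca:                                             # extension check
            return False, "leaf-marked-as-ca"
        by_subject = {c.subject: c for c in intermediates}        # trust relationship
        chain = [leaf]
        while chain[-1].issuer not in self.trusted_roots:
            parent = by_subject.get(chain[-1].issuer)
            if parent is None or not parent.is_ca or len(chain) > 8:
                return False, "untrusted-chain"
            chain.append(parent)
        chain.append(self.trusted_roots[chain[-1].issuer])
        for c in chain[:-1]:                                       # CRL lookup per issuer
            revoked = self.crl.is_revoked(c)
            if revoked is None:
                return False, "issuer-not-in-crl-cache"
            if revoked:
                return False, "revoked"
        for c, issuer in zip(chain, chain[1:]):                    # signature of each link
            if not signature_ok(c, issuer):
                return False, "bad-signature"
        for c in chain:                                            # validity period
            if not c.not_before <= now <= c.not_after:
                return False, "expired-or-not-yet-valid"
        if any((c.issuer, c.serial) in self.blacklist for c in chain):   # blacklist
            return False, "blacklisted"
        return True, "ok"


def build_demo_pki() -> Tuple[ServerCertVerifier, Cert, Cert, Cert]:
    """Constructed PKI: a root, an issuing CA, a good leaf and a revoked leaf."""
    root = Cert("Demo Root CA", "Demo Root CA", 1, 0, 4_000_000_000, True, b"root-secret")
    sign(root, root)
    issuing = sign(Cert("Demo Issuing CA", "Demo Root CA", 2, 0, 4_000_000_000, True, b"ca-secret"), root)
    good = sign(Cert("bank.example", "Demo Issuing CA", 1001, 0, 4_000_000_000, False, b"leaf-1"), issuing)
    revoked = sign(Cert("old.bank.example", "Demo Issuing CA", 1002, 0, 4_000_000_000, False, b"leaf-2"), issuing)
    crl = CrlCache()
    crl.load("Demo Root CA", [])                 # the root has revoked nothing
    crl.load("Demo Issuing CA", [7, 1002, 500])  # stored sorted; 1002 is the revoked leaf
    return ServerCertVerifier({"Demo Root CA": root}, crl), issuing, good, revoked
```

Two points worth keeping when replacing the stand-ins with real parsing: the CRL must be consulted for every certificate below the root, not only for the leaf, and a missing CA node in the cache is a failure rather than a pass, which is why `is_revoked` distinguishes `None` from `False`.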
The main business process can be understood with reference to its structural block diagram shown in Figure 14. As shown in Figure 14, the main business process includes: certificate display module 1402, whitelist management module 1404, network server certificate storage module 1406 and proxy setting module 14014. The certificate display module 1402 is responsible for displaying digital certificates. The whitelist management module 1404 is responsible for the list of web servers that support the encryption algorithm of the present embodiment. The network server certificate storage module 1406 stores the certificates of the network servers. The proxy setting module 14014 is responsible for configuring the proxy to the encryption subprocess module.

Since the device embodiments are essentially similar to the method embodiments, they are described more briefly; for related details refer to the corresponding parts of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the invention described herein, and that the above description of specific languages is given to disclose the best mode of the invention.

Numerous specific details are set forth in the description provided here. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are intended to fall within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the secure communication system according to embodiments of the invention. The invention may also be implemented as apparatus or device programs (for example computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a secure communication system, comprising: a browser client device, security key storage hardware and a network server; the network server, for performing security authentication with the browser client device through a handshake procedure, establishing a secure channel after security authentication passes, and transmitting encrypted data in the secure channel; the browser client device, for performing security authentication with the network server through a handshake procedure, establishing a secure channel after security authentication passes, and transmitting encrypted data in the secure channel, and for connecting to the security key storage hardware to obtain the user certificate needed in the security authentication process; the security key storage hardware, for connecting to the browser through an interface of the terminal and providing the user certificate needed in the security authentication process; the browser client device comprising: a connection module, for automatically identifying and connecting to the security key storage hardware inserted into an interface of the terminal on which the browser client device runs; a read module, for reading and displaying the user certificates stored in the security key storage hardware for the user to select; an identity verification module, for performing identity verification on the user on receiving the user's selection of a user certificate; and a loading module, for loading, after identity verification passes, the content of the user certificate corresponding to the selection.

A2, the system of A1, wherein the browser client device further comprises: a main business scheduling module, for starting in the browser client an encryption subprocess that communicates with the main business process, the encryption subprocess acting as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data; and an encryption subprocess module, for performing mutual digital certificate authentication with the network server through the handshake procedure.

A3, the system of A2, wherein the encryption subprocess module performs, through the handshake procedure with the network server, the following security authentication operations in sequence: negotiation of encryption parameters, certificate verification, key exchange and signature authentication.

A4, the system of A3, wherein the security key storage hardware is specifically configured to establish a connection channel with the browser client device through the driver location and driver interface of the terminal; and the connection module of the browser client device is specifically configured so that, when mutual authentication of digital certificates is performed, the encryption subprocess module associates the vendor ID and product ID of the security key storage hardware with the corresponding driver location and driver interface and establishes the connection channel with the security key storage hardware through that driver location and driver interface.

A5, the system of A4, wherein the read module of the browser client device comprises: a reading submodule, for reading the user certificates stored in the security key storage hardware through the connection channel; and a loading submodule, for popping up a certificate selection dialog box in which the user certificates are loaded to prompt the user to select a user certificate.

A6, the system of A5, wherein the read module of the browser client device further comprises: an identification submodule, for performing certificate website identification on the user certificates stored in the security key storage hardware after they have been read through the connection channel, and classifying the user certificates by certificate website; the loading submodule being specifically configured to pop up the certificate selection dialog box and display the user certificates in it indexed by certificate website.

A7, the system of A3, wherein the security key storage hardware is specifically configured to provide the browser client device with stored applications, each application comprising a container and the user certificates stored in the container; and the reading submodule is specifically configured to read the applications stored in the security key storage hardware through the connection channel, display them for the user to select, open the application selected by the user, and load the container under the selected application and the user certificates stored in that container.

A8, the system of A1, wherein the identity verification module is specifically configured, on receiving the user's selection of a user certificate, to pop up a PIN input box, receive the PIN entered by the user through that input box, and perform identity verification on the user according to the entered PIN.

A9, the system of A8, wherein the identity verification module is further configured, when identity verification fails, to show a password error in the PIN input box and prompt the user to re-enter the PIN, and to perform identity verification according to the re-entered PIN.

A10, the system of A9, wherein the identity verification module is further configured to set a maximum number of inputs for the PIN input box and, when the number of PINs entered by the user in the PIN input box reaches that maximum, to close the PIN input box and disconnect from the security key storage hardware.

A11, the system of A1, wherein the loading module is specifically configured, after identity verification passes, to obtain the authentication information in the user certificate and load it into a certificate reader; and the encryption subprocess module is configured to start the certificate reader on a trigger instruction and display the authentication information of the user certificate in the certificate reader.

A12, the system of A11, wherein the encryption subprocess module is configured to provide a General tab and a Details tab in the certificate reader, display the general information of the user certificate corresponding to the selection in the General tab, and display its detailed information in the Details tab.

A13, the system of A3, wherein the encryption subprocess module is further configured to determine during the handshake whether a certificate verification request message sent by the network server has been received; and the connection module of the browser client device is further configured, when the encryption subprocess module receives that message, to monitor whether security key storage hardware has been inserted into an interface of the terminal on which the browser client runs and, on detecting such an insertion, to automatically identify and connect to the security key storage hardware inserted into that interface.

A14, the system of A2, wherein the encryption subprocess module is further configured to disconnect from the security key storage hardware after the loading module has loaded the content of the user certificate corresponding to the selection.

Claims (13)

1. A secure communication system, comprising: a browser client device, security key storage hardware and a network server,

the network server being configured to perform security authentication with the browser client device through a handshake procedure, to establish a secure channel after security authentication passes, and to transmit encrypted data in the secure channel;

the browser client device being configured to perform security authentication with the network server through a handshake procedure, to establish a secure channel after security authentication passes, and to transmit encrypted data in the secure channel; and to connect to the security key storage hardware and obtain the user certificate needed in the security authentication process;

the security key storage hardware being configured to connect to the browser client device through an interface of the terminal on which the browser client device runs and to provide the user certificate needed in the security authentication process;

the browser client device comprising:

a connection module, for automatically identifying and connecting to the security key storage hardware inserted into an interface of the terminal on which the browser client device runs;

a read module, for reading and displaying the user certificates stored in the security key storage hardware for the user to select;

an identity verification module, for performing identity verification on the user on receiving the user's selection of a user certificate;

a loading module, for loading, after identity verification passes, the content of the user certificate corresponding to the selection;

the browser client device further comprising:

a main business scheduling module, for starting in the browser client device an encryption subprocess module that communicates with the main business scheduling module, wherein the encryption subprocess module acts as a connection proxy that converts the first encrypted channel into the second encrypted channel and forwards data, and wherein the connection proxy of the encryption subprocess comprises a main thread, a listening thread and a business processing thread: the main thread reads the various configurations and creates the listening thread, the main business thread and the IPC communication with the browser host process; the listening thread listens on the service port and, when a connection request from the main business process is present and accepted successfully, performs the corresponding proxy operation; the business processing thread establishes and maintains a separate encrypted channel with each of the two ends, the main business process and the network server, and exchanges data between them as a bridge; wherein the first encrypted channel is the secure communication channel between the main business scheduling module and the encryption subprocess module, the second encrypted channel is the secure communication channel between the encryption subprocess module and the network server, and the IPC communication with the browser host process is responsible for data transfer between processes;

an encryption subprocess module, for performing mutual digital certificate authentication with the network server through the handshake procedure.
2. The system according to claim 1, characterized in that:
the encryption subprocess module performs, through the handshake procedure with the network server, the following secure authentication operations in sequence: encrypted data negotiation, certificate verification, key exchange and signature authentication.
3. The system according to claim 2, characterized in that:
the security key storage hardware is specifically used to establish a connection channel with the browser client device through an activation location and driver interface of the terminal;
the connection module of the browser client device is specifically used, when the two-way digital certificate authentication is performed, to have the encryption subprocess module associate the security key storage hardware with its corresponding driver location and driver interface by means of the vendor ID and product ID of the security key storage hardware, and to establish the connection channel with the security key storage hardware through that activation location and driver interface.
4. The system according to claim 3, characterized in that the reading module of the browser client device comprises:
a reading submodule, for reading the user certificates stored in the security key storage hardware through the connection channel;
a loading submodule, for popping up a certificate selection dialog box and loading the user certificates into the certificate selection dialog box to prompt the user to select a user certificate.
5. The system according to claim 4, characterized in that the reading module of the browser client device further comprises:
an identification submodule, for performing certificate-site identification on the user certificates stored in the security key storage hardware after they have been read through the connection channel, and classifying the user certificates with the certificate site as the unit;
the loading submodule is specifically used to pop up the certificate selection dialog box and display the user certificates in it indexed by certificate site.
6. The system according to claim 4, characterized in that:
the security key storage hardware is specifically used to provide storage applications for the browser client device, wherein each application comprises a container and the user certificates stored in that container;
the reading submodule is specifically used to read, through the connection channel, the applications stored in the security key storage hardware and display them for the user to select; and to open the application selected by the user and load the container under the selected application together with the user certificates stored in that container.
7. The system according to claim 1, characterized in that:
the authentication module is specifically used, upon receiving the user's selection information for a user certificate, to pop up a personal identification number (PIN) input box, receive the PIN entered by the user through the PIN input box, and perform identity verification of the user according to the entered PIN.
8. The system according to claim 7, characterized in that:
the authentication module is further used, when identity verification fails, to display a password error in the PIN input box, prompt the user to re-enter the PIN, and perform identity verification according to the re-entered PIN.
9. The system according to claim 8, characterized in that:
the authentication module is further used to set a maximum number of inputs for the PIN input box and, when the number of PINs entered by the user in the PIN input box reaches that maximum number of inputs, to close the PIN input box and disconnect the connection with the security key storage hardware.
10. The system according to claim 1, characterized in that:
the loading module is specifically used, after identity verification has passed, to obtain the authentication information in the user certificate and load the authentication information into a certificate reader;
the encryption subprocess module is used to start the certificate reader according to a triggering instruction and display the authentication information of the user certificate in the certificate reader.
11. The system according to claim 10, characterized in that:
the encryption subprocess module is used to set up a general tab and a details tab in the certificate reader, to display the general information of the user certificate corresponding to the selection information in the general tab, and to display the detailed information of the user certificate corresponding to the selection information in the details tab.
12. The system according to claim 2, characterized in that:
the encryption subprocess module is further used to determine, during the handshake, whether a certificate verification request message sent by the network server has been received;
the connection module of the browser client device is further used, when the encryption subprocess module receives the certificate verification request message sent by the network server, to monitor whether security key storage hardware is inserted into an interface of the terminal on which the browser client device resides, and, when insertion of security key storage hardware is detected, to automatically identify and connect to the security key storage hardware inserted into the interface of that terminal.
13. The system according to claim 1, characterized in that:
the encryption subprocess module is further used to disconnect the connection with the security key storage hardware after the loading module has loaded the content of the user certificate corresponding to the selection information.
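As an added example (not code from the patent or its assignee), the following Python models the client-side certificate-selection and PIN flow of claims 5, 7 through 10 and 13 against a constructed in-memory stand-in for the security key storage hardware. The device contents, the PIN and the maximum of three attempts are assumptions; the claims only speak of a "maximum input number".

```python
import hmac
from collections import defaultdict, namedtuple

MAX_PIN_ATTEMPTS = 3  # assumed value; the claims only require some maximum input number
# site = certificate site used as the display index (claim 5); subject identifies the cert
UserCert = namedtuple("UserCert", "site subject")


class KeyStorageSession:
    """Constructed stand-in for one security key storage hardware device as seen by the
    browser client device; a real device would be reached through its driver interface."""

    def __init__(self, certs, pin, max_attempts=MAX_PIN_ATTEMPTS):
        self._certs = list(certs)
        self._pin = pin.encode()   # on real hardware the PIN is verified inside the key
        self._max_attempts = max_attempts
        self._attempts = 0
        self.connected = True      # connection channel established (claim 3)
        self.authenticated = False

    def certificates_by_site(self):
        """Claim 5: classify the stored certificates with the certificate site as the unit."""
        groups = defaultdict(list)
        for cert in self._certs:
            groups[cert.site].append(cert)
        return dict(groups)

    def enter_pin(self, pin):
        """Claims 7-9: one PIN entry -> 'ok', 'retry' (error shown, ask again) or 'locked'."""
        if not self.connected or self.authenticated:
            raise RuntimeError("no PIN input box is open")
        self._attempts += 1
        if hmac.compare_digest(pin.encode(), self._pin):  # constant-time comparison
            self.authenticated = True
            return "ok"
        if self._attempts >= self._max_attempts:   # maximum reached: close box, disconnect
            self.connected = False
            return "locked"
        return "retry"

    def load_certificate(self, site, subject):
        """Claims 10 and 13: hand the selected certificate's authentication information to
        the certificate reader, then drop the hardware connection."""
        if not (self.connected and self.authenticated):
            raise PermissionError("identity verification has not passed")
        for cert in self._certs:
            if cert.site == site and cert.subject == subject:
                self.connected = False  # key no longer needed once the content is loaded
                return {"site": cert.site, "subject": cert.subject}
        raise KeyError("selected certificate is not stored on the key")
```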
CN201410851101.XA 2014-12-30 2014-12-30 Safe communication system Expired - Fee Related CN104618108B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410851101.XA CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system
PCT/CN2015/094850 WO2016107321A1 (en) 2014-12-30 2015-11-17 Secure communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410851101.XA CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system

Publications (2)

Publication Number Publication Date
CN104618108A CN104618108A (en) 2015-05-13
CN104618108B true CN104618108B (en) 2018-07-27

Family

ID=53152402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410851101.XA Expired - Fee Related CN104618108B (en) 2014-12-30 2014-12-30 Safe communication system

Country Status (2)

Country Link
CN (1) CN104618108B (en)
WO (1) WO2016107321A1 (en)

Also Published As

Publication number Publication date
CN104618108A (en) 2015-05-13
WO2016107321A1 (en) 2016-07-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180727

Termination date: 20211230