CN105141568A

CN105141568A - Safe communication channel establishment method and system, client and server

Info

Publication number: CN105141568A
Application number: CN201410230794.0A
Authority: CN
Inventors: 于东海
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd
Priority date: 2014-05-28
Filing date: 2014-05-28
Publication date: 2015-12-09
Anticipated expiration: 2034-05-28
Also published as: CN105141568B

Abstract

The embodiment of the present invention discloses a safe communication channel establishment method and a system, a client and a server, belonging to the technical field of security communication processing. The method comprises a step of generating the private key of a client and the public key of the client and sends a request message for requesting the establishment of communication with the server to the server, wherein the request message at least comprises the public key of the client, a step of obtaining the current public key of the server stored in advance, and generating the shared secret key of the client according to the private key of the client and the current public key of the server, and a step of receiving the response message of approving the establishment of communication sent by the server, and deciphering the response message according to the shared secret key of the client and encrypting the request message subsequently sent to the server so as to establish the safe communication channel between the client and the server. According to the safe communication channel establishment method and the system, the client and the server, the current public key of the server stored in advance is obtained through the client, the sending of the public key of the server to the client by the server is not needed, the attack from a third party is avoided, and the security of communication is improved.

Description

Secured communication channel method for building up and system, client and server

Technical field

The present invention relates to communication security processing technology field, particularly a kind of secured communication channel method for building up and system, client and server.

Background technology

The Internet and communication network obtain swift and violent development in the world in recent years, and it creates impact greatly to the life style of the mankind and changes, and thing followed Network Information Security Problem just seems more and more important.The appearance of the means such as network hacker, virus, information stealth and interference, makes the information security of network service both sides face serious provocation.People adopt Diffie-Hellman key exchange method to set up the communication port between communicating pair usually for this reason.

Diffie-Hellman Diffie-Hellman is adopted to set up the process of the communication port between client and server normally: first, user end to server sends and sets up with server the request message communicated for asking, the PKI of client is carried in this request message, server is after the request message receiving client transmission, the response message agreeing to set up communication is sent to client, the current PKI of server is carried in this response message, simultaneously, client also produces shared secret key according to the current PKI of server, the PKI that server also sends according to client produces shared secret key, so can set up the communication port between client and server.Client and server is when follow-up communication, and the message all adopting shared secret double secret key to send is encrypted, and is decrypted according to the message that shared secret double secret key receives.

Realizing in process of the present invention, inventor finds that background technology at least exists following problem: due to the method adopting Diffie-Hellman Diffie-Hellman to set up communication port at present, server carries its PKI in the response message sending to client, so, be easy to be subject to third-party attack, such as, third party can intercept and capture and resolve the current PKI that this response message gets server, and the current PKI forging server communicates with client.In addition, when user end to server sends request message, third party also likely intercepts and captures the PKI of client entrained in request message, and the PKI forging client communicates with server, like this, third party is playing the part of server with during client communication, client is played the part of with during server communication, third party just can intercept and capture and forward arbitrarily client and issue the message that the message of server or server issue client, message is distorted as required in communication process, client and server is not all known, and they are communicating with third party, like this, the leakage completely of the communication information between client and server will be caused, cannot ensuring communication safety property.

Summary of the invention

The invention provides a kind of secured communication channel method for building up and system, client and server, to solve the problems such as the fail safe of existing communication port method for building up is low.

Described technical scheme is as follows:

First aspect, embodiments provide a kind of secured communication channel method for building up, described secured communication channel method for building up, comprise: produce the private key of client and the PKI of client, and set up with server the request message communicated for asking to server transmission, request message at least comprises the PKI of client; Obtain the current PKI of the server prestored, generate the shared secret key of client according to the private key of client and the current PKI of server; The response message of communication is set up in the agreement that reception server sends, be decrypted according to the shared secret double secret key response message of client and the follow-up request message of server that sends to is encrypted, to set up the secured communication channel between client and server.

Second aspect, embodiments provides a kind of client, and described client, comprising: the shared key generation module of communication request module, response message receiver module and client; Communication request module, for generation of the private key of client and the PKI of client, and set up with server the request message communicated for asking to server transmission, request message at least comprises the PKI of client; The shared key generation module of client, for obtaining the current PKI of the server prestored, generates the shared secret key of client according to the private key of client and the current PKI of server; Response message receiver module, the response message communicated is set up in the agreement sent for reception server, be decrypted according to the shared secret double secret key response message of client and the follow-up request message of server that sends to is encrypted, to set up the secured communication channel between client and server.

The third aspect, embodiments provide a kind of secured communication channel method for building up, described secured communication channel method for building up, comprising: what receive client transmission sets up with server the request message communicated for asking, wherein, request message at least comprises the PKI of client; The private key of generation server and the current PKI of server, according to the current shared privacy key of the private key of server and the PKI generation server of client; Generate the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message and is decrypted the request message of receipt of subsequent, and send encrypted response message to client, to set up the secured communication channel between client and server.

Fourth aspect, embodiments provides a kind of server, and described server, comprising: request message receiver module, key production module and response message sending module; Request message receiver module, for receive client send set up with server the request message communicated for asking, wherein, request message at least comprises the PKI of client; Key production module, for the private key of generation server and the current PKI of server, according to the current shared privacy key of the private key of server and the PKI generation server of client; Response message sending module, for being encrypted response message according to the current shared privacy key of server and being decrypted the request message of receipt of subsequent, and send encrypted response message to client, to set up the secured communication channel between client and described server.

5th aspect, embodiments provide a kind of secured communication channel and set up system, described secured communication channel sets up system, comprising: client and server; Client comprises the shared key generation module of communication request module, response message receiver module and client; Server comprises the shared key generation module of request message receiver module, key production module and server; Communication request module, for generation of the private key of client and the PKI of client, and set up with server the request message communicated for asking to server transmission, request message at least comprises the PKI of client; Request message receiver module, for receive client send set up with server the request message communicated for asking; The shared key generation module of client, for obtaining the current PKI of the described server prestored, generates the shared secret key of described client according to the private key of described client and the current PKI of described server; Key production module, for the current PKI of the private key and described server that generate described server, generates the current shared privacy key of described server according to the private key of described server and the PKI of described client; Response message sending module, described response message is encrypted for the current shared privacy key according to described server and the request message of receipt of subsequent is decrypted, and send encrypted response message to described client, to set up the secured communication channel between described client and described server; Response message receiver module, the response message of communication is set up in the agreement sent for receiving described server, according to the shared secret double secret key of described client, response message is decrypted and is encrypted, to set up the secured communication channel between described client and described server the follow-up request message of described server that sends to.

The beneficial effect that the technical scheme that the embodiment of the present invention provides is brought is:

When communicating by agreeing at server set up with client, client just can obtain the current PKI of the server prestored, and sends its PKI to client again without the need to server.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to technological means of the present invention can be better understood, and can be implemented according to the content of specification, and can become apparent to allow above and other object of the present invention, feature and advantage, below especially exemplified by preferred embodiment, and coordinate accompanying drawing, be described in detail as follows.

Accompanying drawing explanation

Figure 1A is the flow chart of the secured communication channel method for building up that first embodiment of the invention provides;

Figure 1B is the schematic diagram that client and server sets up communication port;

Fig. 2 A is the flow chart of the secured communication channel method for building up that second embodiment of the invention provides;

Fig. 2 B is after client and server sets up communication port, the schematic diagram of the current PKI of server update;

Fig. 3 is the flow chart of the secured communication channel method for building up that third embodiment of the invention provides;

Fig. 4 A is the flow chart of the secured communication channel method for building up that fourth embodiment of the invention provides;

Fig. 4 B is that client and server is set up in communication port, the schematic diagram of the current PKI of server update;

Fig. 5 is the main frame block diagram of the client that fifth embodiment of the invention provides;

Fig. 6 is the main frame block diagram of the client that sixth embodiment of the invention provides;

Fig. 7 is the main frame block diagram of the client that seventh embodiment of the invention provides;

Fig. 8 is the main frame block diagram of the client that eighth embodiment of the invention provides;

Fig. 9 is the flow chart of the secured communication channel method for building up that ninth embodiment of the invention provides;

Figure 10 is the flow chart of the secured communication channel method for building up that tenth embodiment of the invention provides;

Figure 11 is the flow chart of the secured communication channel method for building up that eleventh embodiment of the invention provides;

Figure 12 is the main frame block diagram of the server that twelveth embodiment of the invention provides;

Figure 13 is the main frame block diagram of the server that thriteenth embodiment of the invention provides;

Figure 14 is the main frame block diagram of the server that fourteenth embodiment of the invention provides;

Figure 15 is the main frame block diagram that secured communication channel that fifteenth embodiment of the invention provides sets up system;

Figure 16 is the main frame block diagram that secured communication channel that sixteenth embodiment of the invention provides sets up system;

Figure 17 is the main frame block diagram that secured communication channel that seventeenth embodiment of the invention provides sets up system;

Figure 18 is a kind of structured flowchart of client.

Embodiment

For further setting forth the present invention for the technological means reaching predetermined goal of the invention and take and effect, below in conjunction with accompanying drawing and preferred embodiment, to the secured communication channel method for building up proposed according to the present invention and system, its embodiment of client and server, structure, feature and effect, be described in detail as follows.

Aforementioned and other technology contents, Characteristic for the present invention, can clearly present in following cooperation describes in detail with reference to graphic preferred embodiment.By the explanation of embodiment, when can to the present invention for the technological means reaching predetermined object and take and effect be able to more deeply and concrete understanding, however institute's accompanying drawings be only to provide with reference to and the use of explanation, be not used for being limited the present invention.

First embodiment

Please refer to Figure 1A, it illustrates the flow chart of the secured communication channel method for building up that first embodiment of the invention provides.The method can secured communication channel process of establishing performed by client; Described secured communication channel method for building up, can comprise the following steps 101-105:

Step 101, produces the private key of client and the PKI of client, and sets up with server the request message communicated for asking to server transmission, and request message at least comprises the PKI of client.

Carry out communicating for client and server, as shown in Figure 1B, in step 101, client can select a random number as the private key of client, and meets X _a<p, and according to the private key X of client _agenerate the PKI of client, the computing formula generating the PKI of client can be wherein, X _a, Y _athe private key of client and the PKI of client respectively, p, g are open parameters, open parameter p, g can be arranged in advance by server and client side, also can carry out when this client sends request message arranging (as shown in Figure 1B), such as, p can be a prime number, and g is an integer, and g is a primitive root of p.In addition, client can to the private key X of client _amaintain secrecy and to deposit and by the PKI Y of client _asend to server.

Step 103, obtains the current PKI of the server prestored, and generates the current shared privacy key of client according to the private key of client and the current PKI of server.

The current PKI of server can be stored in advance in the memory of client, and without the need to server, its PKI is sent to client, so can prevent third party from intercepting the current PKI of server, thus promotes communications security.

The computing formula that client generates shared secret key can be wherein, K is the shared secret key of client, Y _bthe current PKI of server, X _abe the private key of client, mod asks modular arithmetic, and p is open parameter.

As shown in Figure 1B, client generates the shared secret key of client according to the current PKI of the private key of client and server.

Step 105, the response message of communication is set up in the agreement that reception server sends, be decrypted according to the shared secret double secret key response message of client and the follow-up request message of server that sends to is encrypted, to set up the secured communication channel between client and server.

If server receive that client sends for after asking to set up with server the request message communicated, and agree to set up communication with it, then server will send to client to agree to set up the response message (as shown in Figure 1B) (this response message adopts the current shared privacy key of server to be encrypted) of communication, so can set up the secured communication channel between client and server, client and server is when follow-up communication, also the message all adopting shared secret double secret key to send is encrypted, and be decrypted according to the message that shared secret double secret key receives.

In sum, the secured communication channel method for building up that the present embodiment provides, when communicating by agreeing at server set up with client, client just can obtain the current PKI of the server prestored, and sends its current PKI to client again without the need to server.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

Second embodiment

Please refer to Fig. 2 A, it illustrates the flow chart of the secured communication channel method for building up that second embodiment of the invention provides.The method can secured communication channel process of establishing performed by client; Secured communication channel method for building up shown in its to Figure 1A is similar, and its difference is, in the present embodiment, client can inquire that server is the need of the current PKI of renewal, and namely the step 105 of Figure 1A can also comprise afterwards: step 201-205.

Step 201, send for inquiring that server is the need of the inquiry request message upgrading current PKI to server, inquiry request message at least comprises the current public key information of server, if desired upgrade, then carry out step 203, upgrade if do not need, then carry out step 206.

As shown in Figure 2 B, client can send for inquiring that server is the need of the inquiry request message upgrading current PKI to server.The current public key information of server can comprise the current PKI Y of server _bor the current PKI Y of server _bthe information such as sequence number.Sequence number can be the sequence number, code name etc. of current PKI.

Step 203, if server needs to upgrade current PKI, then the response message of the current PKI of renewal of reception server transmission, response message at least comprises the new PKI of server.

If server needs to upgrade current PKI, then server sends new PKI to client, the client server that then reception server sends carries the response message (as shown in Figure 2 B) of new PKI, and this response message adopts current shared privacy key to be encrypted.

Step 205, the new PKI of server is replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

As shown in Figure 2 B, after client receives new PKI, the i.e. current PKI of replaceable server, follow-up when setting up secured communication channel again, just use the new PKI of server, namely adopt the private key of new PKI and client to generate the new shared secret key of client, set up the new secured communication channel between client and server.Client and server is when follow-up communication, and the message all adopting new shared secret double secret key to send is encrypted, and is decrypted according to the message that new shared secret double secret key receives.

Step 206, what reception server sent does not need the response message upgrading current PKI.

Wherein, this response message adopts current shared privacy key to be encrypted.

In sum, the secured communication channel method for building up that the present embodiment provides, also send inquiry server the need of when upgrading the inquiry request of current PKI by user end to server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key according to client demand, thus ensure that the fail safe of communication.

3rd embodiment

Please refer to Fig. 3, it illustrates the flow chart of the secured communication channel method for building up that third embodiment of the invention provides.The method can secured communication channel process of establishing performed by client; Secured communication channel method for building up shown in its to Figure 1A is similar, its difference is, in the present embodiment, server can upgrade current PKI voluntarily, and new PKI is sent to client, and carry out inquiry without the need to client and just carry out upgrading current PKI, i.e. can also comprise after the step 105 of Figure 1A: step 301.

Step 301, the response message of the current PKI of renewal that reception server sends, response message at least comprises the new PKI of server, the new PKI of server is replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

After client receives new PKI, the i.e. current PKI of replaceable server, follow-up when setting up secured communication channel again, just use the new PKI of server, namely the private key of new PKI and client is adopted to generate the new shared secret key of client, to set up the new secured communication channel between client and server.

In sum, the secured communication channel method for building up that the present embodiment provides, also can send to client by the PKI of renewal automatically by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key automatically, thus ensure that the fail safe of communication.

4th embodiment

Please refer to Fig. 4 A, it illustrates the flow chart of the secured communication channel method for building up that fourth embodiment of the invention provides.The method can secured communication channel process of establishing performed by client; Secured communication channel method for building up shown in its to Figure 1A is similar, its difference is, in the present embodiment, when starting to set up communication port, client just can inquire whether server will upgrade current PKI, namely the step 101 of Figure 1A can also comprise afterwards: step 401, described step 103 and 105 can replace with step 403 and 405 respectively.

Step 401, send for inquiring that server is the need of the inquiry request message upgrading current PKI to server, inquiry request message at least comprises the current public key information of server, if desired upgrades, then carry out step 403;

As shown in Figure 4 B, client is when sending request message to server, and also can send inquiry request message to server, the current public key information of server comprises the current PKI Y of server _bor current PKI Y _bsequence number at least one of them.Wherein step 401 and step 101 also can be carried out simultaneously, if server needs to upgrade, then can generate new PKI and private key, and the new PKI of server is sent to client.

Step 403, the response message of communication is set up in the agreement that reception server sends, and at least comprises the new PKI of server in response message;

Step 405, the new PKI of server is replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

As shown in Figure 4 B, after client receives new PKI, the i.e. current PKI of replaceable server, follow-up when setting up secured communication channel again, just use the new PKI of server, namely adopt the private key of new PKI and client to generate the new shared secret key of client, set up the new secured communication channel between client and server.Client and server is when follow-up communication, and the message all adopting new shared secret double secret key to send is encrypted, and is decrypted according to the message that new shared secret double secret key receives.

In sum, the secured communication channel method for building up that the present embodiment provides, also can set up in communication port process server and client side, the current PKI of client inquiry server whether update server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key setting up in communication port process with client, thus ensure that the fail safe of communication.

Be below the embodiment of client of the present invention, the details of not detailed description in client embodiment, can with reference to secured communication channel method for building up first to fourth embodiment of above-mentioned correspondence.

5th embodiment

Please refer to Fig. 5, it illustrates the main frame block diagram of the client that fifth embodiment of the invention provides.Described client, comprising: the shared key generation module 503 of communication request module 501, client and response message receiver module 505.

Particularly, communication request module 501, for generation of the private key of client and the PKI of client, and set up with server the request message communicated for asking to server transmission, request message at least comprises the PKI of client;

Communication request module 501, can select a random number as the private key of client, and meet X _a<p, the computing formula generating the PKI of client is wherein, X _a, Y _abe the private key of client and the PKI of client respectively, p, g are open parameters, and p is prime number, and g is integer, and g is a primitive root of p.

The shared key generation module 503 of client, for obtaining the current PKI of the server prestored, the shared secret key of client is generated, to set up the secured communication channel between client and server according to the private key of client and the current PKI of server.

The shared key generation module 503 of client, the computing formula generating the shared secret key of client can be wherein, K is the shared secret key of client, Y _bthe current PKI of server, X _abe the private key of client, mod asks modular arithmetic, and p is open parameter.

Response message receiver module 505, the response message communicated is set up in the agreement sent for reception server, be decrypted according to the shared secret double secret key response message of client and the follow-up request message of server that sends to is encrypted, to set up the secured communication channel between client and server.

In sum, the client that the present embodiment provides, when communicating by agreeing at server set up with client, client just can obtain the current PKI of the server prestored, and sends its PKI to client again without the need to server.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

6th embodiment

Please refer to Fig. 6, it illustrates the main frame block diagram of the client that sixth embodiment of the invention provides.Client shown in its to Fig. 5 is similar, and its difference is, described client can also comprise: inquiry module 601, new PKI receiver module 603 and replacement module 605.

Inquiry module 601, for sending to server for inquiring that server is the need of the inquiry request message upgrading current PKI, inquiry request message at least comprises the current public key information of server;

New PKI receiver module 603, if need to upgrade current PKI for server, then the response message of the current PKI of renewal of reception server transmission, response message at least comprises the new PKI of server;

Replacement module 605, for the new PKI of server being replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

In sum, the client that the present embodiment provides, also send inquiry server the need of when upgrading the inquiry request of current PKI by user end to server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key according to client demand, thus ensure that the fail safe of communication.

7th embodiment

Please refer to Fig. 7, it illustrates the main frame block diagram of the client that seventh embodiment of the invention provides.Client shown in its to Fig. 5 is similar, and its difference is, described client can also comprise: new PKI receiver module 701.

New PKI receiver module 701, for the response message of the current PKI of renewal that reception server sends, response message at least comprises the new PKI of server, the new PKI of server is replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

In sum, the client that the present embodiment provides, also can send to client by the PKI of renewal automatically by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key automatically, thus ensure that the fail safe of communication.

8th embodiment

Please refer to Fig. 8, it illustrates the main frame block diagram of the client that eighth embodiment of the invention provides.Client shown in its to Fig. 5 is similar, and its difference is, described communication request module 501, also comprises: inquiry module 801;

Inquiry module 801, for sending to server for inquiring that server is the need of the inquiry request message upgrading current PKI, inquiry request message at least comprises the current public key information of server;

Response message receiver module 503, the response message communicated is set up in the agreement sent for reception server, at least comprises the new PKI of server in response message;

The shared key generation module 505 of client, also for the new PKI of server being replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

In sum, the client that the present embodiment provides, also can set up in communication port process server and client side, the current PKI of client inquiry server whether update server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key setting up in communication port process with client, thus ensure that the fail safe of communication.

9th embodiment

Please refer to Fig. 9, it illustrates the flow chart of the secured communication channel method for building up that ninth embodiment of the invention provides.The method can secured communication channel process of establishing performed by server; Described secured communication channel method for building up, can comprise the following steps 901-905:

Step 901, what receive client transmission sets up with server the request message communicated for asking, and wherein, request message at least comprises the PKI of client.

When client wishes to communicate with server, the request message carrying the PKI of client is then sent to server, if server receive that client sends for after asking to set up with server the request message communicated, and agree to set up communication with it, then server will send to client to agree to set up the response message of communication.

Step 903, the private key of generation server and the current PKI of server, according to the current shared privacy key of the private key of server and the PKI generation server of client.

Transformational relation between the current PKI of server and private key can be wherein, X _b, Y _bbe private key and the PKI of server respectively, p, g are open parameters, and open parameter p, g can be arranged in advance by server and client side, and such as, p can be a prime number, and g is an integer, and g is a primitive root of p.In addition, server can to private key X _bmaintain secrecy and deposit.In addition, server can generate private key and current PKI in advance and be stored, can according to the respective private keys of the current Pubic-Key search of server to server in this step.

The computing formula of the current shared privacy key of server generation server is

K = {(Y_{B})}^{X_{A}} \mod p =

{(g^{X_{B}} \mod p)}^{X_{A}} \mod p = {(g^{X_{B}})}^{X_{A}} \mod p = g^{X_{B} X_{A}} \mod p = {(g^{X_{A}})}^{X_{B}} \mod p = {(g^{X_{A}} \mod p)}^{X_{B}}

\mod p = {(Y_{A})}^{X_{B}} \mod p,

Wherein, K is the current shared privacy key of server, X _bthe PKI of client, Y _abe the private key of server, mod asks modular arithmetic, and p is open parameter.

Step 905, generate the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message and is decrypted the request message of receipt of subsequent, and send encrypted response message to client, to set up the secured communication channel between client and server.

In sum, the secured communication channel method for building up that the present embodiment provides, when communicating by agreeing at server set up with client, server just can generate private key according to the current PKI of the server preset.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

Tenth embodiment

Please refer to Figure 10, it illustrates the flow chart of the secured communication channel method for building up that tenth embodiment of the invention provides.The method can secured communication channel process of establishing performed by server; Secured communication channel method for building up shown in its to Fig. 9 is similar, and its difference is, in the present embodiment, when client is inquired, server determines that, the need of the current PKI of renewal, namely the step 905 of Fig. 9 can also comprise afterwards: step 1001-1007.

Step 1001, receive that client sends for inquiring that server is the need of upgrading the inquiry request message of current PKI, inquiry request message at least comprises the current public key information of server, if desired upgrade, then carry out step 1003, upgrade if do not need, then carry out step 1005.

Client can send for inquiring that server is the need of the inquiry request message upgrading current PKI to server.The current public key information of server can comprise the information such as the sequence number of the current PKI of server or the current PKI of server.Sequence number can be the sequence number, code name etc. of PKI.

Step 1003, if desired upgrades current PKI, then the new PKI of generation server and new private key, and according to the new shared secret key of the new private key of server and the PKI generation server of client.

After client receives new PKI, the current PKI of server can be replaced, follow-up when setting up secured communication channel again, just use the new PKI of server, namely the private key of new PKI and client is adopted to generate the new shared secret key of client, to set up the new secured communication channel between client and server.

Step 1005, generate the response message upgrading current PKI, current shared privacy key according to server is encrypted response message, and the response message of the current PKI of encrypted renewal is sent to client, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between client and server, the response message upgrading current PKI at least comprises the new PKI of server.

Step 1007, sends to client and does not need the response message upgrading current PKI.

11 embodiment

Please refer to Figure 11, it illustrates the flow chart of the secured communication channel method for building up that eleventh embodiment of the invention provides.The method can secured communication channel process of establishing performed by server; Secured communication channel method for building up shown in its to Fig. 9 is similar, its difference is, in the present embodiment, when starting to set up communication port, client just can inquire whether server will upgrade current PKI, namely the step 901 of Fig. 9 can also comprise afterwards: step 1101, described step 903 and 905 can replace with step 1103 and 1105 respectively.

Step 1101, receive that client sends for inquiring that server is the need of upgrading the inquiry request message of current PKI, inquiry request message at least comprises the current public key information of server;

Step 1103, according to the new shared secret key of the new private key of server and the PKI generation server of client;

Step 1105, generate the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message, and send encrypted response message to client, agree to the new PKI at least comprising server in the response message of foundation communication, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted, client generates the new shared secret key of client according to the PKI of the private key of client and the new of server.

Be below the embodiment of server of the present invention, the details of not detailed description in server example, can with reference to secured communication channel method for building up the 9th to the 11 embodiment of above-mentioned correspondence.

12 embodiment

Please refer to Figure 12, it illustrates the main frame block diagram of the server that twelveth embodiment of the invention provides.Described server, comprising: request message receiver module 1201, key production module 1203 and response message sending module 1205.

Particularly, request message receiver module 1201, for receive client send set up with server the request message communicated for asking, wherein, request message at least comprises the PKI of client;

Key production module 1203, for the private key of generation server and the current PKI of server, according to the current shared privacy key of the private key of server and the PKI generation server of client;

Key production module 1203, the computing formula of the current shared privacy key of generation server can be wherein, K is the current shared privacy key of server, X _bthe PKI of client, Y _abe the private key of server, mod asks modular arithmetic, and p is open parameter.

Response message sending module 1205, for generating the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message and is decrypted the request message of receipt of subsequent, and send encrypted response message to client, to set up the secured communication channel between client and server.

In sum, the server that the present embodiment provides, when communicating by agreeing at server set up with client, server just can generate private key according to the current PKI of the server preset.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

13 embodiment

With reference to Figure 13, it illustrates the main frame block diagram of the server that thriteenth embodiment of the invention provides.Server shown in its to Figure 12 is similar, and its difference is, described server can also comprise: inquiry request receiving module 1301, new PKI generation module 1303 and new PKI sending module 1305.

Inquiry request receiving module 1301, for receive that client sends for inquiring that server is the need of the inquiry request message upgrading current PKI, inquiry request message at least comprises the current public key information of server;

The current public key information of server comprise the current PKI of server or the sequence number of current PKI at least one of them.

New PKI generation module 1303, for if desired upgrading current PKI, then the new PKI of generation server and new private key, and according to the new shared secret key of the new private key of server and the PKI generation server of client;

New PKI sending module 1305, for generating the response message upgrading current PKI, current shared privacy key according to server is encrypted response message, and the response message of the current PKI of encrypted renewal is sent to client, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between client and server, the response message upgrading current PKI at least comprises the new PKI of server.

In sum, the server that the present embodiment provides, also send inquiry server the need of when upgrading the inquiry request of current PKI by user end to server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key according to client demand, thus ensure that the fail safe of communication.

14 embodiment

Please refer to Figure 14, it illustrates the main frame block diagram of the server that fourteenth embodiment of the invention provides.Server shown in its to Figure 12 is similar, and its difference is, described request message receiver module 1201, also comprises: inquiry receiver module 1401;

Inquiry receiver module 1401, for receive that client sends for inquiring that server is the need of upgrading the inquiry request message of current PKI, inquiry request message at least comprises the current public key information of server;

Key production module 1203, also for the new shared secret key according to the new private key of server and the PKI generation server of client.

New PKI sending module 1205, also for generating the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message, and send encrypted response message to client, agree to the new PKI at least comprising server in the response message of foundation communication, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted, client generates the new shared secret key of client according to the PKI of the private key of client and the new of server.

In sum, the server that the present embodiment provides, also can set up in communication port process server and client side, the current PKI of client inquiry server whether update server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key setting up in communication port process with client, thus ensure that the fail safe of communication.

15 embodiment

Please refer to Figure 15, the secured communication channel that it illustrates fifteenth embodiment of the invention provides sets up the main frame block diagram of system.Described secured communication channel is set up system and is comprised: client and server.Wherein, client comprises the shared key generation module 1503 of communication request module 1501, response message receiver module 1505 and client.Server comprises request message receiver module 1507, key production module 1509 and response message sending module 1511.

Communication request module 1501, for generation of the private key of client and the PKI of client, and set up with server the request message communicated for asking to server transmission, request message at least comprises the PKI of client;

Request message receiver module 1507, for receive client send sets up with server request message communicate for asking, to client send agree to foundation communicate response message;

The shared key generation module 1503 of client, for obtaining the current PKI of the server prestored, generates the shared secret key of client according to the private key of client and the current PKI of server;

Key production module 1509, for the private key of generation server and the current PKI of server, according to the current shared privacy key of the private key of server and the PKI generation server of client;

Response message sending module 1511, for being encrypted response message according to the current shared privacy key of server and being decrypted the request message of receipt of subsequent, and send encrypted response message to client, to set up the secured communication channel between client and server;

Response message receiver module 1505, the response message communicated is set up in the agreement sent for reception server, be decrypted according to the shared secret double secret key response message of client and the follow-up request message of server that sends to is encrypted, to set up the secured communication channel between client and server.

In sum, the secured communication channel that the present embodiment provides sets up system, and when communicating by agreeing at server set up with client, server just can generate private key according to the current PKI of the server preset.Solve the leakage completely that existing communication port method for building up causes the communication information between client and server, cannot the problem such as ensuring communication safety property, the embodiment of the present invention can avoid third-party attack, promotes the fail safe of communication.

16 embodiment

Please refer to Figure 16, the secured communication channel that it illustrates sixteenth embodiment of the invention provides sets up the main frame block diagram of system.It is similar that secured communication channel shown in its to Figure 15 sets up system, and its difference is, described client, also comprises: inquiry module 1601, new PKI receiver module 1603 and replacement module 1605; Described server, also comprises: inquiry request receiving module 1607, new PKI generation module 1609 and new PKI sending module 1611.

Inquiry module 1601, for sending to server for inquiring that server is the need of the inquiry request message upgrading current PKI, inquiry request message at least comprises the current public key information of server;

Inquiry request receiving module 1607, for receive that client sends for inquiring that server is the need of the inquiry request message upgrading current PKI;

New PKI generation module 1609, for if desired upgrading current PKI, the then new PKI of generation server and new private key, and send the new PKI of server to client end, and according to the new shared secret key of the new private key of server and the PKI generation server of client;

New PKI sending module 1611, for generating the response message upgrading current PKI, current shared privacy key according to server is encrypted response message, and the response message of the current PKI of encrypted renewal is sent to client, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between client and server, the response message upgrading current PKI at least comprises the new PKI of server.

New PKI receiver module 1603, for the response message of the current PKI of renewal that reception server sends;

Replacement module 1605, for the new PKI of server being replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted according to the subsequent response message that the new shared secret double secret key server of client sends and the follow-up request message of server that sends to is encrypted.

In sum, the secured communication channel that the present embodiment provides sets up system, also send inquiry server the need of when upgrading the inquiry request of current PKI by user end to server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key according to client demand, thus ensure that the fail safe of communication.

17 embodiment

Please refer to Figure 17, the secured communication channel that it illustrates seventeenth embodiment of the invention provides sets up the main frame block diagram of system.It is similar that secured communication channel shown in its to Figure 15 sets up system, and its difference is, described client, also comprises: the communication request module of client, also comprises: inquiry module 1701.Request message receiver module, also comprises: inquiry receiver module 1703;

Inquiry module 1701, for sending to server for inquiring that server is the need of the inquiry request message upgrading current PKI, inquiry request message at least comprises the current public key information of server;

Inquiry receiver module 1703, for receive that client sends for inquiring that server is the need of upgrading the inquiry request message of current PKI.

New PKI generation module 1509, also for the new shared secret key according to the new private key of server and the PKI generation server of client.

New PKI sending module 1511, also for generating the response message agreeing to set up communication, current shared privacy key according to server is encrypted response message, and send encrypted response message to client, agree to the new PKI at least comprising server in the response message of foundation communication, and be encrypted according to the new shared secret double secret key subsequent response message of server and the request message of receipt of subsequent is decrypted;

Response message receiver module 1503, the response message communicated is set up in the agreement sent for reception server, agrees to the new PKI at least comprising server in the response message of foundation communication;

The shared key generation module 1505 of client, also for the new PKI of server being replaced the current PKI of server, and the new shared secret key of client is generated according to the PKI of the private key of client and the new of server, be decrypted and the follow-up request message of server that sends to is encrypted according to the subsequent response message that the new shared secret double secret key server of client sends, to set up the new secured communication channel between client and server.

In sum, the secured communication channel that the present embodiment provides sets up system, also can set up in communication port process server and client side, the current PKI of client inquiry server whether update server, the PKI of renewal can be sent to client according to inquiry request by server, upgrades for the current PKI of client to server.Like this, server can upgrade its current PKI and private key setting up in communication port process with client, thus ensure that the fail safe of communication.

18 embodiment

Please refer to Figure 18, it illustrates a kind of structured flowchart of client.As shown in figure 18, client comprises memory 1802, storage control 1804, one or more (only illustrating one in figure) processor 1806, Peripheral Interface 1808, radio-frequency module 1810, photographing module 1814, audio-frequency module 1816, Touch Screen 1818 and key-press module 1820.These assemblies are by the mutual communication of one or more communication bus/holding wire.

Be appreciated that the structure shown in Figure 18 is only signal, client also can comprise than assembly more or less shown in Figure 18, or has the configuration different from shown in Figure 18.Each assembly shown in Figure 18 can adopt hardware, software or its combination to realize.

Memory 1802 can be used for storing software program and module, program command/module as corresponding in the Path Setup method that securely communicates in client in the embodiment of the present invention (such as, corresponding module in client), processor 1802 is by running the software program and module that are stored in memory 1804, thus perform the application of various function and data processing, namely realize above-mentioned in client, securely communicating Path Setup method.

Memory 1802 can comprise high speed random asccess memory, also can comprise nonvolatile memory, as one or more magnetic storage device, flash memory or other non-volatile solid state memories.In some instances, memory 1802 can comprise the memory relative to the long-range setting of processor 1806 further, and these remote memories can be connected to client by network.The example of above-mentioned network includes but not limited to the Internet, intranet, local area network (LAN), mobile radio communication and combination thereof.Processor 1806 and other possible assemblies can carry out the access of memory 1802 under the control of storage control 1804.

Various input/output device is coupled to CPU and memory 1802 by Peripheral Interface 1808.Various softwares in processor 806 run memory 802, instruction are to perform the various function of client and to carry out data processing.

In certain embodiments, Peripheral Interface 1808, processor 1806 and storage control 1804 can realize in one single chip.In some other example, they can respectively by independently chip realization.

Radio-frequency module 1810, for receiving and sending electromagnetic wave, realizes the mutual conversion of electromagnetic wave and the signal of telecommunication, thus carries out communication with communication network or other equipment.Radio-frequency module 1810 can comprise the various existing circuit element for performing these functions, such as, and antenna, radio-frequency (RF) transceiver, digital signal processor, encrypt/decrypt chip, subscriber identity module (SIM) card, memory etc.Radio-frequency module 1810 can with various network as the Internet, intranet, wireless network carry out communication or carry out communication by wireless network and other equipment.Above-mentioned wireless network can comprise cellular telephone networks, WLAN (wireless local area network) or metropolitan area network.Above-mentioned wireless network can use various communication standard, agreement and technology, include, but are not limited to global system for mobile communications (GlobalSystemforMobileCommunication, GSM), enhancement mode mobile communication technology (EnhancedDataGSMEnvironment, EDGE), Wideband CDMA Technology (widebandcodedivisionmultipleaccess, W-CDMA), CDMA (Code Division Multiple Access) (Codedivisionaccess, CDMA), tdma (timedivisionmultipleaccess, TDMA), bluetooth, adopting wireless fidelity technology (Wireless, Fidelity, WiFi) (as IEEE-USA standard IEEE 802.11a, IEEE802.11b, IEEE802.11g and/or IEEE802.11n), the networking telephone (Voiceoverinternetprotocal, VoIP), worldwide interoperability for microwave access (WorldwideInteroperabilityforMicrowaveAccess, Wi-Max), other are for mail, the agreement of instant messaging and short message, and any other suitable communications protocol, even can comprise those current agreements be developed not yet.

Photographing module 1814 is for taking pictures or video.Photo or the video of shooting can be stored in memory 1802, and send by radio-frequency module 1810.

Audio-frequency module 1816 provides audio interface to user, and it can comprise one or more microphone, one or more loud speaker and voicefrequency circuit.Voicefrequency circuit receives voice data from Peripheral Interface 1808, voice data is converted to telecommunications breath, and telecommunications breath is transferred to loud speaker.Telecommunications breath is changed the sound wave can heard into people's ear by loud speaker.Voicefrequency circuit also from microphone receive telecommunications breath, convert electrical signals to voice data, and by data transmission in network telephony to Peripheral Interface 1808 to be further processed.Voice data can obtain from memory 1802 or by radio-frequency module 1810.In addition, voice data also can be stored in memory 1802 or by radio-frequency module 1810 and send.In some instances, audio-frequency module 1816 also can comprise an earphone and broadcast hole, for providing audio interface to earphone or other equipment.

Touch Screen 1818 provides one to export and inputting interface between client and user simultaneously.Particularly, Touch Screen 1818 exports to user's display video, and the content of these video frequency output can comprise word, figure, video and combination in any thereof.Some Output rusults correspond to some user interface object.Touch Screen 1818 also receives the input of user, and the gesture operation such as click, slip of such as user, so that response is made in the input of user interface object to these users.The technology detecting user's input can be based on resistance-type, condenser type or other touch control detection technology possible arbitrarily.The instantiation of Touch Screen 1818 display unit includes, but are not limited to liquid crystal display or light emitting polymer displays.

Key-press module 1820 provides user to carry out the interface inputted to client equally, and user can by pressing different buttons with the function making client executing different.

In addition, the embodiment of the present invention also provides a kind of computer-readable recording medium, is stored with computer executable instructions, and above-mentioned computer-readable recording medium is such as nonvolatile memory such as CD, hard disk or flash memory.Above-mentioned computer executable instructions completes above-mentioned secured communication channel method for building up for allowing computer or similar arithmetic unit.

The above, it is only preferred embodiment of the present invention, not any pro forma restriction is done to the present invention, although the present invention discloses as above with preferred embodiment, but and be not used to limit the present invention, any those skilled in the art, do not departing within the scope of technical solution of the present invention, make a little change when the technology contents of above-mentioned announcement can be utilized or be modified to the Equivalent embodiments of equivalent variations, in every case be do not depart from technical solution of the present invention content, according to any simple modification that technical spirit of the present invention is done above embodiment, equivalent variations and modification, all still belong in the scope of technical solution of the present invention.

Claims

1. a secured communication channel method for building up, is characterized in that, described secured communication channel method for building up, comprising:

Produce the private key of client and the PKI of client, and set up with described server the request message communicated for asking to server transmission, described request message at least comprises the PKI of described client;

Obtain the current PKI of the described server prestored, generate the shared secret key of described client according to the private key of described client and the current PKI of described server;

Receive the response message of the agreement foundation communication that described server sends, according to the shared secret double secret key of described client, response message is decrypted and is encrypted, to set up the secured communication channel between described client and described server the follow-up request message of described server that sends to.

2. secured communication channel method for building up according to claim 1, is characterized in that, produces the private key of client and the PKI of client, comprising:

Select a random number as the private key of described client, and meet X _a<p, the computing formula generating the PKI of described client is wherein, X _a, Y _abe the private key of described client and the PKI of described client respectively, p, g are open parameters, and p is prime number, and g is integer, and g is a primitive root of p.

3. secured communication channel method for building up according to claim 1, is characterized in that, generates the shared secret key of described client, comprising according to the private key of described client and the current PKI of described server:

The computing formula generating the shared secret key of described client is wherein, K is the shared secret key of described client, Y _bthe current PKI of described server, X _abe the private key of described client, mod asks modular arithmetic, and p is open parameter.

4. secured communication channel method for building up according to claim 1, it is characterized in that, receive the response message of the agreement foundation communication that described server sends, according to the shared secret double secret key of described client, response message is decrypted and is encrypted the follow-up request message of described server that sends to, after setting up the secured communication channel between described client and described server, comprising:

Send for inquiring that described server is the need of the inquiry request message upgrading current PKI to described server, described inquiry request message at least comprises the current public key information of described server;

If described server needs to upgrade described current PKI, then receive the response message of the current PKI of renewal that described server sends, described response message at least comprises the new PKI of described server;

The new PKI of described server is replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted, to set up the secured communication channel between described client and described server the follow-up request message of described server that sends to.

5. secured communication channel method for building up according to claim 1, is characterized in that, the current public key information of described server comprise the current PKI of described server or the sequence number of current PKI at least one of them.

6. secured communication channel method for building up according to claim 1, it is characterized in that, receive the response message of the agreement foundation communication that described server sends, according to the shared secret double secret key of described client, response message is decrypted and is encrypted the follow-up request message of described server that sends to, after setting up the secured communication channel between described client and described server, comprising:

Receive the response message of the current PKI of renewal that described server sends, described response message at least comprises the new PKI of described server, the new PKI of described server is replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.

7. secured communication channel method for building up according to claim 1, it is characterized in that, produce the private key of client and the PKI of client, and set up with described server the request message communicated for asking to server transmission, described request message comprises after at least comprising the PKI of described client:

Send for inquiring that described server is the need of the inquiry request message upgrading current PKI to server, described inquiry request message at least comprises the current public key information of described server;

Receive the response message of the agreement foundation communication that described server sends, in described response message, at least comprise the new PKI of described server;

The new PKI of described server is replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.

8. a client, is characterized in that, described client, comprising:

Communication request module, for generation of the private key of client and the PKI of client, and set up with described server the request message communicated for asking to server transmission, described request message at least comprises the PKI of described client;

The shared key generation module of client, for obtaining the current PKI of the described server prestored, generates the shared secret key of described client according to the private key of described client and the current PKI of described server;

Response message receiver module, the response message of communication is set up in the agreement sent for receiving described server, according to the shared secret double secret key of described client, response message is decrypted and is encrypted, to set up the secured communication channel between described client and described server the follow-up request message of described server that sends to.

9. client according to claim 8, is characterized in that, described communication request module, for selecting a random number as the private key of described client, and meets X _a<p, the computing formula generating the PKI of described client is wherein, X _a, Y _abe the private key of described client and the PKI of described client respectively, p, g are open parameters, and p is prime number, and g is integer, and g is a primitive root of p.

10. client according to claim 8, is characterized in that, the shared key generation module of described client, for generating the computing formula of the shared secret key of described client is wherein, K is the shared secret key of described client, Y _bthe current PKI of described server, X _abe the private key of described client, mod asks modular arithmetic, and p is open parameter.

11. clients according to claim 8, is characterized in that, described client, also comprises:

Inquiry module, for sending to described server for inquiring that described server is the need of the inquiry request message upgrading current PKI, described inquiry request message at least comprises the current public key information of described server;

New PKI receiver module, if need to upgrade described current PKI for described server, then receive the response message of the current PKI of renewal that described server sends, described response message at least comprises the new PKI of described server;

Replacement module, for the new PKI of described server being replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.

12. clients according to claim 11, is characterized in that, the current public key information of described server comprise the current PKI of described server or the sequence number of current PKI at least one of them.

13. clients according to claim 8, is characterized in that, described client, also comprises:

New PKI receiver module, for receiving the response message of the current PKI of renewal that described server sends, described response message at least comprises the new PKI of described server, the new PKI of described server is replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.

14. clients according to claim 8, is characterized in that,

Described communication request module, also comprises: inquiry module, and for sending to server for inquiring that described server is the need of the inquiry request message upgrading current PKI, described inquiry request message at least comprises the current public key information of described server;

Described response message receiver module, the response message of communication is set up in the agreement sent for receiving described server, at least comprises the new PKI of described server in described response message;

The shared key generation module of described client, also for the new PKI of described server being replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.

15. 1 kinds of secured communication channel method for building up, is characterized in that, described secured communication channel method for building up, comprising:

What receive client transmission sets up with server the request message communicated for asking, and wherein, described request message at least comprises the PKI of described client;

Generate the private key of described server and the current PKI of described server, generate the current shared privacy key of described server according to the private key of described server and the PKI of described client;

Generate the response message agreeing to set up communication, current shared privacy key according to described server is encrypted described response message and is decrypted the request message of receipt of subsequent, and send encrypted response message to described client, to set up the secured communication channel between described client and described server.

16. secured communication channel method for building up according to claim 15, is characterized in that, generate the current shared privacy key of described server, comprising according to the private key of described server and the PKI of described client:

The computing formula generating the current shared privacy key of described server is wherein, K is the current shared privacy key of described server, X _bthe PKI of described client, Y _abe the private key of described server, mod asks modular arithmetic, and p is open parameter.

17. secured communication channel method for building up according to claim 15, it is characterized in that, generate the response message agreeing to set up communication, current shared privacy key according to described server is encrypted described response message and is decrypted the request message of receipt of subsequent, and send encrypted response message to described client, after setting up the secured communication channel between described client and described server, comprising:

Receive that described client sends for inquiring that described server is the need of upgrading the inquiry request message of current PKI, described inquiry request message at least comprises the current public key information of described server;

If desired upgrade described PKI, then generate the new PKI of described server and new private key, and generate the new shared secret key of described server according to the new private key of described server and the PKI of described client;

Generate the response message upgrading current PKI, current shared privacy key according to described server is encrypted described response message, and the response message of the current PKI of encrypted renewal is sent to described client, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between described client and described server, the response message of the current PKI of described renewal at least comprises the new PKI of described server.

18. secured communication channel method for building up according to claim 17, is characterized in that, the current public key information of described server comprise the current PKI of described server or the sequence number of current PKI at least one of them.

19. secured communication channel method for building up according to claim 15, is characterized in that, receive that client sends for after asking to set up with server the request message communicated, comprising:

The new shared secret key of described server is generated according to the new private key of described server and the PKI of described client;

Generate the response message agreeing to set up communication, current shared privacy key according to described server is encrypted described response message, and send encrypted response message to described client, the new PKI at least comprising described server in the response message of communication is set up in described agreement, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted, described client generates the new shared secret key of described client according to the new PKI of the private key of described client and described server.

20. 1 kinds of servers, is characterized in that, described server, comprising:

Request message receiver module, for receive client send set up with server the request message communicated for asking, wherein, described request message at least comprises the PKI of described client;

Key production module, for the current PKI of the private key and described server that generate described server, generates the current shared privacy key of described server according to the private key of described server and the PKI of described client;

Response message sending module, described response message is encrypted for the current shared privacy key according to described server and the request message of receipt of subsequent is decrypted, and send encrypted response message to described client, to set up the secured communication channel between described client and described server.

21. servers according to claim 20, is characterized in that, described response message sending module, for generating the computing formula of the current shared privacy key of described server are wherein, K is the current shared privacy key of described server, X _bthe PKI of described client, Y _abe the private key of described server, mod asks modular arithmetic, and p is open parameter.

22. servers according to claim 20, is characterized in that, described server, also comprises:

Inquiry request receiving module, for receive that described client sends for inquiring that described server is the need of the inquiry request message upgrading current PKI, described inquiry request message at least comprises the current public key information of described server;

New PKI generation module, for if desired upgrading described PKI, then generates the new PKI of described server and new private key, and generates the new shared secret key of described server according to the new private key of described server and the PKI of described client;

New PKI sending module, for generating the response message upgrading current PKI, current shared privacy key according to described server is encrypted described response message, and the response message of the current PKI of encrypted renewal is sent to described client, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between described client and described server, the response message of the current PKI of described renewal at least comprises the new PKI of described server.

23. servers according to claim 22, is characterized in that, the current public key information of described server comprise the current PKI of described server or the sequence number of current PKI at least one of them.

24. servers according to claim 20, is characterized in that,

Described request message receiver module, also comprise: inquiry receiver module, for receive that described client sends for inquiring that described server is the need of upgrading the inquiry request message of current PKI, described inquiry request message at least comprises the current public key information of described server;

Described key production module, also for generating the new shared secret key of described server according to the new private key of described server and the PKI of described client;

New PKI sending module, also for generating the response message agreeing to set up communication, current shared privacy key according to described server is encrypted described response message, and send encrypted response message to described client, the new PKI at least comprising described server in the response message of communication is set up in described agreement, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted, described client generates the new shared secret key of described client according to the new PKI of the private key of described client and described server.

25. 1 kinds of secured communication channels set up system, comprising: client and server;

Described client comprises the shared key generation module of communication request module, response message receiver module and client;

Described server comprises request message receiver module, key production module and response message sending module;

Request message receiver module, for receive client send set up with server the request message communicated for asking;

Response message sending module, described response message is encrypted for the current shared privacy key according to described server and the request message of receipt of subsequent is decrypted, and send encrypted response message to described client, to set up the secured communication channel between described client and described server;

26. secured communication channels according to claim 25 set up system, it is characterized in that, described client, also comprises: inquiry module, new PKI receiver module and replacement module; Described server, also comprises: inquiry request receiving module, new PKI generation module and new PKI sending module;

Described inquiry module, for sending to described server for inquiring that described server is the need of the inquiry request message upgrading current PKI, described inquiry request message at least comprises the current public key information of described server;

Described inquiry request receiving module, for receive that described client sends for inquiring that described server is the need of upgrading the inquiry request message of current PKI;

Described new PKI generation module, for if desired upgrading described PKI, then generates the new PKI of described server and new private key, and generates the new shared secret key of described server according to the new private key of described server and the PKI of described client;

New PKI sending module, for generating the response message upgrading current PKI, current shared privacy key according to described server is encrypted described response message, and the response message of the current PKI of encrypted renewal is sent to described client, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted, to set up the new secured communication channel between described client and described server, the response message upgrading current PKI at least comprises the new PKI of described server;

Described new PKI receiver module, for receiving the response message of the current PKI of renewal that described server sends;

Described replacement module, for the new PKI of described server being replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, the subsequent response message that server sends according to the new shared secret double secret key of described client is decrypted and is encrypted the follow-up request message of described server that sends to.

27. secured communication channels according to claim 25 set up system, it is characterized in that,

The communication request module of described client, also comprise: inquiry module, described inquiry module is used for sending for inquiring that described server is the need of the inquiry request message upgrading current PKI to server, and described inquiry request message at least comprises the current public key information of described server;

Described request message receiver module, also comprises: inquiry receiver module, for receive that described client sends for inquiring that described server is the need of upgrading the inquiry request message of current PKI;

Described new PKI generation module, also for generating the new shared secret key of described server according to the new private key of described server and the PKI of described client;

New PKI sending module, also for generating the response message agreeing to set up communication, current shared privacy key according to described server is encrypted response message, and send encrypted response message to described client, agree to the new PKI at least comprising described server in the response message of foundation communication, and be encrypted according to the new shared secret double secret key subsequent response message of described server and the request message of receipt of subsequent is decrypted;

Described response message receiver module, the response message of communication is set up in the agreement sent for receiving described server, and the new PKI at least comprising described server in the response message of communication is set up in described agreement;

The shared key generation module of described client, also for the new PKI of described server being replaced the current PKI of described server, and the new shared secret key of described client is generated according to the private key of described client and the new PKI of described server, according to the new shared secret double secret key of described client, response message is decrypted and is encrypted the follow-up request message of described server that sends to, to set up the new secured communication channel between described client and described server.