CN105141705A - Method for safety data transmission and terminal device - Google Patents

Method for safety data transmission and terminal device

Publication number
CN105141705A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510640520.3A
Other languages
Chinese (zh)
Other versions
CN105141705B (en)
Inventor
陈耀攀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201510640520.3A
Publication of CN105141705A
Application granted
Publication of CN105141705B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method for secure data transmission and a terminal device, to solve the problem that transmitting data over an HTTPS channel cannot guarantee the security of the data transmission. The method comprises: detecting whether the organization to which a destination server belongs is a confidential institution; if so, determining whether the destination server supports establishing a preset secure channel to receive the data to be sent; if so, using a proxy device arranged on the terminal device side to establish the preset secure channel and transmit the data to be sent. Because the security level of the preset secure channel is higher than that of the HTTPS channel, the security of data transmission is improved.

Description

Method for secure data transmission and terminal device
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a method for secure data transmission and a terminal device.
Background
At present, as computer technology and network communication are applied ever more widely and the range of services in different fields grows richer, users can enjoy the many conveniences that network communication brings. For example, a user can learn of current events and anecdotes from around the world through network communication. In addition, users can share their own surroundings, information and so on with others.
Using network communication involves data transmission. The security of data transmission has become an increasingly important part of Internet security technology. How to improve the security of data transmitted over the network (especially data transmitted by security-sensitive institutions, such as financial transaction data) has become a topic of growing concern.
What is generally used at present is an HTTPS channel for the secure transmission of data, but this transmission mode cannot guarantee the security of the data transmission. For example, when a user carries out a financial transaction with a bank server, financial transaction data (such as the bank card number and password) is sent to the bank server via platforms such as a browser or shopping software. Such financial transaction data may, however, be intercepted and stolen by a third party in transit, leaking the financial transaction data and causing loss to the user.
Therefore, with the current HTTPS-channel transmission mode, even when a requirement for secure data transmission is received, the data can still only be transmitted over the HTTPS channel, and the security of the data transmission cannot be guaranteed.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method for secure data transmission and a terminal device that overcome the above problems or at least partially solve them.
One aspect of the present invention provides a method for secure data transmission, the method comprising:
detecting whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution;
if it is detected that the organization to which the destination server belongs is a confidential institution, judging whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
if the destination server supports establishing the preset secure channel to receive the data to be sent, sending the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then uses the preset secure channel to forward the data to be sent to the destination server.
Preferably, detecting whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution specifically comprises:
detecting whether the security level of the IP address of the destination server is higher than a security level threshold;
if the security level of the IP address of the destination server is higher than the security level threshold, the organization to which the destination server belongs is a confidential institution.
Preferably, detecting whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution specifically comprises:
detecting whether the security level of the organization to which the destination server belongs falls within a preset security level;
if the security level of the organization to which the destination server belongs falls within the preset security level, the organization to which the destination server belongs is a confidential institution.
Preferably, detecting whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution specifically comprises:
detecting whether the organization to which the destination server belongs is present in a first whitelist that records confidential institutions;
if the organization to which the destination server belongs is present in the first whitelist, the organization to which the destination server belongs is a confidential institution.
Preferably, updating the first whitelist comprises the following steps:
updating the first whitelist at scheduled intervals; or
when a record request sent by another confidential institution not on the first whitelist is received, adding the information of that confidential institution to the first whitelist according to the record request.
Preferably, judging whether the destination server supports establishing the preset secure channel to receive the data to be sent specifically comprises:
extracting characteristic information about the destination server from the data to be sent;
judging, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
Preferably, judging, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent specifically comprises:
judging whether the characteristic information of the destination server is present in a second whitelist, the second whitelist recording the characteristic information of servers that support the preset secure channel;
if the characteristic information of the destination server is present in the second whitelist, the destination server supports establishing the preset secure channel to receive the data to be sent.
Preferably, the characteristic information of the destination server comprises: IP address and/or receiving port.
Preferably, updating the second whitelist comprises the following steps:
updating the second whitelist at scheduled intervals; or
when an update request is obtained for another server that is not on the second whitelist and supports the preset secure channel, adding the characteristic information of that server to the second whitelist.
Preferably, sending the data to be sent to the proxy device is specifically:
encrypting the data to be sent with a key and then sending it to the proxy device.
Preferably, after judging whether the destination server supports establishing the preset secure channel to receive the data to be sent, the method further comprises:
if the destination server does not support establishing the preset secure channel to receive the data to be sent, sending the data to be sent to the destination server over the HTTPS channel.
Preferably, after the data to be sent is sent to the proxy device, the method further comprises:
receiving data packets that the proxy device forwards using the preset secure channel.
Preferably, the proxy device is built into a browser.
Another aspect of the present invention provides a terminal device, comprising:
a detection module, configured to detect whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution;
a judging module, configured to, if it is detected that the organization to which the destination server belongs is a confidential institution, judge whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
a first sending module, configured to, if the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then uses the preset secure channel to forward the data to be sent to the destination server.
Preferably, the detection module is specifically configured to detect whether the security level of the IP address of the destination server is higher than a security level threshold; if the security level of the IP address of the destination server is higher than the security level threshold, the organization to which the destination server belongs is a confidential institution.
Preferably, the detection module is specifically configured to detect whether the security level of the organization to which the destination server belongs falls within a preset security level; if the security level of the organization to which the destination server belongs falls within the preset security level, the organization to which the destination server belongs is a confidential institution.
Preferably, the detection module is specifically configured to detect whether the organization to which the destination server belongs is present in a first whitelist that records confidential institutions; if the organization to which the destination server belongs is present in the first whitelist, the organization to which the destination server belongs is a confidential institution.
Preferably, updating the first whitelist comprises the following steps:
updating the first whitelist at scheduled intervals; or
when a record request sent by another confidential institution not on the first whitelist is received, adding the information of that confidential institution to the first whitelist according to the record request.
Preferably, the judging module specifically comprises:
an extraction module, configured to extract characteristic information about the destination server from the data to be sent;
a judging submodule, configured to judge, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
Preferably, the judging submodule is specifically configured to judge whether the characteristic information of the destination server is present in a second whitelist, the second whitelist recording the characteristic information of servers that support the preset secure channel; if the characteristic information of the destination server is present in the second whitelist, the destination server supports establishing the preset secure channel to receive the data to be sent.
Preferably, the characteristic information of the destination server comprises: IP address and/or receiving port.
Preferably, updating the second whitelist comprises the following steps:
updating the second whitelist at scheduled intervals; or
when an update request is obtained for another server that is not on the second whitelist and supports the preset secure channel, adding the characteristic information of that server to the second whitelist.
Preferably, the first sending module encrypts the data to be sent with a key and then sends it to the proxy device.
Preferably, the terminal device further comprises:
a second sending module, configured to, after it is judged whether the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to the destination server over the HTTPS channel if the destination server does not support establishing the preset secure channel to receive the data to be sent.
Preferably, the terminal device further comprises:
a receiving module, configured to, after the data to be sent is sent to the proxy device, receive data packets that the proxy device forwards using the preset secure channel.
Preferably, the proxy device is built into a browser.
The technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The invention provides a method for secure data transmission and a terminal device, to solve the problem that transmitting data over an HTTPS channel cannot guarantee the security of the data transmission. The method of the present invention first detects whether the organization to which the destination server belongs is a confidential institution; if it is detected that the destination server belongs to a confidential institution, it judges whether the destination server supports establishing a preset secure channel to receive the data to be sent. If it does, the proxy device on the terminal device side is used to establish the preset secure channel and transmit the data to be sent. Because the security level of the preset secure channel is higher than that of the HTTPS channel, the security of data transmission can be improved.
Further, if the destination server corresponding to the data to be sent does not support establishing the preset secure channel to receive the data to be sent, the present invention can still transmit the data to be sent over the HTTPS channel. The present invention therefore not only improves the security of data transmission but is also compatible with both transmission modes.
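The decision flow summarized above, written out as an added Python example that is not part of the patent text. The function names, the tuple form of second-whitelist entries and all sample values (documentation IP ranges, "Example Bank") are assumptions; the three detection options are kept as separate predicates because the text offers them as alternatives.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

PRESET = "preset-secure-channel-via-proxy"
HTTPS = "https"


@dataclass(frozen=True)
class Destination:
    ip: str
    port: int
    org: Optional[str] = None        # organization found from registration data
    ip_level: Optional[int] = None   # 1 (lowest) .. 5 (highest)
    org_level: Optional[int] = None  # same scale, graded per organization


Detector = Callable[[Destination], bool]
# Characteristic information is "IP address and/or receiving port":
# None in either position means that field is not part of the entry (assumed form).
Feature = Tuple[Optional[str], Optional[int]]


def by_ip_level(threshold: int) -> Detector:
    """Option 1: IP security level must be strictly higher than the threshold."""
    return lambda d: d.ip_level is not None and d.ip_level > threshold


def by_org_level(preset_levels: Iterable[int]) -> Detector:
    """Option 2: organization level must fall within the preset levels."""
    levels = frozenset(preset_levels)
    return lambda d: d.org_level in levels


def by_first_whitelist(entries: Iterable[str]) -> Detector:
    """Option 3: organization name or IP address is recorded in the first whitelist."""
    known = frozenset(entries)
    return lambda d: d.org in known or d.ip in known


def supports_preset_channel(d: Destination, second_whitelist: Iterable[Feature]) -> bool:
    """Match the destination's characteristic information against the second whitelist."""
    for ip, port in second_whitelist:
        if ip is None and port is None:
            continue  # an empty entry would match every server, so it is ignored
        if (ip is None or ip == d.ip) and (port is None or port == d.port):
            return True
    return False


def choose_channel(d: Destination, is_confidential: Detector,
                   second_whitelist: Iterable[Feature]) -> str:
    if not is_confidential(d):
        # Assumption: the text states the HTTPS fallback only for servers that
        # lack preset-channel support; other traffic is taken to stay on HTTPS.
        return HTTPS
    if supports_preset_channel(d, second_whitelist):
        return PRESET  # data goes to the terminal-side proxy, which opens the channel
    return HTTPS       # fallback stated in the text: server does not support the channel


# Constructed sample data.
FIRST_WHITELIST = {"Example Bank", "198.51.100.7"}
SECOND_WHITELIST = [("192.0.2.10", 8443), ("192.0.2.20", None), (None, None)]

BANK = Destination("192.0.2.10", 8443, org="Example Bank", ip_level=5, org_level=4)
INSTITUTE = Destination("192.0.2.20", 443, org="Example Institute", ip_level=3, org_level=3)
LISTED_IP = Destination("198.51.100.7", 443, org="Unlisted Org", ip_level=1, org_level=1)
SHOP = Destination("203.0.113.5", 8443, org="Example Shop")


def demo() -> dict:
    return {
        "bank_ip_level": choose_channel(BANK, by_ip_level(3), SECOND_WHITELIST),
        # Level 3 is not "higher than" threshold 3, but it is within "3 and above".
        "institute_ip_level": choose_channel(INSTITUTE, by_ip_level(3), SECOND_WHITELIST),
        "institute_org_level": choose_channel(INSTITUTE, by_org_level({3, 4, 5}), SECOND_WHITELIST),
        # Confidential by first whitelist, but the server is not on the second one.
        "listed_ip": choose_channel(LISTED_IP, by_first_whitelist(FIRST_WHITELIST), SECOND_WHITELIST),
        "shop": choose_channel(SHOP, by_first_whitelist(FIRST_WHITELIST), SECOND_WHITELIST),
    }


if __name__ == "__main__":
    for name, channel in demo().items():
        print(f"{name}: {channel}")
```

The `institute_*` cases show that the same level-3 server is routed differently depending on which detection option is configured, since a strict threshold and a "level 3 and above" set do not agree at the boundary.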
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows the system architecture diagram corresponding to a method for secure data transmission according to an embodiment of the present invention;
Fig. 2 shows the implementation flowchart of a method for secure data transmission according to an embodiment of the present invention;
Fig. 3 shows the structural diagram of a terminal device according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
As an optional embodiment, the present invention provides a method for secure data transmission, to solve the problem that the existing way of transmitting data over an HTTPS channel cannot guarantee data transmission security. It should be noted that the method of the present invention can be, but is not limited to being, applied in a browser. That is, the present invention can use a browser to transmit the data to be sent (for example web page data), and can also be applied in other applications, such as shopping software (for example the Taobao software) and instant messaging software (WeChat, QQ, Fetion and similar software), so that the data to be sent is transmitted by those applications. The description below uses the method on the browser side; implementations on other sides (shopping software, instant messaging software, etc.) are similar to the browser-side implementation and are therefore not repeated.
Refer to Fig. 1, the system architecture diagram corresponding to the method for secure data transmission provided by the present invention.
In the system architecture diagram, the devices involved are: a terminal device, a proxy device and a destination server. The terminal device of the present invention may specifically be a mobile phone, a computer, a PAD or another electronic device. This embodiment does not limit which kind of electronic device the terminal device is. The user of the terminal device is the end user. The proxy device is mainly used to establish the preset secure channel with the destination server and then use the preset secure channel to forward the data to be sent from the terminal device side to the destination server. The destination server is the final destination of the data to be sent and is used to respond to the data to be sent. The destination server can be any server, such as a bank server, a server provided by a financial trading institution (a stock exchange), or a server provided by a confidential institution (for example an aircraft design institute).
Specifically, the terminal device side is provided with a single-core browser supporting the IE kernel (for example the IE browser) or a dual-core browser supporting two kernels at once (such as the IE kernel and the Chrome kernel). Because the IE kernel is closed, a browser that has the IE kernel (whether single-core or dual-core) can only support establishing a single channel to transmit data. For example, it can only establish a Hypertext Transfer Protocol Secure (HTTPS) channel to transmit data, and this transmission mode makes it easy for the data to be sent to be intercepted and stolen in transit.
To address this problem, the present invention provides a proxy device on the terminal device side. Specifically, the proxy device can be arranged inside the browser, becoming part of the browser. Alternatively, the proxy device can exist on the terminal device side as an independent entity. For other applications, the proxy device is built into the application, becoming part of it, or exists on the terminal device side as an independent entity.
When the proxy device is arranged inside the browser, because the IE kernel is closed, a new network library can be added to the browser to serve as the proxy device's network library. The browser's original network library does not have to be modified, which keeps changes to the browser to a minimum.
When the proxy device is arranged inside the browser, if it is determined that a preset secure channel (for example a state-cryptography channel) needs to be established with the destination server to transmit data, and the destination server supports the preset secure channel, the new connection can automatically be used in place of the original connection (the HTTPS channel). That is, the preset secure channel is automatically established with the destination server to replace the original HTTPS channel, so that the browser switches seamlessly from the HTTPS channel to the preset secure channel.
Building on the browser's existing support for HTTPS channel transmission, the proxy device is used to establish with the destination server a preset secure channel that is more secure than the existing HTTPS channel. This gives the browser an additional secure channel for transmitting data and improves the security of the transmission of the data to be sent. Specifically, because the proxy device is arranged on the terminal device side (whether the proxy device is arranged inside the browser or inside the terminal device, it counts as being on the terminal device side), data transfer between the browser and the proxy device is internal transmission. The transmission between the proxy device and the destination server carries the data to be sent over the established preset secure channel. Because the security level of the preset secure channel is higher than that of the HTTPS channel, using the preset secure channel to transmit the data to be sent improves the security of that transmission.
Further, because the proxy device is used to establish the more secure transmission channel for the data to be sent, use of the original HTTPS channel is not affected, so the browser improves the security of transmitting the data to be sent while remaining compatible with both channels.
In addition, the browser of the present invention is not limited to using a single channel at any one time. For example, while the browser uses the preset secure channel to transmit the data to be sent, it can also use the HTTPS channel to transmit (send or receive) other data. For instance, the browser may access the server of a confidential institution and use the preset secure channel to transmit confidential documents to that institution's server, while at the same time, on another web page, the browser receives home page data sent by other servers (such as the home page data of some online store).
Refer to Fig. 2, the implementation flowchart of the method for secure data transmission provided by the present invention.
S1: detect whether the organization to which the destination server corresponding to the data to be sent belongs is a confidential institution.
Confidential institutions are, specifically, institutions that need to guarantee data transmission security, such as national confidential departments, financial institutions, military manufacturers and research institutes. If the organization to which the terminal device belongs is an institution of this kind, the data transmitted by the terminal device (including data to be sent and data received) must be kept secure in transmission, so that it is not intercepted and stolen by a third party, causing a data leak.
As one possible implementation, before detecting whether the organization to which the destination server belongs is a confidential institution, the organization to which the destination server belongs must first be obtained. Specifically, the IP address of the destination server can be extracted from the data to be sent, and the IP address can then be used to look up the registration information of its organization on the Internet; alternatively, the IP addresses of all servers and the corresponding organization registration information can be downloaded in advance into a local database and then looked up in that database. After the registration information of the organization to which the destination server belongs has been obtained (such as the registered organization name and organization telephone number), the organization to which the destination server belongs (such as the registering entity and organization telephone number) is obtained from that registration information.
As one possible implementation, when detecting whether the organization to which the destination server belongs is a confidential institution, it can be detected whether the security level of the IP address of the destination server is higher than a security level threshold; if the security level of the IP address of the destination server is higher than the security level threshold, the organization to which the destination server belongs is a confidential institution.
For example, a security grading standard is stored locally, and the IP addresses of all destination servers can be graded by security level. The security levels of destination server IP addresses may, for instance, be divided into five grades: level 1 (the lowest security level), level 2, level 3, level 4 and level 5 (the highest security level). The security level threshold is set to level 3. If the IP address of the destination server in this embodiment is detected to be level 5, it can then be checked whether that is higher than the security level threshold (level 3); if it is higher than level 3, the organization to which the destination server belongs is a confidential institution.
In practice, the security level of a destination server's IP address can be determined comprehensively from several factors, such as the registration information of the organization to which the destination server belongs, the location of the destination server and the device model of the destination server. The preset security threshold can likewise be derived from this information about the destination server. It should also be noted that the examples here serve only to illustrate and explain the present invention and do not limit it; the present invention may also represent levels in other ways, for example with characters, symbols, letters or words, and these should also fall within the scope of protection of the present invention.
As one possible implementation, when detecting whether the organization to which the destination server belongs is a confidential institution, after the organization has been obtained it can be detected directly whether the security level of that organization falls within the preset security level; if it does, the organization to which the destination server belongs is a confidential institution. As in the example above, the present invention divides the security levels of the organizations of all destination servers into five grades and sets the preset security level to level 3 and above. If the security level of the organization to which the destination server belongs is level 4, the security level of that organization falls within the preset security level.
As one possible implementation, when detecting whether the institution to which the destination server belongs is a privacy institution, it is also possible to check whether that institution is present in a first whitelist that records the privacy institutions; if it is present in the first whitelist, the institution to which the destination server belongs is a privacy institution.
Specifically, the first whitelist records the information of all privacy institutions obtained so far (by actively searching the whole network or by passively receiving what servers send), such as the name and IP address of each privacy institution. Therefore, after the institution to which the destination server belongs is obtained, it can be checked directly whether the information of that institution (for example its name or IP address) is present in the first whitelist. If it is, the institution to which the destination server belongs is a privacy institution.
In addition, the first whitelist can take many forms, such as a table, a list or a database. The embodiments of the invention also provide several ways of updating the first whitelist. For example, the first whitelist can be searched and updated in real time, so that the privacy institutions on it stay at the latest version on the terminal device side. It can also be searched and updated on a timer to save network resources, for example once every 24 hours. In addition, when a record request is received from another privacy institution that is not on the first whitelist, the information of that institution can be added to the first whitelist according to the record request. For example: a device of another privacy institution not on the first whitelist sends a record request to the terminal device, asking it to record the institution's information on the first whitelist, and sends its own information to the terminal device; after receiving the record request, the terminal device can add that information to the first whitelist. Alternatively, after the terminal device receives information about an institution that is not on the first whitelist and is a privacy institution, it can add that information to the first whitelist directly.
As for the data to be sent, the invention does not limit its data type. It can be data of any type or any combination of data, such as documents, files, video, audio or images. The data to be sent can be data stored locally by the browser and waiting to be called at any time, such as a document stored locally by the browser. It can also be data that the browser of the terminal device has collected from the Internet, such as a picture downloaded from an external website the browser has visited.
S2: if it is detected that the institution to which the destination server belongs is a privacy institution, judge whether the destination server supports establishing a preset secure channel to receive the data to be sent.
The preset secure channel is defined as another kind of secure channel, different from the hypertext transfer protocol secure (https) channel, for example the national cryptographic (SM) channel.
In addition, the security level of the preset secure channel is higher than that of the hypertext transfer protocol secure (https) channel. For example, the security of the national cryptographic channel can be higher than that of the https channel. The national cryptographic channel is in fact a data transmission channel built on the national cryptographic algorithms (SM2-SM4) that conforms to the Secure Sockets Layer (SSL) data security protocol. The national cryptographic algorithms are a set of public key algorithms issued by the State Cryptography Administration, and the security of a data transmission channel built on them can be higher than that of the https channel.
Specifically, because the preset secure channel is more secure than the https channel, after the data to be sent is obtained it can first be judged whether that data needs to be transmitted over the preset secure channel (for example the national cryptographic channel). If it does, it is further judged whether the destination server corresponding to the data (that is, the final destination of the data to be sent) supports establishing the preset secure channel to receive it. If the destination server does support this, the preset secure channel is used in preference, to improve the security of the data transmission. If it does not, the https channel is chosen to transmit the data to be sent.
In a concrete implementation, when judging whether the destination server corresponding to the data to be sent supports establishing the preset secure channel to receive that data, the characteristic information about the destination server can first be extracted from the data to be sent; it is then judged, based on that characteristic information, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
Besides one or several combined data items (for example a combination of a document and an image), the data to be sent also includes the source address (for example the source IP address) and source port of the terminal device, the receiving address (for example the IP address of Construction Bank) and receiving port of the destination server (the final destination of the data to be sent), and so on.
It follows that the characteristic information of the destination server in the invention includes but is not limited to: the IP address and/or the receiving port. After obtaining the data to be sent, the terminal device side can extract from it the characteristic information about the destination server, for example the IP address and/or the receiving port.
Therefore, after the characteristic information of the destination server is extracted, whether the corresponding destination server supports establishing the preset secure channel to receive the data to be sent can be judged by 'judging whether the characteristic information of the destination server is present in a second whitelist'.
Specifically, the second whitelist records the characteristic information of the servers obtained so far (by actively searching the whole network or by passively receiving what servers send) that support the preset secure channel. That is, besides the destination server corresponding to the data to be sent, the second whitelist also records the characteristic information of other destination servers that support the preset secure channel.
The second whitelist can take many forms, such as a table, a list or a database. Table 1 below lists, in table form, the characteristic information of some of the destination servers recorded in the second whitelist.
Server       IP address         Receiving port
Server A1    118.114.168.212    147
Server A2    118.114.168.211    140
Table 1
It should be noted that, besides a table, the second whitelist can take other forms, and these also fall within the scope of protection of the invention.
In general, the second whitelist is stored on the terminal device side. The embodiments of the invention also provide several ways of updating the second whitelist, described below.
The terminal device can update the second whitelist in real time. Whenever another server is found that is not on the second whitelist but supports the preset secure channel, its characteristic information can be added to the second whitelist immediately, so that the second whitelist on the terminal device side always stays at the latest version.
To save network resources, the terminal device can also update the second whitelist on a timer, for example once every 24 hours.
In addition, when the characteristic information of another server that is not on the second whitelist and supports the preset secure channel is obtained, that characteristic information can be added to the second whitelist. For example: a bank server that is not on the second whitelist and supports the preset secure channel informs the terminal device that it supports the preset secure channel and sends its own characteristic information to the terminal device; after receiving this message, the terminal device can add the bank server's characteristic information to the second whitelist. Alternatively, after the terminal device receives the characteristic information of a bank server that is not on the second whitelist and supports the preset secure channel, it can add that characteristic information to the second whitelist directly.
When judging whether the characteristic information of the destination server is present in the second whitelist, if it is present, the destination server supports establishing the preset secure channel to receive the data to be sent.
Because the characteristic information of the destination server includes but is not limited to the IP address and/or the receiving port, the judgment can be made in the following ways:
First way: judge whether the IP address of the destination server is present in the second whitelist; if it is, the destination server supports establishing the preset secure channel to receive the data to be sent. For example, the IP address of destination server A1 is 118.114.168.212. It is compared with the IP addresses stored on the second whitelist. If the second whitelist stores 118.114.168.212, the IP address of destination server A1 is present on the second whitelist, so the destination server supports establishing the preset secure channel to receive the data to be sent.
Second way: judge whether the port of the destination server is present in the second whitelist; if it is, the destination server supports establishing the preset secure channel to receive the data to be sent. For example, the port of destination server A1 is 147. It is compared with the ports stored on the second whitelist. If the second whitelist stores 147, the port of destination server A1 is present on the second whitelist, so the destination server supports establishing the preset secure channel to receive the data to be sent.
Third way: judge whether both the IP address and the port of the destination server are present in the second whitelist. If both are present, the destination server supports establishing the preset secure channel to receive the data to be sent.
The above is the specific process of judging, based on the characteristic information of the destination server, whether the corresponding destination server supports establishing the preset secure channel to receive the data to be sent.
S3: if the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to the proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then uses it to forward the data to be sent to the destination server.
As one possible implementation, when the data to be sent is sent to the proxy device inside the browser side, it can be encrypted with a key before being sent to the proxy device. The encryption key used includes but is not limited to any one or a combination of characters, digits, letters and the like.
The proxy device may reside inside the browser as a part of the browser; it may also exist inside the terminal device as an independent entity. After the proxy device receives the data to be sent, it can decrypt it with the corresponding decryption key.
On the proxy device side, all received data to be sent is assumed by default to require the preset secure channel. Therefore, after receiving the data to be sent, the proxy device can establish the preset secure channel and then use it to forward the data to be sent to the destination server.
In practice, the proxy device can perform the following functions (taking the national cryptographic channel as an example):
(1) Automatically identify and operate national cryptographic USB keys (USBKEY), with support for multiple USB keys and selection among multiple certificates.
(2) Verify and display the national cryptographic certificate chain.
(3) Manage the national cryptographic whitelist.
(4) Determine, by protocol sniffing and similar mechanisms, whether the destination server is a national cryptographic server; protocol sniffing is implemented by adding one extra handshake on top of the basic TCP connection.
(5) Implement the SM2/SM3/SM4 algorithms.
(6) Establish two-way (bidirectional) national cryptographic SSL connections.
(7) Select autonomously between national cryptographic SSL and commercial cryptographic SSL.
Therefore, establishing the preset secure channel (taking the national cryptographic channel as an example) goes through the following phases: the handshake request phase, the proxy device verification phase and the destination server verification phase.
In the handshake request phase, the proxy device and the destination server first send each other access requests and shake hands. After the handshake, the proxy device sends its SM2 certificate, its own key exchange message and a handshake-complete message to the destination server; after receiving the handshake-complete message sent by the proxy device, the destination server sends its own key exchange message to the proxy device. Both sides then exchange change-cipher-suite messages and finished messages; once each side has received the other's finished message and verified it, the channel is established. Both sides can then use the negotiated security parameters for secure data transmission.
After the preset secure channel is established, the proxy device can use it to forward the data to be sent. When forwarding, the data to be sent can be processed with the negotiated security parameters (for example the negotiated key) before it is sent.
After the destination server side receives the data, it can process it with the negotiated security parameters (for example the negotiated key) to recover the data to be sent and then carry out the corresponding subsequent processing.
The above is the process by which the proxy device forwards the data to be sent. The terminal device can also receive other data that the proxy device forwards over the preset secure channel.
In another possible implementation, after it is judged, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent, if the destination server does not support this, the https channel is used to send the data to be sent directly to the destination server.
To further improve the security of the data transmission when the https channel is used, the data to be sent can also be encrypted in advance, and the encrypted data is then sent to the destination server. That is: if the destination server does not support establishing the preset secure channel to receive the data to be sent, the data to be sent is encrypted and then sent to the destination server over the https channel.
The above is the method of secure data transmission disclosed by the invention. It first detects whether the institution to which the destination server belongs is a privacy institution; if it is, it judges, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent. If it does, the proxy device establishes the preset secure channel and forwards the data to be sent to the destination server. Because the data the browser sends to the proxy device is an internal transmission, and for the external transmission (the proxy device establishing the preset secure channel to transmit the data to be sent to the destination server) the security level of the preset secure channel is higher than that of the https channel, the invention can improve the security of data transmission.
Further, if the destination server does not support establishing the preset secure channel to receive the data to be sent, the invention can also use the https channel to send the data to be sent directly to the destination server. The invention is therefore compatible with both transmission modes for sending the data to be sent to the destination server.
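The decision flow summarised above (privacy-institution check, second-whitelist lookup in each of the three ways, channel choice with https fallback) can be sketched as follows. This is an added example, not code from the patent: the function names, the institution name "Example Bank", the per-IP security levels, the 203.0.113.9 and 198.51.100.7 addresses, treating unlisted IPs as level 1, routing non-privacy destinations to https, and reading the third way as "IP and port in the same whitelist row" are assumptions; the level-3 threshold and the two second-whitelist rows come from the text and Table 1.

```python
"""Channel selection for one outgoing request (steps S1 to S3 plus https fallback)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import Optional


class Match(Enum):
    IP_ONLY = 1       # first way: IP address present in the second whitelist
    PORT_ONLY = 2     # second way: receiving port present in the second whitelist
    IP_AND_PORT = 3   # third way: both present (here: in the same row, an assumption)


class Channel(Enum):
    PRESET_VIA_PROXY = "preset secure channel via local proxy device"
    HTTPS = "https"


SECURITY_LEVEL_THRESHOLD = 3  # threshold used in the page's five-level example

# Constructed sample data (hypothetical levels and institution name).
IP_SECURITY_LEVEL = {"118.114.168.212": 5, "118.114.168.211": 4, "203.0.113.9": 1}
FIRST_WHITELIST = {"Example Bank"}
# Second whitelist: the two rows of Table 1 as (IP address, receiving port).
SECOND_WHITELIST = {("118.114.168.212", 147), ("118.114.168.211", 140)}


@dataclass(frozen=True)
class Destination:
    ip: str
    port: int
    institution: Optional[str] = None


def is_privacy_institution(dest: Destination) -> bool:
    """S1: IP security level above the threshold, or institution on the first whitelist."""
    level = IP_SECURITY_LEVEL.get(dest.ip, 1)  # assumption: unknown IP = lowest level
    return level > SECURITY_LEVEL_THRESHOLD or dest.institution in FIRST_WHITELIST


def supports_preset_channel(dest: Destination, mode: Match) -> bool:
    """S2: look the destination's characteristic information up in the second whitelist."""
    ip = str(ip_address(dest.ip))  # normalise; raises ValueError on a malformed address
    if mode is Match.IP_ONLY:
        return any(ip == listed_ip for listed_ip, _ in SECOND_WHITELIST)
    if mode is Match.PORT_ONLY:
        return any(dest.port == listed_port for _, listed_port in SECOND_WHITELIST)
    return (ip, dest.port) in SECOND_WHITELIST


def select_channel(dest: Destination, mode: Match = Match.IP_AND_PORT) -> Channel:
    """S3 and fallback: hand off to the proxy device only if both checks pass."""
    if is_privacy_institution(dest) and supports_preset_channel(dest, mode):
        return Channel.PRESET_VIA_PROXY
    # Assumption: destinations failing S1 also go over https; the page states
    # the https fallback only for servers lacking preset-channel support.
    return Channel.HTTPS


if __name__ == "__main__":
    samples = [
        Destination("118.114.168.212", 147),               # Table 1, server A1
        Destination("118.114.168.212", 140),               # A1's IP with A2's port
        Destination("203.0.113.9", 147, "Example Bank"),   # whitelisted name, other host
        Destination("198.51.100.7", 147),                  # unknown host, listed port
    ]
    for dest in samples:
        row = ", ".join(f"{m.name}={select_channel(dest, m).name}" for m in Match)
        print(f"{dest.ip}:{dest.port} -> {row}")
```

The port-only way accepts any privacy-institution host that listens on a listed port, so the paired lookup is the strictest of the three ways and the one least likely to route data to a server that cannot complete the preset-channel handshake.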
Based on the same inventive concept, the following embodiment provides a terminal device.
Referring to Fig. 3, another embodiment of the invention provides a terminal device, comprising:
A detection module 301, configured to detect whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution;
A judging module 302, configured to judge, if it is detected that the institution to which the destination server belongs is a privacy institution, whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another kind of secure channel different from the hypertext transfer protocol secure (https) channel, and the security level of the preset secure channel being higher than that of the https channel;
A first sending module 303, configured to send, if the destination server supports establishing the preset secure channel to receive the data to be sent, the data to be sent to the proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then uses it to forward the data to be sent to the destination server.
As an optional embodiment, the detection module 301 is specifically configured to detect whether the security level of the IP address of the destination server is higher than a security level threshold; if it is, the institution to which the destination server belongs is a privacy institution.
As an optional embodiment, the detection module 301 is specifically configured to detect whether the security level of the institution to which the destination server belongs is one of the preset security levels; if it is, the institution to which the destination server belongs is a privacy institution.
As an optional embodiment, the detection module 301 is specifically configured to detect whether the institution to which the destination server belongs is present in a first whitelist that records the privacy institutions; if it is present in the first whitelist, the institution to which the destination server belongs is a privacy institution.
As an optional embodiment, updating the first whitelist comprises the following steps:
Updating the first whitelist on a timer; or
When a record request sent by another privacy institution not on the first whitelist is received, adding the information of that privacy institution to the first whitelist according to the record request.
As an optional embodiment, the judging module 302 specifically comprises:
An extraction module, configured to extract the characteristic information about the destination server from the data to be sent;
A judging submodule, configured to judge, based on the characteristic information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
As an optional embodiment, the judging submodule is specifically configured to judge whether the characteristic information of the destination server is present in a second whitelist, the second whitelist recording the characteristic information of the servers that support the preset secure channel; if the characteristic information of the destination server is present in the second whitelist, the destination server supports establishing the preset secure channel to receive the data to be sent.
As an optional embodiment, the characteristic information of the destination server comprises: the IP address and/or the receiving port.
As an optional embodiment, updating the second whitelist comprises the following steps:
Updating the second whitelist on a timer; or
When an update request is obtained from another server that is not on the second whitelist and supports the preset secure channel, adding the characteristic information of that server to the second whitelist.
As an optional embodiment, the first sending module 303 encrypts the data to be sent with a key and then sends it to the proxy device.
As an optional embodiment, the terminal device further comprises:
A second sending module, configured to use the https channel to send the data to be sent to the destination server if, after it is judged whether the destination server supports establishing the preset secure channel to receive the data to be sent, the destination server does not support establishing the preset secure channel to receive the data to be sent.
As an optional embodiment, the terminal device further comprises:
A receiving module, configured to receive, after the data to be sent has been sent to the proxy device, the data packets that the proxy device forwards over the preset secure channel.
As an optional embodiment, the proxy device is built into the browser.
Since the electronic device described in this embodiment is the device used to implement the secure data transmission method of the embodiments of this application, a person skilled in the art can, on the basis of the method described in the embodiments of this application, understand the specific implementation of the electronic device of this embodiment and its variations, so how the electronic device implements the method of the embodiments of this application is not described in detail here. Any device that a person skilled in the art uses to implement the secure data transmission method of the embodiments of this application falls within the scope of protection sought by this application.
Through one or more embodiments of the invention, the invention has the following beneficial effects or advantages:
The invention provides a method and a terminal device for secure data transmission, to solve the problem that transmitting data over the https channel cannot guarantee the security of the data transmission. The method first detects whether the institution to which the destination server belongs is a privacy institution; if it is, the method judges whether the destination server supports establishing a preset secure channel to receive the data to be sent. If it does, the proxy device on the terminal device side establishes the preset secure channel to transmit the data to be sent; because the security level of the preset secure channel is higher than that of the https channel, the security of the data transmission can be improved.
Further, if the destination server corresponding to the data to be sent does not support establishing the preset secure channel to receive the data to be sent, the invention can also transmit the data to be sent over the https channel. The invention therefore not only improves the security of data transmission but is also compatible with both transmission modes.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are described in the specification provided here. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server and system according to embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
The invention discloses: A1. A method for secure data transmission, characterized in that the method comprises:
detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution;
if it is detected that the institution to which the destination server belongs is a privacy institution, judging whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
if the destination server supports establishing the preset secure channel to receive the data to be sent, sending the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then forwards the data to be sent to the destination server over the preset secure channel.
A2. The method as described in A1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the security level of the IP address of the destination server is higher than a security level threshold;
if the security level of the IP address of the destination server is higher than the security level threshold, this indicates that the institution to which the destination server belongs is a privacy institution.
A3. The method as described in A1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the security level of the institution to which the destination server belongs falls within the preset security level;
if the security level of the institution to which the destination server belongs falls within the preset security level, this indicates that the institution to which the destination server belongs is a privacy institution.
A4. The method as described in A1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the institution to which the destination server belongs is present in a first whitelist that records the privacy institutions;
if the institution to which the destination server belongs is present in the first whitelist, this indicates that the institution to which the destination server belongs is a privacy institution.
A5. The method as described in A4, characterized in that updating the first whitelist comprises the following steps:
updating the first whitelist at timed intervals; or
when a record request sent by another privacy institution that is not on the first whitelist is received, adding the information of that privacy institution to the first whitelist according to the record request.
A6. The method as described in A1, characterized in that judging whether the destination server supports establishing the preset secure channel to receive the data to be sent specifically comprises:
extracting feature information about the destination server from the data to be sent;
judging, based on the feature information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
A7. The method as described in A6, characterized in that judging, based on the feature information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent specifically comprises:
judging whether the feature information of the destination server is present in a second whitelist, the second whitelist recording the feature information of servers that support the preset secure channel;
if the feature information of the destination server is present in the second whitelist, this indicates that the destination server supports establishing the preset secure channel to receive the data to be sent.
A8. The method as described in A1 or A6, characterized in that the feature information of the destination server comprises: an IP address and/or a receiving port.
A9. The method as described in A7, characterized in that updating the second whitelist comprises the following steps:
updating the second whitelist at timed intervals; or
when an update request is obtained for another server that is not on the second whitelist and that supports the preset secure channel, adding the feature information of that server to the second whitelist.
A10. The method as described in A1, characterized in that sending the data to be sent to the proxy device is specifically:
encrypting the data to be sent with a key and then sending it to the proxy device.
A11. The method as described in A1, characterized in that, after judging whether the destination server supports establishing the preset secure channel to receive the data to be sent, the method further comprises:
if the destination server does not support establishing the preset secure channel to receive the data to be sent, sending the data to be sent to the destination server over the HTTPS channel.
A12. The method as described in A1, characterized in that, after the data to be sent is sent to the proxy device, the method further comprises:
receiving a data packet forwarded by the proxy device over the preset secure channel.
A13. The method as described in A1, characterized in that the proxy device is built into a browser.
B14. A terminal device, characterized by comprising:
a detection module, configured to detect whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution;
a judging module, configured to, if it is detected that the institution to which the destination server belongs is a privacy institution, judge whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
a first sending module, configured to, if the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then forwards the data to be sent to the destination server over the preset secure channel.
B15. The terminal device as described in B14, characterized in that the detection module is specifically configured to detect whether the security level of the IP address of the destination server is higher than a security level threshold; if the security level of the IP address of the destination server is higher than the security level threshold, this indicates that the institution to which the destination server belongs is a privacy institution.
B16. The terminal device as described in B14, characterized in that the detection module is specifically configured to detect whether the security level of the institution to which the destination server belongs falls within the preset security level; if the security level of the institution to which the destination server belongs falls within the preset security level, this indicates that the institution to which the destination server belongs is a privacy institution.
B17. The terminal device as described in B14, characterized in that the detection module is specifically configured to detect whether the institution to which the destination server belongs is present in a first whitelist that records the privacy institutions; if the institution to which the destination server belongs is present in the first whitelist, this indicates that the institution to which the destination server belongs is a privacy institution.
B18. The terminal device as described in B17, characterized in that updating the first whitelist comprises the following steps:
updating the first whitelist at timed intervals; or
when a record request sent by another privacy institution that is not on the first whitelist is received, adding the information of that privacy institution to the first whitelist according to the record request.
B19. The terminal device as described in B14, characterized in that the judging module specifically comprises:
an extraction module, configured to extract feature information about the destination server from the data to be sent;
a judging submodule, configured to judge, based on the feature information of the destination server, whether the destination server supports establishing the preset secure channel to receive the data to be sent.
B20. The terminal device as described in B19, characterized in that the judging submodule is specifically configured to judge whether the feature information of the destination server is present in a second whitelist, the second whitelist recording the feature information of servers that support the preset secure channel; if the feature information of the destination server is present in the second whitelist, this indicates that the destination server supports establishing the preset secure channel to receive the data to be sent.
B21. The terminal device as described in B14 or B19, characterized in that the feature information of the destination server comprises: an IP address and/or a receiving port.
B22. The terminal device as described in B20, characterized in that updating the second whitelist comprises the following steps:
updating the second whitelist at timed intervals; or
when an update request is obtained for another server that is not on the second whitelist and that supports the preset secure channel, adding the feature information of that server to the second whitelist.
B23. The terminal device as described in B14, characterized in that the first sending module encrypts the data to be sent with a key and then sends it to the proxy device.
B24. The terminal device as described in B14, characterized in that the terminal device further comprises:
a second sending module, configured to, after it is judged whether the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to the destination server over the HTTPS channel if the destination server does not support establishing the preset secure channel to receive the data to be sent.
B25. The terminal device as described in B14, characterized in that the terminal device further comprises:
a receiving module, configured to, after the data to be sent is sent to the proxy device, receive a data packet forwarded by the proxy device over the preset secure channel.
B26. The terminal device as described in B14, characterized in that the proxy device is built into a browser.
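
An added example, not part of the patent text: one way to express the channel selection of A1, A4, A6 to A8 and A11 in Python, including the whitelist-matching edge cases (equivalent IP spellings, an entry that pins nothing). The `Outbound` model, the institution directory, the `DEFAULT` branch for destinations outside the first whitelist and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Route(Enum):
    PROXY_SECURE_CHANNEL = "proxy-secure-channel"  # A1: via the terminal-side proxy
    HTTPS = "https"                                # A11: fallback channel
    DEFAULT = "default"  # assumption: this branch is not covered by the text above


@dataclass(frozen=True)
class Outbound:
    """Data to be sent plus the destination it is addressed to (constructed model)."""
    dest_ip: str
    dest_port: int
    payload: bytes


@dataclass(frozen=True)
class ChannelEntry:
    """Second-whitelist record (A7/A8): IP address and/or receiving port."""
    ip: Optional[str] = None
    port: Optional[int] = None

    def __post_init__(self):
        # An entry that pins neither field would match every server (fail-open).
        if self.ip is None and self.port is None:
            raise ValueError("entry must pin an IP address and/or a port")

    def matches(self, ip, port) -> bool:
        # Compare parsed addresses so equivalent spellings of one IP still match.
        ip_ok = self.ip is None or ipaddress.ip_address(self.ip) == ip
        return ip_ok and (self.port is None or self.port == port)


def institution_of(ip, directory):
    """Hypothetical lookup: most specific network in `directory` containing ip."""
    hits = [(net, name) for net, name in directory
            if net.version == ip.version and ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def select_route(msg, directory, first_whitelist, second_whitelist) -> Route:
    ip = ipaddress.ip_address(msg.dest_ip)  # A6: extract feature information
    institution = institution_of(ip, directory)
    # A4: the institution must be recorded in the first whitelist.
    if institution is None or institution not in first_whitelist:
        return Route.DEFAULT
    # A7/A8: the server's IP and/or port must be recorded in the second whitelist.
    if any(e.matches(ip, msg.dest_port) for e in second_whitelist):
        return Route.PROXY_SECURE_CHANNEL
    return Route.HTTPS  # A11: privacy institution, but no preset channel support


# Constructed sample data (documentation address ranges, made-up institutions).
DIRECTORY = [
    (ipaddress.ip_network("192.0.2.0/24"), "Example Bank"),
    (ipaddress.ip_network("198.51.100.0/24"), "Example News"),
    (ipaddress.ip_network("2001:db8::/32"), "Example Hospital"),
]
FIRST_WHITELIST = {"Example Bank", "Example Hospital"}
SECOND_WHITELIST = [
    ChannelEntry(ip="192.0.2.10", port=8443),
    ChannelEntry(ip="2001:db8::1"),
]


def route_for(ip: str, port: int) -> Route:
    msg = Outbound(ip, port, b"constructed payload")
    return select_route(msg, DIRECTORY, FIRST_WHITELIST, SECOND_WHITELIST)


if __name__ == "__main__":
    for dest in [("192.0.2.10", 8443), ("192.0.2.10", 443), ("198.51.100.5", 8443)]:
        print(dest, route_for(*dest).value)
```

Both whitelists are trust anchors here: whoever can write to them decides which traffic leaves the higher-assurance channel, so the update paths in A5 and A9 need authenticated requests.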

Claims (10)

1. A method for secure data transmission, characterized in that the method comprises:
detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution;
if it is detected that the institution to which the destination server belongs is a privacy institution, judging whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
if the destination server supports establishing the preset secure channel to receive the data to be sent, sending the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then forwards the data to be sent to the destination server over the preset secure channel.
2. The method of claim 1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the security level of the IP address of the destination server is higher than a security level threshold;
if the security level of the IP address of the destination server is higher than the security level threshold, this indicates that the institution to which the destination server belongs is a privacy institution.
3. The method of claim 1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the security level of the institution to which the destination server belongs falls within the preset security level;
if the security level of the institution to which the destination server belongs falls within the preset security level, this indicates that the institution to which the destination server belongs is a privacy institution.
4. The method of claim 1, characterized in that detecting whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution specifically comprises:
detecting whether the institution to which the destination server belongs is present in a first whitelist that records the privacy institutions;
if the institution to which the destination server belongs is present in the first whitelist, this indicates that the institution to which the destination server belongs is a privacy institution.
5. The method as claimed in claim 4, characterized in that updating the first whitelist comprises the following steps:
updating the first whitelist at timed intervals; or
when a record request sent by another privacy institution that is not on the first whitelist is received, adding the information of that privacy institution to the first whitelist according to the record request.
6. A terminal device, characterized by comprising:
a detection module, configured to detect whether the institution to which the destination server corresponding to the data to be sent belongs is a privacy institution;
a judging module, configured to, if it is detected that the institution to which the destination server belongs is a privacy institution, judge whether the destination server supports establishing a preset secure channel to receive the data to be sent, the preset secure channel being another secure channel different from the Hypertext Transfer Protocol Secure (HTTPS) channel, and the security level of the preset secure channel being higher than that of the HTTPS channel;
a first sending module, configured to, if the destination server supports establishing the preset secure channel to receive the data to be sent, send the data to be sent to a proxy device on the terminal device side, so that the proxy device establishes the preset secure channel and then forwards the data to be sent to the destination server over the preset secure channel.
7. The terminal device as claimed in claim 6, characterized in that the detection module is specifically configured to detect whether the security level of the IP address of the destination server is higher than a security level threshold; if the security level of the IP address of the destination server is higher than the security level threshold, this indicates that the institution to which the destination server belongs is a privacy institution.
8. The terminal device as claimed in claim 6, characterized in that the detection module is specifically configured to detect whether the security level of the institution to which the destination server belongs falls within the preset security level; if the security level of the institution to which the destination server belongs falls within the preset security level, this indicates that the institution to which the destination server belongs is a privacy institution.
9. The terminal device as claimed in claim 6, characterized in that the detection module is specifically configured to detect whether the institution to which the destination server belongs is present in a first whitelist that records the privacy institutions; if the institution to which the destination server belongs is present in the first whitelist, this indicates that the institution to which the destination server belongs is a privacy institution.
10. The terminal device as claimed in claim 9, characterized in that updating the first whitelist comprises the following steps:
updating the first whitelist at timed intervals; or
when a record request sent by another privacy institution that is not on the first whitelist is received, adding the information of that privacy institution to the first whitelist according to the record request.
CN201510640520.3A 2015-09-30 2015-09-30 A kind of method and terminal device of safety-oriented data transfer Active CN105141705B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510640520.3A CN105141705B (en) 2015-09-30 2015-09-30 A kind of method and terminal device of safety-oriented data transfer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510640520.3A CN105141705B (en) 2015-09-30 2015-09-30 A kind of method and terminal device of safety-oriented data transfer

Publications (2)

Publication Number Publication Date
CN105141705A true CN105141705A (en) 2015-12-09
CN105141705B CN105141705B (en) 2019-05-10

Family

ID=54726908

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510640520.3A Active CN105141705B (en) 2015-09-30 2015-09-30 A kind of method and terminal device of safety-oriented data transfer

Country Status (1)

Country Link
CN (1) CN105141705B (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436933A (en) * 2007-11-16 2009-05-20 华为技术有限公司 HTTPS encipher access method, system and apparatus
US20120137351A1 (en) * 2007-11-14 2012-05-31 Kiester W Scott Secure launching of browser from privileged process
CN102685165A (en) * 2011-03-16 2012-09-19 中兴通讯股份有限公司 Method and device for controlling access request on basis of proxy gateway
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser
CN104137511A (en) * 2012-02-29 2014-11-05 微软公司 Dynamic selection of security protocol

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639784A (en) * 2018-11-30 2019-04-16 新华三技术有限公司 Server admin information acquisition method, device, client and storage medium
CN109639784B (en) * 2018-11-30 2021-07-06 新华三技术有限公司 Server management information acquisition method, device, client and storage medium
CN109981645A (en) * 2019-03-26 2019-07-05 北京芯盾时代科技有限公司 A kind of communication means and device

Also Published As

Publication number Publication date
CN105141705B (en) 2019-05-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220707

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right