Data processing method and device for a channel
Technical field
The present invention relates to the field of data processing, and in particular to a data processing method and device for a channel.
Background art
With the rapid development of Internet technology, a large number of web services have spread across every industry, providing all kinds of services. Correspondingly, web security has always been a focus of attention. SQL injection and network hijacking or eavesdropping are the chief threats behind the disclosure of users' private information, and all of them require the attacker to capture and analyse network traffic.
In particular, rising attention to user privacy and the growth of online payment have made the security of network transmission an issue that every service provider must address. In this context HTTPS came into being. A server that uses HTTPS must apply to a certificate authority (CA) for a certificate proving the server's identity and purpose. Only when the certificate corresponds to the server in question does the client trust that host; for this reason the websites and key components of all banking systems use HTTPS. The client trusts the host by trusting the certificate.
With current HTTPS communication, a third party can hardly forge a certificate in order to spoof network traffic, and the HTTPS channel is additionally encrypted with keys known only to the two endpoints, so a third party holding neither the certificate nor the private key cannot obtain the content. Only by intruding into the client and obtaining the certificate (and the key material that goes with it) can the data in an HTTPS channel be obtained. This method, however, requires intruding into the client, and the technical effort of doing so is considerable, so that obtaining the data in the channel between server and client is inconvenient.
No effective solution has yet been proposed to this prior-art problem of the data in the channel between server and client being inconvenient to obtain.
Summary of the invention
Embodiments of the present invention provide a data processing method and device for a channel, at least to solve the prior-art technical problem that the data in the channel between server and client is inconvenient to obtain.
According to one aspect of the embodiments of the present invention, a data processing method for a channel is provided. The channel is the channel between a client and a server, and the method includes: a third party intercepts the digital certificate from the server; the third party injects a pseudo digital certificate into the client; the third party intercepts a first encrypted random value that the client sends to the server, where the first encrypted random value is the value generated by encrypting a first random value with the pseudo digital certificate; the third party obtains a second encrypted random value, where the second encrypted random value is the value generated by encrypting a second random value with the digital certificate; and the third party sends the second encrypted random value to the server.
Further, the third party obtaining the second encrypted random value includes: obtaining the digital certificate, where the digital certificate is used to prove that the server is a server trusted by the client; obtaining the second random value; and encrypting the second random value with the digital certificate to obtain the second encrypted random value.
Further, after the third party sends the second encrypted random value to the server, the method also includes: obtaining request information from the client; modifying the request information to obtain modified request information; and sending the modified request information to the server.
Further, after the third party sends the second encrypted random value to the server, the method also includes: sending the request information from the client to the server; intercepting the packet that the server sends in response to the request information, where the packet is the data obtained by encrypting the server's response with the second random value; and parsing the packet with the second random value to obtain the response information in the packet.
Further, after the third party injects the pseudo digital certificate into the client, the method also includes: receiving encrypted data from the client, where the encrypted data is data encrypted with the first random value; and decrypting the encrypted data with the first random value to obtain the decrypted data.
According to another aspect of the embodiments of the present invention, a data processing device for a channel is also provided. The channel is the channel between a client and a server, and the device includes: a first interception unit for intercepting the digital certificate from the server; an injection unit for injecting a pseudo digital certificate into the client; a second interception unit for intercepting the first encrypted random value that the client sends to the server, where the first encrypted random value is the value generated by encrypting a first random value with the pseudo digital certificate, the device being further configured to decrypt the first encrypted random value with the private key corresponding to the pseudo digital certificate to obtain the first random value; a first acquisition unit for obtaining a second encrypted random value, where the second encrypted random value is the value generated by encrypting a second random value with the digital certificate, the device being further configured to generate the second random value; and a first transmitting unit for sending the second encrypted random value to the server.
Further, the first acquisition unit includes: a first acquisition module for obtaining the digital certificate, where the digital certificate is used to prove that the server is a server trusted by the client; a second acquisition module for obtaining the second random value; and an encryption module for encrypting the second random value with the digital certificate to obtain the second encrypted random value.
Further, the device also includes: a second acquisition unit for obtaining the request information from the client after the second encrypted random value has been sent to the server; a modification unit for modifying the request information to obtain modified request information; and a second transmitting unit for sending the modified request information to the server.
Further, the device also includes: a third transmitting unit for sending the request information from the client to the server after the second encrypted random value has been sent to the server; an interception unit for intercepting the packet that the server sends in response to the request information, where the packet is the data obtained by encrypting the server's response with the second random value; and a first parsing unit for parsing the packet with the second random value to obtain the response information in the packet.
Further, the device also includes: a second parsing unit for decrypting the first encrypted random value with the private key corresponding to the pseudo digital certificate, after the pseudo digital certificate has been injected into the client, to obtain the first random value; a receiving unit for receiving encrypted data from the client, where the encrypted data is data encrypted with the first random value; and a decryption unit for decrypting the encrypted data with the first random value to obtain the decrypted data.
In the embodiments of the present invention, the third party intercepts the digital certificate from the server; the third party injects a pseudo digital certificate into the client; the third party intercepts the first encrypted random value that the client sends to the server, where the first encrypted random value is the value generated by encrypting a first random value with the pseudo digital certificate; the third party obtains a second encrypted random value, where the second encrypted random value is the value generated by encrypting a second random value with the digital certificate; and the third party sends the second encrypted random value to the server. This solves the prior-art technical problem that the data in the channel between server and client is inconvenient to obtain, and achieves the technical effect of making that data easy to obtain.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application. The schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a block diagram of the structure of a computer;
Fig. 2 is a timing diagram of data transmission in a channel based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 3 is a flow chart of the data processing method for a channel according to an embodiment of the present invention;
Fig. 4 is a timing diagram of the data processing method for a channel according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the data processing device for a channel according to an embodiment of the present invention; and
Fig. 6 is a schematic diagram of a terminal device according to an embodiment of the present invention.
Detailed description of the embodiments
In order that those skilled in the art may better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without inventive effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variation of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Embodiment 1
According to an embodiment of the present invention, a data processing method for a channel is provided. The method can be performed by a computer or a similar computing device. Fig. 1 is a block diagram of the structure of such a computer. As shown in Fig. 1, the computer 100 includes one or more processors 102 (only one is shown), a memory 104 and a transport module 106. A person of ordinary skill in the art will appreciate that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer 100 may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 can be used to store software programs and modules, such as the program instructions/modules corresponding to the data processing method and device for a channel in the embodiments of the present invention. The processor 102 runs the software programs and modules stored in the memory 104 to perform various functional applications and data processing, i.e. to implement the above data processing method and device for a channel. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples the memory 104 may further include memory located remotely from the processor 102, which remote memory may be connected to the computer 100 over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transport module 106 is used to receive or send data over a network. Specific examples of the network may include wired and wireless networks. In one example the transport module 106 includes a network interface controller (NIC), which can be connected by cable to other network devices and to a router so as to communicate with the Internet. In another example the transport module 106 is an Ethernet module used to communicate with the Internet over an Ethernet cable.
To secure the communication between server and client, the HTTPS protocol is generally used to transmit data in the channel between them. Data transmission in a channel based on HTTPS is explained below with reference to Fig. 2.
1. The client sends a request to the server, for example a request to access a web page or to make a payment.
2. The server provides its digital certificate and private key. The server holds a digital certificate and the corresponding private key (in practice the certificate is issued in advance by a CA, as described in the background, rather than generated per request). The digital certificate is like a lock and the private key like its key: content locked with the digital certificate, i.e. encrypted with the public key it carries, can only be unlocked with the private key.
3. The server sends the digital certificate to the client. The server keeps the private key and sends only the digital certificate to the client, which can use the digital certificate to encrypt content that is to be sent to the server.
4. The client generates a random value and encrypts it with the digital certificate. Because the server holds the private key it can recover the random value, so encrypting the random value with the digital certificate ensures that only the intended server can recover it.
5. The client sends the encrypted random value to the server.
6. The server recovers the random value and encrypts the data to be transmitted with it. The server decrypts the random value with its private key; from this point both server and client know the random value.
7. The server sends the encrypted data to the client. From now on the data between server and client is transmitted encrypted with the random value. Since both client and server know the random value, each can read what the other sends, while a third party who intercepts the transmitted data cannot parse it, because it does not know the random value.
When communicating over HTTPS, the data transmitted between client and server is therefore encrypted: the server first delivers its certificate, the client uses it to send the random value to the server, and once both sides know the random value they encrypt the data to be transmitted with it, so that the whole communication is in an encrypted state and a third party who obtains the traffic cannot parse the data in it. (The exchange shown corresponds to the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 and the (EC)DHE cipher suites derive the shared secret differently, but the certificate plays the same role of authenticating the party the client negotiates with, and it is that role the method below exploits.) Because of the security of this protocol, secure websites, online transactions, secure e-mail and the like all transmit data over HTTPS.
Fig. 3 is a flow chart of the data processing method for a channel according to an embodiment of the present invention. As shown, the method comprises the following steps:
Step S202: intercept the digital certificate from the server.
After the client sends an access request to the server, the server uses its public/private key pair, the public key being the one carried in its digital certificate, and sends the digital certificate to the client. At this point the third party intercepts the digital certificate from the server, so the server's digital certificate is not received by the client.
Step S204: inject a pseudo digital certificate into the client.
After receiving a digital certificate the client has to verify it. Passing verification means the certificate corresponds to the server being accessed, and only then does the client trust the server and continue the access. For example, when logging in to a banking website the client first has to verify that the server is the bank's server and only then continues, so as to keep the communication secure.
On the client, verification of the digital certificate is typically performed through interfaces such as X509TrustManager (its checkServerTrusted method, in the case of a client verifying a server). Since the third party has intercepted the digital certificate from the server, it injects a pseudo digital certificate into the client so that the client's certificate check still receives something to verify. Having received the pseudo digital certificate, the client takes the third party for the trusted server and establishes communication with it, and all request information that the client should have sent to the server is sent to the third party instead. The pseudo digital certificate is itself a digital certificate; it is simply not the digital certificate from the server but one sent by the third party.
This step succeeds only if the client accepts the pseudo digital certificate. A client whose trust manager checks that the certificate chains to a trusted CA and matches the host name it is connecting to (or that pins the server's certificate) rejects it and aborts the connection, so the method presupposes a client whose check is missing, permissive or overridden by the user, or a client on which the third party's issuing certificate has been installed as trusted.
Step S206: intercept the first encrypted random value that the client sends to the server, where the first encrypted random value is the value generated by encrypting a first random value with the pseudo digital certificate.
The first random value is the random value generated by the client. After receiving the pseudo digital certificate, the client encrypts the first random value with it to obtain the first encrypted random value. According to the timing diagram in Fig. 2 the client should send the first encrypted random value to the server (step 5), but before the server receives it the first encrypted random value is intercepted by the third party, i.e. the server never receives the first encrypted random value from the client. Since the first encrypted random value was generated with the pseudo digital certificate, the third party, once it has intercepted it, decrypts it with the private key corresponding to the pseudo digital certificate and obtains the first random value; from then on the third party and the client can transmit data under the first random value. Also because the first encrypted random value was generated with the pseudo digital certificate, even if it were delivered to the server, the server could not decrypt it, could not obtain the first random value and so could not exchange data with the client. If the server receives no random value it has no way of sending messages to the client; so that the server continues to send messages, the third party further performs steps S208 and S210.
Step S208: obtain a second encrypted random value, where the second encrypted random value is the value generated by encrypting a second random value with the digital certificate.
Step S210: send the second encrypted random value to the server.
The second random value is a random value generated by the third party. The third party encrypts it with the intercepted digital certificate to obtain the second encrypted random value and sends that to the server. Because the second encrypted random value was encrypted with the intercepted digital certificate, which is the one the server itself sent, the server possesses the private key that decrypts it; so, on receiving the second encrypted random value, the server recovers the second random value.
Now both the server and the third party possess the second random value. When the server encrypts the data to be transmitted with the second random value and sends it towards the client, the third party can intercept the encrypted packet and decrypt it with the second random value, thereby obtaining the data the server sends to the client. Likewise, the client and the third party transmit data under the first random value, so when the client sends a message to the server it is first intercepted by the third party, which parses the message, re-encrypts it with the second random value and sends it on to the server. When the server responds to the client's message it encrypts the response with the second random value and sends it out, and the third party can again intercept the server's response and decrypt it with the second random value. The third party thus obtains not only the messages sent by the client but also the responses from the server.
In the above embodiment the third party intercepts the digital certificate from the server and sends a pseudo digital certificate to the client, so that the client believes the server has passed verification, generates the first random number, encrypts it with the pseudo digital certificate and sends it to the third party; the third party decrypts it with the private key corresponding to the pseudo digital certificate to obtain the first random number, and the client and the third party then transmit data under the first random number. Similarly, the third party sends the second random number encrypted with the intercepted digital certificate, the server decrypts it with the private key corresponding to its digital certificate to obtain the second random number, and the server and the third party transmit data under the second random number. Because the third party can communicate both with the client and with the server, the data transmitted between client and server can be obtained by the third party, and the data in the channel between server and client is obtained without obtaining the digital certificate or key material held on the client. This solves the prior-art problem that the data in the channel between server and client is inconvenient to obtain, and achieves the effect of making the data in the channel easy to obtain.
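The exchange of Fig. 2 and the relay of steps S202 to S210 above, as an added model in Go that is not code from the patent. It reduces the digital certificate to the server's RSA public key, the random values to 32-byte secrets encrypted with RSA-OAEP, and the channel encryption to AES-256-GCM keyed by those values, i.e. the RSA key exchange of TLS 1.2 rather than a real TLS handshake. The request text, the modification applied to it and the response format are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// must panics on error so the happy path below reads like the timing diagram.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyPair is one party's "digital certificate" (the PublicKey field) plus "private key".
func keyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// randomValue is a 32-byte secret, as generated by the client or by the third party.
func randomValue() []byte {
	r := make([]byte, 32)
	must(io.ReadFull(rand.Reader, r))
	return r
}

// encryptRandom encrypts a random value under a certificate's public key (RSA-OAEP);
// decryptRandom recovers it and succeeds only with the matching private key.
func encryptRandom(cert *rsa.PublicKey, rv []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, cert, rv, nil))
}

func decryptRandom(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// seal encrypts channel data under a random value with AES-256-GCM, nonce prepended;
// open reverses it and fails without the same random value.
func seal(rv, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(rv))))
	nonce := randomValue()[:gcm.NonceSize()]
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)
}

func open(rv, msg []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(rv))))
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("message shorter than a nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Outcome records what each party ends up seeing for one relayed request.
type Outcome struct {
	MitmSawRequest    string // recovered by the third party under the first random value
	ServerSawRequest  string // decrypted by the server under the second random value
	ClientGotResponse string // decrypted by the client under the first random value
	ServerOnFirstEnc  error  // the server trying to decrypt the first encrypted random value
}

// relay plays out steps 3 to 8 of Fig. 4 and then the request/response relay of S202 to S210.
func relay(request string, modify func(string) string) Outcome {
	server, mitm := keyPair(), keyPair()
	interceptedCert := &server.PublicKey // step 3: the server's certificate, intercepted in transit
	pseudoCert := &mitm.PublicKey        // step 4: the pseudo certificate injected into the client

	first := randomValue()                             // step 5: the client's first random value,
	firstEnc := encryptRandom(pseudoCert, first)       // encrypted under the pseudo certificate
	firstAtMitm := must(decryptRandom(mitm, firstEnc)) // step 6: the third party recovers it
	_, serverErr := decryptRandom(server, firstEnc)    // the server could not have (see S206)

	second := randomValue() // step 7: the third party's second random value
	secondAtServer := must(decryptRandom(server, encryptRandom(interceptedCert, second))) // step 8

	// client -> third party under the first random value; decrypted, modified, re-encrypted under the second
	mitmPlain := must(open(firstAtMitm, seal(first, []byte(request))))
	serverPlain := must(open(secondAtServer, seal(second, []byte(modify(string(mitmPlain))))))
	// server -> third party under the second random value; decrypted, re-encrypted under the first
	mitmResp := must(open(second, seal(secondAtServer, []byte("200 OK: "+string(serverPlain)))))
	clientPlain := must(open(first, seal(firstAtMitm, mitmResp)))
	return Outcome{string(mitmPlain), string(serverPlain), string(clientPlain), serverErr}
}

func main() {
	out := relay("GET /transfer?to=alice&amount=10", func(s string) string {
		return strings.Replace(s, "alice", "mallory", 1)
	})
	fmt.Printf("%+v\n", out)
}
```

The Outcome gives the three views of one relayed request: the third party reads the original request under the first random value, the server receives the modified request under the second, and the client receives the server's response re-encrypted under the first. The server's own attempt to decrypt the first encrypted random value fails, which is why steps S208 and S210 are needed to keep the server talking at all.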
Preferably, obtaining the second encrypted random value includes: obtaining the digital certificate, where the digital certificate is used to prove that the server is a server trusted by the client; obtaining the second random value; and encrypting the second random value with the digital certificate to obtain the second encrypted random value.
Because the server needs the random value generated by the client to encrypt the data it transmits, it is only triggered to send data once it has received a random value from the client. To trigger the server into sending data, the third party generates the second random value and encrypts it with the intercepted digital certificate, obtaining the second encrypted random value.
By generating the second encrypted random value and delivering the second random value to the server by means of it, the third party makes the server take the third party for the client. The data between the third party and the server is thus transmitted encrypted with the second random value, which keeps the data secure while letting the third party obtain the data the server sends, so that the data in the channel is obtained without obtaining the certificate through the client.
Preferably, in order to obtain the information the third party wants, after the second encrypted random value has been sent to the server the method further includes: obtaining the request information from the client; modifying the request information to obtain modified request information; and sending the modified request information to the server.
After the second encrypted random value has been sent to the server, the server and the client can transmit data through the third party. When the client next sends request information to the server, it is obtained first by the third party, which can decrypt it with the first random value, modify the decrypted request information, re-encrypt the modified request information with the second random value and then send it to the server; the server decrypts it with the second random value and obtains the modified request information.
When encrypting with the first random value or the second random value, symmetric encryption can be used on the data to be transmitted. In symmetric encryption the data to be transmitted and the key are combined by a particular algorithm, so that unless the key is known the data to be transmitted cannot be recovered. For example, when the server encrypts data to be transmitted it combines that data with the second random value by a particular algorithm; since the third party knows the second random value, once it has obtained the resulting packet it can decrypt it with the second random value and recover the data to be transmitted.
For example, suppose virus code that attacks other clients or the server is being sent from some client. To prevent it from being sent, the third party intercepts the server's digital certificate and injects a pseudo digital certificate into that client, thereby establishing a connection between the third party and the client sending the attack. When the client sends data carrying the virus, the third party decrypts it with the first random value, modifies the virus code in the packet, encrypts the modified data with the second random value and then sends it to the server.
As another example, suppose a criminal gang communicates over some HTTPS encrypted channel to assign tasks. The police urgently need information such as the time of the gang's crimes and the persons involved, but at present only know that some members of the gang are often active in a certain cafe. The police can monitor the network packets sent from the cafe and capture them, decrypting the packets from the client with the first random value and the packets from the server with the second random value, so as to parse all packets passing through the cafe's network and thus monitor the gang's communication.
Preferably, after the second encrypted random value has been sent to the server, the method further includes: sending the request information from the client to the server; intercepting the packet that the server sends in response to the request information, where the packet is the data obtained by encrypting the server's response with the second random value; and parsing the packet with the second random value to obtain the response information in the packet.
The third party captures packets in the channel between client and server. If the captured packet is from the client, it is decrypted with the first random value to obtain the client's request information; in order to obtain the server's response to that request, the decrypted request information is encrypted with the second random value, so that the server can recover the client's request information with the second random value and respond to it. The third party knows not only the first random value but also the second, so it decrypts the server's response with the second random value and thus learns the response information in the packet sent by the server.
Once the third party has established connections with both the client and the server, i.e. the third party knows that the client's key is the first random value and the server's key is the second random value, then to the client the third party is a trusted server and to the server the third party is the client making requests. Client and server can therefore each communicate with the third party and, through the third party's relaying, can also communicate with each other. This lets the third party obtain all the data in the channel between client and server, and because the third party relays the data, it also avoids the client failing to receive the server's information and raising an error, or the server failing to receive the client's information and raising an error, either of which would break the communication between server and client; the third party can thus obtain the data in the channel between client and server.
Data in the channel can be obtained after the server and the third party establish communication; in fact, data from the client can already be obtained once the third party and the client have established communication, i.e. after the pseudo digital certificate has been injected into the client the method further includes: receiving encrypted data from the client, where the encrypted data is data encrypted with the first random value; and decrypting the encrypted data with the first random value to obtain the decrypted data.
The pseudo- digital certificate that client receives is sent by third party, and therefore, third party intercepts client and sent
Data after, encryption data can be decrypted using the first random value, obtain ciphertext data.It need not be obtained in third party
When knowing the response that server is made for the encryption data, third party can not forward the encryption data that client is sent.It is
The request message that no forwarding client issues server is determined by third party, if third party needs to know server for that should ask
The response that information is made is asked, then the solicited message of client is forwarded, if third party requires no knowledge about server and is directed to the request
The response that information is made, then the solicited message of client is not forwarded.Similarly, after third party and server establish connection, such as
Fruit only needs to obtain the packet that server is sent, then after the packet that server is sent is obtained, that is, does not have to again to service
Data between device and client in channel are handled again.
Through the above embodiments the third party can choose to obtain the data between itself and the client, or the data between itself and the server. It can not only easily obtain the data in the channel between client and server but also selectively obtain data from the server or from the client, which greatly improves the convenience of obtaining the data in the channel.
The data processing method of the channel in the embodiment of the present invention is described below with reference to the timing diagram shown in Fig. 4.
1. The client sends a request to the server. As in the timing diagram shown in Fig. 2, the client sends a request to the server, such as an access request.
2. The server generates a digital certificate and a private key. As in the timing diagram shown in Fig. 2, the server generates a digital certificate and a private key; content encrypted with the digital certificate can be decrypted with the private key.
3. The server sends the digital certificate to the client. The digital certificate is intercepted by the third party.
4. The third party injects a pseudo digital certificate. In the timing diagram shown in Fig. 2, the digital certificate generated by the server is sent directly to the client; in the embodiment of the present invention, the third party intercepts the digital certificate from the server and sends a pseudo digital certificate to the client.
5. The pseudo digital certificate is used to generate the first encrypted random value. In the timing diagram shown in Fig. 2, the client generates the encrypted random value from the server's digital certificate; in the embodiment of the present invention, the first encrypted random value is generated using the pseudo digital certificate.
6. The first encrypted random value is sent to the third party. The first encrypted random value sent by the client is obtained by the third party.
7. The second encrypted random value is generated from the digital certificate. The third party generates the second encrypted random value from the intercepted digital certificate.
8. The second encrypted random value is sent to the server. In the sequence shown in Fig. 2, the client sends the encrypted random value it generated directly to the server.
In the embodiment shown in Fig. 4, the third party injects a pseudo digital certificate into the client in order to obtain the first random value generated by the client, and encrypts the second random value with the intercepted digital certificate so that the server obtains the second random value. The third party thus holds both the first random value and the second random value: it can communicate with the client through the first random value and with the server through the second random value, and the client and the server can also transmit data through the third party's relaying.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should understand that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a data processing device of a channel for implementing the above data processing method of a channel is also provided.
Fig. 5 is a schematic diagram of the data processing device of a channel according to an embodiment of the present invention. As shown in the figure, the channel is a channel between a client and a server, and the data processing device includes: a first interception unit 50, an injection unit 60, a second interception unit 70, a first acquisition unit 80 and a first transmitting unit 90.
The first interception unit 50 is configured to intercept the digital certificate from the server.
After the client sends an access request to the server, the server generates a pair consisting of a public key and a private key, the public key being the digital certificate, and the server then sends the digital certificate to the client. At this point the third party intercepts the digital certificate from the server, so the server's digital certificate cannot be received by the client.
The injection unit 60 is configured to inject a pseudo digital certificate into the client.
After receiving a digital certificate, the client needs to verify it; only a successful verification indicates that the certificate corresponds to the server being accessed, and only then does the client trust the server and continue the access. For example, when logging in to the website of a banking system, the client first needs to verify whether the server is the banking system's server, and continues the access only if it is, so as to ensure communication security.
When verifying a digital certificate, the client typically does so through interfaces such as X509TrustManager and checkClientTrusted. Because the third party has intercepted the digital certificate from the server, in order to be able to respond to the client's digital certificate verification, the third party injects a pseudo digital certificate into the client. After receiving the pseudo digital certificate, the client regards the third party as the trusted server and establishes communication with it, so that the request messages the client would have sent to the server are all sent to the third party. The pseudo digital certificate is itself a digital certificate; it is simply not the digital certificate from the server, but a digital certificate sent by the third party.
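The verification step described above (and the exchange in the Fig. 4 timing diagram) is where a client can refuse the pseudo digital certificate. The following Python example is added here and is not code from the patent; it models the client-side acceptance check as a chain walk plus public-key pinning over constructed certificate records (the host names, issuer names and SPKI bytes are made up for illustration), and shows that a certificate for the right host carrying a different public key is rejected even when its issuer chain looks trustworthy, which is the case a plain trust-manager check alone does not catch.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example):
    the host or CA it names, the CA that issued it, and the DER bytes of the
    subject public key info (SPKI) it carries."""
    subject: str
    issuer: str
    spki_der: bytes


def spki_pin(cert):
    """Pin string in the HPKP style: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(cert.spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_server_chain(chain, expected_host, trust_anchors, pins):
    """Client-side acceptance check for a presented chain (leaf first).

    Assumes the platform trust manager has already verified each signature;
    this layer adds the checks that defeat a substituted certificate:
      1. the leaf must name the host the client asked for,
      2. each certificate must be issued by the next one in the chain,
      3. the last certificate must be issued by a trust anchor,
      4. if pins are configured, some certificate in the chain must carry a
         pinned public key, so a different key is rejected even when 1-3 pass.
    Returns (accepted, reason).
    """
    if not chain:
        return False, "empty chain"
    leaf = chain[0]
    if leaf.subject != expected_host:
        return False, "leaf names %r, expected %r" % (leaf.subject, expected_host)
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, "chain broken between %r and %r" % (child.subject, parent.subject)
    if chain[-1].issuer not in trust_anchors:
        return False, "chain ends at untrusted issuer %r" % chain[-1].issuer
    if pins and not any(spki_pin(c) in pins for c in chain):
        return False, "no certificate in the chain matches a pinned key"
    return True, "accepted"


# --- constructed sample data (not real certificates or keys) ---------------
ROOT_CA = "Example Root CA"
ISSUING_CA = Cert("Example Issuing CA", ROOT_CA, b"constructed issuing-CA SPKI")
GENUINE_LEAF = Cert("bank.example", "Example Issuing CA", b"constructed genuine bank SPKI")
# A pseudo certificate names the same host but carries the third party's key.
PSEUDO_LEAF = Cert("bank.example", "Example Issuing CA", b"constructed third-party SPKI")
PSEUDO_SELF_ISSUED = Cert("bank.example", "Third Party CA", b"constructed third-party SPKI")

PINS = {spki_pin(GENUINE_LEAF)}   # the pin the client ships with
TRUST_ANCHORS = {ROOT_CA}


def run_scenarios():
    """Evaluate the chains a client might be shown; returns {name: accepted}."""
    scenarios = {
        # the real server: accepted with or without pinning
        "genuine": ([GENUINE_LEAF, ISSUING_CA], PINS),
        # pseudo certificate from an issuer the client does not trust
        "pseudo_untrusted_issuer": ([PSEUDO_SELF_ISSUED], PINS),
        # pseudo certificate whose chain does validate (a mis-issued leaf, or an
        # extra root installed on the client): only the pin catches the swapped key
        "pseudo_trusted_chain_pinned": ([PSEUDO_LEAF, ISSUING_CA], PINS),
        "pseudo_trusted_chain_unpinned": ([PSEUDO_LEAF, ISSUING_CA], set()),
    }
    return {name: check_server_chain(chain, "bank.example", TRUST_ANCHORS, p)[0]
            for name, (chain, p) in scenarios.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-32s %s" % (name, "accepted" if ok else "rejected"))
```

The last two scenarios are the ones to compare: with the same chain, the unpinned client accepts the substituted key and the pinned client rejects it. In a real client the pin set would hold the SPKI hash of the server's current key plus at least one backup key, and the signature checks assumed here are those the platform's trust manager already performs.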
The second interception unit 70 is configured to intercept the first encrypted random value sent by the client to the server, where the first encrypted random value is a value generated by encrypting the first random value with the pseudo digital certificate; the data processing device of the channel is further configured to decrypt the first encrypted random value with the private key corresponding to the pseudo digital certificate to obtain the first random value.
The first random value is a random value generated by the client. After receiving the pseudo digital certificate, the client encrypts the first random value with the pseudo digital certificate to obtain the first encrypted random value. According to the timing diagram shown in Fig. 2, the client would send the first encrypted random value to the server (step 5), but before the server receives it, the first encrypted random value is intercepted by the third party, so the server cannot receive the first encrypted random value from the client. At the same time, because the first encrypted random value is generated from the pseudo digital certificate, after intercepting it the third party decrypts it with the private key corresponding to the pseudo digital certificate to obtain the first random value; the third party and the client can then transmit data through the first random value. Moreover, because the first encrypted random value is generated from the pseudo digital certificate, even if it were sent to the server, the server could not decrypt it, could not obtain the first random value, and therefore could not transmit data with the client. If the server does not receive the first random value, it has no way to send messages to the client; in order to let the server continue to send messages, the third party may further perform step S208 and step S210.
The first acquisition unit 80 is configured to obtain the second encrypted random value, where the second encrypted random value is a value generated by encrypting the second random value with the digital certificate. The data processing device of the channel is further configured to generate the second random value.
The first transmitting unit 90 is configured to send the second encrypted random value to the server.
The second random value is a random value generated by the third party. The second random value is encrypted with the intercepted digital certificate to obtain the second encrypted random value, which is sent to the server. Because the second encrypted random value is obtained by encrypting with the intercepted digital certificate, and that digital certificate was sent by the server, the server holds the private key that decrypts the second encrypted random value; therefore, after receiving the second encrypted random value, the server can recover the second random value.
At this point both the server and the third party hold the second random value. When the server encrypts the data to be transmitted with the second random value and sends it to the client, the third party can intercept the encrypted packet and decrypt it with the second random value, thereby obtaining the data the server sends to the client. Also, the client and the third party transmit data using the first random value; so when the client sends a message to the server, the third party first intercepts it and parses the message inside, then re-encrypts the parsed message with the second random value and sends it to the server. When the server responds to the client's message, it encrypts the response with the second random value and sends it out; the third party can again intercept the server's response and decrypt it with the second random value. Thus the third party obtains not only the messages sent by the client but also the response messages from the server.
By the above embodiment, the third party intercepts the digital certificate from the server and sends a pseudo digital certificate to the client, so that the client's verification of the server passes; the client generates the first random number, encrypts it with the pseudo digital certificate and sends it to the third party, and the third party decrypts it with the private key corresponding to the pseudo digital certificate to obtain the first random number, so that data is transmitted between the client and the third party using the first random number. Similarly, the third party sends the second random number encrypted with the intercepted digital certificate, and the server decrypts it with the private key corresponding to the digital certificate to obtain the second random number, so that data is transmitted between the server and the third party using the second random number. Because the third party can communicate with both the client and the server, the data transmitted between the client and the server can be obtained by the third party; the data in the channel between the server and the client is thus obtained without obtaining the digital certificate in the client, which solves the problem in the prior art that obtaining the data in the channel between the server and the client is inconvenient, and achieves the effect of easily obtaining the data in the channel.
Preferably, the first acquisition unit includes: a first acquisition module, configured to obtain the digital certificate, where the digital certificate is used to prove that the server is the server trusted by the client; a second acquisition module, configured to obtain the second random value; and an encryption module, configured to encrypt the second random value with the digital certificate to obtain the second encrypted random value.
Because the server needs to encrypt the data it transmits with the random value generated by the client, the transmission of data can only be triggered after the client's random value is received. In order to trigger the server's data transmission, the third party generates the second random value and encrypts it with the intercepted digital certificate to obtain the second encrypted random value.
The third party generates the second encrypted random value and, through it, delivers the second random value to the server, so that the server regards the third party as the client. This achieves transmission of the data between the third party and the server under encryption with the second random value, ensuring data security, and also allows the third party to obtain the data sent by the server, achieving the effect that the data in the channel can be obtained even without obtaining the certificate through the client.
Preferably, in order to obtain the information the third party desires, the device further includes: a second acquisition unit, configured to obtain the request message from the client after the second encrypted random value is sent to the server; a modification unit, configured to modify the request message to obtain a modified request message; and a second transmitting unit, configured to send the modified request message to the server.
After the second encrypted random value is sent to the server, the server and the client can transmit data through the third party. Thus, when the client again sends a request message to the server, it is obtained first by the third party; the third party can decrypt it with the first random value, modify the decrypted request message, then encrypt the modified request message with the second random value and send it to the server. After the server decrypts it with the second random value, it obtains the modified request message.
When encrypting with the first random value or the second random value, symmetric encryption may be used to encrypt the data to be transmitted. So-called symmetric encryption mixes the data to be transmitted with the private key through a certain algorithm, so that unless the private key is known, the data to be transmitted cannot be known. For example, when the server encrypts data to be transmitted, it mixes that data with the second random value through a certain algorithm; the third party knows the second random value, so after obtaining the mixed packet it can decrypt it with the second random value to obtain the data.
For example, a certain client issues virus code that attacks other clients or servers. In order to prevent it from sending the virus code, the third party intercepts the server's digital certificate and injects a pseudo digital certificate into that client, thereby establishing a connection between the third party and the client that sends the attack. When the client sends data carrying the virus, the third party decrypts it with the first random value, modifies the virus code in the packet, then encrypts the modified data with the second random value and sends it to the server.
For example, a criminal gang communicates over a certain https encrypted channel to distribute tasks. The police urgently need information such as the gang's crime time and the persons involved, but currently only know that a certain member of the gang often visits a certain cafe. The police can monitor the network packets sent from the cafe and capture them, decrypt the packets from the client with the first random value and the packets from the server with the second random value, thereby parsing all packets passing through the cafe's network and monitoring the gang's communications.
Preferably, the data processing device further includes: a third transmitting unit, configured to send the request message from the client to the server after the second encrypted random value is sent to the server; an interception unit, configured to intercept the packet sent by the server in response to the request message, where the packet is data obtained by encrypting the response message made by the server with the second random value; and a first parsing unit, configured to parse the packet with the second random value to obtain the response message in the packet.
The third party captures packets in the channel between the client and the server. If the captured packet is a packet from the client, it is decrypted with the first random value to obtain the client's request message; to obtain the server's response to that request message, the decrypted request message is encrypted with the second random value, so that the server can parse the client's request message with the second random value and respond to it. The third party knows not only the first random value but also the second random value, so it decrypts the server's response with the second random value and thereby learns the response message in the packet sent by the server.
After the third party establishes connections with both the client and the server, that is, once the third party knows that the client's private key is the first random value and that the server's private key is the second random value, then to the client the third party is the trusted server, and to the server the third party is the client sending the request. Therefore the client and the server can each communicate with the third party, and through the third party's relaying the server and the client can also communicate with each other. This allows the third party to obtain all the data in the channel between the client and the server; and because the third party relays the data, it avoids the client reporting an error for not receiving the server's information, or the server reporting an error for not receiving the client's information, which would leave the server and the client unable to communicate, so that the third party can obtain the data in the channel between the client and the server.
The data in the channel can be obtained after the third party establishes communication with the server; in fact, after the third party establishes communication with the client, the data from the client can also be obtained. That is, the device further includes: a second parsing unit, configured to decrypt the first encrypted random value with the private key corresponding to the pseudo digital certificate after the pseudo digital certificate is injected into the client, to obtain the first random value; a receiving unit, configured to receive the encrypted data from the client, where the encrypted data is data encrypted with the first random value; and a decryption unit, configured to decrypt the encrypted data with the first random value to obtain decrypted data.
The pseudo digital certificate received by the client was sent by the third party; therefore, after intercepting the data sent by the client, the third party can decrypt the encrypted data with the first random value to obtain the decrypted data. When the third party does not need to know the response the server makes to that encrypted data, the third party may choose not to forward the encrypted data sent by the client. Whether the request message the client sends to the server is forwarded is decided by the third party: if the third party needs to know the server's response to the request message, it forwards the client's request message; if it does not need to know the server's response, it does not forward it. Similarly, after the third party establishes a connection with the server, if it only needs to obtain the packets sent by the server, then once those packets are obtained it need not further process the data in the channel between the server and the client.
By the above embodiment, the third party can choose to obtain the data between itself and the client, or the data between itself and the server. It can therefore not only conveniently obtain the data in the channel between the client and the server, but also selectively obtain data from the server or from the client, which greatly improves the convenience of obtaining the data in the channel.
Embodiment 3
According to an embodiment of the present invention, a terminal device for implementing the above data processing method of a channel is also provided. As shown in Fig. 6, the terminal device includes: a storage device 602, a processing device 604, a capture device 606 and an output device 608.
The capture device 606 intercepts the digital certificate from the server;
The output device 608 injects the pseudo digital certificate into the client;
The capture device 606 intercepts the first encrypted random value sent by the client to the server, where the first encrypted random value is a value generated by encrypting the first random value with the pseudo digital certificate;
The processing device 604 obtains the second encrypted random value, where the second encrypted random value is a value generated by encrypting the second random value with the digital certificate; and
The output device 608 sends the second encrypted random value to the server.
The storage device 602 stores the generated second random value, the captured first encrypted random value and the captured digital certificate.
Preferably, the capture device 606 obtains the digital certificate, where the digital certificate is used to prove that the server is the server trusted by the client; the capture device 606 obtains the second random value; and the processing device 604 encrypts the second random value with the digital certificate to obtain the second encrypted random value.
Preferably, after the second encrypted random value is sent to the server, the capture device 606 obtains the request message from the client; the processing device 604 modifies the request message to obtain a modified request message; and the output device 608 sends the modified request message to the server.
Preferably, after the second encrypted random value is sent to the server, the output device 608 sends the request message from the client to the server; the capture device 606 intercepts the packet sent by the server in response to the request message, where the packet is data obtained by encrypting the response message made by the server with the second random value; and the processing device 604 parses the packet with the second random value to obtain the response message in the packet.
Preferably, after the pseudo digital certificate is injected into the client, the method further includes: the capture device 606 receives the encrypted data from the client, where the encrypted data is data encrypted with the first random value; and the processing device 604 decrypts the encrypted data with the first random value to obtain decrypted data.
The storage device 602 also stores the first random value.
Embodiment 4
An embodiment of the present invention also provides a storage medium. Optionally, in this embodiment, the above storage medium may be used to store program code for the data processing method of a channel according to the embodiment of the present invention.
Optionally, in this embodiment, the above storage medium may be located on at least one of a plurality of network devices in the Internet.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1, the third party intercepts the digital certificate from the server.
S2, the third party injects a pseudo digital certificate into the client.
S3, the third party intercepts the first encrypted random value sent by the client to the server, where the first encrypted random value is a value generated by encrypting the first random value with the pseudo digital certificate.
S4, the third party obtains the second encrypted random value, where the second encrypted random value is a value generated by encrypting the second random value with the digital certificate.
S5, the third party sends the second encrypted random value to the server.
Optionally, the storage medium is further configured to store program code for performing the following steps: the third party obtains the digital certificate, where the digital certificate is used to prove that the server is the server trusted by the client; obtains the second random value; and encrypts the second random value with the digital certificate to obtain the second encrypted random value.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the second encrypted random value to the server, the third party obtains the request message from the client; modifies the request message to obtain a modified request message; and sends the modified request message to the server.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the second encrypted random value to the server, the third party sends the request message from the client to the server; intercepts the packet sent by the server in response to the request message, where the packet is data obtained by encrypting the response message made by the server with the second random value; and parses the packet with the second random value to obtain the response message in the packet.
Optionally, the storage medium is further configured to store program code for performing the following steps: after injecting the pseudo digital certificate into the client, the third party receives the encrypted data from the client, where the encrypted data is data encrypted with the first random value; and decrypts the encrypted data with the first random value to obtain decrypted data.
Optionally, in this embodiment, the above storage medium may include, but is not limited to, a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in Embodiment 1 and Embodiment 2 above, which are not repeated here.
The above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
If the integrated units in the above embodiments are implemented in the form of software functional units and are sold or used as independent products, they may be stored in the above computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause one or more computer devices (which may be personal computers, servers, network devices or the like) to perform all or part of the steps of the method described in each embodiment of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated units may be implemented in the form of hardware or in the form of software functional units.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.