CN105991569A - Safe transmission method of TLS communication data - Google Patents

Publication number: CN105991569A
Application number: CN201510066824.3A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 于爱民, 穆振, 马建刚
Assignee: Institute of Information Engineering of CAS

Abstract

The invention discloses a method for secure transmission of TLS communication data. The method comprises: 1) dividing the client's TLS execution environment into a secure environment and a normal environment; 2) in the normal environment, the client negotiates with the server the cipher suite, TLS protocol version, compression algorithm and session ID used by the session, together with two shared random numbers; 3) the client passes the required parameters from the normal environment into the secure environment, generates the pre-master key, master key and key block in the secure environment, and derives the session keys from the key block; 4) in the secure environment the client encrypts the pre-master key with the public key, passes the encrypted pre-master key to the normal environment, and sends it to the server from the normal environment; and 5) the normal environment passes the data to be encrypted or decrypted into the secure environment for the corresponding processing, and the secure environment passes the processed data back to the normal environment. The invention improves the communication security of the client.

Description

A method for secure transmission of TLS communication data
Technical field
The invention belongs to the field of communication protocol security and mainly concerns a TrustZone-based security enhancement method for TLS. Specifically, it proposes a new TrustZone-based secure implementation scheme for a TLS library.
Background
At present, many security mechanisms have been introduced for secure data transmission over networks. In each case the principle is to provide additional security measures at a different layer of the protocol stack, such as the IPsec protocol at the network layer, the SSL/TLS protocol at the transport layer, and SET at the application layer. Of these, TLS is one of the most widely used security protocols in e-commerce. It is mainly deployed in HTTPS, mail transfer, VPNs and wireless communication, provides security services such as authentication, confidentiality and integrity for information transmitted over the network, and has become the de facto transport layer security standard. There are many implementations of the TLS protocol, such as OpenSSL, NSS, GnuTLS, PolarSSL, CyaSSL and MatrixSSL. OpenSSL is an open-source Secure Sockets Layer cryptographic library that includes the main cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL/TLS protocol, and provides a rich set of applications for testing or other purposes.
TrustZone is a system-wide security approach provided by ARM for a wide range of applications on high-performance computing platforms, including secure payment, digital rights management (DRM), enterprise services and Web-based services. It is a system security extension integrated into the CPU core that provides a secure hardware foundation for embedded operating systems. It ensures system security by isolating all SoC hardware and software resources so that they reside either in a secure environment, used for the secure subsystem, or in a normal environment, used for storing everything else. The normal environment has no right to access any resource of the secure environment.
The execution flow of the traditional TLS protocol comprises the handshake and data transmission. During the handshake, the TLS protocol specifies that key exchange algorithms such as RSA and Diffie-Hellman ensure the encrypted transmission of the pre-master key, the PRF algorithm generates the key material, and the handshake state machine ensures that the handshake proceeds correctly; finally the client and the server each generate the corresponding session keys. During data transmission, every message sent over the network is encrypted, and a MAC protects the integrity of each message. Research on TLS security covers three aspects: protocol logic, protocol specification and protocol implementation. For example, handling MAC error messages and decryption error messages uniformly resists padding oracle attacks; the secure renegotiation mechanism defined by the IETF resists renegotiation attacks; checking the master key inside the handshake state machine resists CCS injection attacks; and the AES-GCM authenticated encryption mechanism replaces RC4 and the CBC encryption mode. This series of fixes has steadily strengthened the security of the TLS protocol.
However, the attacks mentioned above are all carried out by interacting with the server, for example by sending illegitimate challenge messages to the server or by acting as a man-in-the-middle to hijack the connection; none of them considers the case where the client is under the attacker's control. When an attacker has obtained the highest privileges on the target system by implanting a Trojan, exploiting a system vulnerability or similar means, the attacker can steal the client's runtime memory while monitoring its network traffic. Protecting the sensitive information in TLS communication then becomes critical, and the most critical part of all is protecting the session keys.
Summary of the invention
In view of the above problems, the object of the invention is to provide a method for secure transmission of TLS communication data. The invention defines an overall software system architecture on a TrustZone platform; the architecture covers the execution flow of the secure environment, and the interaction between the normal environment and the secure environment, during the client's TLS communication.
The technical problem addressed by the invention can be solved by the following technical solution.
A method for secure transmission of TLS communication data, comprising the steps of:
1) The client's TLS execution environment is divided into a secure environment and a normal environment;
2) In the normal environment, the client negotiates with the server the cipher suite, TLS protocol version, compression algorithm and session ID used by this session, and two shared random numbers: the client random number and the server random number;
3) The client passes the required parameters from the normal environment into the secure environment, then generates the client's pre-master key, master key and key block in the secure environment, and derives the session keys from the key block;
4) In the secure environment, the client encrypts the pre-master key with the server's public key and passes it to the normal environment; the normal environment then sends the encrypted pre-master key to the server;
5) The client computes the digest of the master key in the secure environment, passes the result to the normal environment, and sends it to the server for verification;
6) After verification succeeds, the normal environment passes the data to be encrypted or decrypted into the secure environment for the corresponding processing, and the secure environment then passes the processed data back to the normal environment.
Further, the pre-master key and master key are generated as follows: the client first generates the pre-master key in the secure environment, then generates the master key from the pre-master key and the client random number and server random number passed in.
Further, the key block is generated from the master key, the client random number and the server random number.
Further, the key block comprises six parts: client write MAC key, server write MAC key, client write key, server write key, client write initialization vector and server write initialization vector, whose lengths are mac_len, mac_len, key_len, key_len, iv_len and iv_len respectively.
Further, the secure environment derives the session keys from the key block according to the MAC key length mac_len, symmetric encryption key length key_len and symmetric encryption initialization vector length iv_len passed in by the normal environment. The client write MAC key and server write MAC key are passed to and stored in the normal environment; the client write key, server write key, client write initialization vector and server write initialization vector are stored in the secure environment.
Further, the secure environment processes the incoming data to be encrypted or decrypted as follows. An encryption/decryption structure is first created in the secure environment; it contains the original vector, used for the first encryption, and the effective vector, used for every encryption after the first. The secure environment also keeps a global array that records the effective vector after each encryption or decryption. When data to be processed arrives, heap memory is allocated for the encryption/decryption structure and the structure is initialized with the encryption/decryption flag, the encryption algorithm, the encryption key and the original vector. The secure environment then determines whether this is the first encryption or decryption. If it is, it calls the encryption/decryption function to perform the corresponding operation on the data, records the effective vector of this operation and releases the memory. If it is not, it updates the effective vector in the encryption/decryption structure from the record in the global array, calls the encryption/decryption function to perform the corresponding operation on the data, records the effective vector of this operation and releases the memory.
Further, the secure environment receives the parameters passed by the normal environment through shared memory.
The invention mainly covers the secure generation and storage of TLS keys and the secure encryption and decryption of data. It is implemented on the basis of the open-source OpenSSL software. TLS-related keys are generated in the secure environment, and the memory isolation mechanism built on the TrustZone system bus is used to store the session keys securely. Even if an attacker obtains the highest privileges in the normal environment, the session keys remain safe during client communication, and so does the content of the communication.
The invention proposes a new system architecture for a secure TLS implementation based on TrustZone technology. The main functions in this architecture fall into the following categories:
1. Secure generation and storage of TLS keys: TLS-related keys are produced in the secure environment, and no information related to the keys that take part in the session exists in the memory of the normal environment. The required parameters are passed into the secure environment by the application in the normal environment through calls to the security services.
2. Secure encryption and decryption of data: in the data transmission phase, the application passes the original data into the secure environment by calling a security service; after the corresponding operation is carried out there, the data is returned to the application.
Specifically, the secure implementation of the new TLS library has the following features:
Feature 1: In this scheme, TrustZone technology divides the client's TLS execution environment into a secure environment and a normal environment. The secure environment is responsible for TLS key generation and for data encryption and decryption; the normal environment is responsible for establishing the TLS connection and for data transmission.
Feature 2: As described in feature 1, the original secure environment has no encryption or decryption capability. Because TLS key generation and data encryption and decryption are moved into the secure environment, a cryptographic library has to be designed for it; that is, the secure environment must provide symmetric encryption, asymmetric encryption and digest functions. The specific functions designed are:
1. Stack: stores cached data;
2. Hash table: speeds up lookup operations;
3. Buffer mechanism: a packaging format for cached data;
4. Digest algorithms: MD5, SHA1, HMAC, for computing digests of data;
5. Big numbers: support RSA operations;
6. EVP encapsulation: makes calls more concise and standardized and allows uniform operation;
7. ASN1 library: implements DER encoding of RSA keys;
8. Random numbers: fill the pre-master key;
9. RSA algorithm: encrypts the pre-master key generated in the secure environment;
10. Symmetric encryption algorithms: AES, DES, for encrypting and decrypting application data.
Feature 3: As described in feature 1, the session keys are produced in the secure environment. Because the TLS protocol specifies that the PRF algorithm produces the master key and the key block, the PRF algorithm has to be added to the secure environment.
Feature 4: As described in feature 1, to ensure the secure generation and storage of the session keys, client TLS needs to call security services that complete key generation in the secure environment. The security services called are, in order:
Security service for generating the pre-master key and master key. In a traditional TLS session the pre-master key is produced by the client; the client encrypts it with the RSA public key sent by the server and passes the encrypted pre-master key to the server, and the server decrypts it with its RSA private key to obtain the pre-master key. The master key is generated from the two random numbers and the pre-master key; because both parties share all three values, they can generate the same master key. In the invention, after client TLS receives the RSA public key in the normal environment, it first DER-encodes the RSA public key and then calls the security service, passing the encoded value to the secure environment; the execution environment now switches to the secure environment. In the secure environment, client TLS generates the pre-master key, obtains the RSA public key, encrypts the pre-master key, generates the master key, and returns the encrypted pre-master key to the normal environment; the execution environment now switches back to the normal environment. Finally, client TLS sends the encrypted pre-master key to the server from the normal environment, which ensures the security of the client's pre-master key and master key. The processing flow of this security service is described below; the d2i function is provided by the ASN1 library. The description gives the interface definition of the security service, the parameters the normal environment passes to the secure environment when the service is called, the data processing flow of the security service, and finally the data returned to the normal environment.
1. Interface definition:
int process_otz_echo_send_cmd_gen_prem_m_key(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
2. Parameters passed: client random number, server random number, protocol version cli_ver, DER-encoded RSA public key;
3. Data processing flow of the security service:
  Obtain the RSA public key with the d2i operation;
  Fill the pre-master key with random data;
  Call the PRF algorithm to generate the master key;
  Encrypt the pre-master key with the RSA public key;
4. Data returned: the encrypted pre-master key;
Security service for generating the key block. In an ordinary TLS session the key block is used to derive the session keys and is generated from the master key, the client random number and the server random number. The description below gives the interface definition of the security service, the parameters the normal environment passes to the secure environment when the service is called, the data processing flow of the security service, and finally the data returned to the normal environment.
1. Interface definition:
int process_otz_echo_send_cmd_gen_key_block(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
2. Parameters passed: the length of the key block, the MAC algorithm identifier;
3. Data processing:
  Allocate memory;
  Call the PRF algorithm to generate the key block;
  Release memory;
4. Data returned: none;
Security service for generating the session keys. The key block is an array. To derive the session keys, the key block is first divided into six parts of length mac_len, mac_len, key_len, key_len, iv_len and iv_len, which correspond to the client write MAC key, server write MAC key, client write key, server write key, client write initialization vector and server write initialization vector respectively. The HMAC algorithm needs a MAC key when it hashes data: when sending data the client hashes it with the client write MAC key, and when receiving data from the server the client verifies its integrity with the server write MAC key. The client write MAC key and server write MAC key do not need to be stored in the secure environment and are stored by the normal environment. In CBC encryption mode, the client encrypts the data it sends with the client write key and client write initialization vector, and decrypts the data it receives from the server with the server write key and server write initialization vector. The description below gives the interface definition of the security service, the parameters the normal environment passes to the secure environment when the service is called, the data processing flow of the security service, and finally the data returned to the normal environment.
1. Interface definition:
int process_otz_echo_send_cmd_gen_session_key(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
2. Parameters passed: MAC key length mac_len, symmetric encryption key length key_len, symmetric encryption initialization vector length iv_len;
3. Data processing:
  Derive the session keys from the key block;
4. Data returned: client write MAC key, server write MAC key.
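The key block and session key services described above, as an added example that is not code from the patent or from any TrustZone project. It assumes the TLS 1.2 PRF (P_SHA256, RFC 5246), leaves out the RSA step and the MAC algorithm identifier, and uses hypothetical class and method names with constructed sample inputs.

```python
import hashlib
import hmac

# Added example: models the key block and session key services described
# above. Assumptions not taken from the patent: the TLS 1.2 PRF (P_SHA256,
# RFC 5246), the class/method names, and every sample value.


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to `length`."""
    seed = label + seed
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


# The six parts of the key block, in the order the description gives.
PARTS = ("client_write_mac", "server_write_mac", "client_write_key",
         "server_write_key", "client_write_iv", "server_write_iv")
RETURNED = PARTS[:2]    # only the two MAC keys go back to the normal environment


class SecureEnvironment:
    """Hypothetical secure-environment state; secrets stay in this object."""

    def __init__(self, pre_master: bytes, client_random: bytes,
                 server_random: bytes):
        # Stands in for the pre-master/master key service (RSA step omitted).
        self._randoms = (client_random, server_random)
        self._master = prf(pre_master, b"master secret",
                           client_random + server_random, 48)
        self._key_block = b""
        self._kept = {}         # write keys and IVs, never returned

    def gen_key_block(self, block_len: int) -> None:
        """Key block service: derive and store the block; nothing is returned."""
        client_random, server_random = self._randoms
        self._key_block = prf(self._master, b"key expansion",
                              server_random + client_random, block_len)

    def gen_session_key(self, mac_len: int, key_len: int, iv_len: int) -> dict:
        """Session key service: split the block, return only the MAC keys."""
        lens = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
        # The lengths come from the normal environment, so validate them.
        if min(lens) < 0 or sum(lens) > len(self._key_block):
            raise ValueError("requested lengths do not fit the stored key block")
        parts, offset = {}, 0
        for name, n in zip(PARTS, lens):
            parts[name] = self._key_block[offset:offset + n]
            offset += n
        self._kept = {k: v for k, v in parts.items() if k not in RETURNED}
        return {k: parts[k] for k in RETURNED}


def demo() -> dict:
    # Constructed sample inputs (not real handshake values).
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(46)
    env = SecureEnvironment(pre_master, client_random, server_random)
    env.gen_key_block(2 * (20 + 16 + 16))
    return env.gen_session_key(mac_len=20, key_len=16, iv_len=16)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```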
Feature 5: As described in feature 1, the session keys are stored in the secure environment, so in the data transmission phase the client must call the encryption security service or the decryption security service to complete the encryption or decryption in the secure environment whenever it sends or receives data. The description below gives the interface definitions of the security services, the parameters the normal environment passes to the secure environment when the two services are called, the data processing flow of the security services, and finally the data returned to the normal environment.
1. Interface definition:
int process_otz_echo_send_cmd_enc_data(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
int process_otz_echo_send_cmd_dec_data(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
2. Parameters passed: the data to be encrypted or decrypted;
3. Data processing:
  Determine whether this is the first encryption; if it is not, update the effective initialization vector in the encryption/decryption structure;
  Perform the encryption or decryption;
  Record the effective initialization vector of this encryption/decryption structure;
4. Data returned: the encrypted or decrypted data.
Feature 6: As described in feature 1, after the improvement the client's TLS-related keys are stored in the secure environment. Because the master key is used when the final MAC value of the handshake messages is computed during the handshake, this step of the handshake must be performed in the secure environment; that is, client TLS needs to call the final MAC calculation security service. The description below gives the interface definition of the security service, the parameters the normal environment passes to the secure environment when the service is called, the data processing flow of the security service, and finally the data returned to the normal environment.
1. Interface definition:
int process_otz_echo_send_cmd_final_MAC(
    void *req_buf, u32 req_buf_len, void *res_buf, u32 res_buf_len,
    struct otzc_encode_meta *meta_data, u32 *ret_res_buf_len)
2. Parameters passed: the original handshake data;
3. Data processing:
  Call the PRF algorithm to compute the MAC value over the original handshake data and the master key;
4. Data returned: the computed MAC value.
Compared with the prior art, the beneficial effects of the invention are:
The invention provides an implementation of a secure TLS library based on TrustZone technology. Using the hardware isolation mechanism of this system, the TLS handshake is restructured so that the operations that produce the session keys execute in the secure operating system. This protects the keys throughout the handshake and improves the session keys' resistance to attack. Even if the user layer, or even the kernel layer, of the normal environment is compromised, the attacker still cannot steal the session keys, so the client's communication security is protected.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the secure TLS library implementation of the invention.
Fig. 2 is the communication flow diagram of the secure TLS library implementation of the invention.
Fig. 3 is the client communication execution flow chart of the secure TLS library implementation of the invention.
Fig. 4 is the secure encryption and decryption flow chart of the secure TLS library implementation of the invention.
Detailed description
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 shows the system architecture of the secure TLS library implementation in this embodiment. The whole embedded security system consists of three parts:
(1) The ARM TrustZone hardware security platform.
(2) The general-purpose operating system. At the kernel layer, the general-purpose operating system wraps the API interface to the secure operating system so that upper-layer applications can call the services the secure operating system provides. The protocols of each layer can run in the general-purpose operating system; the TLS handshake protocol interacts with the secure environment to complete the secure generation and storage of the session keys, and the TLS record protocol interacts with the secure environment to complete the secure encryption and decryption of data.
(3) The task-oriented secure operating system. Various custom security services can run in it for the general-purpose operating system to call; it receives the parameters passed by the normal environment through shared memory. This scheme contains the data encryption service, the data decryption service, the pre-master key and master key generation service, the key block generation service, the session key derivation service and the final MAC calculation service. These services depend on the cryptographic library designed for the secure environment.
Fig. 2 shows the flow of secure TrustZone-based TLS communication in this embodiment. Fig. 3 shows the execution flow of the improved client TLS in this embodiment. The execution flow in this embodiment is as follows:
1. The client sends the client hello message client_hello, which contains the highest TLS protocol version the client supports, the client random number, the list of cipher suites it proposes, the list of compression algorithms and the SessionID; this step executes in the normal environment;
2. The client receives the server hello message server_hello, the server certificate certificate* (the certificate contains the server's RSA public key) and the server hello done message server_hello_done. The server_hello message contains the server random number; at this point both parties share two random numbers and have negotiated the cipher suite, TLS protocol version, compression algorithm and SessionID used by this session; this step executes in the normal environment;
3. The client reaches the client key exchange message client_key_exchange, which corresponds to one function in the implementation. In ordinary TLS communication, client TLS generates the pre-master key in this function, encrypts it and sends it to the server. In the modified TLS execution flow, when client TLS reaches this function body it calls the pre-master key and master key generation security service, passing in the parameters: client random number, server random number, protocol version cli_ver and the DER-encoded RSA public key. The generation of the client's pre-master key and master key and the encryption of the pre-master key are completed in the secure environment. The generation and encryption of the pre-master key execute in the secure environment; sending the encrypted pre-master key executes in the normal environment;
4. The client sends the server the change cipher spec message change_cipher_spec. The client sends this message after generating the master key; its content is one byte, and its purpose is to notify the server that key generation can proceed; this step executes in the normal environment;
5. When the client generates the key block, client TLS calls the key block generation security service, passing in the parameters: the length of the key block and the MAC algorithm identifier. The key block is generated from the master key, the client random number and the server random number in the secure environment and stored there; this step executes in the secure environment;
6. When the client changes its key state, client TLS calls the session key generation security service, passing in the parameters: MAC key length mac_len, symmetric encryption key length key_len and symmetric encryption initialization vector length iv_len. The session keys are derived from the key block in the secure environment and stored there; this step executes in the secure environment;
7. When the client computes the final MAC value of the handshake messages, client TLS calls the final MAC calculation security service, passing in the parameter: the original handshake data. The secure environment computes the digest of the master key and passes the result back to the normal environment; this step executes in the secure environment;
8. The client sends the handshake finished message, finished, which contains this digest; this step executes in the normal environment;
9. The client receives the server's change cipher spec message change_cipher_spec and its handshake finished message, finished, and the handshake ends; this step executes in the secure environment;
10. The client sends application data: client TLS calls the data encryption or data decryption security service, the encryption or decryption is completed in the secure environment, and the result is returned to the normal environment.
Fig. 4 is a schematic of the secure encryption and decryption process of the TLS library in this embodiment. In this embodiment, because the session keys produced in the handshake phase are stored in the secure environment, a client application that sends or receives data must call the data encryption/decryption security service to pass the source data into the secure environment; the data is passed back to the normal environment after the corresponding operation completes there. The encryption/decryption structure (provided by the EVP encapsulation of the secure environment's cryptographic library) has two initialization vectors: the original vector, used for the first encryption, and the effective vector, used for every encryption or decryption after the first. The effective vector changes after each encryption, so the secure environment must keep a global array that records the effective vector after each encryption or decryption. The encryption/decryption flow is:
1. Allocate heap memory for the encryption/decryption structure;
2. Initialize the encryption/decryption structure with the encryption/decryption flag, the encryption algorithm, the encryption key and the original vector;
3. Determine whether this is the first encryption or decryption; if it is, go to step 5; otherwise go to step 4;
4. Update the effective vector in the encryption/decryption structure from the record in the global array;
5. Call the encryption/decryption function to perform the corresponding operation on the data;
6. Record the effective vector of this operation;
7. Release the memory.
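The seven-step flow above, as an added example that is not code from the patent. It assumes CBC chaining in which the effective vector is the last ciphertext block, one recorded vector per direction in the global array, and an HMAC-based Feistel block cipher standing in for AES or DES; all names and sample values are hypothetical.

```python
import hashlib
import hmac

# Added example of the seven-step flow above. Assumptions not from the patent:
# CBC chaining where the effective vector is the last ciphertext block, one
# recorded vector per direction, a stand-in block cipher, and all names/values.

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Stand-in for AES/DES: 4-round Feistel network over HMAC-SHA256."""
    left, right = blk[:8], blk[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool):
    """CBC over block-aligned data; returns (output, effective vector)."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of the block size")
    out = b""
    for off in range(0, len(data), BLOCK):
        blk = data[off:off + BLOCK]
        if encrypt:
            iv = block_encrypt(key, _xor(blk, iv))
            out += iv
        else:
            out += _xor(block_decrypt(key, blk), iv)
            iv = blk
    return out, iv


class CipherService:
    """Hypothetical secure-environment encrypt/decrypt service."""

    def __init__(self, enc_key, enc_iv, dec_key, dec_iv):
        if len(enc_iv) != BLOCK or len(dec_iv) != BLOCK:
            raise ValueError("initialization vectors must be one block long")
        self._params = {"enc": (enc_key, enc_iv), "dec": (dec_key, dec_iv)}
        self._effective = {}        # the "global array" of recorded vectors

    def process(self, flag: str, data: bytes) -> bytes:
        if flag not in self._params:
            raise ValueError("flag must be 'enc' or 'dec'")
        key, original = self._params[flag]
        # Steps 1-2: allocate and initialise the per-call structure.
        ctx = {"flag": flag, "key": key, "iv": original}
        # Steps 3-4: on any call after the first, restore the recorded vector.
        if flag in self._effective:
            ctx["iv"] = self._effective[flag]
        # Step 5: run the cipher.
        out, effective = cbc(ctx["key"], ctx["iv"], data, flag == "enc")
        # Step 6: record the effective vector. Step 7: ctx is discarded.
        self._effective[flag] = effective
        return out


def demo() -> bool:
    # Constructed keys and records; the server mirrors the client's keys.
    ck, civ, sk, siv = b"c" * 16, bytes(16), b"s" * 16, b"\x01" * 16
    client = CipherService(ck, civ, sk, siv)
    server = CipherService(sk, siv, ck, civ)
    records = [b"A" * 32, b"B" * 16]
    ciphertexts = [client.process("enc", r) for r in records]
    return [server.process("dec", c) for c in ciphertexts] == records
```

Two records encrypted in separate calls produce the same bytes as one continuous CBC pass, and a receiver that loses its recorded vector cannot recover the second record.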
The above describes, by way of simple illustration, the TrustZone-based secure TLS library implementation scheme provided by the invention. Those skilled in the art should understand that modifications may be made without departing from the spirit and scope of the invention; the scope of protection of the invention shall be as defined in the claims.

Claims (7)

1. A method for secure transmission of TLS communication data, comprising the steps of:
1) The client's TLS execution environment is divided into a secure environment and a normal environment;
2) In the normal environment, the client negotiates with the server the cipher suite, TLS protocol version, compression algorithm and session ID used by this session, and two shared random numbers: the client random number and the server random number;
3) The client passes the required parameters from the normal environment into the secure environment, then generates the client's pre-master key, master key and key block in the secure environment, and derives the session keys from the key block;
4) In the secure environment, the client encrypts the pre-master key with the server's public key and passes it to the normal environment; the normal environment then sends the encrypted pre-master key to the server;
5) The client computes the digest of the master key in the secure environment, passes the result to the normal environment, and sends it to the server for verification;
6) After verification succeeds, the normal environment passes the data to be encrypted or decrypted into the secure environment for the corresponding processing, and the secure environment then passes the processed data back to the normal environment.
2. the method for claim 1, it is characterised in that described pre-master key, the generation method of master key be: client is first First generate pre-master key at security context, be then based on pre-master key and incoming client random number, server end random number Generate master key.
3. method as claimed in claim 1 or 2, it is characterised in that according to described master key, client random number, server end Key packet described in generating random number.
4. method as claimed in claim 3, it is characterised in that the packet of described key includes six parts: client write MAC key, Server end writes MAC key, client writes key, server end writes key, client writes initialization vector, server End write initialization vector, every partial-length correspond to respectively mac_len, mac_len, key_len, key_len, iv_len, iv_len。
5. method as claimed in claim 4, it is characterised in that described security context is according to by the incoming MAC of described conventional environment Key length mac_len, symmetric cryptographic key length key_len, symmetric cryptography initialization vector length iv_len are divided from key Group derives described session key;Wherein, it is incoming simultaneously that described client writes MAC key, server end writes MAC key It is stored in described conventional environment;Described client writes key, server end writes key, client writes initialization vector, service Device end is write initialization vector and is stored in described security context.
6. method as claimed in claim 1 or 2, it is characterised in that incoming to be encrypted or solution ciphertext data is entered by described security context The method that row is processed is: first create an encryption and decryption structure in security context, and it includes encrypting the former of use for first Effective vector that the non-first encryption of beginning vector sum uses;And after security context arranges a overall situation each encryption and decryption of array record Effective vector;Then it, after receiving be-encrypted data, is that this encryption and decryption structure distributes heap memory, and initializes this and add solution Close structure, comprising: encryption and decryption mark, AES, encryption key, original vector;Then judge that pending data are No for encryption and decryption first, if it is, call encryption and decryption function corresponding operating is carried out to data, then record this operation Effectively vector, releasing memory;If it is not, then according to the overall situation array record result renewal encryption and decryption structure in effective Vector, calls encryption and decryption function and carries out corresponding operating to data, then records effectively vector, the releasing memory of this operation.
7. the method for claim 1, it is characterised in that described security context receives conventional environment by way of shared drive The parameter transmitting.
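The derivation and partition described in claims 2 to 5, as an added example that is not code from the patent: it assumes the TLS 1.2 PRF (P_SHA256 with the RFC 5246 labels), which the claims do not name, and the function names and the `to_normal` / `kept_secure` split are hypothetical names for what the claims describe.

```python
import hashlib
import hmac

PARTS = ("client_write_MAC_key", "server_write_MAC_key", "client_write_key",
         "server_write_key", "client_write_IV", "server_write_IV")

def p_sha256(secret, seed, n):
    """P_hash of RFC 5246 section 5 with HMAC-SHA256 (assumed PRF)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def derive_master_key(pre_master, client_random, server_random):
    # Claim 2: master key from the pre-master key and both random numbers.
    seed = b"master secret" + client_random + server_random
    return p_sha256(pre_master, seed, 48)

def derive_key_block(master, client_random, server_random,
                     mac_len, key_len, iv_len):
    # Claim 3: key block from the master key and both random numbers.
    # RFC 5246 section 6.3 puts server_random first in this seed.
    seed = b"key expansion" + server_random + client_random
    return p_sha256(master, seed, 2 * (mac_len + key_len + iv_len))

def split_key_block(block, mac_len, key_len, iv_len):
    """Claims 4-5: cut the block into six parts and sort them by home."""
    lengths = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    if len(block) != sum(lengths):
        raise ValueError("key block does not match the negotiated lengths")
    parts, offset = {}, 0
    for name, length in zip(PARTS, lengths):
        parts[name] = block[offset:offset + length]
        offset += length
    # Only the two MAC keys are handed to the normal environment.
    to_normal = {k: v for k, v in parts.items() if k.endswith("MAC_key")}
    kept_secure = {k: v for k, v in parts.items() if k not in to_normal}
    return to_normal, kept_secure

def handshake_keys(pre_master, client_random, server_random,
                   mac_len, key_len, iv_len):
    """Whole chain as it would run inside the secure environment."""
    master = derive_master_key(pre_master, client_random, server_random)
    block = derive_key_block(master, client_random, server_random,
                             mac_len, key_len, iv_len)
    return split_key_block(block, mac_len, key_len, iv_len)
```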

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510066824.3A CN105991569A (en) 2015-02-09 2015-02-09 Safe transmission method of TLS communication data


Publications (1)

Publication Number Publication Date
CN105991569A true CN105991569A (en) 2016-10-05

Family

ID=57038167


Country Status (1)

Country Link
CN (1) CN105991569A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161005