CN105991622A - Message authentication method and device - Google Patents
Message authentication method and device Download PDFInfo
- Publication number
- CN105991622A CN105991622A CN201510098568.6A CN201510098568A CN105991622A CN 105991622 A CN105991622 A CN 105991622A CN 201510098568 A CN201510098568 A CN 201510098568A CN 105991622 A CN105991622 A CN 105991622A
- Authority
- CN
- China
- Prior art keywords
- key
- server
- client
- private key
- service server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention discloses a message authentication method. A private key server receives an encryption parameter and an encrypted preset main key from a service server, the preset main key is subjected to decryption processing according to the private key corresponding to the preset main key, a main key is generated according to a decrypted preset main key and the encryption parameter, a symmetric encryption key is generated according to the main key, the main key is used to carry out integrity verification processing on the client, and an integrity response message is returned to the client through the service server, or the symmetric encryption key is sent to the service server. Thus under the premise of reducing the load of an existing server, the safety of a message authentication process is improved further.
Description
Technical field
The application relates to communication technical field, particularly to a kind of message verification method.The application also simultaneously
Relate to a kind of authentication of message equipment.
Background technology
SSL (Secure Sockets Layer SSL)/TLS (Transport Layer Security,
Transport Layer Security) main purpose of agreement is to set up a secure connection so that at its cocommutative number
According to cannot be obtained by the third party in addition to communicating pair.The foundation of secure connection is to be completed by shaking hands
, in the handshake procedure of SSL/TLS, key agreement can be carried out first by the mode of asymmetric encryption,
Purpose is the key making the both sides of communication finally negotiate identical " symmetric cryptography ", afterwards in safety even
Connecing cocommutative data can use this symmetric key to encrypt and decrypt operation, thus ensures the peace of data
Entirely.
In SSL/TLS agreement, it is certain that different types of Diffie-Hellman can cause handshake procedure to exist
Difference.As it is shown in figure 1, be a kind of the most frequently used Diffie-Hellman in prior art, this RSA key exchanges
Algorithm is as follows to the handshake procedure of SSL/TLS:
I. client (being generally made up of one or more front-end servers) is initiated to set up peace
The full request connecting, this is completed by ClientHello (Client Hello) message, at this message
In containing the Client Random (client's random number) that generated by client;
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version
After the contents such as basis, encryption suite, by a Server Random (server random number) and above-mentioned information
Server Hello (server hello) message is used to send back to client
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate
Relevant information, such as domain name, Email, certificate expiry time etc..Also with a Public in certificate
Key (PKI), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone (server hello completes) message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one
PreMaster Secret (preset master key), and use the PKI in certificate to this PreMaster Secret
After being encrypted, send ClientKeyExchange (client key exchange) message to server end, its
In with encryption after PreMaster Secret.Client now uses this PreMaster Secret and Client
Random (client-side random number) and Server Random (server side random number) generates Master
Secret (master key).
Vi. server is after the ClientKeyExchange receiving client, uses and corresponding in certificate
Private key, encrypted PreMaster Secret therein is decrypted, and by itself and Client Random
And Server Random enters row operation together and obtains Master Secret.Rear extended meeting is based on Master Secret
Derive multiple Key, use when symmetric cryptography, deciphering and checking message integrity.
Vii. user end to server sends ChangeCipherSpec (modification ciphertext stipulations) message, sound
The AES negotiating can be used to encrypt for the data of bright follow-up transmission and to continue to send a Finished (complete
Knot) message, this message contains through the encrypted one piece of data of symmetry algorithm, this segment data be for
The summary info of message before, carries out data integrity validation for server end.
Viii. received server-side is to after ChangeCipherSpec message, and it is right to generate based on Master Secret
Claim key, and to client send Finished message in data be decrypted so that according to deciphering after
The integrality of summary info checking data with existing.
Ix. last server end in the same way to client send ChangeCipherSpec and
Finished message, client uses same method to verify.If the verification passes, then so far shake hands
Stage terminates, and flow process enters data transfer phase.
X. at data transfer phase, server end and client use the symmetry being negotiated by handshake procedure close
Key encrypts and decrypts operation to data, due to one of the element generating symmetric key PreMaster Secret
It is encrypted transmission, so assailant cannot generate symmetric key, it is ensured that the safety of data.
During realizing the application, inventor finds that prior art at least also exists following shortcoming:
(1) handshake procedure that current various SSL/TLS storehouses realize, is real based on standard SSL/TLS agreement
Existing, this requires that program needs pre-loaded private key then to use private key when deciphering PreMaster.
That is private key needs to remain in (internal memory/disk etc.) in the storage device of server.For on a large scale
Server cluster is in the servers/devices (clothes in the fringe node of such as CDN of network edge in a large number
Business device, SLB externally provide the server etc. of load balancing), owing to having retained private key, private key can be caused secondary
A large amount of risings of this quantity, and the directly externally offer service of these servers/devices, security risk is higher,
Make one server of any of which that safety problem occur, all may result in private key leakage thus affect whole
The data safety of body.
(2) in the handshake procedure of SSL/TLS agreement, private key solution ciphertext data or signature, Yi Jihou are used
Continuous calculating Master Secret, data integrity verifying are required for consuming substantial amounts of calculating resource so that clothes
The disposal ability of business device is deteriorated, and easily suffers DDoS (Distributed Denial of during shaking hands
Service, distributed denial of service) attack.
Content of the invention
This application provides a kind of message verification method, in order to the security during ensureing authentication of message
While mitigate server load, the method is applied to include client, service server and private key
In the system of server, comprising:
The preset master after described service server receives encryption parameter and encryption is close for described private key server
Key, described preset master key is the client key exchange report that described service server sends from described client
Obtain in Wen;
Described preset master key is entered by described private key server according to private key corresponding with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Described private key server generates symmetric cryptographic key according to described master key;
Described private key server is after utilizing described master key to carry out integrity verification process to described client
Return integrality response message by described service server to described client, or by described symmetric cryptography
Key sends to described service server, so that described service server is according to described symmetric cryptographic key
Carry out integrity verification to described client and process backward described client return integrality response message.
The application also proposed a kind of message verification method, and described method is applied to include client, business
In the system of server and private key server, the method includes:
Described service server receives the client key exchange message that described client sends, and obtains described
The preset master key carrying in client key exchange message;
Described service server sends described preset master key and encryption parameter to described private key service
Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key
Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Described service server finishes Finished message according to the server side that described private key server returns
Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key
The Finished message sending described client carries out integrity verification by rear generation;Described symmetry
Encryption key is that described private key server generates according to described master key.
Correspondingly, the application also proposed a kind of authentication of message equipment, and described equipment is as private key server
It is applied to include that in the system of client, service server and described private key server, this equipment includes:
Receiver module, close for the preset master after receiving encryption parameter and encryption from described service server
Key, described preset master key is the client key exchange report that described service server sends from described client
Obtain in Wen;
Deciphering module, for according to described preset master key is entered by corresponding private key with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module, for generating symmetric cryptographic key according to described master key;
Authentication module, for after utilizing described master key to carry out integrity verification process to described client
Return integrality response message by described service server to described client, or by described symmetric cryptography
Key sends to described service server, so that described service server is according to described symmetric cryptographic key
Carry out integrity verification to described client and process backward described client return integrality response message.
The application also proposed a kind of authentication of message equipment, it is characterised in that described equipment takes as business
Business device is applied to include in the system of client, described service server and private key server, the method
Including:
Receiver module, the client key sending for receiving described client exchanges message, and obtains described
The preset master key carrying in client key exchange message;
Sending module, for sending described preset master key and encryption parameter to described private key server,
So that described preset master key is entered by described private key server according to private key corresponding with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Respond module, finishes Finished message for the server side returning according to described private key server
Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key
The Finished message sending described client carries out integrity verification by rear generation;Described symmetry
Encryption key is that described private key server generates according to described master key.
As can be seen here, by the above technical scheme of application, private key server receives encryption from service server
Preset master key after parameter and encryption, according to private key corresponding with preset master key to preset master key
Be decrypted process, and according to the preset master key after deciphering and encryption parameter generate master key and according to
Master key generates symmetric cryptographic key, logical after utilizing master key to carry out integrity verification process to client
Cross service server and return integrality response message to client, or send symmetric cryptographic key to business
Server.Thus on the premise of reducing the load of existing server, further increase authentication of message mistake
The security of journey.
Brief description
Fig. 1 is the SSL/TLS schematic flow sheet in prior art based on RSA key exchange algorithm;
Fig. 2 is the schematic flow sheet of a kind of message verification method that the application proposes;
Fig. 3 is the schematic flow sheet of the another kind of message verification method that the application proposes;
Fig. 4 is the structural representation of a kind of authentication of message equipment that the application proposes;
Fig. 5 is the structural representation of the another kind of authentication of message equipment that the application proposes.
Detailed description of the invention
Because the technical problem in background technology, present applicant proposes a kind of SSL/TLS and shake hands middle by PKI
The method separating with private key, the main thought of the method is that the correlation function processing private key is from prior art
In separate on the front-end server that client directly communicates, the private key individually placing private key is set
Server simultaneously gives the process of its private key related function), will no longer place private key and separate private key work(
The front-end server of energy, as service server, wherein only retains certificate (containing PKI).Work as business service
When device and client carry out needing when SSL/TLS shakes hands to use private key, remotely connect private key server, will be pre-
Put master key etc. to be sent to private key server and process, generate particular data after process and return front end services
Device, service server recovers handshake procedure and completes to shake hands.
As in figure 2 it is shown, the method specifically includes below scheme:
S201, described private key server from described service server receive encryption parameter and encryption after pre-
Putting master key, described preset master key is the client key that described service server sends from described client
Exchange message obtains.
In order to ensure the security during authentication of message, PKI and private key separate part are deployed to not by the application
With server apparatus on, wherein deposit the server of PKI and be referred to as service server, and the service of private key
Device is referred to as private key server, and the equipment depositing PKI directly cannot read private from the equipment depositing private key
The content of key.When needs use private key, user's (service server) of private key needs to process
Data be sent to deposit the equipment (private key server) of private key, and returned in business by private key server
Server and client, at the symmetric key using required for the follow-up data interaction stage and master key, are divided
The user of private key these data Yong Yu not used to be encrypted/decipher/verification etc..
It should be noted that according to the difference (such as equipment performance or secure threshold) of actually used situation,
Technical staff can arrange same for multiple service servers during realizing technical scheme
Private key server or single service server arrange a private key server, and these broadly fall into this
The protection domain of application.
Owing to PKI and private key separate part are deployed on different server apparatus, therefore the application is preferable to carry out
Private key server directly can be connected by non-encrypted passage with service server by example, and encryption parameter can
Use client and service server in formal verification preceding step produced client-side random number with
And server side random number, wherein server side random number is that described server is receiving described client
Setting up of sending generates after secure connection request, set up secure connection request carries client-side with
Machine number.
Based on above-mentioned setting, PKI and private key externally provide SSL/TLS to service in the way of separating.Due to private
Key does not leave on the service server externally providing service, but remote deployment takes to single private key
On business device.Independent level of security can be carried out for service server and private key server on this basis
Design.Higher level of security is for example set to private key server, and relatively low to service server design
Level of security.So, even if the relatively low service server of level of security is invaded, private key content is also
Will not leak.
S202, described private key server according to private key corresponding with described preset master key to described preset master
Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
S203, described private key server generates symmetric cryptographic key according to described master key;
S204, described private key server carries out integrity verification to described client utilizing described master key
Integrality response message is returned by described service server to described client after process, or by described right
Encryption key is claimed to send to described service server, so that described service server is adding according to described symmetry
Decryption key carries out integrity verification and processes backward described client return integrality response report to described client
Literary composition.
Based on the master key generated in S202 and the symmetric cryptographic key generated in S203, the application
Preferred embodiment proposes two kinds of different concrete verification modes, as follows respectively:
(1) the described symmetric key after described private key server will be encrypted sends to described service server,
So that after the described symmetric key that described service server is after to described encryption is decrypted, utilizing described
Data in the Finished message that described client is sent by symmetric key carry out integrity data checking, with
And return integrality response message to described client after being verified.
Specifically, in this approach, user's (service server) of private key and the side of depositing of private key are (private
Key server) between communication be unencrypted passage, but private key server return data itself be
Encryption.Therefore first described symmetric key is entered by private key server by the extra symmetric key according to self
Row encryption, and send the described symmetric key after described encryption to described service server.Meanwhile,
Need to have between side's of depositing (private key server) of user's (service server) of private key and private key
An identical symmetric key is encrypted or deciphers (private key clothes for the data returning private key server
Business device presets identical extra symmetric key in service server), this key is by other means
It is handed down to two users, and do regular update.
(2) the Fnished message that described client is sent by master key described in described private key server by utilizing enters
Row integrity verification;If described integrity verification passes through, described private key server is raw according to described primary message
Become for respond described Fnished message server side Fnished message, and by described server side
Fnished message sends to described service server, so that described service server is according to described server side
Fnished message returns integrality response message to described client.
Owing to the work of checking being given private key server to complete by the program, therefore not only the making of private key
Do not need to receive any data (symmetric key, master after private key is processed with side (service server)
Key etc.) beyond, (private key takes in the side of depositing of user's (service server) of private key and private key simultaneously
Business device) between communication be unencrypted passage, the data wherein transmitted also are all unencrypted.
Further, since private key has been deployed on private key server, allow for disappearing of substantial amounts of calculating resource
Consumption has been transferred to private key server from service server, alleviates the calculating pressure of service server greatly
Power.When there is ddos attack, if private key servers go down, do not interfere with service server to it yet
The process (such as HTTP service) of his business, can also carry out degrading for service server simultaneously
Process, it is switched back into HTTP from HTTPS.Avoid affecting HTTP industry because service server is paralysed
The process of business.
Correspondingly, preferred embodiment above illustrates the flow process of authentication of message with the angle of private key server side,
The another kind of message verification method below proposing for the application, the method is carried out with the angle of service server
Illustrate, as it is shown on figure 3, comprise the following steps:
S301, described service server receives the client key exchange message that described client sends, and obtains
Take the preset master key carrying in described client key exchange message.
Owing to PKI and private key separate part are deployed on different equipment, therefore can in the application preferred embodiment
Directly private key server is connected by non-encrypted passage with service server, and encryption parameter can use visitor
Family end and service server produced client-side random number and service in formal verification preceding step
Device side random number, wherein to be described service server send out receiving described client server side random number
Setting up of sending generates after secure connection request, sets up that to carry client-side in secure connection request random
Number.Additionally, private key server and service server preset identical extra symmetric key
S302, described service server sends described preset master key and encryption parameter to described private key
Server so that described private key server according to private key corresponding with described preset master key to described preset
Master key is decrypted process, and generates main close according to the preset master key after deciphering and described encryption parameter
Key.
S303, described service server finishes Finished according to the server side that described private key server returns
Symmetric key after message or encryption, returns integrality response message to described client.
It should be noted that server side Finished message is that described private key server is utilizing in this step
The Finished message that described client is sent by described master key carries out integrity verification by rear generation;
Symmetric cryptographic key is that described private key server generates according to described master key.Except directly taking according to private key
The server side Finished message that business device returns returns outside integrality response message to client, the application
Preferred embodiment is for " after the server side Finished message returning according to described private key server or encryption
Symmetric key return integrality response message to described client " propose following concrete steps:
Symmetric key after the encryption that the described private key server of step a) described service server reception sends,
Described symmetric key is encrypted according to the extra symmetric key of self by described private key server;
The described service server of step b) according to self preset extra symmetric key to encryption after described right
Key is claimed to be decrypted process;
Described client is sent by the described service server of step c) according to the described symmetric key after deciphering
Data in Finished message carry out integrity data checking, and return to described client after being verified
Return described integrality response message.
In order to the technological thought of the application is expanded on further, in conjunction with concrete application scenarios, to the application
Technical scheme illustrate.Particularly, present applicant proposes following two specific embodiment:
Specific embodiment one: the program provides the business service of SSL service except PKI is saved in front end
Outside device, deposit private key (this is private key server) at the higher place of safe class deployment server separately.
It when service server needs to use private key, transmit a request to reach private key server, by private key server
Use in this locality private key to process data, result is returned to service server.Concrete steps
It is explained as follows:
I. client (service server) initiates to set up the request of secure connection, and this is logical
Cross what a ClientHello message completed, containing random number Client being generated by client in this message
Random。
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version
After the contents such as basis, encryption suite, a Server Random random number and above-mentioned information are used Server
Hello packet sends back to client.
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate
Relevant information, such as domain name, Email, certificate expiry time etc..Also with a PKI in certificate
(Public Key), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one
PreMaster Secret, and after using the PKI in certificate to be encrypted this PreMaster Secret, to
Server end sends ClientKeyExchange message, wherein with the PreMaster Secret after encryption.
Client now uses this PreMaster Secret and Client Random and Server Random to generate
Master Secret。
Vi. user end to server sends ChangeCipherSpec message, states the data of follow-up transmission
The AES negotiating can be used to encrypt and continue to send a Fnished message, this message contain through
Crossing the encrypted one piece of data of symmetry algorithm, this segment data is the summary info for message before, is used for
Server end carries out data integrity validation.
Vii. server is after the ClientKeyExchange receiving client, owing to this locality does not has
Preserve and the corresponding private key of certificate, it is therefore desirable to by PreMaster Secret, Client Random after encryption
It is sent to long-range private key server with Server Random to process.In order to prevent data at midway quilt
Distort, need to do digital signature to above-mentioned data.
Viii. private key server is after receiving above-mentioned data, uses and corresponding private key in certificate, to wherein
Encrypted PreMaster Secret be decrypted, and by itself and Client Random and Server
Random enters row operation together and obtains Master Secret.Drawing symmetric cryptography based on Master Secret
Key.
Ix. private key server is by the Master Secret generating and symmetric cryptographic key, uses another one
They are encrypted by symmetric key, are then sent to server end, and server end is receiving this encryption number
According to rear, same symmetric key is used to decipher it, it is thus achieved that MasterSecret and symmetric cryptographic key.With
In the extra symmetric key to data encryption, need to be deployed to server end and private key server end in advance,
And timing updates.
X., after the data that received server-side is returned to private key server response, use symmetric key to client
Data in the Finished message that end sends are decrypted and then verify according to the summary info after deciphering
There is the integrality of data.
Xi. last server end in the same way to client send ChangeCipherSpec and
Finished message, client uses same method to verify.If the verification passes, then so far shake hands
Stage terminates, and flow process enters data transfer phase.
Xii. at data transfer phase, server end and client use the symmetry being negotiated by handshake procedure
Data key encrypts and decrypts operation, due to one of the element generating symmetric key PreMaster
Secret is encrypted transmission, so assailant cannot generate symmetric key, it is ensured that the safety of data.
Specific embodiment two: the program has separated symmetric key further so that the data after shaking hands are led to
The encrypting and decrypting of letter part, has been also transferred on private key server.Specifically comprise the following steps that
I. client (service server) initiates to set up the request of secure connection, and this is logical
Cross what a ClientHello message completed, containing random number Client being generated by client in this message
Random。
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version
After the contents such as basis, encryption suite, a Server Random random number and above-mentioned information are used Server
Hello packet sends back to client.
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate
Relevant information, such as domain name, Email, certificate expiry time etc..Also with a PKI in certificate
(Public Key), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one
PreMaster Secret, and after using the PKI in certificate to be encrypted this PreMaster Secret, to
Server end sends ClientKeyExchange message, wherein with the PreMaster Secret after encryption.
Client now uses this PreMaster Secret and Client Random and Server Random to generate
Master Secret。
Vi. user end to server sends ChangeCipherSpec message, states the data of follow-up transmission
The AES negotiating can be used to encrypt and continue to send a Fnished message, this message contain through
Crossing the encrypted one piece of data of symmetry algorithm, this segment data is the summary info for message before, is used for
Server end carries out data integrity validation.
Vii. server is after the ClientKeyExchange receiving client, owing to this locality does not has
Preserve and the corresponding private key of certificate, it is therefore desirable to by PreMaster Secret, Client Random after encryption
With Server Random, and client send Finshed message and pending server end
Finished message, is sent to long-range private key server and processes.In order to prevent data from being usurped in midway
Change, need to do digital signature to above-mentioned data.
Viii. private key server is after receiving above-mentioned data, uses and corresponding private key in certificate, to wherein
Encrypted PreMaster Secret be decrypted, and by itself and Client Random and Server
Random enters row operation together and obtains Master Secret.Drawing symmetric cryptography based on Master Secret
Key.Then private key server uses the Fnished message of Master Secret checking client, and uses
Master Secret generates final server end Finished message.
Ix. the server end Finished message of generation is sent to server end by private key server.
X. last server end in the same way to client send ChangeCipherSpec and
Finished message, client uses same method to verify.If the verification passes, then so far shake hands
Stage terminates, and flow process enters data transfer phase.
Xi. at data transfer phase, due to server end and be not preserved in handshake phase consult right
Claiming key, therefore encryption data is after reaching server end, needs to be further transmitted to private key server
It is decrypted, or for server end data to be sent, it is also desirable to it is sent initially to private key server
It is encrypted.So so the step relating to encryption/decryption has all been transferred on private key server.
For reaching above technical purpose, the application also proposed a kind of authentication of message equipment, as shown in Figure 4,
Described equipment is applied to include client, service server and described private key service as private key server
In the system of device, 4 include:
Receiver module 410, for the preset master after described service server reception encryption parameter and encryption
Key, described preset master key is the client key exchange that described service server sends from described client
Message obtains;
Deciphering module 420, is used for according to the corresponding private key with described preset master key to described preset master key
It is decrypted process, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module 430, for generating symmetric cryptographic key according to described master key;
Authentication module 440, for utilizing described master key to carry out integrity verification process to described client
Return integrality response message by described service server to described client afterwards, or described symmetry is added
Decryption key sends to described service server, so that described service server is close according to described symmetric cryptography
Key carries out integrity verification and processes backward described client return integrality response message to described client.
In concrete application scenarios, described authentication module specifically for:
Send the described symmetric key after encryption to described service server, so that described service server
After described symmetric key after to described encryption is decrypted, utilize described symmetric key to described client
The data finishing in Finished message that end sends carry out integrity data checking, and are being verified
Backward described client returns integrality response message.
In concrete application scenarios, the described symmetric key after described authentication module will be encrypted sends to institute
State service server, particularly as follows:
Described symmetric key is encrypted by described authentication module according to the extra symmetric key of self,
And send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
In concrete application scenarios, described authentication module specifically includes:
Checking submodule, is carried out for the Fnished message utilizing described master key to send described client
Integrity verification;
Generate submodule, be used for after described checking submodule confirms that described integrity verification passes through, according to
Described primary message generate for respond described Finished message server side Finished message, and will
Described server side Finished message sends to described service server, so that described service server root
Return integrality response message according to described server side Finished message to described client.
In concrete application scenarios, described private key server is led to by non-encrypted with described service server
Road connects, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
The application also proposed a kind of authentication of message equipment, as it is shown in figure 5, described equipment takes as business
Business device is applied to include in the system of client, described service server and private key server, this equipment
Including:
Receiver module 510, the client key sending for receiving described client exchanges message, and obtains institute
State the preset master key carrying in client key exchange message;
Sending module 520, for sending described preset master key and encryption parameter to described private key service
Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key
Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Respond module 530, for according to described private key server return server side finish Finished report
Symmetric key after literary composition or encryption, returns integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key
The Finished message sending described client carries out integrity verification by rear generation;Described symmetry
Encryption key is that described private key server generates according to described master key.
In concrete application scenarios, described respond module specifically includes:
Receive submodule, be used for the symmetric key after receiving the encryption that described private key server sends, described
Symmetric key is encrypted according to the extra symmetric key of self by described private key server;
Deciphering submodule, is used for according to self preset extra symmetric key close to the described symmetry after encryption
Key is decrypted process;
Checking submodule, for send to described client according to the described symmetric key after deciphering
Data in Finished message carry out integrity data checking, and return to described client after being verified
Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
In concrete application scenarios, described private key server is led to by non-encrypted with described service server
Road connects, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
Through the above description of the embodiments, those skilled in the art is it can be understood that arrive this Shen
Please be realized by hardware, it is also possible to the mode adding necessary general hardware platform by software realizes.
Based on such understanding, the technical scheme of the application can embody with the form of software product, and this is soft
Part product can be stored in a non-volatile memory medium, and (can be CD-ROM, USB flash disk, movement be hard
Dish etc.) in, including some instructions are with so that a computer equipment (can be personal computer, take
Business device, or the network equipment etc.) each implements the method described in scene to perform the application.
It will be appreciated by those skilled in the art that accompanying drawing is a schematic diagram being preferable to carry out scene, in accompanying drawing
Module or flow process not necessarily implement necessary to the application.
It will be appreciated by those skilled in the art that the module in the device implemented in scene can be according to enforcement scene
Describe and carry out being distributed in the device implementing scene, it is also possible to carry out respective change and be disposed other than this enforcement
In one or more devices of scene.The module of above-mentioned enforcement scene can merge into a module, it is possible to
To be further split into multiple submodule.
Above-mentioned the application sequence number, just to describing, does not represent the quality implementing scene.
The several scenes that are embodied as being only the application disclosed above, but, the application is not limited to
This, the changes that any person skilled in the art can think of all should fall into the protection domain of the application.
Claims (16)
1. a message verification method, it is characterised in that described method is applied to include client, business
In the system of server and private key server, the method includes:
The preset master after described service server receives encryption parameter and encryption is close for described private key server
Key, described preset master key is the client key exchange report that described service server sends from described client
Obtain in Wen;
Described preset master key is entered by described private key server according to private key corresponding with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Described private key server generates symmetric cryptographic key according to described master key;
Described private key server is after utilizing described master key to carry out integrity verification process to described client
Return integrality response message by described service server to described client, or by described symmetric cryptography
Key sends to described service server, so that described service server is according to described symmetric cryptographic key
Carry out integrity verification to described client and process backward described client return integrality response message.
2. the method for claim 1, it is characterised in that described private key server is by described symmetry
Encryption key sends to described service server, particularly as follows:
Described symmetric key after described private key server will be encrypted sends to described service server, so that
After described symmetric key after to described encryption for the described service server is decrypted, utilize described symmetry
The data finishing in Finished message that client described in double secret key sends carry out integrity data checking,
And return integrality response message to described client after being verified.
3. method as claimed in claim 2, it is characterised in that after described private key server will be encrypted
Described symmetric key sends to described service server, particularly as follows:
Described private key server is encrypted place according to the extra symmetric key of self to described symmetric key
Reason, and send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
4. the method for claim 1, it is characterised in that described private key server is described in utilization
Master key passes through described service server to described client carry out integrity verification process to described client after
End returns integrality response message, particularly as follows:
The Finished message that described client is sent by master key described in described private key server by utilizing is carried out
Integrity verification;
If described integrity verification passes through, described private key server generates according to described primary message and is used for responding
Described Finished message server side Finished message, and by described server side Finished
Message sends to described service server, so that described service server is according to described server side Finished
Message returns integrality response message to described client.
5. the method as described in any one of claim 1-4, it is characterised in that described private key server with
Described service server is connected by non-encrypted passage, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
6. a message verification method, it is characterised in that described method is applied to include client, business
In the system of server and private key server, the method includes:
Described service server receives the client key exchange message that described client sends, and obtains described
The preset master key carrying in client key exchange message;
Described service server sends described preset master key and encryption parameter to described private key service
Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key
Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Described service server finishes Finished message according to the server side that described private key server returns
Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key
The Finished message sending described client carries out integrity verification by rear generation;Described symmetry
Encryption key is that described private key server generates according to described master key.
7. method as claimed in claim 6, it is characterised in that described service server is according to described private
Symmetric key after the server side Finished message of key server return or encryption returns to described client
Return integrality response message, particularly as follows:
Symmetric key after the encryption that the described private key server of described service server reception sends, described right
Key is claimed to be encrypted according to the extra symmetric key of self by described private key server;
Described service server according to self preset extra symmetric key to encryption after described symmetric key
It is decrypted process;
Described client is sent by described service server according to the described symmetric key after deciphering
Data in Finished message carry out integrity data checking, and return to described client after being verified
Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
8. the method as described in any one of claim 6 or 7, it is characterised in that described private key server
Being connected by non-encrypted passage with described service server, described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
9. an authentication of message equipment, it is characterised in that described equipment is applied to bag as private key server
Including in the system of client, service server and described private key server, this equipment includes:
Receiver module, close for the preset master after receiving encryption parameter and encryption from described service server
Key, described preset master key is the client key exchange report that described service server sends from described client
Obtain in Wen;
Deciphering module, for according to described preset master key is entered by corresponding private key with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module, for generating symmetric cryptographic key according to described master key;
Authentication module, for after utilizing described master key to carry out integrity verification process to described client
Return integrality response message by described service server to described client, or by described symmetric cryptography
Key sends to described service server, so that described service server is according to described symmetric cryptographic key
Carry out integrity verification to described client and process backward described client return integrality response message.
10. equipment as claimed in claim 9, it is characterised in that described authentication module specifically for:
Send the described symmetric key after encryption to described service server, so that described service server
After described symmetric key after to described encryption is decrypted, utilize described symmetric key to described client
The data finishing in Finished message that end sends carry out integrity data checking, and are being verified
Backward described client returns integrality response message.
11. equipment as claimed in claim 10, it is characterised in that after described authentication module will be encrypted
Described symmetric key sends to described service server, particularly as follows:
Described symmetric key is encrypted by described authentication module according to the extra symmetric key of self,
And send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
12. equipment as claimed in claim 9, it is characterised in that described authentication module specifically includes:
Checking submodule, is carried out for the Fnished message utilizing described master key to send described client
Integrity verification;
Generate submodule, be used for after described checking submodule confirms that described integrity verification passes through, according to
Described primary message generate for respond described Finished message server side Finished message, and will
Described server side Finished message sends to described service server, so that described service server root
Return integrality response message according to described server side Finished message to described client.
13. equipment as described in any one of claim 9-12, it is characterised in that described private key server
Being connected by non-encrypted passage with described service server, described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
14. 1 kinds of authentication of message equipment, it is characterised in that described equipment is applied to as service server
Including in the system of client, described service server and private key server, this equipment includes:
Receiver module, the client key sending for receiving described client exchanges message, and obtains described
The preset master key carrying in client key exchange message;
Sending module, for sending described preset master key and encryption parameter to described private key server,
So that described preset master key is entered by described private key server according to private key corresponding with described preset master key
Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Respond module, finishes Finished message for the server side returning according to described private key server
Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key
The Finished message sending described client carries out integrity verification by rear generation;Described symmetry
Encryption key is that described private key server generates according to described master key.
15. equipment as claimed in claim 14, it is characterised in that described respond module specifically includes:
Receive submodule, be used for the symmetric key after receiving the encryption that described private key server sends, described
Symmetric key is encrypted according to the extra symmetric key of self by described private key server;
Deciphering submodule, is used for according to self preset extra symmetric key close to the described symmetry after encryption
Key is decrypted process;
Checking submodule, for send to described client according to the described symmetric key after deciphering
Data in Finished message carry out integrity data checking, and return to described client after being verified
Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
16. equipment as described in any one of claims 14 or 15, it is characterised in that described private key takes
Business device is connected by non-encrypted passage with described service server, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client
Set up and generate after secure connection request, described foundation carries described client-side in secure connection request
Random number.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510098568.6A CN105991622A (en) | 2015-03-05 | 2015-03-05 | Message authentication method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510098568.6A CN105991622A (en) | 2015-03-05 | 2015-03-05 | Message authentication method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105991622A true CN105991622A (en) | 2016-10-05 |
Family
ID=57039314
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510098568.6A Pending CN105991622A (en) | 2015-03-05 | 2015-03-05 | Message authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105991622A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108574687A (en) * | 2017-07-03 | 2018-09-25 | 北京金山云网络技术有限公司 | A kind of communication connection method for building up, device and electronic equipment |
CN108881257A (en) * | 2018-06-29 | 2018-11-23 | 北京奇虎科技有限公司 | Distributed search cluster encrypted transmission method and encrypted transmission distributed search cluster |
CN109842664A (en) * | 2017-11-29 | 2019-06-04 | 苏宁云商集团股份有限公司 | A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS |
CN112235766A (en) * | 2020-09-09 | 2021-01-15 | 易兆微电子(杭州)股份有限公司 | POS terminal positioning and data transmission method based on Bluetooth BENP system |
WO2022111102A1 (en) * | 2020-11-24 | 2022-06-02 | 北京金山云网络技术有限公司 | Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1679066A (en) * | 2002-07-12 | 2005-10-05 | 英格里安网络公司 | Network attached encryption |
WO2007045395A1 (en) * | 2005-10-20 | 2007-04-26 | Ubs Ag | Device and method for carrying out cryptographic operations in a server-client computer network system |
CN101459506A (en) * | 2007-12-14 | 2009-06-17 | 华为技术有限公司 | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation |
CN102932350A (en) * | 2012-10-31 | 2013-02-13 | 华为技术有限公司 | TLS (Transport Layer Security) scanning method and device |
-
2015
- 2015-03-05 CN CN201510098568.6A patent/CN105991622A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1679066A (en) * | 2002-07-12 | 2005-10-05 | 英格里安网络公司 | Network attached encryption |
WO2007045395A1 (en) * | 2005-10-20 | 2007-04-26 | Ubs Ag | Device and method for carrying out cryptographic operations in a server-client computer network system |
CN101459506A (en) * | 2007-12-14 | 2009-06-17 | 华为技术有限公司 | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation |
CN102932350A (en) * | 2012-10-31 | 2013-02-13 | 华为技术有限公司 | TLS (Transport Layer Security) scanning method and device |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108574687A (en) * | 2017-07-03 | 2018-09-25 | 北京金山云网络技术有限公司 | A kind of communication connection method for building up, device and electronic equipment |
CN108574687B (en) * | 2017-07-03 | 2020-11-27 | 北京金山云网络技术有限公司 | Communication connection establishment method and device, electronic equipment and computer readable medium |
CN109842664A (en) * | 2017-11-29 | 2019-06-04 | 苏宁云商集团股份有限公司 | A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS |
CN108881257A (en) * | 2018-06-29 | 2018-11-23 | 北京奇虎科技有限公司 | Distributed search cluster encrypted transmission method and encrypted transmission distributed search cluster |
CN112235766A (en) * | 2020-09-09 | 2021-01-15 | 易兆微电子(杭州)股份有限公司 | POS terminal positioning and data transmission method based on Bluetooth BENP system |
WO2022111102A1 (en) * | 2020-11-24 | 2022-06-02 | 北京金山云网络技术有限公司 | Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210385201A1 (en) | Systems and methods for secure multi-party communications using aproxy | |
EP3642997B1 (en) | Secure communications providing forward secrecy | |
EP3534565B1 (en) | Data transmission method, apparatus and system | |
CN108352015B (en) | Secure multi-party loss-resistant storage and encryption key transfer for blockchain based systems in conjunction with wallet management systems | |
US10708072B2 (en) | Mutual authentication of confidential communication | |
US9065637B2 (en) | System and method for securing private keys issued from distributed private key generator (D-PKG) nodes | |
KR102015201B1 (en) | Efficient start-up for secured connections and related services | |
CN108886468B (en) | System and method for distributing identity-based key material and certificates | |
CN102833253B (en) | Set up method and server that client is connected with server security | |
JP5845393B2 (en) | Cryptographic communication apparatus and cryptographic communication system | |
CN109891423B (en) | Data encryption control using multiple control mechanisms | |
US11870891B2 (en) | Certificateless public key encryption using pairings | |
JP2003298568A (en) | Authenticated identification-based cryptosystem with no key escrow | |
CN110635901B (en) | Local Bluetooth dynamic authentication method and system for Internet of things equipment | |
CN103427998A (en) | Internet data distribution oriented identity authentication and data encryption method | |
US10291600B2 (en) | Synchronizing secure session keys | |
CN104901935A (en) | Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem) | |
CN105991622A (en) | Message authentication method and device | |
CN105577377A (en) | Identity-based authentication method and identity-based authentication system with secret key negotiation | |
CN110493367A (en) | The non-public server of unaddressed IPv6, client computer and communication means | |
Rizvi et al. | A trusted third-party (TTP) based encryption scheme for ensuring data confidentiality in cloud environment | |
CN113098681B (en) | Port order enhanced and updatable blinded key management method in cloud storage | |
CN108462677A (en) | A kind of file encrypting method and system | |
CN114760053B (en) | Distribution method, device, equipment and medium of symmetric key | |
EP3769462B1 (en) | Secure distribution of device key sets over a network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
AD01 | Patent right deemed abandoned | ||
AD01 | Patent right deemed abandoned |
Effective date of abandoning: 20200811 |