CN105991622A - Message authentication method and device - Google Patents

Message authentication method and device Download PDF

Info

Publication number
CN105991622A
CN105991622A CN201510098568.6A CN201510098568A CN105991622A CN 105991622 A CN105991622 A CN 105991622A CN 201510098568 A CN201510098568 A CN 201510098568A CN 105991622 A CN105991622 A CN 105991622A
Authority
CN
China
Prior art keywords
key
server
client
private key
service server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510098568.6A
Other languages
Chinese (zh)
Inventor
杨洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201510098568.6A priority Critical patent/CN105991622A/en
Publication of CN105991622A publication Critical patent/CN105991622A/en
Pending legal-status Critical Current

Links

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a message authentication method. A private key server receives an encryption parameter and an encrypted preset main key from a service server, the preset main key is subjected to decryption processing according to the private key corresponding to the preset main key, a main key is generated according to a decrypted preset main key and the encryption parameter, a symmetric encryption key is generated according to the main key, the main key is used to carry out integrity verification processing on the client, and an integrity response message is returned to the client through the service server, or the symmetric encryption key is sent to the service server. Thus under the premise of reducing the load of an existing server, the safety of a message authentication process is improved further.

Description

A kind of message verification method and equipment
Technical field
The application relates to communication technical field, particularly to a kind of message verification method.The application also simultaneously Relate to a kind of authentication of message equipment.
Background technology
SSL (Secure Sockets Layer SSL)/TLS (Transport Layer Security, Transport Layer Security) main purpose of agreement is to set up a secure connection so that at its cocommutative number According to cannot be obtained by the third party in addition to communicating pair.The foundation of secure connection is to be completed by shaking hands , in the handshake procedure of SSL/TLS, key agreement can be carried out first by the mode of asymmetric encryption, Purpose is the key making the both sides of communication finally negotiate identical " symmetric cryptography ", afterwards in safety even Connecing cocommutative data can use this symmetric key to encrypt and decrypt operation, thus ensures the peace of data Entirely.
In SSL/TLS agreement, it is certain that different types of Diffie-Hellman can cause handshake procedure to exist Difference.As it is shown in figure 1, be a kind of the most frequently used Diffie-Hellman in prior art, this RSA key exchanges Algorithm is as follows to the handshake procedure of SSL/TLS:
I. client (being generally made up of one or more front-end servers) is initiated to set up peace The full request connecting, this is completed by ClientHello (Client Hello) message, at this message In containing the Client Random (client's random number) that generated by client;
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version After the contents such as basis, encryption suite, by a Server Random (server random number) and above-mentioned information Server Hello (server hello) message is used to send back to client
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate Relevant information, such as domain name, Email, certificate expiry time etc..Also with a Public in certificate Key (PKI), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone (server hello completes) message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one PreMaster Secret (preset master key), and use the PKI in certificate to this PreMaster Secret After being encrypted, send ClientKeyExchange (client key exchange) message to server end, its In with encryption after PreMaster Secret.Client now uses this PreMaster Secret and Client Random (client-side random number) and Server Random (server side random number) generates Master Secret (master key).
Vi. server is after the ClientKeyExchange receiving client, uses and corresponding in certificate Private key, encrypted PreMaster Secret therein is decrypted, and by itself and Client Random And Server Random enters row operation together and obtains Master Secret.Rear extended meeting is based on Master Secret Derive multiple Key, use when symmetric cryptography, deciphering and checking message integrity.
Vii. user end to server sends ChangeCipherSpec (modification ciphertext stipulations) message, sound The AES negotiating can be used to encrypt for the data of bright follow-up transmission and to continue to send a Finished (complete Knot) message, this message contains through the encrypted one piece of data of symmetry algorithm, this segment data be for The summary info of message before, carries out data integrity validation for server end.
Viii. received server-side is to after ChangeCipherSpec message, and it is right to generate based on Master Secret Claim key, and to client send Finished message in data be decrypted so that according to deciphering after The integrality of summary info checking data with existing.
Ix. last server end in the same way to client send ChangeCipherSpec and Finished message, client uses same method to verify.If the verification passes, then so far shake hands Stage terminates, and flow process enters data transfer phase.
X. at data transfer phase, server end and client use the symmetry being negotiated by handshake procedure close Key encrypts and decrypts operation to data, due to one of the element generating symmetric key PreMaster Secret It is encrypted transmission, so assailant cannot generate symmetric key, it is ensured that the safety of data.
During realizing the application, inventor finds that prior art at least also exists following shortcoming:
(1) handshake procedure that current various SSL/TLS storehouses realize, is real based on standard SSL/TLS agreement Existing, this requires that program needs pre-loaded private key then to use private key when deciphering PreMaster. That is private key needs to remain in (internal memory/disk etc.) in the storage device of server.For on a large scale Server cluster is in the servers/devices (clothes in the fringe node of such as CDN of network edge in a large number Business device, SLB externally provide the server etc. of load balancing), owing to having retained private key, private key can be caused secondary A large amount of risings of this quantity, and the directly externally offer service of these servers/devices, security risk is higher, Make one server of any of which that safety problem occur, all may result in private key leakage thus affect whole The data safety of body.
(2) in the handshake procedure of SSL/TLS agreement, private key solution ciphertext data or signature, Yi Jihou are used Continuous calculating Master Secret, data integrity verifying are required for consuming substantial amounts of calculating resource so that clothes The disposal ability of business device is deteriorated, and easily suffers DDoS (Distributed Denial of during shaking hands Service, distributed denial of service) attack.
Content of the invention
This application provides a kind of message verification method, in order to the security during ensureing authentication of message While mitigate server load, the method is applied to include client, service server and private key In the system of server, comprising:
The preset master after described service server receives encryption parameter and encryption is close for described private key server Key, described preset master key is the client key exchange report that described service server sends from described client Obtain in Wen;
Described preset master key is entered by described private key server according to private key corresponding with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Described private key server generates symmetric cryptographic key according to described master key;
Described private key server is after utilizing described master key to carry out integrity verification process to described client Return integrality response message by described service server to described client, or by described symmetric cryptography Key sends to described service server, so that described service server is according to described symmetric cryptographic key Carry out integrity verification to described client and process backward described client return integrality response message.
The application also proposed a kind of message verification method, and described method is applied to include client, business In the system of server and private key server, the method includes:
Described service server receives the client key exchange message that described client sends, and obtains described The preset master key carrying in client key exchange message;
Described service server sends described preset master key and encryption parameter to described private key service Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Described service server finishes Finished message according to the server side that described private key server returns Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key The Finished message sending described client carries out integrity verification by rear generation;Described symmetry Encryption key is that described private key server generates according to described master key.
Correspondingly, the application also proposed a kind of authentication of message equipment, and described equipment is as private key server It is applied to include that in the system of client, service server and described private key server, this equipment includes:
Receiver module, close for the preset master after receiving encryption parameter and encryption from described service server Key, described preset master key is the client key exchange report that described service server sends from described client Obtain in Wen;
Deciphering module, for according to described preset master key is entered by corresponding private key with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module, for generating symmetric cryptographic key according to described master key;
Authentication module, for after utilizing described master key to carry out integrity verification process to described client Return integrality response message by described service server to described client, or by described symmetric cryptography Key sends to described service server, so that described service server is according to described symmetric cryptographic key Carry out integrity verification to described client and process backward described client return integrality response message.
The application also proposed a kind of authentication of message equipment, it is characterised in that described equipment takes as business Business device is applied to include in the system of client, described service server and private key server, the method Including:
Receiver module, the client key sending for receiving described client exchanges message, and obtains described The preset master key carrying in client key exchange message;
Sending module, for sending described preset master key and encryption parameter to described private key server, So that described preset master key is entered by described private key server according to private key corresponding with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Respond module, finishes Finished message for the server side returning according to described private key server Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key The Finished message sending described client carries out integrity verification by rear generation;Described symmetry Encryption key is that described private key server generates according to described master key.
As can be seen here, by the above technical scheme of application, private key server receives encryption from service server Preset master key after parameter and encryption, according to private key corresponding with preset master key to preset master key Be decrypted process, and according to the preset master key after deciphering and encryption parameter generate master key and according to Master key generates symmetric cryptographic key, logical after utilizing master key to carry out integrity verification process to client Cross service server and return integrality response message to client, or send symmetric cryptographic key to business Server.Thus on the premise of reducing the load of existing server, further increase authentication of message mistake The security of journey.
Brief description
Fig. 1 is the SSL/TLS schematic flow sheet in prior art based on RSA key exchange algorithm;
Fig. 2 is the schematic flow sheet of a kind of message verification method that the application proposes;
Fig. 3 is the schematic flow sheet of the another kind of message verification method that the application proposes;
Fig. 4 is the structural representation of a kind of authentication of message equipment that the application proposes;
Fig. 5 is the structural representation of the another kind of authentication of message equipment that the application proposes.
Detailed description of the invention
Because the technical problem in background technology, present applicant proposes a kind of SSL/TLS and shake hands middle by PKI The method separating with private key, the main thought of the method is that the correlation function processing private key is from prior art In separate on the front-end server that client directly communicates, the private key individually placing private key is set Server simultaneously gives the process of its private key related function), will no longer place private key and separate private key work( The front-end server of energy, as service server, wherein only retains certificate (containing PKI).Work as business service When device and client carry out needing when SSL/TLS shakes hands to use private key, remotely connect private key server, will be pre- Put master key etc. to be sent to private key server and process, generate particular data after process and return front end services Device, service server recovers handshake procedure and completes to shake hands.
As in figure 2 it is shown, the method specifically includes below scheme:
S201, described private key server from described service server receive encryption parameter and encryption after pre- Putting master key, described preset master key is the client key that described service server sends from described client Exchange message obtains.
In order to ensure the security during authentication of message, PKI and private key separate part are deployed to not by the application With server apparatus on, wherein deposit the server of PKI and be referred to as service server, and the service of private key Device is referred to as private key server, and the equipment depositing PKI directly cannot read private from the equipment depositing private key The content of key.When needs use private key, user's (service server) of private key needs to process Data be sent to deposit the equipment (private key server) of private key, and returned in business by private key server Server and client, at the symmetric key using required for the follow-up data interaction stage and master key, are divided The user of private key these data Yong Yu not used to be encrypted/decipher/verification etc..
It should be noted that according to the difference (such as equipment performance or secure threshold) of actually used situation, Technical staff can arrange same for multiple service servers during realizing technical scheme Private key server or single service server arrange a private key server, and these broadly fall into this The protection domain of application.
Owing to PKI and private key separate part are deployed on different server apparatus, therefore the application is preferable to carry out Private key server directly can be connected by non-encrypted passage with service server by example, and encryption parameter can Use client and service server in formal verification preceding step produced client-side random number with And server side random number, wherein server side random number is that described server is receiving described client Setting up of sending generates after secure connection request, set up secure connection request carries client-side with Machine number.
Based on above-mentioned setting, PKI and private key externally provide SSL/TLS to service in the way of separating.Due to private Key does not leave on the service server externally providing service, but remote deployment takes to single private key On business device.Independent level of security can be carried out for service server and private key server on this basis Design.Higher level of security is for example set to private key server, and relatively low to service server design Level of security.So, even if the relatively low service server of level of security is invaded, private key content is also Will not leak.
S202, described private key server according to private key corresponding with described preset master key to described preset master Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
S203, described private key server generates symmetric cryptographic key according to described master key;
S204, described private key server carries out integrity verification to described client utilizing described master key Integrality response message is returned by described service server to described client after process, or by described right Encryption key is claimed to send to described service server, so that described service server is adding according to described symmetry Decryption key carries out integrity verification and processes backward described client return integrality response report to described client Literary composition.
Based on the master key generated in S202 and the symmetric cryptographic key generated in S203, the application Preferred embodiment proposes two kinds of different concrete verification modes, as follows respectively:
(1) the described symmetric key after described private key server will be encrypted sends to described service server, So that after the described symmetric key that described service server is after to described encryption is decrypted, utilizing described Data in the Finished message that described client is sent by symmetric key carry out integrity data checking, with And return integrality response message to described client after being verified.
Specifically, in this approach, user's (service server) of private key and the side of depositing of private key are (private Key server) between communication be unencrypted passage, but private key server return data itself be Encryption.Therefore first described symmetric key is entered by private key server by the extra symmetric key according to self Row encryption, and send the described symmetric key after described encryption to described service server.Meanwhile, Need to have between side's of depositing (private key server) of user's (service server) of private key and private key An identical symmetric key is encrypted or deciphers (private key clothes for the data returning private key server Business device presets identical extra symmetric key in service server), this key is by other means It is handed down to two users, and do regular update.
(2) the Fnished message that described client is sent by master key described in described private key server by utilizing enters Row integrity verification;If described integrity verification passes through, described private key server is raw according to described primary message Become for respond described Fnished message server side Fnished message, and by described server side Fnished message sends to described service server, so that described service server is according to described server side Fnished message returns integrality response message to described client.
Owing to the work of checking being given private key server to complete by the program, therefore not only the making of private key Do not need to receive any data (symmetric key, master after private key is processed with side (service server) Key etc.) beyond, (private key takes in the side of depositing of user's (service server) of private key and private key simultaneously Business device) between communication be unencrypted passage, the data wherein transmitted also are all unencrypted.
Further, since private key has been deployed on private key server, allow for disappearing of substantial amounts of calculating resource Consumption has been transferred to private key server from service server, alleviates the calculating pressure of service server greatly Power.When there is ddos attack, if private key servers go down, do not interfere with service server to it yet The process (such as HTTP service) of his business, can also carry out degrading for service server simultaneously Process, it is switched back into HTTP from HTTPS.Avoid affecting HTTP industry because service server is paralysed The process of business.
Correspondingly, preferred embodiment above illustrates the flow process of authentication of message with the angle of private key server side, The another kind of message verification method below proposing for the application, the method is carried out with the angle of service server Illustrate, as it is shown on figure 3, comprise the following steps:
S301, described service server receives the client key exchange message that described client sends, and obtains Take the preset master key carrying in described client key exchange message.
Owing to PKI and private key separate part are deployed on different equipment, therefore can in the application preferred embodiment Directly private key server is connected by non-encrypted passage with service server, and encryption parameter can use visitor Family end and service server produced client-side random number and service in formal verification preceding step Device side random number, wherein to be described service server send out receiving described client server side random number Setting up of sending generates after secure connection request, sets up that to carry client-side in secure connection request random Number.Additionally, private key server and service server preset identical extra symmetric key
S302, described service server sends described preset master key and encryption parameter to described private key Server so that described private key server according to private key corresponding with described preset master key to described preset Master key is decrypted process, and generates main close according to the preset master key after deciphering and described encryption parameter Key.
S303, described service server finishes Finished according to the server side that described private key server returns Symmetric key after message or encryption, returns integrality response message to described client.
It should be noted that server side Finished message is that described private key server is utilizing in this step The Finished message that described client is sent by described master key carries out integrity verification by rear generation; Symmetric cryptographic key is that described private key server generates according to described master key.Except directly taking according to private key The server side Finished message that business device returns returns outside integrality response message to client, the application Preferred embodiment is for " after the server side Finished message returning according to described private key server or encryption Symmetric key return integrality response message to described client " propose following concrete steps:
Symmetric key after the encryption that the described private key server of step a) described service server reception sends, Described symmetric key is encrypted according to the extra symmetric key of self by described private key server;
The described service server of step b) according to self preset extra symmetric key to encryption after described right Key is claimed to be decrypted process;
Described client is sent by the described service server of step c) according to the described symmetric key after deciphering Data in Finished message carry out integrity data checking, and return to described client after being verified Return described integrality response message.
In order to the technological thought of the application is expanded on further, in conjunction with concrete application scenarios, to the application Technical scheme illustrate.Particularly, present applicant proposes following two specific embodiment:
Specific embodiment one: the program provides the business service of SSL service except PKI is saved in front end Outside device, deposit private key (this is private key server) at the higher place of safe class deployment server separately. It when service server needs to use private key, transmit a request to reach private key server, by private key server Use in this locality private key to process data, result is returned to service server.Concrete steps It is explained as follows:
I. client (service server) initiates to set up the request of secure connection, and this is logical Cross what a ClientHello message completed, containing random number Client being generated by client in this message Random。
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version After the contents such as basis, encryption suite, a Server Random random number and above-mentioned information are used Server Hello packet sends back to client.
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate Relevant information, such as domain name, Email, certificate expiry time etc..Also with a PKI in certificate (Public Key), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one PreMaster Secret, and after using the PKI in certificate to be encrypted this PreMaster Secret, to Server end sends ClientKeyExchange message, wherein with the PreMaster Secret after encryption. Client now uses this PreMaster Secret and Client Random and Server Random to generate Master Secret。
Vi. user end to server sends ChangeCipherSpec message, states the data of follow-up transmission The AES negotiating can be used to encrypt and continue to send a Fnished message, this message contain through Crossing the encrypted one piece of data of symmetry algorithm, this segment data is the summary info for message before, is used for Server end carries out data integrity validation.
Vii. server is after the ClientKeyExchange receiving client, owing to this locality does not has Preserve and the corresponding private key of certificate, it is therefore desirable to by PreMaster Secret, Client Random after encryption It is sent to long-range private key server with Server Random to process.In order to prevent data at midway quilt Distort, need to do digital signature to above-mentioned data.
Viii. private key server is after receiving above-mentioned data, uses and corresponding private key in certificate, to wherein Encrypted PreMaster Secret be decrypted, and by itself and Client Random and Server Random enters row operation together and obtains Master Secret.Drawing symmetric cryptography based on Master Secret Key.
Ix. private key server is by the Master Secret generating and symmetric cryptographic key, uses another one They are encrypted by symmetric key, are then sent to server end, and server end is receiving this encryption number According to rear, same symmetric key is used to decipher it, it is thus achieved that MasterSecret and symmetric cryptographic key.With In the extra symmetric key to data encryption, need to be deployed to server end and private key server end in advance, And timing updates.
X., after the data that received server-side is returned to private key server response, use symmetric key to client Data in the Finished message that end sends are decrypted and then verify according to the summary info after deciphering There is the integrality of data.
Xi. last server end in the same way to client send ChangeCipherSpec and Finished message, client uses same method to verify.If the verification passes, then so far shake hands Stage terminates, and flow process enters data transfer phase.
Xii. at data transfer phase, server end and client use the symmetry being negotiated by handshake procedure Data key encrypts and decrypts operation, due to one of the element generating symmetric key PreMaster Secret is encrypted transmission, so assailant cannot generate symmetric key, it is ensured that the safety of data.
Specific embodiment two: the program has separated symmetric key further so that the data after shaking hands are led to The encrypting and decrypting of letter part, has been also transferred on private key server.Specifically comprise the following steps that
I. client (service server) initiates to set up the request of secure connection, and this is logical Cross what a ClientHello message completed, containing random number Client being generated by client in this message Random。
Ii. server end is after receiving the request setting up secure connection that client is sent out, and is determining agreement version After the contents such as basis, encryption suite, a Server Random random number and above-mentioned information are used Server Hello packet sends back to client.
Iii. server end sends certificate to client, have recorded the service of server end offer in certificate Relevant information, such as domain name, Email, certificate expiry time etc..Also with a PKI in certificate (Public Key), the corresponding private key of this PKI is stored in server end.
Iv. server sends ServerHelloDone message.
V. client is after receiving above-mentioned 3 messages, the legitimacy of verification certificate, then generates one PreMaster Secret, and after using the PKI in certificate to be encrypted this PreMaster Secret, to Server end sends ClientKeyExchange message, wherein with the PreMaster Secret after encryption. Client now uses this PreMaster Secret and Client Random and Server Random to generate Master Secret。
Vi. user end to server sends ChangeCipherSpec message, states the data of follow-up transmission The AES negotiating can be used to encrypt and continue to send a Fnished message, this message contain through Crossing the encrypted one piece of data of symmetry algorithm, this segment data is the summary info for message before, is used for Server end carries out data integrity validation.
Vii. server is after the ClientKeyExchange receiving client, owing to this locality does not has Preserve and the corresponding private key of certificate, it is therefore desirable to by PreMaster Secret, Client Random after encryption With Server Random, and client send Finshed message and pending server end Finished message, is sent to long-range private key server and processes.In order to prevent data from being usurped in midway Change, need to do digital signature to above-mentioned data.
Viii. private key server is after receiving above-mentioned data, uses and corresponding private key in certificate, to wherein Encrypted PreMaster Secret be decrypted, and by itself and Client Random and Server Random enters row operation together and obtains Master Secret.Drawing symmetric cryptography based on Master Secret Key.Then private key server uses the Fnished message of Master Secret checking client, and uses Master Secret generates final server end Finished message.
Ix. the server end Finished message of generation is sent to server end by private key server.
X. last server end in the same way to client send ChangeCipherSpec and Finished message, client uses same method to verify.If the verification passes, then so far shake hands Stage terminates, and flow process enters data transfer phase.
Xi. at data transfer phase, due to server end and be not preserved in handshake phase consult right Claiming key, therefore encryption data is after reaching server end, needs to be further transmitted to private key server It is decrypted, or for server end data to be sent, it is also desirable to it is sent initially to private key server It is encrypted.So so the step relating to encryption/decryption has all been transferred on private key server.
For reaching above technical purpose, the application also proposed a kind of authentication of message equipment, as shown in Figure 4, Described equipment is applied to include client, service server and described private key service as private key server In the system of device, 4 include:
Receiver module 410, for the preset master after described service server reception encryption parameter and encryption Key, described preset master key is the client key exchange that described service server sends from described client Message obtains;
Deciphering module 420, is used for according to the corresponding private key with described preset master key to described preset master key It is decrypted process, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module 430, for generating symmetric cryptographic key according to described master key;
Authentication module 440, for utilizing described master key to carry out integrity verification process to described client Return integrality response message by described service server to described client afterwards, or described symmetry is added Decryption key sends to described service server, so that described service server is close according to described symmetric cryptography Key carries out integrity verification and processes backward described client return integrality response message to described client.
In concrete application scenarios, described authentication module specifically for:
Send the described symmetric key after encryption to described service server, so that described service server After described symmetric key after to described encryption is decrypted, utilize described symmetric key to described client The data finishing in Finished message that end sends carry out integrity data checking, and are being verified Backward described client returns integrality response message.
In concrete application scenarios, the described symmetric key after described authentication module will be encrypted sends to institute State service server, particularly as follows:
Described symmetric key is encrypted by described authentication module according to the extra symmetric key of self, And send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
In concrete application scenarios, described authentication module specifically includes:
Checking submodule, is carried out for the Fnished message utilizing described master key to send described client Integrity verification;
Generate submodule, be used for after described checking submodule confirms that described integrity verification passes through, according to Described primary message generate for respond described Finished message server side Finished message, and will Described server side Finished message sends to described service server, so that described service server root Return integrality response message according to described server side Finished message to described client.
In concrete application scenarios, described private key server is led to by non-encrypted with described service server Road connects, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
The application also proposed a kind of authentication of message equipment, as it is shown in figure 5, described equipment takes as business Business device is applied to include in the system of client, described service server and private key server, this equipment Including:
Receiver module 510, the client key sending for receiving described client exchanges message, and obtains institute State the preset master key carrying in client key exchange message;
Sending module 520, for sending described preset master key and encryption parameter to described private key service Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Respond module 530, for according to described private key server return server side finish Finished report Symmetric key after literary composition or encryption, returns integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key The Finished message sending described client carries out integrity verification by rear generation;Described symmetry Encryption key is that described private key server generates according to described master key.
In concrete application scenarios, described respond module specifically includes:
Receive submodule, be used for the symmetric key after receiving the encryption that described private key server sends, described Symmetric key is encrypted according to the extra symmetric key of self by described private key server;
Deciphering submodule, is used for according to self preset extra symmetric key close to the described symmetry after encryption Key is decrypted process;
Checking submodule, for send to described client according to the described symmetric key after deciphering Data in Finished message carry out integrity data checking, and return to described client after being verified Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
In concrete application scenarios, described private key server is led to by non-encrypted with described service server Road connects, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
Through the above description of the embodiments, those skilled in the art is it can be understood that arrive this Shen Please be realized by hardware, it is also possible to the mode adding necessary general hardware platform by software realizes. Based on such understanding, the technical scheme of the application can embody with the form of software product, and this is soft Part product can be stored in a non-volatile memory medium, and (can be CD-ROM, USB flash disk, movement be hard Dish etc.) in, including some instructions are with so that a computer equipment (can be personal computer, take Business device, or the network equipment etc.) each implements the method described in scene to perform the application.
It will be appreciated by those skilled in the art that accompanying drawing is a schematic diagram being preferable to carry out scene, in accompanying drawing Module or flow process not necessarily implement necessary to the application.
It will be appreciated by those skilled in the art that the module in the device implemented in scene can be according to enforcement scene Describe and carry out being distributed in the device implementing scene, it is also possible to carry out respective change and be disposed other than this enforcement In one or more devices of scene.The module of above-mentioned enforcement scene can merge into a module, it is possible to To be further split into multiple submodule.
Above-mentioned the application sequence number, just to describing, does not represent the quality implementing scene.
The several scenes that are embodied as being only the application disclosed above, but, the application is not limited to This, the changes that any person skilled in the art can think of all should fall into the protection domain of the application.

Claims (16)

1. a message verification method, it is characterised in that described method is applied to include client, business In the system of server and private key server, the method includes:
The preset master after described service server receives encryption parameter and encryption is close for described private key server Key, described preset master key is the client key exchange report that described service server sends from described client Obtain in Wen;
Described preset master key is entered by described private key server according to private key corresponding with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Described private key server generates symmetric cryptographic key according to described master key;
Described private key server is after utilizing described master key to carry out integrity verification process to described client Return integrality response message by described service server to described client, or by described symmetric cryptography Key sends to described service server, so that described service server is according to described symmetric cryptographic key Carry out integrity verification to described client and process backward described client return integrality response message.
2. the method for claim 1, it is characterised in that described private key server is by described symmetry Encryption key sends to described service server, particularly as follows:
Described symmetric key after described private key server will be encrypted sends to described service server, so that After described symmetric key after to described encryption for the described service server is decrypted, utilize described symmetry The data finishing in Finished message that client described in double secret key sends carry out integrity data checking, And return integrality response message to described client after being verified.
3. method as claimed in claim 2, it is characterised in that after described private key server will be encrypted Described symmetric key sends to described service server, particularly as follows:
Described private key server is encrypted place according to the extra symmetric key of self to described symmetric key Reason, and send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
4. the method for claim 1, it is characterised in that described private key server is described in utilization Master key passes through described service server to described client carry out integrity verification process to described client after End returns integrality response message, particularly as follows:
The Finished message that described client is sent by master key described in described private key server by utilizing is carried out Integrity verification;
If described integrity verification passes through, described private key server generates according to described primary message and is used for responding Described Finished message server side Finished message, and by described server side Finished Message sends to described service server, so that described service server is according to described server side Finished Message returns integrality response message to described client.
5. the method as described in any one of claim 1-4, it is characterised in that described private key server with Described service server is connected by non-encrypted passage, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
6. a message verification method, it is characterised in that described method is applied to include client, business In the system of server and private key server, the method includes:
Described service server receives the client key exchange message that described client sends, and obtains described The preset master key carrying in client key exchange message;
Described service server sends described preset master key and encryption parameter to described private key service Device, so that described private key server is close to described preset master according to private key corresponding with described preset master key Key is decrypted process, and generates master key according to the preset master key after deciphering and described encryption parameter;
Described service server finishes Finished message according to the server side that described private key server returns Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key The Finished message sending described client carries out integrity verification by rear generation;Described symmetry Encryption key is that described private key server generates according to described master key.
7. method as claimed in claim 6, it is characterised in that described service server is according to described private Symmetric key after the server side Finished message of key server return or encryption returns to described client Return integrality response message, particularly as follows:
Symmetric key after the encryption that the described private key server of described service server reception sends, described right Key is claimed to be encrypted according to the extra symmetric key of self by described private key server;
Described service server according to self preset extra symmetric key to encryption after described symmetric key It is decrypted process;
Described client is sent by described service server according to the described symmetric key after deciphering Data in Finished message carry out integrity data checking, and return to described client after being verified Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
8. the method as described in any one of claim 6 or 7, it is characterised in that described private key server Being connected by non-encrypted passage with described service server, described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
9. an authentication of message equipment, it is characterised in that described equipment is applied to bag as private key server Including in the system of client, service server and described private key server, this equipment includes:
Receiver module, close for the preset master after receiving encryption parameter and encryption from described service server Key, described preset master key is the client key exchange report that described service server sends from described client Obtain in Wen;
Deciphering module, for according to described preset master key is entered by corresponding private key with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Generation module, for generating symmetric cryptographic key according to described master key;
Authentication module, for after utilizing described master key to carry out integrity verification process to described client Return integrality response message by described service server to described client, or by described symmetric cryptography Key sends to described service server, so that described service server is according to described symmetric cryptographic key Carry out integrity verification to described client and process backward described client return integrality response message.
10. equipment as claimed in claim 9, it is characterised in that described authentication module specifically for:
Send the described symmetric key after encryption to described service server, so that described service server After described symmetric key after to described encryption is decrypted, utilize described symmetric key to described client The data finishing in Finished message that end sends carry out integrity data checking, and are being verified Backward described client returns integrality response message.
11. equipment as claimed in claim 10, it is characterised in that after described authentication module will be encrypted Described symmetric key sends to described service server, particularly as follows:
Described symmetric key is encrypted by described authentication module according to the extra symmetric key of self, And send the described symmetric key after described encryption to described service server;
Wherein, described private key server and described service server preset identical extra symmetric key.
12. equipment as claimed in claim 9, it is characterised in that described authentication module specifically includes:
Checking submodule, is carried out for the Fnished message utilizing described master key to send described client Integrity verification;
Generate submodule, be used for after described checking submodule confirms that described integrity verification passes through, according to Described primary message generate for respond described Finished message server side Finished message, and will Described server side Finished message sends to described service server, so that described service server root Return integrality response message according to described server side Finished message to described client.
13. equipment as described in any one of claim 9-12, it is characterised in that described private key server Being connected by non-encrypted passage with described service server, described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
14. 1 kinds of authentication of message equipment, it is characterised in that described equipment is applied to as service server Including in the system of client, described service server and private key server, this equipment includes:
Receiver module, the client key sending for receiving described client exchanges message, and obtains described The preset master key carrying in client key exchange message;
Sending module, for sending described preset master key and encryption parameter to described private key server, So that described preset master key is entered by described private key server according to private key corresponding with described preset master key Row decryption processing, and generate master key according to the preset master key after deciphering and described encryption parameter;
Respond module, finishes Finished message for the server side returning according to described private key server Or the symmetric key after encryption, return integrality response message to described client;
Wherein, described server side Finished message is that described private key server is utilizing described master key The Finished message sending described client carries out integrity verification by rear generation;Described symmetry Encryption key is that described private key server generates according to described master key.
15. equipment as claimed in claim 14, it is characterised in that described respond module specifically includes:
Receive submodule, be used for the symmetric key after receiving the encryption that described private key server sends, described Symmetric key is encrypted according to the extra symmetric key of self by described private key server;
Deciphering submodule, is used for according to self preset extra symmetric key close to the described symmetry after encryption Key is decrypted process;
Checking submodule, for send to described client according to the described symmetric key after deciphering Data in Finished message carry out integrity data checking, and return to described client after being verified Return described integrality response message;
Wherein, described private key server and described service server preset identical extra symmetric key.
16. equipment as described in any one of claims 14 or 15, it is characterised in that described private key takes Business device is connected by non-encrypted passage with described service server, and described encryption parameter at least includes:
Client-side random number, server side random number;
Wherein, described server side random number is that described service server is receiving the transmission of described client Set up and generate after secure connection request, described foundation carries described client-side in secure connection request Random number.
CN201510098568.6A 2015-03-05 2015-03-05 Message authentication method and device Pending CN105991622A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510098568.6A CN105991622A (en) 2015-03-05 2015-03-05 Message authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510098568.6A CN105991622A (en) 2015-03-05 2015-03-05 Message authentication method and device

Publications (1)

Publication Number Publication Date
CN105991622A true CN105991622A (en) 2016-10-05

Family

ID=57039314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510098568.6A Pending CN105991622A (en) 2015-03-05 2015-03-05 Message authentication method and device

Country Status (1)

Country Link
CN (1) CN105991622A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108574687A (en) * 2017-07-03 2018-09-25 北京金山云网络技术有限公司 A kind of communication connection method for building up, device and electronic equipment
CN108881257A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 Distributed search cluster encrypted transmission method and encrypted transmission distributed search cluster
CN109842664A (en) * 2017-11-29 2019-06-04 苏宁云商集团股份有限公司 A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS
CN112235766A (en) * 2020-09-09 2021-01-15 易兆微电子(杭州)股份有限公司 POS terminal positioning and data transmission method based on Bluetooth BENP system
WO2022111102A1 (en) * 2020-11-24 2022-06-02 北京金山云网络技术有限公司 Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679066A (en) * 2002-07-12 2005-10-05 英格里安网络公司 Network attached encryption
WO2007045395A1 (en) * 2005-10-20 2007-04-26 Ubs Ag Device and method for carrying out cryptographic operations in a server-client computer network system
CN101459506A (en) * 2007-12-14 2009-06-17 华为技术有限公司 Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
CN102932350A (en) * 2012-10-31 2013-02-13 华为技术有限公司 TLS (Transport Layer Security) scanning method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679066A (en) * 2002-07-12 2005-10-05 英格里安网络公司 Network attached encryption
WO2007045395A1 (en) * 2005-10-20 2007-04-26 Ubs Ag Device and method for carrying out cryptographic operations in a server-client computer network system
CN101459506A (en) * 2007-12-14 2009-06-17 华为技术有限公司 Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
CN102932350A (en) * 2012-10-31 2013-02-13 华为技术有限公司 TLS (Transport Layer Security) scanning method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108574687A (en) * 2017-07-03 2018-09-25 北京金山云网络技术有限公司 A kind of communication connection method for building up, device and electronic equipment
CN108574687B (en) * 2017-07-03 2020-11-27 北京金山云网络技术有限公司 Communication connection establishment method and device, electronic equipment and computer readable medium
CN109842664A (en) * 2017-11-29 2019-06-04 苏宁云商集团股份有限公司 A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS
CN108881257A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 Distributed search cluster encrypted transmission method and encrypted transmission distributed search cluster
CN112235766A (en) * 2020-09-09 2021-01-15 易兆微电子(杭州)股份有限公司 POS terminal positioning and data transmission method based on Bluetooth BENP system
WO2022111102A1 (en) * 2020-11-24 2022-06-02 北京金山云网络技术有限公司 Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium

Similar Documents

Publication Publication Date Title
US20210385201A1 (en) Systems and methods for secure multi-party communications using aproxy
EP3642997B1 (en) Secure communications providing forward secrecy
EP3534565B1 (en) Data transmission method, apparatus and system
CN108352015B (en) Secure multi-party loss-resistant storage and encryption key transfer for blockchain based systems in conjunction with wallet management systems
US10708072B2 (en) Mutual authentication of confidential communication
US9065637B2 (en) System and method for securing private keys issued from distributed private key generator (D-PKG) nodes
KR102015201B1 (en) Efficient start-up for secured connections and related services
CN108886468B (en) System and method for distributing identity-based key material and certificates
CN102833253B (en) Set up method and server that client is connected with server security
JP5845393B2 (en) Cryptographic communication apparatus and cryptographic communication system
CN109891423B (en) Data encryption control using multiple control mechanisms
US11870891B2 (en) Certificateless public key encryption using pairings
JP2003298568A (en) Authenticated identification-based cryptosystem with no key escrow
CN110635901B (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN103427998A (en) Internet data distribution oriented identity authentication and data encryption method
US10291600B2 (en) Synchronizing secure session keys
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN105991622A (en) Message authentication method and device
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN110493367A (en) The non-public server of unaddressed IPv6, client computer and communication means
Rizvi et al. A trusted third-party (TTP) based encryption scheme for ensuring data confidentiality in cloud environment
CN113098681B (en) Port order enhanced and updatable blinded key management method in cloud storage
CN108462677A (en) A kind of file encrypting method and system
CN114760053B (en) Distribution method, device, equipment and medium of symmetric key
EP3769462B1 (en) Secure distribution of device key sets over a network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned
AD01 Patent right deemed abandoned

Effective date of abandoning: 20200811