CN106341375A - Method and system for realizing resource encrypted access - Google Patents

Info

Publication number
CN106341375A
Authority
CN
China
Prior art keywords
described
service server
services device
decryption services
master key
Prior art date
Application number
CN201510413498.9A
Other languages
Chinese (zh)
Inventor
沈坤
余子军
刘强
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Priority to CN201510413498.9A
Publication of CN106341375A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0823: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to network resources

Abstract

The invention discloses a method and a system for realizing resource encrypted access. The method for realizing resource encrypted access comprises the steps of: receiving a primary secret key ciphertext forwarded by a service server through a decryption server, wherein the primary secret key ciphertext is generated during the handshake of the service server and a client; and decrypting the primary secret key ciphertext according to a deployed private key certificate, so as to provide a primary secret key plaintext, wherein the primary secret key plaintext obtained through decryption is used for generating a secret key for resource encrypted access between the service server and the client. The system for realizing resource encrypted access corresponds to the method, and comprises the service server and the decryption server which interacts with the service server, wherein the decryption server comprises a receiving unit and a decryption unit. The method and the system can avoid the defect that the service server has low service processing capacity, and can improve the security of resource access.

Description

Method and system for realizing encrypted resource access

Technical field

The present invention relates to the field of computer application technology, and more particularly to a method and system for realizing encrypted resource access.

Background technology

With the rise of emerging services on the World Wide Web such as e-commerce and online banking, users' daily lives have become much more convenient, and such services enjoy wide popularity. Because these services carry out transactions online, their security requirements for network services are higher than those of ordinary business. The traditional http protocol (hyper text transfer protocol) of the WWW has no security mechanism, so resource access carried out over plain http cannot meet the security requirements of such services.

A common solution to this drawback of resource access is to add the ssl (secure socket layer) protocol on top of the http protocol, forming the https protocol (hyper text transfer protocol over ssl); the ssl protocol then encrypts resources on the internet to ensure that they are transmitted securely.

Generally, when a client accesses a resource on a service server it initiates a user access request, i.e. an https request. A secure link must first be established through a handshake between the client and the service server, and the client's encrypted access to resources on the service server is then carried out over this secure link.

The secure link is established synchronously: while the service server is receiving user access requests, it must also use its private key to decrypt the master key ciphertext produced by the client and generate, from the master key plaintext obtained by decryption, the key used to encrypt resource access between the client and the service server. Because the decryption is slow and consumes a large amount of the service server's cpu resources, further user access requests cannot be accepted in time, which leaves the service server with low service processing capacity and harms the user's experience and access quality.

Summary of the invention

It is therefore necessary to provide a method for realizing encrypted resource access that avoids the low service processing capacity of the service server while also improving the security of resource access.

It is also necessary to provide a system for realizing encrypted resource access that avoids the low service processing capacity of the service server while also improving the security of resource access.

To solve the above technical problem, the technical solution adopted by the present invention is:

A method for realizing encrypted resource access comprises: receiving, by a decryption server, a master key ciphertext forwarded by a service server, the master key ciphertext being generated during the handshake between the service server and a client; and decrypting the master key ciphertext according to a deployed private key certificate to provide the master key plaintext to the service server; wherein the master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.

A system for realizing encrypted resource access comprises a service server and a decryption server interacting with the service server, the decryption server comprising: a receiving unit for receiving the master key ciphertext forwarded by the service server, the master key ciphertext being generated during the handshake between the service server and a client; and a decryption unit for decrypting the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server; wherein the master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.

Compared with the prior art, the present invention has the following advantages:

When a client triggers encrypted resource access, the master key ciphertext forwarded by the service server is received by a dedicated decryption server, which decrypts it according to the deployed private key certificate. The master key ciphertext is thus processed asynchronously during resource access by the decryption server, abandoning the existing synchronous way of establishing the secure link: the decryption of the master key ciphertext is no longer performed on the service server. In other words, with the cooperation of the decryption server, the processing of the master key ciphertext, which consumes most of the service server's cpu resources during encrypted resource access between client and service server, is handed to a back-end decryption server. This reduces the service server's cpu consumption, lets it process more business efficiently, and solves the long-standing problem of low service processing capacity while keeping resource access secure.

Further, since the private key certificate is deployed on the decryption server, which unlike the service server is transparent to the client, the private key certificate need not be exposed on the public network. This reduces the risk of private key certificate leakage and further improves the security of resource access on the service server.

Brief description of the drawings

Fig. 1 is a flowchart of the method for realizing encrypted resource access of one embodiment;

Fig. 2 is a flowchart of the method for realizing encrypted resource access of another embodiment;

Fig. 3 is a flowchart of the method for realizing encrypted resource access of another embodiment;

Fig. 4 is a flowchart of the method for realizing encrypted resource access of another embodiment;

Fig. 5 is a flowchart of the step in Fig. 1 in which the decryption server decrypts the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server;

Fig. 6 is a flowchart of the method for realizing encrypted resource access of another embodiment;

Fig. 7 is a topology diagram of the system for realizing encrypted resource access of a specific embodiment;

Fig. 8 is a sequence diagram of encrypted resource access in a specific embodiment;

Fig. 9 is a structural block diagram of the system for realizing encrypted resource access of one embodiment;

Figure 10 is a structural block diagram of the system for realizing encrypted resource access of another embodiment;

Figure 11 is a structural block diagram of the system for realizing encrypted resource access of another embodiment;

Figure 12 is a structural block diagram of the system for realizing encrypted resource access of another embodiment;

Figure 13 is a structural block diagram of the decryption unit in Fig. 9;

Figure 14 is a structural block diagram of the system for realizing encrypted resource access of another embodiment;

Figure 15 is a schematic structural diagram of the server of an embodiment of the present invention.

Specific embodiments

Exemplary embodiments that embody the features and advantages of the present invention are described in detail below. It should be understood that the present invention can be varied in different embodiments without departing from its scope, and that the description and drawings are for illustration only and do not limit the present invention.

As mentioned above, existing secure access to resources on a service server is implemented over the ssl protocol: with ssl, resource access carried out over the http protocol first establishes a secure link between the client and the service server, which then secures subsequent resource access.

This secure link still has defects. For the service server, establishing the secure link with the client consumes considerable cpu resources, which leaves a service server providing encrypted resource access to a massive number of clients with low service processing capacity. Moreover, the private key certificate used to establish the secure link is deployed on the service server, i.e. it is exposed on the public network, which increases the risk of private key certificate leakage and reduces the security of resource access.

Therefore, to improve the service processing capacity of the service server and at the same time improve the security of resource access, a method for realizing encrypted resource access is proposed. The method may rely on a computer program running on a server.

Referring to Fig. 1, in one embodiment a method for realizing encrypted resource access includes:

Step 110: a decryption server receives a master key ciphertext forwarded by a service server, the master key ciphertext having been generated during the handshake between the service server and a client.

The service server stores various resources and provides the entry point for clients' resource access, realizing the services the client requests with the stored resources. For example, if the client is a browser, the service server is the server hosting a website and stores resources such as the web pages the site can provide to the browser; if the client is a virtual social network tool, the service server stores the virtual social network resources and returns resources such as pictures in response to the resource access requests the tool triggers.

To ensure secure resource access, whenever a client accesses a resource on the service server, a secure link between the client and the service server is first established through a handshake between them; during this handshake the service server forwards the master key ciphertext received from the client to the decryption server.

The decryption server is a high-performance server dedicated to processing master key ciphertexts; it has strong computing capability and is independent of the business, so it processes master key ciphertexts with very high efficiency.

The master key ciphertext is generated by the client through encryption during the handshake and already carries a certain degree of security; the service server therefore performs no processing on it during forwarding but sends it directly to the decryption server for decryption, ensuring security while retaining high processing efficiency.

Step 130: the master key ciphertext is decrypted according to the deployed private key certificate to provide the master key plaintext to the service server. The master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.

Decrypting the master key ciphertext forwarded by the service server on the decryption server breaks the synchronous establishment of the secure link found in existing encrypted resource access: the decryption of the master key ciphertext is no longer performed by the service server but is completed asynchronously by the back-end decryption server, so that a large share of the service server's cpu resources is freed for processing more business, improving its service processing capacity.

On the other hand, because decryption of the master key ciphertext is split off from the service server and placed on the back-end decryption server, the private key certificate used for that decryption is also deployed on the decryption server. The decryption server is transparent to the client, so the private key certificate no longer has to be exposed, together with the service server, on the public network where the client resides; this reduces the risk of private key certificate leakage and improves the security of resource access.

With the cooperation of the decryption server, the service server obtains the master key plaintext. Both the client that triggered the resource access and the service server providing the resource now hold the master key plaintext, and each computes its own key from it according to the encryption/decryption algorithm negotiated in advance during the handshake. This key provides a secure channel for subsequent resource transmission between the service server and the client, realizing the client's encrypted resource access.

In summary, by having the decryption server decrypt the master key ciphertext asynchronously, the service server is freed from the heavy work of decrypting the master key ciphertext and only has to forward it, leaving more cpu resources for the various business-related client requests and solving the long-standing problem of low service processing capacity.

Referring to Fig. 2, in one embodiment the method for realizing encrypted resource access further includes, before step 110:

Step 210: the service server responds to a user access request sent by the client, stores the random numbers obtained during its handshake with the client, and provides its public key certificate to the client.

User access requests include handshake requests and resource access requests. A handshake request starts the handshake between the client and the service server in order to establish the secure link over which resources are transmitted, so that subsequent encrypted resource access can be carried out over it. A resource access request is initiated by the client after the handshake completes, and the service server responds to it by returning a resource response message containing the requested resource.

During the handshake the client and the service server each generate a random number and exchange them. To further guarantee legitimacy, the service server also provides its public key certificate to the client, which the client uses to verify the service server's identity; once the certificate passes verification, the client encrypts a randomly generated password string with it to obtain the master key ciphertext.

Further, the encryption algorithm to be used for encrypted resource access may be negotiated between the client and the service server; the corresponding key is then computed on the basis of the negotiated algorithm and used to protect subsequent resource access between them.

As above, the random numbers generated by the client and the service server and the master key ciphertext are all used to compute the corresponding key, while the public key certificate serves on the one hand to verify the service server's identity on the client and on the other hand to generate the master key ciphertext, ensuring a secure key exchange between the client and the service server.

The handshake may of course also negotiate the available protocol version, the Diffie-Hellman key exchange algorithm and the mac (message authentication code) algorithm used for message integrity verification, ensuring that handshake messages are neither stolen nor tampered with and further improving the security of resource access.

Step 230: the master key ciphertext, obtained by the client by encrypting the generated random password string according to the public key certificate, is received.

The client first verifies the legitimacy of the service server's public key certificate; if verification succeeds it extracts the service server's public key from the certificate and encrypts its randomly generated password string with that public key to generate the master key ciphertext sent to the service server.

In other embodiments, before the master key ciphertext is sent to the service server, the service server may require further verification of the client's identity. In that procedure the client encrypts the handshake history with its private key and sends the encrypted handshake history together with a public key certificate carrying the client public key to the service server; after verifying that the client's public key certificate is legitimate, the service server uses the client public key extracted from it to decrypt and match the encrypted handshake history, securing the link and further improving the security of resource access.

Step 250: the master key ciphertext is forwarded to the allocated decryption server.

In this embodiment there are multiple decryption servers for decrypting master key ciphertexts, and the service server's private key certificate can be deployed on each of them.

Further, before forwarding the master key ciphertext, the service server may monitor in advance the state of the decryption server allocated to it, to ensure the reliability of the decryption server that receives the forwarded master key ciphertext and thus the smooth operation of encrypted resource access.

In one embodiment the method for realizing encrypted resource access further includes, before step 130:

The service server generates a key from the master key plaintext and the random numbers obtained during its handshake with the client.

The random numbers obtained by the service server during the handshake include the random number generated by the client and the random number generated by the service server itself; the key generated by the service server is only the key of the service server side.

Specifically, the service server computes a first session key, the key of the service server side, from the master key plaintext, the random number generated by the client and the random number generated by itself, according to the encryption/decryption algorithm negotiated during the handshake.

Meanwhile, the client computes a second session key, the key of the client side, from the master key plaintext, the random number generated by the service server and the random number generated by itself, according to the same negotiated encryption/decryption algorithm.

The first session key and the second session key are symmetric and identical. The secure link is established with these session keys, realizing symmetrically encrypted transmission for subsequent resource access between the client and the service server, so that resource access is protected from theft and tampering and the high security requirements of network transmission are met.
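The handshake of steps 210 through 250 and the session key derivation just described, worked through end to end as an added example; this is illustration code written for this page, not code from the patent or from the assignee. It assumes a toy textbook RSA key pair standing in for the public key certificate and private key certificate (no padding, 512-bit modulus, for readability only), assumes HMAC-SHA256 over the master key plaintext and the two random numbers as the "negotiated encryption/decryption algorithm", and uses a simple round-robin pick to model step 250. The property worth checking is that the service server never holds the private key and still ends up with the same session key as the client.

```python
import hashlib
import hmac
import secrets

MASTER_KEY_LEN = 48  # bytes of the client's random password string (assumed length)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (only needed to build the toy RSA key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Toy RSA key pair: (e, n) plays the public key certificate, (d, n) the private key certificate."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p == q:
            continue
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if phi % e == 0:  # e is prime, so this is the only way gcd(e, phi) != 1
            continue
        return (e, n), (pow(e, -1, phi), n)


def session_key(master_plaintext, client_random, server_random):
    """Assumed stand-in for the negotiated algorithm: both sides feed the same three inputs."""
    msg = b"resource-access-key" + client_random + server_random
    return hmac.new(master_plaintext, msg, hashlib.sha256).digest()


class DecryptionServer:
    """Back-end server holding the private key certificate (steps 110 and 130)."""

    def __init__(self, private_key):
        self._private_key = private_key
        self.decryptions = 0

    def decrypt_master_key(self, ciphertext):
        d, n = self._private_key
        self.decryptions += 1
        return pow(ciphertext, d, n).to_bytes(MASTER_KEY_LEN, "big")


class ServiceServer:
    """Holds only the public key; forwards ciphertexts round-robin (step 250) and derives its key."""

    def __init__(self, public_key, decryption_servers):
        self.public_key = public_key
        self._pool = decryption_servers
        self._next = 0

    def handshake(self, client_random, master_key_ciphertext):
        server_random = secrets.token_bytes(32)  # step 210: own random number, stored for key derivation
        target = self._pool[self._next % len(self._pool)]
        self._next += 1
        master = target.decrypt_master_key(master_key_ciphertext)  # no local private-key work
        return server_random, session_key(master, client_random, server_random)


class Client:
    def __init__(self, public_key):
        self.public_key = public_key

    def start_handshake(self):
        self.client_random = secrets.token_bytes(32)
        self.master = secrets.token_bytes(MASTER_KEY_LEN)  # random password string
        e, n = self.public_key
        ciphertext = pow(int.from_bytes(self.master, "big"), e, n)  # step 230
        return self.client_random, ciphertext

    def finish(self, server_random):
        return session_key(self.master, self.client_random, server_random)


def run_handshakes(num_decryptors=2, num_clients=4):
    """Run several handshakes; report whether both sides agree and how ciphertexts were spread."""
    public_key, private_key = rsa_keygen(512)
    pool = [DecryptionServer(private_key) for _ in range(num_decryptors)]
    service = ServiceServer(public_key, pool)
    agreed = []
    for _ in range(num_clients):
        client = Client(public_key)
        client_random, ciphertext = client.start_handshake()
        server_random, server_key = service.handshake(client_random, ciphertext)
        agreed.append(server_key == client.finish(server_random))
    return {"keys_match": all(agreed), "decryptions": [d.decryptions for d in pool]}


if __name__ == "__main__":
    print(run_handshakes())
```

A real deployment would use a padded public-key scheme and a standard key schedule in place of the toy pieces here; the structure to keep is that the only component that ever sees the private key is the decryption server, and the service server's work per handshake is one forward plus one HMAC.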

Referring to Fig. 3, in one embodiment the method for realizing encrypted resource access further includes, before step 250:

Step 310: the service server obtains the issued available decryption server message.

The available decryption server message is issued to the service server by another server interacting with it. The interaction between the service server and that server may use the network transport protocol, or other transport protocols depending on transmission needs; which protocol is used depends on the interaction mode between them. In this embodiment the available decryption server message is transmitted between that server and the service server over the http protocol.

The available decryption server message may include the number of available decryption servers, their ip addresses and their status information. Allocation of decryption servers is realized through this message.

The available decryption server message may be issued to the service server periodically or whenever it is updated. For example, when a decryption server fails, the number of available decryption servers changes accordingly and the message is updated, so that the server issues the updated available decryption server message.

Step 330: the decryption server that decrypts the received master key ciphertext is allocated according to the available decryption server message.

If the service server learns from the available decryption server message the specific number of available decryption servers interacting with it and their corresponding ip addresses (internet protocol addresses), it can allocate the received master key ciphertexts in turn to the different decryption servers for decryption according to a polling mechanism.

If the service server learns the status information of the available decryption servers from the message, for example the cpu resource occupancy of each decryption server, it can also allocate the received master key ciphertexts to the decryption server with the lowest cpu resource consumption for decryption.

In practice the above process is realized by a decryption dispatch server, which ensures reasonable allocation of decryption servers as well as their availability.

Referring to Fig. 4, in one embodiment the method for realizing encrypted resource access further includes, before step 310:

Step 410: a decryption dispatch server receives the status information reported by the decryption servers in order to monitor their state.

The status information is reported to the decryption dispatch server by the decryption server. The interaction between the decryption dispatch server and the decryption server may use the network transport protocol, or other transport protocols depending on transmission needs; which protocol is used depends on the interaction mode between them. In this embodiment the status information is transmitted between the decryption dispatch server and the decryption server over the http protocol.

The status information includes the number of requests processed per period, the number of failures, the health status, and the load on the decryption server's cpu, memory, hard disk and network card. By monitoring the decryption server's state through its status information it is determined whether the decryption server is an available decryption server, which allows the corresponding available decryption server message to be generated.

Preferably, the decryption dispatch server judges a decryption server with reasonable load and strong availability to be an available decryption server. Reasonable load is understood as the load on the decryption server's cpu, memory, hard disk and network card being within a preset range; strong availability is understood as the number of requests processed and the number of failures per period being within a preset range and/or the decryption server's health status being healthy.

For example, the health status of a decryption server may be judged from whether its listening port is available and whether its service process exists; if the listening port is unavailable, the health status is judged unhealthy and the decryption server is a poorly available decryption server.

The status information may be reported to the decryption dispatch server periodically, or each time the decryption server completes the decryption of a master key ciphertext, so that the decryption dispatch server keeps track of each decryption server's state in time and can more efficiently schedule the available decryption servers on which the private key certificate is deployed to the service server.

Step 430: an available decryption server message is generated according to the state of the decryption servers and issued to the service server.

Further, according to the status information reported by a decryption server, the decryption dispatch server judges whether that status information is within the preset range, and generates the available decryption server message according to the resulting state of the decryption server.

If it is, the decryption server reporting that status information is an available decryption server. For example, if the cpu resource occupancy of the decryption server in the status information is not higher than 75%, the decryption server reporting it is judged available, and the decryption dispatch server packs the relevant information of this available decryption server into a packet to generate the corresponding available decryption server message. The relevant information includes at least the ip address of the decryption server, for subsequent interaction between the service server and this available decryption server.

If it is not, the decryption server reporting that status information is a poorly available decryption server, and the decryption dispatch server handles it according to a predetermined processing mode. For example, it is automatically shielded so that no information related to it is included in the issued available decryption server message; or fault detection and repair are carried out on it by manual intervention; or the number of master key ciphertexts it may receive is limited to prevent it from running overloaded.

In this embodiment the specific number of decryption servers can be controlled according to actual business needs to form a decryption server cluster without unnecessary cost. The decryption dispatch server monitors each decryption server through the status information it reports to ensure the availability of the cluster, which also facilitates dynamic expansion or reduction of the cluster to better coordinate with the service server.

Refer to Fig. 5; in one embodiment, step 130 includes:

Step 131, receive, at a specified location, the private key certificate deployed by the decryption scheduling server.

Specifically, the private key certificate of the service server is first stored in advance at a certain location by the decryption scheduling server.

Then, the private key certificate is copied from its storage location and sent over an encrypted channel to the specified location on the decryption server, which completes the deployment of the private key certificate.

The so-called encrypted channel means that, before sending the copied private key certificate, the decryption scheduling server encrypts it with an encryption algorithm and an encryption key and then sends it to the decryption server; after the decryption server receives the encrypted private key certificate, it uses the corresponding decryption algorithm and decryption key to decrypt it and obtain the private key certificate. This ensures the security of the private key certificate in transit between the decryption scheduling server and the decryption server. The encrypted channel can be an SSH (Secure Shell) channel, or a channel encrypted with another security protocol.

Step 133, load the private key certificate into the decryption service process by executing the instruction corresponding to the decryption service process.

Step 135, run the decryption service process, so as to decrypt the master key ciphertext with the service server private key contained in the private key certificate.

In the handshake between the client and the service server, the master key ciphertext is generated by the client encrypting a randomly generated random password string with the service server public key in the verified public key certificate. Correspondingly, in the asymmetric decryption process, the decryption server runs the decryption service process and decrypts the master key ciphertext with the service server private key in the private key certificate, thereby obtaining the master key plaintext to be provided to the service server.

In this embodiment, multiple decryption servers are deployed with the private key certificate, forming a decryption server cluster that carries out the decryption of master key ciphertexts more effectively. Because a decryption server is used only for decryption and is independent of the business logic, it can devote all of its CPU resources to the cryptographic computation, and therefore has stronger computing capability than the service server. Using the computing capability of this cluster to decrypt the master key ciphertext generated with the asymmetric encryption algorithm not only reduces the CPU consumption of the service server and improves its service processing performance, but also avoids deploying the private key certificate on a service server exposed to the public network: the deployment scope of the private key certificate is confined to the decryption server cluster, which reduces the risk of private key certificate leakage and improves the security of resource access.

Refer to Fig. 6; in one embodiment, after step 130, the method for realizing encrypted resource access further includes:

Step 510, the decryption server encrypts the master key plaintext with the agreed encryption algorithm to obtain a first ciphertext.

The encryption algorithm is agreed in advance by the decryption server and the service server; it can be an asymmetric encryption algorithm or a symmetric encryption algorithm. Encrypting the master key plaintext with this agreed algorithm improves the security of transmission between the decryption server and the service server.

In this embodiment, the agreed encryption algorithm is a high-strength symmetric encryption algorithm, that is, the decryption server and the service server use the same key, which reduces the complexity of decrypting the first ciphertext on the service server.

Step 530, send the first ciphertext to the service server, so that the service server obtains the master key plaintext after decrypting it with the agreed encryption algorithm.

The service server decrypts the received first ciphertext with the high-strength symmetric encryption algorithm of step 510, so that decryption does not consume excessive CPU resources. This differs from existing decryption processes, in which the slow asymmetric encryption algorithm consumes more CPU resources. The service server can therefore release more CPU resources to accept more user access requests, which improves its request processing performance and hence its traffic handling capacity.

In one embodiment, after step 130, the method for realizing encrypted resource access further includes:

According to the encrypted resource access initiated by the client, using the key, on a resource in the service server, return the resource encrypted with the key to the client.

That is, after the client and the service server have each generated the key, the resource access process between them, for example the resource access request initiated by the client, or the resource returned by the service server in response to that request, must first be encrypted with this key before it can be used.

Further, a resource in the service server may be a Word document, a web page or a picture; correspondingly, the clients initiating encrypted access to different resources in the service server may correspond to different applications. For example, if encrypted access is initiated to a web page, the client may be a browser; if encrypted access is initiated to a picture, the client may be any of various virtual social networking tools, such as the WeChat application.

It is worth mentioning that, in other embodiments, before the client initiates encrypted access to a resource in the service server, a message integrity verification mechanism may also be used to judge whether the handshake history has been tampered with, to ensure the security of the interaction between the client and the service server and thereby further improve the security of resource access. For example, the client and the service server each calculate a MAC value over the handshake history using the MAC algorithm negotiated during the handshake, and exchange them in Finished messages encrypted with the key; if each side verifies that the two MAC values are identical, the handshake history has not been tampered with and the encryption algorithm and key have been negotiated successfully, which completes the handshake between the client and the service server.

Fig. 7 is a topology diagram of the system for realizing encrypted resource access of a specific embodiment, and Fig. 8 is the sequence diagram of encrypted resource access of the same embodiment. In one embodiment, the pictures of a WeChat official account stored on the service server use the HTTPS protocol; the encrypted resource access process carried out by a user who wants to view such a picture through WeChat as the client comprises two stages: 1) a handshake stage and 2) a resource access stage. The encrypted resource access process is implemented on the basis of the SSL protocol and is described as follows with reference to Fig. 7 and Fig. 8.

Step 601, the client initiates a handshake request to the service server, sending the protocol versions and encryption algorithms the client supports to the service server.

Step 602, the service server responds to the handshake request with a response message containing the protocol version and encryption algorithm it has selected. After the client receives this response message, the exchange of handshake information between the client and the service server is regarded as finished, and the two have completed negotiation of the protocol version, the encryption algorithm and so on.

Step 603, after negotiation is finished, the client generates the master key ciphertext from a randomly generated random password string and sends it to the service server.

Step 604, the service server forwards the client's master key ciphertext directly to a decryption server.

Step 605, the decryption server decrypts the master key ciphertext forwarded by the service server, re-encrypts the result, and responds to the service server with the first ciphertext.

Step 606, the service server decrypts the first ciphertext from the decryption server to obtain the master key plaintext, which is consistent with the client's; the service server and the client each generate the key for subsequent encrypted resource access from this master key plaintext. At this point the handshake between the client and the service server is complete, that is, the handshake stage is complete.

Step 607, the client encrypts a resource access request with this key and sends the encrypted resource access request to the service server.

Step 608, the service server returns the encrypted picture to the client according to the content requested in the resource access request. After the client receives the encrypted picture, the resource access stage is complete, and the client has achieved encrypted access to the picture resource in the service server.

Meanwhile, the above encrypted resource access process further includes the following steps:

Step 609, the decryption servers in the decryption server cluster report status information to the decryption scheduling server, so that the decryption scheduling server can monitor the state of the decryption servers.

Step 610, the decryption scheduling server determines the available decryption servers according to the state of the decryption servers and deploys the private key certificate to the available decryption servers, so that the available decryption servers can decrypt the master key ciphertext with the private key certificate.

Step 611, the decryption scheduling server generates an available-decryption-server message according to the state of the decryption servers and issues it to the service server, so that the service server can allocate an available decryption server for decryption.

Steps 609 to 611 only need to be completed before the service server forwards the master key ciphertext, that is, before step 604; this embodiment places no further limitation on them.

Refer to Fig. 9; in one embodiment, a system 700 for realizing encrypted resource access includes a service server 80 and a decryption server 70 interacting with the service server 80, and the decryption server 70 includes a receiving unit 710 and a decryption unit 730.

The receiving unit 710 is used for the decryption server to receive the master key ciphertext forwarded by the service server, the master key ciphertext being generated by the service server in the handshake with the client.

The decryption unit 730 is used to decrypt the master key ciphertext according to the deployed private key certificate, to provide the master key plaintext to the service server.

The master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.

Refer to Figure 10; in one embodiment, the service server 80 further includes a request response unit 810, a master key ciphertext receiving unit 830 and a forwarding unit 850.

The request response unit 810 is used for the service server 80 to respond to the user access request sent by the client, so that the service server 80 stores the random number obtained when handshaking with the client and provides the public key certificate to the client.

The master key ciphertext receiving unit 830 is used to receive the master key ciphertext obtained by the client encrypting the generated random password with the public key certificate.

The forwarding unit 850 is used to forward the master key ciphertext to the allocated decryption server.

In one embodiment, the service server further includes a key generating unit.

The key generating unit is used for the service server to generate the key from the master key plaintext and the random number obtained when handshaking with the client.

Refer to Figure 11; in one embodiment, the service server 80 further includes a message retrieval unit 910 and an allocation unit 930.

The message retrieval unit 910 is used for the service server to obtain the issued available-decryption-server message.

The allocation unit 930 is used to allocate, according to the available-decryption-server message, the decryption server that decrypts the received master key ciphertext.

Refer to Figure 12; in one embodiment, the system 700 for realizing encrypted resource access further includes a decryption scheduling server 90 interacting with the decryption server 70 and the service server 80, and the decryption scheduling server 90 includes a monitoring unit 1010 and a message issuing unit 1030.

The monitoring unit 1010 is used for the decryption scheduling server to receive the status information reported by the decryption servers, to monitor the state of the decryption servers.

The message issuing unit 1030 is used to generate the available-decryption-server message according to the state of the decryption servers and to issue the available-decryption-server message to the service server.

Refer to Figure 13; in one embodiment, the decryption unit 730 includes a private key certificate receiving module 731, a private key certificate loading module 733 and a private key decryption module 735.

The private key certificate receiving module 731 is used to receive, at the specified location, the private key certificate deployed by the decryption scheduling server.

The private key certificate loading module 733 is used to load the private key certificate into the decryption service process by executing the instruction corresponding to the decryption service process.

The private key decryption module 735 is used to run the decryption service process, to decrypt the master key ciphertext with the private key in the private key certificate.

Refer to Figure 14; in one embodiment, the decryption server 70 further includes a master key plaintext encryption unit 1110 and a first ciphertext sending unit 1130.

The master key plaintext encryption unit 1110 is used for the decryption server to encrypt the master key plaintext with the agreed encryption algorithm to obtain the first ciphertext.

The first ciphertext sending unit 1130 is used to send the first ciphertext to the service server, so that the service server obtains the master key plaintext after decrypting it with the agreed encryption algorithm.

In one embodiment, the service server further includes a resource returning unit.

The resource returning unit is used to return the resource encrypted with the key to the client, according to the encrypted resource access initiated by the client, using the key, on a resource in the service server.

Refer to Figure 15, which is a schematic structural diagram of a server 1200 according to an embodiment of the present invention. The steps performed by the service server, by the decryption server or by the decryption scheduling server in the above embodiments can all be carried out on the server structure shown in this figure.

The server 1200 may vary considerably with its configuration or performance, and comprises a power supply 1210, an interface 1230, at least one storage medium 1250 and at least one central processing unit (CPU) 1270.

Specifically, the power supply 1210 provides the operating voltage for each hardware device on the server 1200.

The interface 1230 includes at least one wired or wireless network interface 1231, at least one serial-to-parallel conversion interface 1233, at least one input/output interface 1235, at least one USB interface 1237 and so on, for communicating with external devices.

The storage medium 1250, as the carrier on which resources are stored, may be random access memory, a magnetic disk, an optical disc or the like; the resources stored on it include an operating system 1251, application programs 1253 and data 1255, and they may be stored temporarily or permanently. The operating system 1251 manages and controls the hardware devices and the application programs 1253 on the server 1200, so that the central processing unit 1270 can compute on and process the large amount of data 1255; it may be Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc. An application program 1253 is a computer program that completes at least one specific job on top of the operating system 1251; it may include at least one module (not shown), each of which may include a series of operation instructions for the server 1200. The data 1255 may be Word documents, web pages, pictures and the like stored on the disk.

The central processing unit 1270 may include one or more processors and is set up to communicate with the storage medium 1250 over a bus, for computing on and processing the large amount of data 1255 in the storage medium 1250.

The central processing unit 1270 reads the series of operation instructions stored in the storage medium 1250 and executes them on the server 1200 on top of the operating system 1251 held in the storage medium 1250; all or part of the steps of the above embodiments are thereby completed by running the relevant computer program on the server.

The above are only preferred embodiments of the present invention and are not intended to limit its implementation. Those of ordinary skill in the art can easily make corresponding changes or modifications according to the main concept and spirit of the present invention; therefore the protection scope of the present invention shall be defined by the claims.

Claims (16)

1. A method for realizing encrypted resource access, characterized by comprising:
receiving, by a decryption server, a master key ciphertext forwarded by a service server, the master key ciphertext being generated by the service server in a handshake with a client; and
decrypting the master key ciphertext according to a deployed private key certificate, to provide the master key plaintext to the service server;
wherein the master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.
2. The method of claim 1, characterized in that, before the step of receiving, by the decryption server, the master key ciphertext forwarded by the service server, the master key ciphertext being generated by the service server in the handshake with the client, the method further comprises:
responding, by the service server, to the user access request sent by the client, so that the service server stores the random number obtained when handshaking with the client and provides a public key certificate to the client;
receiving the master key ciphertext obtained by the client encrypting a generated random password with the public key certificate; and
forwarding the master key ciphertext to the allocated decryption server.
3. The method of claim 2, characterized in that, after the step of decrypting the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server, the method further comprises:
generating, by the service server, the key from the master key plaintext and the random number obtained when handshaking with the client.
4. The method of claim 2, characterized in that, before the step of forwarding the master key ciphertext to the allocated decryption server, the method further comprises:
obtaining, by the service server, the issued available-decryption-server message; and
allocating, according to the available-decryption-server message, the decryption server that decrypts the received master key ciphertext.
5. The method of claim 4, characterized in that, before the step of obtaining, by the service server, the issued available-decryption-server message, the method further comprises:
receiving, by a decryption scheduling server, the status information reported by the decryption servers, to monitor the state of the decryption servers; and
generating the available-decryption-server message according to the state of the decryption servers, and issuing the available-decryption-server message to the service server.
6. The method of claim 1, characterized in that the step of decrypting the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server comprises:
receiving, at a specified location, the private key certificate deployed by a decryption scheduling server;
loading the private key certificate into a decryption service process by executing the instruction corresponding to the decryption service process; and
running the decryption service process, to decrypt the master key ciphertext with the service server private key in the private key certificate.
7. The method of claim 1, characterized in that, after the step of decrypting the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server, the method further comprises:
encrypting, by the decryption server, the master key plaintext with an agreed encryption algorithm to obtain a first ciphertext; and
sending the first ciphertext to the service server, so that the service server obtains the master key plaintext after decrypting with the agreed encryption algorithm.
8. The method of claim 1, characterized in that, after the step of decrypting the master key ciphertext according to the deployed private key certificate to provide the master key plaintext to the service server, the method further comprises:
returning, according to the encrypted resource access initiated by the client with the key on a resource in the service server, the resource encrypted with the key to the client.
9. A system for realizing encrypted resource access, characterized by comprising a service server and a decryption server interacting with the service server, the decryption server comprising:
a receiving unit, used for the decryption server to receive the master key ciphertext forwarded by the service server, the master key ciphertext being generated by the service server in a handshake with a client; and
a decryption unit, used to decrypt the master key ciphertext according to a deployed private key certificate, to provide the master key plaintext to the service server;
wherein the master key plaintext obtained by decryption is used to generate the key for encrypted resource access between the service server and the client.
10. The system of claim 9, characterized in that the service server comprises:
a request response unit, used for the service server to respond to the user access request sent by the client, so that the service server stores the random number obtained when handshaking with the client and provides a public key certificate to the client;
a master key ciphertext receiving unit, used to receive the master key ciphertext obtained by the client encrypting a generated random password with the public key certificate; and
a forwarding unit, used to forward the master key ciphertext to the allocated decryption server.
11. The system of claim 10, characterized in that the service server further comprises:
a key generating unit, used for the service server to generate the key from the master key plaintext and the random number obtained when handshaking with the client.
12. The system of claim 10, characterized in that the service server further comprises:
a message retrieval unit, used for the service server to obtain the issued available-decryption-server message; and
an allocation unit, used to allocate, according to the available-decryption-server message, the decryption server that decrypts the received master key ciphertext.
13. The system of claim 12, characterized by further comprising a decryption scheduling server interacting with the decryption server and the service server, the decryption scheduling server comprising:
a monitoring unit, used for the decryption scheduling server to receive the status information reported by the decryption servers, to monitor the state of the decryption servers; and
a message issuing unit, used to generate the available-decryption-server message according to the state of the decryption servers and to issue the available-decryption-server message to the service server.
14. The system of claim 9, characterized in that the decryption unit comprises:
a private key certificate receiving module, used to receive, at a specified location, the private key certificate deployed by the decryption scheduling server;
a private key certificate loading module, used to load the private key certificate into a decryption service process by executing the instruction corresponding to the decryption service process; and
a private key decryption module, used to run the decryption service process, to decrypt the master key ciphertext with the service server private key in the private key certificate.
15. The system of claim 9, characterized in that the decryption server further comprises:
a master key plaintext encryption unit, used for the decryption server to encrypt the master key plaintext with an agreed encryption algorithm to obtain a first ciphertext; and
a first ciphertext sending unit, used to send the first ciphertext to the service server, so that the service server obtains the master key plaintext after decrypting with the agreed encryption algorithm.
16. The system of claim 9, characterized in that the service server further comprises:
a resource returning unit, used to return, according to the encrypted resource access initiated by the client with the key on a resource in the service server, the resource encrypted with the key to the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510413498.9A CN106341375A (en) 2015-07-14 2015-07-14 Method and system for realizing resource encrypted access


Publications (1)

Publication Number Publication Date
CN106341375A true CN106341375A (en) 2017-01-18

Family

ID=57826350




Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination