CN106572109B - Method and device for implementing encrypted communication based on the TLS protocol - Google Patents

Publication number
CN106572109B
Authority
CN
China
Prior art keywords
cryptographic algorithm
customized
tls
symmetric
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610983468.6A
Other languages
Chinese (zh)
Other versions
CN106572109A (en)
Inventor
刘磊
廖卫民
郭成耀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Age Of Security Polytron Technologies Inc
Guangdong Authentication Technology Co Ltd
Original Assignee
Age Of Security Polytron Technologies Inc
Guangdong Authentication Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The present invention relates to a method and device for implementing encrypted communication based on the TLS protocol. The method includes: configuring a preset computing module into the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms; receiving an encrypted-communication request from a client and identifying, from that request, the encryption methods the client supports; and selecting, from the cryptographic algorithms the computing module is compatible with, a cryptographic algorithm that matches the encryption methods the client supports, then carrying out encrypted communication with the client using the selected algorithm. The invention can extend the cryptographic algorithms of the conventional TLS protocol.

Description

Method and device for implementing encrypted communication based on the TLS protocol
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for implementing encrypted communication based on the TLS protocol.
Background
The Transport Layer Security protocol (TLS) provides confidentiality and data integrity between two communicating applications, and is increasingly widely used to protect data on the Internet.
The basic process of the TLS protocol is: (1) the client requests and verifies the public key; (2) the two sides negotiate and generate a "session key"; (3) the two sides communicate in encrypted form using the "session key". The first two steps are also called the "handshake phase" (handshake), which involves the following four exchanges:
H1, the client sends a request (ClientHello)
The client (usually a browser) first sends the server a request for encrypted communication, called the ClientHello request. The request includes the protocol version the client supports, for example TLS version 1.0; a random number generated by the client, used later to generate the "session key"; the encryption methods the client supports, for example RSA public-key encryption; and the compression methods the client supports.
H2, the server responds (ServerHello)
After receiving the client's request, the server sends a response to the client. The response contains the encrypted-communication protocol version the server confirms it will use, for example TLS version 1.0 (if the versions supported by the browser and the server do not match, the server closes the encrypted communication); a random number generated by the server, used later to generate the "session key"; the encryption method confirmed for use, for example RSA public-key encryption; and a digital certificate.
H3, the client responds
After receiving the server's response, the client first verifies the server certificate. If the certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, a warning is shown to the visitor, who chooses whether to continue communicating. If the certificate has no problem, the client extracts the server's public key from the certificate and then sends the following information to the server:
A random number (also called the pre-master key), encrypted with the server's public key to prevent eavesdropping; a cipher-change notification, indicating that subsequent messages will all be sent using the encryption method and key agreed by both sides; and a client handshake-finished notification, indicating that the client's handshake phase has ended.
H4, the server's final response
After receiving the client's random number (the pre-master key), the server computes the "session key" used for this session. It then finally sends the following information to the client:
A cipher-change notification, indicating that subsequent messages will all be sent using the encryption method and key agreed by both sides; and a server handshake-finished notification, indicating that the server's handshake phase has ended.
At this point the whole handshake phase is complete. The client and server then enter encrypted communication, which is equivalent to using the ordinary HTTP protocol except that the content is encrypted with the "session key".
However, the standard cryptographic algorithms currently defined in the TLS protocol were designed abroad, and their security has not yet been sufficiently proven. Moreover, most existing TLS server software and client software is also developed and maintained abroad, which makes it difficult for that software to be compatible with other cryptographic algorithms.
Summary of the invention
In view of this, embodiments of the present invention provide a method and device for implementing encrypted communication based on the TLS protocol, which can extend the cryptographic algorithms of the TLS protocol.
One aspect of the present invention provides a method for implementing encrypted communication based on the TLS protocol, comprising:
Configuring a preset computing module into the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms;
Receiving an encrypted-communication request from a client, and identifying from that request the encryption methods the client supports;
Selecting, from the cryptographic algorithms the computing module is compatible with, a cryptographic algorithm that matches the encryption methods the client supports, and carrying out encrypted communication with the client using the selected algorithm.
The present invention also provides a method for implementing encrypted communication based on the TLS protocol, comprising:
Reading preset configuration item information and determining whether the local end supports custom cryptographic algorithms;
Sending an encrypted-communication request to the server, and receiving the server's response message to that request;
If the local end supports custom cryptographic algorithms, detecting whether the digital certificate contains extensions for storing the public key of the custom asymmetric cryptographic algorithm and the identifier of the custom symmetric cryptographic algorithm; if so, caching the public key of the custom asymmetric cryptographic algorithm and the identifier of the custom symmetric cryptographic algorithm locally;
Constructing SecretTLS for the custom asymmetric cryptographic algorithm, and encrypting SecretTLS with the cached public key to obtain the custom ciphertext SelfCipher; using the custom ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; and sending the ClientKeyExchange message to the server;
Carrying out encrypted communication with the server using the custom cryptographic algorithm.
The present invention also provides a server-side device for the TLS protocol, comprising:
A configuration module, for configuring a preset computing module into the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms;
A request receiving module, for receiving an encrypted-communication request from a client and identifying from that request the encryption methods the client supports;
An algorithm selection module, for selecting, from the cryptographic algorithms the computing module is compatible with, a cryptographic algorithm that matches the encryption methods the client supports, and carrying out encrypted communication with the client using the selected algorithm.
The present invention also provides a client device for the TLS protocol, comprising:
A detection module, for reading preset configuration item information and determining whether the local end supports custom cryptographic algorithms;
An encryption request module, for sending an encrypted-communication request to the server and receiving the server's response message to that request, the response message including the server's digital certificate;
A certificate parsing module, for detecting, if the local end supports custom cryptographic algorithms, whether the digital certificate contains extensions for storing the public key of the custom asymmetric cryptographic algorithm and the identifier of the custom symmetric cryptographic algorithm; and, if so, caching the public key of the custom asymmetric cryptographic algorithm and the identifier of the custom symmetric cryptographic algorithm locally;
A response module, for constructing SecretTLS for the custom asymmetric cryptographic algorithm, and encrypting SecretTLS with the cached public key to obtain the custom ciphertext SelfCipher; using the custom ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; and sending the ClientKeyExchange message to the server;
A communication module, for carrying out encrypted communication with the server using the custom cryptographic algorithm.
In the above technical solution, a preset computing module is configured into the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms. When an encrypted-communication request is received from a client, the encryption methods the client supports are identified from the request, and a cryptographic algorithm matching those methods can be selected from the algorithms the computing module is compatible with, so that the server carries out encrypted communication with the client using the selected algorithm. It is only necessary to configure a computing module with the compatibility function for mainstream server software (such as Weblogic, Tomcat, IIS, etc.) for the server to support the TLS-standard cryptographic algorithms and the custom cryptographic algorithms at the same time, and to serve both clients that support the custom cryptographic algorithms and clients that do not. This favours the adoption of custom cryptographic algorithms in real application environments.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method for implementing encrypted communication based on the TLS protocol according to one embodiment;
Fig. 2 is a schematic flow chart of the method for implementing encrypted communication based on the TLS protocol according to another embodiment;
Fig. 3 is a schematic diagram of the server-side device for the TLS protocol according to one embodiment;
Fig. 4 is a schematic diagram of the client device for the TLS protocol according to one embodiment.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
Fig. 1 is a schematic flow chart of the method for implementing encrypted communication based on the TLS protocol according to one embodiment. In this embodiment the method is described as applied to the server side of a TLS system. As shown in Fig. 1, the method in this embodiment comprises the steps:
S11, a preset computing module is configured into the server software; the computing module is compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms;
In this embodiment, both the TLS-standard cryptographic algorithms and the custom cryptographic algorithms include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm. The TLS-standard asymmetric cryptographic algorithm and the custom asymmetric cryptographic algorithm are algorithms that satisfy condition one or condition two below:
Condition one: where the TLS system is not required to support compatibility between the TLS-standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the custom asymmetric cryptographic algorithm's encryption result for the pre_master_secret data of the TLS protocol must be less than or equal to the length of the TLS-standard asymmetric cryptographic algorithm's encryption result for pre_master_secret. Here pre_master_secret is the random number used in the TLS protocol to generate the master key.
Condition two: where the TLS system must support compatibility between the TLS-standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the custom asymmetric cryptographic algorithm's encryption result for the three data items pre_master_secret, client_random and server_random of the TLS protocol and a byte of description information must be less than or equal to the length of the TLS-standard asymmetric cryptographic algorithm's encryption result for pre_master_secret. Here client_random is the client random number defined in the TLS protocol, and server_random is the server random number defined in the TLS protocol;
The TLS-standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are algorithms that satisfy condition three below:
Condition three: if compatibility between the TLS-standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm must be supported, the key lengths of the two algorithms must be equal; when the symmetric cryptographic algorithm is a block cipher, the block lengths of the TLS-standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm must also be equal, in addition to the key lengths.
Preferably, the TLS-standard asymmetric cryptographic algorithm is, for example, the RSA algorithm, and the TLS-standard symmetric cryptographic algorithm is, for example, the AES128 algorithm; the custom asymmetric cryptographic algorithm is, for example, the Chinese national-standard (Guomi) SM2 algorithm, and the custom symmetric cryptographic algorithm is, for example, the Guomi SM4 algorithm.
Preferably, after the preset computing module is configured into the server software, when the key pair of the TLS-standard asymmetric cryptographic algorithm is configured for the server, the key pair of the custom asymmetric cryptographic algorithm must also be configured. In addition, corresponding custom extensions must be added to the server's digital certificate, to store the public key of the custom asymmetric cryptographic algorithm and the identifier of the custom symmetric cryptographic algorithm. For example: if the TLS-standard cryptographic algorithms are the RSA algorithm and the AES128 algorithm, and the custom cryptographic algorithms are the Guomi SM2 algorithm (also called the SM2 elliptic-curve public-key cryptographic algorithm) and the Guomi SM4 algorithm (also called the SM4 block cipher), then when the RSA key pair is configured for the server, the corresponding SM2 key pair must also be configured, and two custom extensions are added to the digital certificate issued for the server's RSA public key, one storing the SM2 public key and the other storing the SM4 algorithm identifier.
Because the type of an existing custom asymmetric algorithm can be determined from the length of its public key, the identifier of the custom asymmetric algorithm need not be stored. Of course, for a custom asymmetric algorithm whose type is hard to determine from its public key length, the identifier of that algorithm must also be stored in a custom extension.
S12, an encrypted-communication request is received from a client, and the encryption methods the client supports are identified from that request;
In this embodiment, the client uses two configuration items to determine whether it supports the custom asymmetric cryptographic algorithm and the custom symmetric cryptographic algorithm respectively. The encrypted-communication request includes this configuration item information.
S13, a cryptographic algorithm matching the encryption methods the client supports is selected from the cryptographic algorithms the computing module is compatible with, and encrypted communication with the client is carried out using the selected algorithm.
In this embodiment, if the client does not support the custom asymmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the server selects the TLS-standard asymmetric cryptographic algorithm or the TLS-standard symmetric cryptographic algorithm for encrypted communication with the client; if the client supports the custom asymmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the server selects the custom asymmetric cryptographic algorithm or the custom symmetric cryptographic algorithm for encrypted communication with the client.
The implementation of the method of the above embodiment is described in further detail below. The TLS system corresponding to the method has three parts: configuring the computing module with the compatibility function; configuring the TLS system when the computing module is applied to the TLS protocol; and the interaction scheme between client and server based on that TLS system. The three parts are described in turn below.
One) Configuring the computing module with the compatibility function
The computing module of this embodiment supports an asymmetric cryptographic algorithm and a symmetric cryptographic algorithm. The asymmetric side is compatible with the TLS-standard asymmetric cryptographic algorithm (RSA is used as the example) and the custom asymmetric cryptographic algorithm (Guomi SM2 as the example); the symmetric side is compatible with the TLS-standard symmetric cryptographic algorithm (AES128 as the example) and the custom symmetric cryptographic algorithm (Guomi SM4 as the example). The design is described in the three parts below:
1. Format of the custom ciphertext (also written SelfCipher below): the total length of the custom ciphertext is set equal to the length of the TLS-standard asymmetric cryptographic algorithm's encryption result for pre_master_secret in the TLS protocol. The structure of SelfCipher includes at least two parts, cipher and padding, where cipher is the custom asymmetric cryptographic algorithm's encryption result for SecretTLS, and padding is padding bytes; the number of padding bytes is greater than or equal to 0 and ensures that the length of the custom ciphertext equals the length of the TLS-standard asymmetric cryptographic algorithm's encryption result for pre_master_secret. SecretTLS consists of a pre_master_secret part, which must be present, and infoBytes, client_random and server_random parts, which may be present; infoBytes, client_random and server_random are treated as a whole, so the three are either all present or all absent. pre_master_secret is the pre_master_secret defined by the TLS protocol, i.e. the random number used to generate the master key; infoBytes is description information of at least one byte, describing information such as the current TLS version and the type of the custom symmetric algorithm; client_random is the client random number client_random defined by the TLS protocol; server_random is the server random number server_random defined by the TLS protocol.
For example, the total length of the custom SM2 ciphertext SelfCipher equals the modulus length of the RSA private key, which is required to be not less than 2048 bits (256 bytes), and SelfCipher is defined as the DER encoding of the following ASN.1 structure:
where the fields are defined as:
Version: 1 byte, identifies the version of the custom SM2 ciphertext format;
cipher: the SM2 encryption result of SecretTLS, i.e. cipher = SM2Enc(SecretTLS); SecretTLS is defined below;
cipherCRC32: the 4-byte CRC32 check code of cipher;
padding: padding bytes; the number of padding bytes is greater than or equal to 0 and ensures that the length of the custom SM2 ciphertext exactly equals the modulus length of the RSA private key;
SecretTLS is defined as the DER encoding of the following ASN.1 structure:
where the fields are defined as:
VersionTLS: 1 byte, identifies the version of the TLS protocol;
SymmAlgo: 1 byte, a non-zero value identifying the type of the custom symmetric cryptographic algorithm; a value of 0 indicates that no custom symmetric cryptographic algorithm is supported;
pre_master_secret: the pre_master_secret defined by the TLS protocol, currently defined as 48 bytes for the RSA algorithm;
client_random: the client random number defined by the TLS protocol, currently defined as 32 bytes;
server_random: the server random number defined by the TLS protocol, currently defined as 32 bytes.
2. Each record of the symmetric key table is configured to consist of the following 4 data columns:
SymmAlgo, RecordTime, client_write_key, server_write_key,
The meaning of each column is as follows:
SymmAlgo: identifies the type of the custom symmetric cryptographic algorithm, defined as a non-zero positive integer value;
RecordTime: identifies the time at which this record was created;
client_write_key: the client_write_key defined in the TLS protocol, i.e. the key the client uses to encrypt data when it performs a write operation;
server_write_key: the server_write_key defined in the TLS protocol, i.e. the key the server uses to encrypt data when it performs a write operation.
Preferably, a maintenance mechanism can also be set for the computing module: at regular intervals, records that have existed in the symmetric key table for longer than a set limit are removed. How long a record has existed in the table can be calculated from the current time maintained inside the computing module and the record's RecordTime. This maintenance mechanism helps the whole system keep running normally over long periods.
3. Configuring the server-side computing logic, which comprises:
3.1, when the computing module performs a custom asymmetric cryptographic algorithm decryption, it analyses the input data and performs the corresponding computation. One custom asymmetric cryptographic computation is completed by the following steps:
Step 1, analyse the content of the input data, which falls into three cases:
(1) custom ciphertext: jump to step 3; (2) data to be signed in TLS-standard format: jump to step 2; (3) other data matching neither format (1) nor (2) above: jump to step 2;
Step 2, perform the TLS-standard asymmetric cryptographic algorithm decryption on the input data, output the result, and jump to step 7;
Step 3, parse the custom ciphertext SelfCipher to obtain cipher, then decrypt cipher with the private key of the custom asymmetric cryptographic algorithm, which yields pre_master_secret and, if present, infoBytes, client_random and server_random; then go to step 4;
Step 4, determine whether the result decrypted in step 3 contains infoBytes, client_random and server_random; if it does, jump to step 5; if it does not, jump to step 6.
Step 5, using the relevant algorithm defined in the TLS protocol version described by the infoBytes obtained in step 3, compute client_write_key and server_write_key from pre_master_secret, client_random and server_random, then record them in the symmetric key table. For the specific computation, see the following related content in the TLS protocol text:
Jump to step 7;
Step 6: reassemble the pre_master_secret obtained from the step 3 decryption according to the result format of the TLS standard asymmetric cryptographic algorithm decryption, use the assembled result as the output of the TLS standard asymmetric cryptographic algorithm decryption calculation, and jump to step 7;
Step 7: the TLS standard asymmetric cryptographic algorithm decryption calculation ends;
3.2 When the computing module performs a TLS standard asymmetric cryptographic algorithm signature verification calculation, it does not analyze the input data; it performs the TLS standard asymmetric cryptographic algorithm signature verification calculation on all input data.
3.3 The computing module completes a customized symmetric cryptographic encryption or decryption calculation through the following steps:
Step 1: first query whether the input symmetric key exists in the current symmetric key table. If it does not exist, jump to step 2; if it exists, jump to step 3;
Step 2: calculate on the input data using the TLS standard symmetric cryptographic algorithm, output the calculated result, and jump to step 4;
Step 3: switch automatically, inside the computing module, to calculating on the input data using the customized symmetric cryptographic algorithm, output the calculated result, and jump to step 4;
Step 4: the customized symmetric cryptographic calculation ends.
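The following sketch is an added example, not code from the patent: it carries out step 5 of 3.1 (deriving client_write_key and server_write_key) and the key-table lookup of 3.3, together with the RecordTime-based cleanup the claims describe. It assumes the TLS 1.2 PRF from RFC 5246 with SHA-256, 20-byte MAC keys and 16-byte cipher keys; the constants `SYMM_ALGO_SM4` and `STANDARD` and all class and function names are hypothetical.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Assumptions (not fixed by the patent): TLS 1.2 PRF with SHA-256 (RFC 5246),
# 20-byte MAC keys, 16-byte cipher keys (AES128 and SM4 both use 128-bit keys).
MAC_KEY_LEN = 20
ENC_KEY_LEN = 16
SYMM_ALGO_SM4 = 1   # hypothetical non-zero SymmAlgo value
STANDARD = 0        # hypothetical marker: no record, use the TLS standard cipher


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data expansion from RFC 5246 section 5, instantiated with SHA-256."""
    out, a = b"", seed                       # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_write_keys(pre_master_secret: bytes, client_random: bytes,
                      server_random: bytes) -> tuple:
    """Step 5 of 3.1: return (client_write_key, server_write_key)."""
    master = p_sha256(pre_master_secret,
                      b"master secret" + client_random + server_random, 48)
    need = 2 * MAC_KEY_LEN + 2 * ENC_KEY_LEN
    block = p_sha256(master, b"key expansion" + server_random + client_random, need)
    off = 2 * MAC_KEY_LEN                    # the two MAC keys come first
    return (block[off:off + ENC_KEY_LEN],
            block[off + ENC_KEY_LEN:off + 2 * ENC_KEY_LEN])


@dataclass(frozen=True)
class KeyRecord:
    """One row of the symmetric key table, using the patent's column names."""
    SymmAlgo: int
    RecordTime: float
    client_write_key: bytes
    server_write_key: bytes


class SymmetricKeyTable:
    def __init__(self, max_age_seconds: float):
        self.max_age_seconds = max_age_seconds
        self._records = []

    def record(self, symm_algo, client_write_key, server_write_key, now=None):
        if symm_algo <= 0:
            raise ValueError("SymmAlgo must be a non-zero positive integer")
        now = time.time() if now is None else now
        self._records.append(
            KeyRecord(symm_algo, now, client_write_key, server_write_key))

    def select_algorithm(self, key: bytes) -> int:
        """3.3 steps 1-3: SymmAlgo if the input key is recorded, else STANDARD."""
        for rec in self._records:
            # Bitwise | so both constant-time comparisons always run.
            if (hmac.compare_digest(key, rec.client_write_key)
                    | hmac.compare_digest(key, rec.server_write_key)):
                return rec.SymmAlgo
        return STANDARD

    def purge(self, now=None) -> int:
        """Drop records older than the limit; return how many were removed."""
        now = time.time() if now is None else now
        before = len(self._records)
        self._records = [r for r in self._records
                         if now - r.RecordTime <= self.max_age_seconds]
        return before - len(self._records)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real handshake.
    pms = bytes([3, 3]) + bytes(range(46))
    cwk, swk = derive_write_keys(pms, bytes(range(32)), bytes(range(32, 64)))
    table = SymmetricKeyTable(max_age_seconds=3600)
    table.record(SYMM_ALGO_SM4, cwk, swk, now=1000.0)
    print(table.select_algorithm(cwk), table.select_algorithm(bytes(16)))
    print(table.purge(now=1000.0 + 3601), table.select_algorithm(cwk))
```

Each record holds live traffic keys, so the purge limit bounds how long they stay in server memory; once a record is purged, the same key falls back to the TLS standard cipher.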
Two) TLS system configuration
Configuring the TLS system consists of the following 4 parts:
1. The above computing module is configured into the server software;
2. When the key pair of the TLS standard asymmetric cryptographic algorithm is configured for the server end, the key pair corresponding to the customized asymmetric cryptographic algorithm is also configured for the server;
For example: when an RSA key pair is configured for the server-end computing module, the corresponding SM2 key pair is configured for it as well;
3. Customized extensions are added to the digital certificate of the server end, for storing the public key of the customized asymmetric cryptographic algorithm and the identifier of the customized symmetric cryptographic algorithm;
For example: two customized extensions are added to the digital certificate issued for the RSA public key of the server-end computing module; one stores the SM2 public key, and the other stores the identifier of the customized symmetric cryptographic algorithm supported by the server end (such as SM4).
4. The client determines through two configuration items, respectively, whether it supports the customized asymmetric cryptographic algorithm and the customized symmetric cryptographic algorithm.
Three) TLS system interaction scheme
If the client does not support the customized asymmetric cryptographic algorithm, it interacts with the server end entirely according to the standard TLS protocol. If the client supports the customized asymmetric cryptographic algorithm, the client needs to carry out customized processing at several points of the TLS interaction, as follows:
Processing 1. The client caches the random number ClientHello.random in the ClientHello message;
Processing 2. The client caches the random number ServerHello.random in the ServerHello message returned by the server end;
Processing 3. The client parses the customized extensions of the digital certificate in the Certificate message returned by the server end. If the certificate contains no customized extensions storing the customized asymmetric cryptographic algorithm public key and the customized symmetric cryptographic algorithm identifier, the client interacts with the server end entirely according to the standard TLS protocol in the subsequent interaction and performs none of the customized processing below. Otherwise, it caches the customized asymmetric cryptographic algorithm public key and the customized symmetric cryptographic algorithm identifier from the certificate, and carries out the following customized processing in the subsequent interaction.
Processing 4. When the client generates the ClientKeyExchange message, it constructs the customized asymmetric cryptographic algorithm encrypted result SecretTLS from the previously cached data and its own configuration, encrypts the SecretTLS with the customized asymmetric cryptographic algorithm public key in the server-end digital certificate, and finally constructs the customized ciphertext SelfCipher, which it uses as part of the ClientKeyExchange message; ClientKeyExchange is the client key exchange message defined in the TLS protocol. If the client and the server-end digital certificate indicate that either side does not support the customized cryptographic algorithm, the client interacts with the server end entirely according to the standard TLS protocol in the subsequent interaction and performs none of the customized processing below. Otherwise, it carries out the following customized processing in the subsequent interaction.
Processing 5. During Application Data, the client performs encryption and decryption calculations using the customized cryptographic algorithm (such as SM4).
With the method for realizing encrypted communication based on the TLS protocol of the foregoing embodiment, it is only necessary to configure a compatible computing module for mainstream server software (such as Weblogic, Tomcat, IIS, etc.) for the server end to support the TLS standard cryptographic algorithms and the customized cryptographic algorithms at the same time, and to serve both clients that support the customized cryptographic algorithms and clients that do not, which favors the adoption of customized cryptographic algorithms in practical application environments.
Fig. 2 is a schematic flow chart of the method for realizing encrypted communication based on the TLS protocol according to another embodiment of the present invention. This embodiment is described with the method applied to the client end of a TLS system. As shown in Fig. 2, the method for realizing encrypted communication based on the TLS protocol comprises the steps:
S21: read preset configuration item information and determine whether the local end supports the customized cryptographic algorithm;
In this embodiment, if it is detected that the local end does not support the customized cryptographic algorithm, the cryptographic algorithm of the TLS standard is used for encrypted communication with the server end, and there is no need to detect whether the digital certificate returned by the server contains the extension for storing the public key corresponding to the customized asymmetric cryptographic algorithm and the extension for the customized symmetric cryptographic algorithm identifier.
S22: send an encrypted communication request to the server end and receive the server's response message to the encrypted communication request, the response message including the digital certificate of the server end;
In this embodiment, the encrypted communication request provides the following information to the server:
(1) the supported protocol version, such as TLS version 1.0; (2) a random number generated by the client, later used to generate the "session key"; (3) the supported encryption methods, such as RSA public key encryption; (4) the supported compression methods.
S23: if step S21 detects that the local end supports the customized cryptographic algorithm, detect whether the digital certificate contains the extensions for storing the public key corresponding to the customized asymmetric cryptographic algorithm and the customized symmetric algorithm identifier; if they exist, cache the public key corresponding to the customized asymmetric cryptographic algorithm and the customized symmetric algorithm identifier locally;
In this embodiment, after receiving the server response, the client first verifies the server certificate. If the certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, a warning is shown to the visitor, who chooses whether to continue the communication; if the certificate has no problem, the client then detects whether the digital certificate returned by the server contains the extensions for storing the public key corresponding to the customized asymmetric cryptographic algorithm and the customized symmetric algorithm identifier.
S24: construct the customized asymmetric cryptographic algorithm encrypted result SecretTLS, and encrypt the SecretTLS with the cached public key to obtain SelfCipher; use the customized ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; send the ClientKeyExchange message to the server, indicating that all subsequent information will be sent using the agreed encryption method and key;
In addition, the following information also needs to be sent to the server: (1) a random number (also called the "pre-master key"), which is encrypted with the server public key to prevent eavesdropping; (2) the client handshake end notification, indicating that the handshake phase of the client has ended; this item is also the hash value of all previously sent content, used by the server for verification.
S25: carry out encrypted communication with the server end using the customized asymmetric cryptographic algorithm or the customized symmetric cryptographic algorithm.
That is, during Application Data the client can perform encryption/decryption calculations using the customized symmetric cryptographic algorithm (such as the national cryptographic algorithm SM4), or using the customized asymmetric cryptographic algorithm (such as the national cryptographic algorithm SM2).
Through this embodiment, the client can carry out encrypted communication with the server end by the TLS standard cryptographic algorithm, and can also carry out encrypted communication with the server end by the customized cryptographic algorithm, which improves the flexibility of the client and helps improve the security of the communication.
It should be noted that, for simplicity of description, the foregoing method embodiments are each expressed as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described sequence of actions, because according to the present invention certain steps can be performed in other sequences or simultaneously.
Based on the same idea as the method for realizing encrypted communication based on the TLS protocol in the above embodiments, the present invention also provides a device for realizing encrypted communication based on the TLS protocol, which can be used to execute the above method. For ease of description, the structural schematic diagrams of the device embodiments show only the parts related to the embodiments of the present invention. Those skilled in the art will understand that the illustrated structure does not limit the device, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
Fig. 3 is a schematic diagram of the server-side device of the TLS protocol according to one embodiment of the invention; the device includes:
Configuration module 310, for configuring a preset computing module into the server software; the computing module is compatible with the TLS standard asymmetric cryptographic algorithm and the TLS standard symmetric cryptographic algorithm, and is also compatible with the customized asymmetric cryptographic algorithm and the customized symmetric cryptographic algorithm;
Request receiving module 320, for receiving the encrypted communication request of the client and identifying, according to the encrypted communication request, the encryption methods supported by the client;
And algorithm selection module 330, for selecting, from the cryptographic algorithms compatible with the computing module, a cryptographic algorithm suited to the encryption methods supported by the client, and carrying out encrypted communication with the client using the selected cryptographic algorithm.
Preferably, the configuration module can also be used for: when configuring the key pair of the TLS standard asymmetric cryptographic algorithm for the server end, also configuring the key pair corresponding to the customized asymmetric cryptographic algorithm for the server; and for adding customized extensions to the digital certificate of the server end, for storing the public key of the customized asymmetric cryptographic algorithm and the identifier of the customized symmetric cryptographic algorithm. For example, two corresponding customized extensions can be added to the digital certificate of the server end: one for storing the public key of the customized asymmetric cryptographic algorithm, the other for storing the identifier of the customized symmetric cryptographic algorithm.
In this embodiment, the cryptographic algorithms of the TLS standard and the customized cryptographic algorithms each include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm. The TLS standard asymmetric cryptographic algorithm and the customized asymmetric cryptographic algorithm are algorithms that satisfy the following condition one or condition two:
Condition one: where the TLS system is not required to support compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm, the length of the customized asymmetric cryptographic algorithm's encrypted result for the pre_master_secret data in the TLS protocol is required to be less than or equal to the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret;
Condition two: where the TLS system needs to support compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm, the length of the customized asymmetric cryptographic algorithm's encrypted result for the three pieces of data pre_master_secret, client_random and server_random in the TLS protocol together with one byte of description information is required to be less than or equal to the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret;
The TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are algorithms that satisfy the following condition three:
Condition three: if compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm needs to be supported, the key lengths of the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are required to be equal; when the symmetric cryptographic algorithm is a block cipher, in addition to equal key lengths, the block lengths of the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are further required to be equal.
Preferably, the TLS standard asymmetric cryptographic algorithm is, for example, the RSA algorithm, and the TLS standard symmetric cryptographic algorithm is, for example, the AES128 algorithm; the customized asymmetric cryptographic algorithm is, for example, the national cryptographic SM2 algorithm, and the customized symmetric cryptographic algorithm is, for example, the national cryptographic SM4 algorithm.
Correspondingly, the server-side device further includes a computing module configuration module (not shown), for configuring the computing module in advance, specifically including:
1. The format of the customized ciphertext: the total length of the customized ciphertext is set equal to the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret in the TLS protocol. The ciphertext structure includes at least two parts, cipher and padding, where cipher is the customized asymmetric cryptographic algorithm encrypted result of SecretTLS, and padding is the padding bytes; the number of padding bytes is greater than or equal to 0 and ensures that the length of the customized ciphertext equals the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret in the TLS protocol. The SecretTLS consists of the pre_master_secret part, which must be present, and the infoBytes, client_random and server_random parts, which may be present. pre_master_secret is the pre_master_secret defined by the TLS protocol; infoBytes is description information of at least one byte, describing information such as the current TLS version and the customized symmetric algorithm type; client_random is the client random number defined by the TLS protocol; server_random is the server-end random number defined by the TLS protocol;
2. Each record of the symmetric key table is configured to consist of the following 4 data columns:
SymmAlgo, RecordTime, client_write_key, server_write_key,
The meaning of each column is as follows:
SymmAlgo: identifies the type of the customized symmetric cryptographic algorithm; defined as a non-zero positive integer value;
RecordTime: identifies the time when this record was created;
client_write_key: the client_write_key defined in the TLS protocol;
server_write_key: the server_write_key defined in the TLS protocol.
3. Configure the calculation logic of the server end, comprising:
3.1 When the computing module performs a customized asymmetric cryptographic algorithm decryption calculation, it analyzes the input data and executes the corresponding calculation. The computing module completes one customized asymmetric cryptographic calculation through the following steps:
Step 1: analyze the content of the input data. The input data falls into one of three cases:
(1) customized ciphertext: jump to step 3; (2) TLS standard format data to be signed: jump to step 2; (3) other data that matches neither format (1) nor format (2) above: jump to step 2;
Step 2: perform the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data, output the calculated result, and jump to step 7;
Step 3: parse the customized ciphertext SelfCipher to obtain cipher, then decrypt cipher with the private key of the customized asymmetric cryptographic algorithm, which yields pre_master_secret and, where present, infoBytes, client_random and server_random; then execute step 4;
Step 4: determine whether the result decrypted in step 3 contains infoBytes, client_random and server_random. If it does, jump to step 5; if it does not, jump to step 6.
Step 5: using the relevant algorithm defined in the TLS protocol version described by the infoBytes obtained from the step 3 decryption, calculate client_write_key and server_write_key from pre_master_secret, client_random and server_random, then record them in the symmetric key table.
3.2 When the computing module performs a TLS standard asymmetric cryptographic algorithm signature verification calculation, it does not analyze the input data; it performs the TLS standard asymmetric cryptographic algorithm signature verification calculation on all input data.
3.3 The computing module completes a customized symmetric cryptographic encryption or decryption calculation through the following steps:
Step 1: first query whether the input symmetric key exists in the current symmetric key table. If it does not exist, jump to step 2; if it exists, jump to step 3;
Step 2: calculate on the input data using the TLS standard symmetric cryptographic algorithm, output the calculated result, and jump to step 4;
Step 3: switch automatically, inside the computing module, to calculating on the input data using the customized symmetric cryptographic algorithm, output the calculated result, and jump to step 4;
Step 4: the customized symmetric cryptographic calculation ends.
Preferably, the server-side device further includes a system configuration module (not shown), for configuring the TLS system; specifically, for configuring the above computing module into the server software; for also configuring the key pair corresponding to the customized asymmetric cryptographic algorithm for the server when configuring the key pair of the TLS standard asymmetric cryptographic algorithm for the server end; and for adding customized extensions to the digital certificate of the server end, for storing the public key of the customized asymmetric cryptographic algorithm and the identifier of the customized symmetric cryptographic algorithm.
Fig. 4 is a schematic diagram of the client end device of the TLS protocol according to one embodiment of the invention; the device includes:
Detection module 410, for reading preset configuration item information and determining whether the local end supports the customized cryptographic algorithm;
Encryption request module 420, for sending an encrypted communication request to the server end and receiving the server's response message to the encrypted communication request, the response message including the digital certificate of the server end;
Certificate parsing module 430, for detecting, if the local end supports the customized cryptographic algorithm, whether the digital certificate contains the extension for storing the public key corresponding to the customized asymmetric cryptographic algorithm and the extension for the customized symmetric cryptographic algorithm identifier; and, if they exist, caching the public key corresponding to the customized asymmetric cryptographic algorithm and the customized symmetric cryptographic algorithm identifier locally;
Responding module 440, for constructing the customized asymmetric cryptographic algorithm encrypted result SecretTLS and encrypting the SecretTLS with the cached public key to obtain SelfCipher; using the customized ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; and sending the ClientKeyExchange message to the server;
And communication module 450, for carrying out encrypted communication with the server end using the customized cryptographic algorithm.
It should be noted that, in the above embodiments of the device for realizing encrypted communication based on the TLS protocol, the information exchange and execution processes between the modules/units are based on the same design as the foregoing method embodiments of the present invention and bring the same technical effects; for the specific content, refer to the description in the method embodiments of the present invention, which is not repeated here.
It will be understood that the above embodiments explain the method for realizing encrypted communication based on the TLS protocol of the present invention on the basis of one-way authentication. Following the idea of the above embodiments, those skilled in the art can also configure the same kind of digital certificate at the client and extend the method for realizing encrypted communication based on the TLS protocol of the present invention to two-way authentication; such an extension should also fall within the scope of protection of the present invention.
In addition, in the above embodiments of the device for realizing encrypted communication based on the TLS protocol, the logical division of the functional modules is merely illustrative. In practical applications the above functions can be assigned to different functional modules as needed, for example in view of the configuration requirements of the corresponding hardware or the convenience of the software implementation; that is, the internal structure of the device for realizing encrypted communication based on the TLS protocol is divided into different functional modules to complete all or part of the functions described above. Each functional module can be implemented in the form of hardware or in the form of a software functional module.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and sold or used as an independent product. When executed, the program can perform all or part of the steps of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), etc.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of other embodiments. It will be understood that the terms "first", "second", etc. used herein are for distinguishing objects, but these objects should not be limited by these terms.
The embodiments described above express only several embodiments of the present invention and should not be understood as limiting the scope of the invention patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of this patent shall be determined by the appended claims.

Claims (12)

1. A method for realizing encrypted communication based on the TLS protocol, characterized by comprising:
configuring a preset computing module into server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also compatible with customized cryptographic algorithms other than the cryptographic algorithms of the TLS standard;
receiving an encrypted communication request from a client, and identifying, according to the encrypted communication request, the encryption methods supported by the client;
selecting, from the cryptographic algorithms compatible with the computing module, a cryptographic algorithm suited to the encryption methods supported by the client, and carrying out encrypted communication with the client using the selected cryptographic algorithm;
wherein the cryptographic algorithms of the TLS standard and the customized cryptographic algorithms each include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm;
the TLS standard asymmetric cryptographic algorithm and the customized asymmetric cryptographic algorithm are algorithms that satisfy the following condition one or condition two:
Condition one: where the TLS system is not required to support compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm, the length of the customized asymmetric cryptographic algorithm's encrypted result for the pre_master_secret data in the TLS protocol is less than or equal to the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret; pre_master_secret is a random number in the TLS protocol used to generate the master key;
Condition two: where the TLS system needs to support compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm, the length of the customized asymmetric cryptographic algorithm's encrypted result for the three pieces of data pre_master_secret, client_random and server_random in the TLS protocol together with the description information is less than or equal to the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret; client_random is the client random number defined in the TLS protocol; server_random is the server-end random number defined in the TLS protocol;
the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are algorithms that satisfy the following condition three:
Condition three: where the TLS system needs to support compatibility between the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm, the key lengths of the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are equal; when the symmetric cryptographic algorithm is a block cipher, the block lengths of the TLS standard symmetric cryptographic algorithm and the customized symmetric cryptographic algorithm are also required to be equal;
the computing module is configured such that: each record of the symmetric key table is configured to include the four data columns SymmAlgo, RecordTime, client_write_key and server_write_key; wherein SymmAlgo identifies the type of the customized symmetric cryptographic algorithm; RecordTime identifies the time when the record was created; client_write_key is the key, defined in the TLS protocol, used to encrypt data when the client performs a write operation; server_write_key is the key, defined in the TLS protocol, used to encrypt data when the server end performs a write operation;
the maintenance mechanism of the computing module is configured to: calculate, according to RecordTime, how long each record in the symmetric key table has existed, and at set time intervals remove the records in the symmetric key table whose existence duration exceeds a set limit;
the calculation logic of the server end is configured to comprise:
when performing a customized asymmetric cryptographic algorithm decryption calculation, analyzing the input data to determine whether it is customized ciphertext; if so, executing the preset customized calculation on the input data; if not, executing the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data;
when performing a TLS standard asymmetric cryptographic algorithm signature verification calculation, executing the TLS standard asymmetric cryptographic algorithm signature verification calculation on all input data;
when performing a customized symmetric cryptographic algorithm calculation, querying whether the input symmetric key exists in the current symmetric key table; if it does not exist, calculating on the input data using the TLS standard symmetric cryptographic algorithm; if it exists, calculating on the input data using the customized symmetric cryptographic algorithm.
2. The method for realizing encrypted communication based on the TLS protocol according to claim 1, characterized in that, after the step of configuring the preset computing module into the server software, the method further comprises:
when configuring the key pair of the TLS standard asymmetric cryptographic algorithm for the server end, also configuring the key pair corresponding to the customized asymmetric cryptographic algorithm for the server;
adding customized extensions to the digital certificate of the server end, for storing the public key of the customized asymmetric cryptographic algorithm and the identifier of the customized symmetric cryptographic algorithm.
3. The method for realizing encrypted communication based on the TLS protocol according to claim 1, characterized in that the structure of the customized ciphertext SelfCipher is set to include at least the two parts cipher and padding:
cipher: the customized asymmetric cryptographic algorithm encrypted result of SecretTLS;
padding: padding bytes; the number of padding bytes is greater than or equal to 0 and ensures that the length of the customized ciphertext equals the length of the TLS standard asymmetric cryptographic algorithm's encrypted result for pre_master_secret in the TLS protocol;
the SecretTLS consists of the pre_master_secret part; or of the pre_master_secret part together with the part composed of infoBytes, client_random and server_random:
pre_master_secret: the pre_master_secret defined by the TLS protocol;
infoBytes: description information of at least one byte, describing the current TLS version and the customized symmetric algorithm type;
client_random: the client random number defined by the TLS protocol;
server_random: the server-end random number defined by the TLS protocol.
4. The method for realizing encrypted communication based on the TLS protocol according to claim 3, characterized in that the calculation logic when the server end performs the TLS standard asymmetric cryptographic algorithm decryption calculation is specifically:
S1. Analyze the content of the input data; if the input data is a custom ciphertext, execute step S2; otherwise, perform the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data, output the calculation result, and jump to step S6;
S2. Parse the custom ciphertext SelfCipher to obtain cipher, and decrypt cipher with the private key of the custom asymmetric cryptographic algorithm;
S3. Determine whether the decryption result of step S2 contains infoBytes, client_random and server_random; if it does, execute step S4; if it does not, execute step S5;
S4. Using the algorithm defined by the TLS protocol version described by infoBytes in the decryption result of step S2, calculate client_write_key and server_write_key from pre_master_secret, client_random and server_random, and record them in the symmetric key table; jump to step S6;
S5. Re-assemble the pre_master_secret in the decryption result of step S2 according to the standard format of a TLS standard asymmetric cryptographic algorithm decryption result, and use the assembled result as the output of the TLS standard asymmetric cryptographic algorithm decryption calculation; jump to step S6;
S6. The TLS standard asymmetric cryptographic algorithm decryption calculation ends.
5. The method for realizing encrypted communication based on the TLS protocol according to claim 4, characterized in that the calculation logic when the server end performs a symmetric cryptographic calculation is specifically:
L1. Query whether the input symmetric key exists in the current symmetric key table; if it does not exist, jump to L2; if it exists, jump to L3;
L2. Calculate the input data with the TLS standard symmetric cryptographic algorithm, output the calculation result, and jump to L4;
L3. Calculate the input data with the custom symmetric cryptographic algorithm, output the calculation result, and jump to L4;
L4. The symmetric cryptographic calculation ends.
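The server-side logic of claims 3 to 5 (the SelfCipher layout, steps S1 to S6, steps L1 to L4 and the RecordTime-based cleanup), as an added example that is not code from the patent. Assumptions not found in the claims: the `MAGIC` marker and 2-byte length field used to recognize and parse a custom ciphertext, the 2-byte `infoBytes` encoding, a 256-byte RSA-2048 ciphertext length, TLS 1.2 key derivation with a 32-byte MAC key and a 16-byte cipher key, returning pre_master_secret from S4, all function and class names, and `toy_asym`, an insecure XOR placeholder standing in for the custom asymmetric algorithm.

```python
import hashlib
import hmac
import os
import time

RSA_CT_LEN = 256   # assumed: RSA-2048 ciphertext length of pre_master_secret
MAGIC = b"SCv1"    # hypothetical marker identifying a custom ciphertext
PMS_LEN, RAND_LEN, INFO_LEN = 48, 32, 2
SYMM_SM4 = 0x01    # hypothetical SymmAlgo identifier

def toy_asym(key, data):
    """Insecure XOR placeholder for the custom asymmetric algorithm (e.g. SM2)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def tls12_prf(secret, label, seed, n):
    """TLS 1.2 PRF with P_SHA256 (RFC 5246, section 5)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def derive_write_keys(pms, client_random, server_random, mac_len=32, key_len=16):
    """Return (client_write_key, server_write_key) from the TLS 1.2 key block."""
    master = tls12_prf(pms, b"master secret", client_random + server_random, 48)
    block = tls12_prf(master, b"key expansion", server_random + client_random,
                      2 * mac_len + 2 * key_len)
    off = 2 * mac_len  # skip the client and server MAC keys
    return block[off:off + key_len], block[off + key_len:off + 2 * key_len]

def build_self_cipher(pub, pms, client_random=None, server_random=None):
    """Client side: SelfCipher = marker | length | cipher | padding, RSA_CT_LEN bytes."""
    secret = pms
    if client_random is not None:
        info = bytes([0x03, SYMM_SM4])  # hypothetical infoBytes: TLS 1.2, SM4
        secret += info + client_random + server_random
    cipher = toy_asym(pub, secret)
    body = MAGIC + len(cipher).to_bytes(2, "big") + cipher
    return body + os.urandom(RSA_CT_LEN - len(body))

class ComputingModule:
    def __init__(self, custom_priv, std_decrypt, max_age=3600.0):
        self.custom_priv, self.std_decrypt, self.max_age = custom_priv, std_decrypt, max_age
        self.key_table = []  # SymmAlgo, RecordTime, client_write_key, server_write_key

    def asym_decrypt(self, data, now=None):
        if len(data) != RSA_CT_LEN or not data.startswith(MAGIC):  # S1
            return self.std_decrypt(data)
        n = int.from_bytes(data[4:6], "big")
        if n > RSA_CT_LEN - 6:
            raise ValueError("cipher length exceeds SelfCipher")
        secret = toy_asym(self.custom_priv, data[6:6 + n])  # S2
        if len(secret) == PMS_LEN:  # S3 -> S5: hand back a plain pre_master_secret
            return secret
        if len(secret) != PMS_LEN + INFO_LEN + 2 * RAND_LEN:
            raise ValueError("malformed SecretTLS")
        pms, rest = secret[:PMS_LEN], secret[PMS_LEN:]
        info, cr, sr = rest[:INFO_LEN], rest[INFO_LEN:INFO_LEN + RAND_LEN], rest[-RAND_LEN:]
        if info[0] != 0x03:
            raise ValueError("this example only derives TLS 1.2 keys")
        cwk, swk = derive_write_keys(pms, cr, sr)  # S4
        self.key_table.append({"SymmAlgo": info[1],
                               "RecordTime": time.time() if now is None else now,
                               "client_write_key": cwk, "server_write_key": swk})
        return pms  # assumption: the claim does not state the S4 output

    def symmetric_calc(self, key, data, std_fn, custom_fn):
        for rec in self.key_table:  # L1
            if any(hmac.compare_digest(key, rec[k])
                   for k in ("client_write_key", "server_write_key")):
                return rec["SymmAlgo"], custom_fn(key, data)  # L3
        return None, std_fn(key, data)  # L2

    def purge(self, now=None):
        """Drop records older than max_age; returns how many were removed."""
        now = time.time() if now is None else now
        before = len(self.key_table)
        self.key_table = [r for r in self.key_table if now - r["RecordTime"] <= self.max_age]
        return before - len(self.key_table)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values
    module = ComputingModule(key, std_decrypt=lambda d: b"std-path")
    sc = build_self_cipher(key, os.urandom(48), os.urandom(32), os.urandom(32))
    module.asym_decrypt(sc)
    cwk = module.key_table[0]["client_write_key"]
    print(module.symmetric_calc(cwk, b"data", lambda k, d: d, lambda k, d: d[::-1]))
```

Because S1 and S3 branch on bytes supplied by the peer, a real implementation should make decryption failures indistinguishable to that peer, as RFC 5246 section 7.4.7.1 requires for RSA key exchange. The symmetric key table holds live session keys and needs the same protection as the private keys.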
6. The method for realizing encrypted communication based on the TLS protocol according to any one of claims 1 to 5, characterized in that the step of selecting, from the cryptographic algorithms compatible with the computing module, a cryptographic algorithm matching the encryption method supported by the client, and carrying out encrypted communication with the client using the selected cryptographic algorithm, comprises:
If the client does not support the custom cryptographic algorithm, selecting the asymmetric cryptographic algorithm or symmetric cryptographic algorithm of the TLS standard to carry out encrypted communication with the client;
If the client supports the custom cryptographic algorithm, selecting the custom asymmetric cryptographic algorithm or symmetric cryptographic algorithm to carry out encrypted communication with the client.
7. The method for realizing encrypted communication based on the TLS protocol according to any one of claims 1 to 5, characterized in that the custom cryptographic algorithm is: the SM2 elliptic curve public key cryptographic algorithm or the SM4 block cipher algorithm.
8. A method for realizing encrypted communication based on the TLS protocol, characterized by comprising:
Reading preset configuration item information and determining whether the local end supports a custom cryptographic algorithm; the custom cryptographic algorithm being a cryptographic algorithm other than the cryptographic algorithms of the TLS standard;
Sending an encrypted communication request to the server end, and receiving the server's response message to the encrypted communication request, the response message including the digital certificate of the server end;
If the local end supports the custom cryptographic algorithm, detecting whether the digital certificate contains an extension for storing the public key corresponding to the custom asymmetric cryptographic algorithm and the custom symmetric algorithm identifier; if so, caching the public key corresponding to the custom asymmetric cryptographic algorithm and the custom symmetric algorithm identifier locally;
Constructing the custom asymmetric cryptographic algorithm encryption result SecretTLS, and encrypting SecretTLS with the cached public key to obtain the custom ciphertext SelfCipher; using the custom ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; sending the ClientKeyExchange message to the server;
Carrying out encrypted communication with the server end using the custom cryptographic algorithm;
Wherein a preset computing module is configured in the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and with the custom cryptographic algorithm; the cryptographic algorithms of the TLS standard and the custom cryptographic algorithm each include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm;
The TLS standard asymmetric cryptographic algorithm and the custom asymmetric cryptographic algorithm are algorithms that satisfy the following condition one or condition two:
Condition one: where the TLS system is not required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting the pre_master_secret data of the TLS protocol with the custom asymmetric cryptographic algorithm is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; pre_master_secret is a random number in the TLS protocol used to generate the master key;
Condition two: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting, with the custom asymmetric cryptographic algorithm, the three data segments pre_master_secret, client_random and server_random of the TLS protocol together with the description information is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; client_random is the client random number defined in the TLS protocol; server_random is the server-end random number defined in the TLS protocol;
The TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are algorithms that satisfy the following condition three:
Condition three: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the key lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are equal; when the symmetric cryptographic algorithm is a block cipher algorithm, the block lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are also required to be equal;
The computing module is configured as follows:
Each record of the symmetric key table is configured to include four data columns: SymmAlgo, RecordTime, client_write_key and server_write_key; where SymmAlgo identifies the type of the custom symmetric cryptographic algorithm; RecordTime identifies the time at which the record was created; client_write_key is the key, defined in the TLS protocol, that the client uses to encrypt data when performing write operations; server_write_key is the key, defined in the TLS protocol, that the server end uses to encrypt data when performing write operations;
The maintenance mechanism of the computing module is configured to: calculate from RecordTime how long each record in the symmetric key table has existed, and, at a set time interval, remove from the symmetric key table the records whose duration of existence exceeds a set limit;
The calculation logic at the server end is configured as follows:
When performing a custom asymmetric cryptographic algorithm decryption calculation, analyzing the input data to determine whether it is a custom ciphertext; if so, performing the preset custom calculation on the input data; if not, performing the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data;
When performing a TLS standard asymmetric cryptographic algorithm signature verification calculation, always performing the TLS standard asymmetric cryptographic algorithm signature verification calculation on the input data;
When performing a custom symmetric cryptographic algorithm calculation, querying whether the input symmetric key exists in the current symmetric key table; if it does not exist, calculating the input data with the TLS standard symmetric cryptographic algorithm; if it exists, calculating the input data with the custom symmetric cryptographic algorithm.
9. The method for realizing encrypted communication based on the TLS protocol according to claim 8, characterized by further comprising:
If the local end does not support the custom cryptographic algorithm, or the digital certificate contains no extension for storing the public key corresponding to the custom asymmetric cryptographic algorithm and the custom symmetric algorithm identifier, carrying out encrypted communication with the server end using the TLS standard cryptographic algorithms.
10. A server-end device of the TLS protocol, characterized by comprising:
Configuration module, configured to configure a preset computing module into the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and also with custom cryptographic algorithms other than the cryptographic algorithms of the TLS standard;
Request receiving module, configured to receive the encrypted communication request of a client and to identify, from the encrypted communication request, the encryption method supported by the client;
Algorithm selection module, configured to select, from the cryptographic algorithms compatible with the computing module, a cryptographic algorithm matching the encryption method supported by the client, and to carry out encrypted communication with the client using the selected cryptographic algorithm;
Wherein the cryptographic algorithms of the TLS standard and the custom cryptographic algorithm each include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm;
The TLS standard asymmetric cryptographic algorithm and the custom asymmetric cryptographic algorithm are algorithms that satisfy the following condition one or condition two:
Condition one: where the TLS system is not required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting the pre_master_secret data of the TLS protocol with the custom asymmetric cryptographic algorithm is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; pre_master_secret is a random number in the TLS protocol used to generate the master key;
Condition two: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting, with the custom asymmetric cryptographic algorithm, the three data segments pre_master_secret, client_random and server_random of the TLS protocol together with the description information is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; client_random is the client random number defined in the TLS protocol; server_random is the server-end random number defined in the TLS protocol;
The TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are algorithms that satisfy the following condition three:
Condition three: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the key lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are equal; when the symmetric cryptographic algorithm is a block cipher algorithm, the block lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are also required to be equal;
The computing module is configured as follows: each record of the symmetric key table is configured to include four data columns: SymmAlgo, RecordTime, client_write_key and server_write_key; where SymmAlgo identifies the type of the custom symmetric cryptographic algorithm; RecordTime identifies the time at which the record was created; client_write_key is the key, defined in the TLS protocol, that the client uses to encrypt data when performing write operations; server_write_key is the key, defined in the TLS protocol, that the server end uses to encrypt data when performing write operations;
The maintenance mechanism of the computing module is configured to: calculate from RecordTime how long each record in the symmetric key table has existed, and, at a set time interval, remove from the symmetric key table the records whose duration of existence exceeds a set limit;
The calculation logic at the server end is configured to include:
When performing a custom asymmetric cryptographic algorithm decryption calculation, analyzing the input data to determine whether it is a custom ciphertext; if so, performing the preset custom calculation on the input data; if not, performing the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data;
When performing a TLS standard asymmetric cryptographic algorithm signature verification calculation, always performing the TLS standard asymmetric cryptographic algorithm signature verification calculation on the input data;
When performing a custom symmetric cryptographic algorithm calculation, querying whether the input symmetric key exists in the current symmetric key table; if it does not exist, calculating the input data with the TLS standard symmetric cryptographic algorithm; if it exists, calculating the input data with the custom symmetric cryptographic algorithm.
11. A client device of the TLS protocol, characterized by comprising:
Detection module, configured to read preset configuration item information and determine whether the local end supports a custom cryptographic algorithm; the custom cryptographic algorithm being a cryptographic algorithm other than the cryptographic algorithms of the TLS standard;
Encryption request module, configured to send an encrypted communication request to the server end and to receive the server's response message to the encrypted communication request, the response message including the digital certificate of the server end;
Certificate parsing module, configured to, if the local end supports the custom cryptographic algorithm, detect whether the digital certificate contains an extension item for storing the public key corresponding to the custom asymmetric cryptographic algorithm and the custom symmetric cryptographic algorithm identifier; if so, cache the public key corresponding to the custom asymmetric cryptographic algorithm and the custom symmetric cryptographic algorithm identifier locally;
Response module, configured to construct the custom asymmetric cryptographic algorithm encryption result SecretTLS, and to encrypt SecretTLS with the cached public key to obtain the custom ciphertext SelfCipher; to use the custom ciphertext SelfCipher as part of the client key exchange message ClientKeyExchange defined in the TLS protocol; and to send the ClientKeyExchange message to the server;
Communication module, configured to carry out encrypted communication with the server end using the custom cryptographic algorithm;
Wherein a preset computing module is configured in the server software, the computing module being compatible with the cryptographic algorithms of the TLS standard and with the custom cryptographic algorithm; the cryptographic algorithms of the TLS standard and the custom cryptographic algorithm each include a symmetric cryptographic algorithm and an asymmetric cryptographic algorithm;
The TLS standard asymmetric cryptographic algorithm and the custom asymmetric cryptographic algorithm are algorithms that satisfy the following condition one or condition two:
Condition one: where the TLS system is not required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting the pre_master_secret data of the TLS protocol with the custom asymmetric cryptographic algorithm is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; pre_master_secret is a random number in the TLS protocol used to generate the master key;
Condition two: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the length of the result of encrypting, with the custom asymmetric cryptographic algorithm, the three data segments pre_master_secret, client_random and server_random of the TLS protocol together with the description information is less than or equal to the length of the result of encrypting pre_master_secret with the TLS standard asymmetric cryptographic algorithm; client_random is the client random number defined in the TLS protocol; server_random is the server-end random number defined in the TLS protocol;
The TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are algorithms that satisfy the following condition three:
Condition three: where the TLS system is required to support compatibility between the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm, the key lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are equal; when the symmetric cryptographic algorithm is a block cipher algorithm, the block lengths of the TLS standard symmetric cryptographic algorithm and the custom symmetric cryptographic algorithm are also required to be equal;
The computing module is configured as follows: each record of the symmetric key table is configured to include four data columns: SymmAlgo, RecordTime, client_write_key and server_write_key; where SymmAlgo identifies the type of the custom symmetric cryptographic algorithm; RecordTime identifies the time at which the record was created; client_write_key is the key, defined in the TLS protocol, that the client uses to encrypt data when performing write operations; server_write_key is the key, defined in the TLS protocol, that the server end uses to encrypt data when performing write operations;
The maintenance mechanism of the computing module is configured to: calculate from RecordTime how long each record in the symmetric key table has existed, and, at a set time interval, remove from the symmetric key table the records whose duration of existence exceeds a set limit;
The calculation logic at the server end is configured to include:
When performing a custom asymmetric cryptographic algorithm decryption calculation, analyzing the input data to determine whether it is a custom ciphertext; if so, performing the preset custom calculation on the input data; if not, performing the TLS standard asymmetric cryptographic algorithm decryption calculation on the input data;
When performing a TLS standard asymmetric cryptographic algorithm signature verification calculation, always performing the TLS standard asymmetric cryptographic algorithm signature verification calculation on the input data;
When performing a custom symmetric cryptographic algorithm calculation, querying whether the input symmetric key exists in the current symmetric key table; if it does not exist, calculating the input data with the TLS standard symmetric cryptographic algorithm; if it exists, calculating the input data with the custom symmetric cryptographic algorithm.
12. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of any one of claims 1 to 9.
CN201610983468.6A 2016-11-08 2016-11-08 The method and device of coded communication is realized based on tls protocol Active CN106572109B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610983468.6A CN106572109B (en) 2016-11-08 2016-11-08 The method and device of coded communication is realized based on tls protocol

Publications (2)

Publication Number Publication Date
CN106572109A CN106572109A (en) 2017-04-19
CN106572109B true CN106572109B (en) 2019-11-08

Family

ID=58540653

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610983468.6A Active CN106572109B (en) 2016-11-08 2016-11-08 The method and device of coded communication is realized based on tls protocol

Country Status (1)

Country Link
CN (1) CN106572109B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107147497B (en) * 2017-05-02 2018-07-06 北京海泰方圆科技股份有限公司 Information processing method and device
CN108650227B (en) * 2018-03-30 2021-03-30 苏州科达科技股份有限公司 Handshaking method and system based on datagram secure transmission protocol
CN110690969B (en) * 2018-07-06 2023-06-16 武汉信安珞珈科技有限公司 Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation
CN108924596B (en) * 2018-08-28 2020-11-13 苏州科达科技股份有限公司 Media data transmission method, device and storage medium
CN110267253B (en) * 2019-05-13 2022-09-27 中国联合网络通信集团有限公司 eSIM management platform, eSIM installation method and device
CN112422530B (en) * 2020-11-04 2023-05-30 无锡沐创集成电路设计有限公司 Key security protection method and password device for server in TLS handshake process
CN113541938A (en) * 2021-06-25 2021-10-22 国网山西省电力公司营销服务中心 Non-deception non-blocking channel-based calculation amount asymmetric evidence storing method
CN113572601B (en) * 2021-07-06 2024-03-12 长沙证通云计算有限公司 VNC remote safety communication method based on national secret TLS

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103118027A (en) * 2013-02-05 2013-05-22 中金金融认证中心有限公司 Transport layer security (TLS) channel constructing method based on cryptographic algorithm
CN105530090A (en) * 2015-12-31 2016-04-27 中国建设银行股份有限公司 Key negotiation method and device
CN106656939A (en) * 2015-11-03 2017-05-10 华耀(中国)科技有限公司 State cryptography SSL protocol and standard SSL protocol forwarding system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120317279A1 (en) * 2011-06-08 2012-12-13 Thomas Love System for scaling a system of related windows-based servers of all types operating in a cloud system, including file management and presentation, in a completely secured and encrypted system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
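Research and Implementation of the GuoMi (SM) SSL Secure Communication Protocol; Wu Yongqiang; China Masters' Theses Full-text Database, Information Science and Technology; 20160315; full text *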

Also Published As

Publication number Publication date
CN106572109A (en) 2017-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant