Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
An embodiment of the present invention provides an SSL-based communication method. As shown in Fig. 1, the method includes:
101. Receive the Secure Sockets Layer (SSL) protocol handshake packet sent by the client.
The embodiment can be applied while a client establishes a secure connection and communicates with a destination server. During communication over the secure connection, a cloud-based protection node can apply security protection to the data in the secure channel. The embodiment is described with the protection node as the executing entity. The protection node may be located on the server side; it may also not be located on the server side but have a data-interaction relationship with the server. The description below takes a protection node located in the cloud as an example, but it should be understood that this manner of description does not restrict the protection node to the cloud.
To make the nodes described in the embodiment easier to understand, the block diagram of the data communication provided by the embodiment is described below by way of example. As shown in Fig. 2, when the client and the destination server establish a secure connection, the client needs to send a Secure Socket Layer (SSL) protocol handshake packet to the destination server to start the session between the client and the destination server. The SSL handshake packet sent by the client may include, but is not limited to: the client random number and the list of encryption algorithms the client supports (symmetric and asymmetric encryption algorithms). After receiving the SSL handshake packet sent by the client, the server sends the client a response packet for the SSL handshake packet, which may include, but is not limited to: the server random number, the server public key, and a session ID that uniquely identifies the session.
To ensure the security of the client, especially where the client belongs to a government body or handles financial transactions, the security of the transmitted data is particularly important. Therefore, after the client sends the SSL handshake packet to the protection node and receives the protection node's response, the client can decide, from the standpoint of ensuring data confidentiality and data integrity, to encrypt or sign the data it sends.
In a concrete application, to ensure the security and integrity of the communication data, the server can also send a server certificate to the client. The server certificate is Base64-decoded and the result is parsed as ASN.1; the server certificate is sent to the client, and the client verifies whether the issuer of the server certificate is legitimate, whether the certificate is within its validity period, whether its signature value is valid, and so on. For the process of verifying certificate legitimacy, refer to the detailed descriptions in the prior art; the embodiment does not repeat them here.
The protocol used when the server establishes a secure connection with the client is the Hypertext Transfer Protocol Secure (HTTPS). For the implementation steps of HTTPS, refer to the related descriptions in the prior art; the embodiment does not repeat them here.
102. Send the SSL handshake packet to a key server, so that the key server responds to the SSL handshake packet.
Because the protection node does not know the client private key in advance, the embodiment relies on a key server (a trusted third-party server) to perform the decryption or signing of the client's SSL handshake packet.
The key server described in the embodiment is dedicated to storing the private key information of the client, or to signing the client random number and the server random number and verifying the identities of the client and the server. The key server is located on the client side. It provides no other service functions, such as responding to data requests. Moreover, not every network device can access the key server: access requires authentication based on information related to the client and the server, and the key server can be accessed only after authentication succeeds. Fig. 2 briefly shows the interaction between the key server and the protection node. In a specific implementation, the key server may include, but is not limited to, a cloudflare server; the embodiment does not limit the particular type of key server.
To generate the session key for the SSL handshake, the protection node sends the received SSL handshake packet to the key server. The key server receives the SSL handshake packet sent by the protection node, decrypts or signs it, and sends the decrypted or signed SSL handshake packet back to the protection node, after which step 103 is performed. In practice, because the protection node has no access to the client private key, it must carry out the key exchange through the key server while the client's secure connection with the server is being established.
103. Receive the key server's response information for the SSL handshake packet, and generate a session key according to the response information.
The protection node has two ways of generating the session key, corresponding to whether the received SSL handshake packet is of the encryption type or of the signature type. Whichever type of handshake packet the session key is generated from, the necessary and sufficient condition for the protection node to generate the session key is that its generation parameters are identical to the parameters the client uses to generate the session key. The reason is that the session key described in the embodiment is a symmetric key: within a session, the request information sent by the client and the response information sent by the server can both be encrypted with the session key to ensure data security. For example, if the client's generation parameters for the session key are parameter 1, parameter 2 and parameter 3, then the protection node's generation parameters when it generates the session key are also parameter 1, parameter 2 and parameter 3. The embodiment does not specifically limit the generation parameters of the session key.
104. Decrypt the data request sent by the client using the session key, and verify the security of the data in the data request.
After the protection node generates the session key, it verifies the data security of each packet sent between the client and the destination server, in order to maintain network data security. In a specific implementation, verifying whether the data in a data request is safe means, for example, verifying whether attack data is present (malicious content such as trojans, viruses or bundled data), whether SQL injection is present, and so on.
If the data in the data request is verified as safe, the protection node lets the data request through; if it is verified as malicious, the protection node intercepts the data request, to ensure the transmission security of network data. As an optional implementation of the embodiment, when the protection node determines that the data in the data request is malicious, it further determines the malice grade of the data: if the malice grade is high, it disconnects the secure connection with the destination server, or even forbids all network access by the client; if the malice grade is low, it intercepts this data access to the destination server.
In the SSL-based communication method provided by the embodiment, the protection node receives the Secure Sockets Layer (SSL) protocol handshake packet sent by the client; sends the SSL handshake packet to the key server, so that the key server responds to it; receives the key server's response information for the SSL handshake packet and generates a session key according to that response information; and decrypts the data request sent by the client using the session key and verifies the security of the data in the data request. Compared with the prior art, the protection node described in the embodiment does not need to obtain the client private key while protecting the security of the data communication. Instead, it relies on a key server dedicated to storing the client private key to decrypt or sign the SSL handshake packet, and then verifies the safety of the SSL handshake packet contents, ensuring the safety of the data in the secure connection.
In a specific implementation, the embodiment establishes secure communication between the client and the protection node in two ways: one is an encryption mode and the other is a signature mode. The following embodiments describe these two forms of secure communication in turn. It should be understood, however, that the ways in which the client and the protection node can establish a secure communication connection are not limited to these two.
First way: the secure communication between the client and the protection node is established by encryption and decryption.
The RSA encryption algorithm (RSA algorithm) is taken as an example. Fig. 3 shows an interaction diagram, provided by an embodiment of the invention, of a client establishing secure communication with the protection node. The client sends hello information to the protection node; the hello information carries the client random number and the list of encryption algorithms the client supports. The protection node receives the hello information and returns to the client the server random number, the server public key, the session ID and similar content. The client randomly generates a 48-byte pre-master key, sets the first of the 48 bytes to the major version number and the second byte to the minor version number, encrypts the pre-master key and the server public key with the private key of the RSA encryption algorithm, passes the encrypted pre-master key and server public key to the protection node, and sends the decryption key for the pre-master key and server public key to the key server for storage. After receiving the SSL handshake packet, the key server parses it and obtains the encrypted pre-master key and server public key. Because the protection node does not know the decryption key for the pre-master key and server public key, it needs to forward the encrypted pre-master key and server public key to the key server, so that the key server decrypts them with the corresponding decryption key sent by the client. In a specific implementation, besides the RSA encryption algorithm, the client's encryption algorithm can also be Elgamal, the knapsack algorithm, Rabin, HD, ECC (elliptic curve cryptography) and so on; the embodiment does not limit the particular type of encryption algorithm.
After the key server decrypts the pre-master key, it returns the decrypted pre-master key, that is, the plaintext pre-master key, to the protection node over an encrypted channel. Once the protection node has the plaintext pre-master key, it generates the session key from the client random number, the server random number and the pre-master key, completing the HTTPS SSL handshake without the private key.
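The encryption-mode handshake described above, as an added example that is not part of the original disclosure: the key server alone holds the private key and decrypts the pre-master key, and the protection node derives the session key from the two random numbers and the returned pre-master key. Assumptions: the session key is modelled as the TLS 1.2 master secret computed with the RFC 5246 PRF, the client encrypts to the server public key as in standard TLS RSA key exchange, the RSA key is a constructed toy key with no security value, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes. It only keeps the
# example offline and dependency-free; it has no security value.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8          # modulus length in bytes (81)


def encrypt_pre_master(pre_master: bytes) -> bytes:
    """Client side: PKCS#1 v1.5 encryption of the 48-byte pre-master key
    under the server public key (N, E)."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(pre_master)))
    block = b"\x00\x02" + pad + b"\x00" + pre_master
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")


def derive_session_key(pre_master: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    """TLS 1.2 master secret (RFC 5246, P_SHA256), standing in for the
    'session key': both sides must feed in identical parameters."""
    seed = b"master secret" + client_random + server_random
    out, a = b"", seed
    while len(out) < 48:
        a = hmac.new(pre_master, a, hashlib.sha256).digest()
        out += hmac.new(pre_master, a + seed, hashlib.sha256).digest()
    return out[:48]


class KeyServer:
    """Holds the private exponent and exposes one operation only."""

    def __init__(self):
        self._d = pow(E, -1, (P - 1) * (Q - 1))

    def decrypt_pre_master(self, ciphertext: bytes, client_version: bytes) -> bytes:
        # RFC 5246 section 7.4.7.1: on any padding or version error, continue
        # with a random pre-master key instead of reporting the failure, so
        # the caller cannot be used as a padding oracle.
        fallback = client_version + secrets.token_bytes(46)
        block = pow(int.from_bytes(ciphertext, "big"), self._d, N).to_bytes(K, "big")
        sep = block.find(b"\x00", 2)
        ok = (block[:2] == b"\x00\x02" and sep >= 10
              and len(block) - sep - 1 == 48
              and block[sep + 1:sep + 3] == client_version)
        return block[sep + 1:] if ok else fallback


class ProtectionNode:
    """Terminates the handshake without ever holding the private key."""

    def __init__(self, key_server: KeyServer):
        self.key_server = key_server
        self.server_random = secrets.token_bytes(32)

    def finish_handshake(self, client_random: bytes, client_version: bytes,
                         encrypted_pre_master: bytes) -> bytes:
        # In a deployment this call crosses an authenticated, encrypted
        # channel to the key server; here it is a direct method call.
        pre_master = self.key_server.decrypt_pre_master(
            encrypted_pre_master, client_version)
        return derive_session_key(pre_master, client_random, self.server_random)


def run_handshake(tamper: bool = False):
    """Return (client_key, node_key) for one constructed handshake."""
    node = ProtectionNode(KeyServer())
    version = b"\x03\x03"               # first byte major, second byte minor
    client_random = secrets.token_bytes(32)
    pre_master = version + secrets.token_bytes(46)
    ciphertext = encrypt_pre_master(pre_master)
    if tamper:                          # constructed in-transit modification
        ciphertext = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    client_key = derive_session_key(pre_master, client_random, node.server_random)
    node_key = node.finish_handshake(client_random, version, ciphertext)
    return client_key, node_key


if __name__ == "__main__":
    client_key, node_key = run_handshake()
    print("keys match:", client_key == node_key)
```

With a modified ciphertext the two sides silently end up with different keys, so the failure surfaces later in the handshake rather than as a decryption error from the key server.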
Second way: the secure communication between the client and the protection node is established by encryption and decryption.
The Diffie-Hellman algorithm (DH algorithm) is taken as an example. Fig. 4 shows an interaction diagram, provided by an embodiment of the invention, of another way for a client to establish secure communication with the protection node. After generating a random number, the client places it in the SSL handshake packet; the protection node parses the SSL handshake packet and obtains the client random number from it. Meanwhile, the protection node sends the server random number, the server public key and the session ID to the client. The protection node sends the client random number, the server public key, the server random number and the DH parameters to the key server, and the key server uses the key server private key to sign the client random number, the server public key, the server random number and the server preset signature parameter (the server DH parameter). After signing, the key server signature and the server DH parameter are sent to the client. The client receives the server DH parameter sent by the protection node and generates the pre-master key from the server DH parameter and the client preset signature parameter (the client DH parameter); the client then generates the session key from the client random number, the server random number and the pre-master key.
The above description takes the DH algorithm as an example. It should be clear, however, that when the signature is performed, the Message Digest Algorithm 5 (MD5), the Secure Hash Algorithm (SHA) and others may also be used, without limitation; the embodiment does not limit the signature algorithm.
In a specific implementation, after generating the pre-master key, the client encrypts the pre-master key with the server public key and sends it to the protection node. The protection node receives the encrypted pre-master key sent by the client and decrypts it with the server private key to obtain the pre-master key. The protection node also receives the client DH parameter sent by the client, and generates the session key from the server random number, the client random number and the pre-master key. In this way, the client generates the session key from the server random number, the client random number and the pre-master key, and the protection node likewise generates the session key from the server random number, the client random number and the pre-master key, so the client's session key is consistent with the protection node's session key.
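The signature-mode exchange described above, as an added example that is not part of the original disclosure: the key server signs the two random numbers together with the server DH parameter, the client checks that signature before using the parameter, and both sides reach the same pre-master key without the key server ever seeing it. Assumptions: the DH group and the RSA key are constructed toy values, the signature is unpadded RSA over a SHA-256 digest purely to stay dependency-free, only the random numbers and the server DH parameter are signed, and all names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy values: a Mersenne-prime DH modulus and a toy RSA signing
# key. Neither has any security value.
DH_P, DH_G = 2**607 - 1, 3
RSA_P, RSA_Q, RSA_E = 2**127 - 1, 2**521 - 1, 65537
RSA_N = RSA_P * RSA_Q


def _digest(client_random: bytes, server_random: bytes, server_dh_pub: int) -> int:
    """Hash of everything the signature must bind together."""
    data = client_random + server_random + server_dh_pub.to_bytes(76, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class KeyServer:
    """Holds the signing key; never sees a DH private value or pre-master key."""

    def __init__(self):
        self._d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

    def sign(self, client_random: bytes, server_random: bytes,
             server_dh_pub: int) -> int:
        return pow(_digest(client_random, server_random, server_dh_pub),
                   self._d, RSA_N)


def verify(signature: int, client_random: bytes, server_random: bytes,
           server_dh_pub: int) -> bool:
    """Client side: check the key server signature with the public key."""
    expected = _digest(client_random, server_random, server_dh_pub)
    return pow(signature, RSA_E, RSA_N) == expected


class ProtectionNode:
    def __init__(self, key_server: KeyServer):
        self.key_server = key_server
        self.server_random = secrets.token_bytes(32)
        self._y = secrets.randbelow(DH_P - 3) + 2        # DH private value
        self.server_dh_pub = pow(DH_G, self._y, DH_P)    # server DH parameter

    def server_key_exchange(self, client_random: bytes):
        """Ask the key server to sign this handshake's parameters."""
        sig = self.key_server.sign(client_random, self.server_random,
                                   self.server_dh_pub)
        return self.server_random, self.server_dh_pub, sig

    def pre_master(self, client_dh_pub: int) -> int:
        return pow(client_dh_pub, self._y, DH_P)


def client_handshake(node: ProtectionNode, tamper: bool = False):
    """Return (client_pre_master, node_pre_master), or None if the client
    rejects the server DH parameter."""
    client_random = secrets.token_bytes(32)
    server_random, server_dh_pub, sig = node.server_key_exchange(client_random)
    if tamper:                      # constructed on-path parameter swap
        server_dh_pub = pow(DH_G, 5, DH_P)
    if not 1 < server_dh_pub < DH_P - 1:
        return None
    if not verify(sig, client_random, server_random, server_dh_pub):
        return None
    x = secrets.randbelow(DH_P - 3) + 2
    client_dh_pub = pow(DH_G, x, DH_P)                   # client DH parameter
    return pow(server_dh_pub, x, DH_P), node.pre_master(client_dh_pub)


if __name__ == "__main__":
    node = ProtectionNode(KeyServer())
    print("pre-master keys match:", len(set(client_handshake(node))) == 1)
    print("tampered parameter rejected:", client_handshake(node, tamper=True) is None)
```

Because the client random number is inside the signed data, a signature captured from one handshake does not verify in another.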
Further, to ensure the security of the data in the secure connection between the client and the destination server, after the data in the data request is determined to be safe, the data request is encrypted with the session key and the encrypted data request is sent to the destination server, to ensure the security of the data request in transit between the protection node and the destination server. Likewise, when the client sends its next data request to the protection node, it still needs to encrypt the data request with the session key; the protection node receives the data request that the client encrypted with the session key, decrypts it with the session key, and verifies the safety of the data in the data request.
In the embodiment, the protection node also acts as a reverse proxy. After the protection node receives the destination server's response to the client's data request, it stores the response information, so that when other clients later request the same content, the response content can be obtained directly from the protection node's local storage and sent to the client, improving the efficiency of responding to client requests.
As another implementation of the embodiment, after the protection node determines that the data in the data request is safe, it determines whether response information corresponding to the data request is stored locally on the protection node; if such response information is determined to be stored locally, it responds to the data request.
Further, as a refinement of the above embodiment, when step 102 sends the SSL handshake packet to the key server, the following method may be used, without limitation: send a connection establishment request to the key server, the request containing the certificate public key of the protection node, so that the key server authenticates the protection node based on its certificate public key; when the protection node receives the authentication-success notification message sent by the key server, establish a communication connection with the key server; send the SSL handshake packet to the key server over that communication connection.
Further, as an implementation of the method shown in Fig. 1, another embodiment of the invention provides an SSL-based communication device. The device embodiment corresponds to the preceding method embodiment. For ease of reading, the device embodiment does not repeat the details of the method embodiment one by one, but it should be understood that the device in this embodiment can implement everything in the preceding method embodiment.
An embodiment of the present invention provides an SSL-based communication device. As shown in Fig. 5, the device includes:
First receiving unit 21, configured to receive the Secure Sockets Layer (SSL) protocol handshake packet sent by the client;
First sending unit 22, configured to send the SSL handshake packet received by the first receiving unit 21 to a key server, so that the key server responds to the SSL handshake packet;
Second receiving unit 23, configured to receive the key server's response information for the SSL handshake packet after the first sending unit 22 sends the SSL handshake packet to the key server;
Generation unit 24, configured to generate a session key according to the response information received by the second receiving unit 23;
Decryption unit 25, configured to decrypt the data request sent by the client using the session key generated by the second generation unit 24;
Verification unit 26, configured to verify the security of the data in the data request after decryption by the decryption unit 25.
Further, as shown in Fig. 6, the first sending unit 22 includes:
Parsing module 221, configured to parse the SSL handshake packet;
Acquisition module 222, configured to obtain the encrypted pre-master key after the parsing module 221 parses the SSL handshake packet;
First sending module 223, configured to send the encrypted pre-master key obtained by the acquisition module 222 to the key server, so that the key server decrypts the encrypted pre-master key.
Further, the second receiving unit 23 is also configured to receive the decrypted pre-master key that the key server sends over an encrypted channel;
Further, as shown in Fig. 6, the generation unit 24 includes:
Acquisition module 241, configured to obtain the client random number contained in the SSL handshake packet;
First generation module 242, configured to generate the session key according to the decrypted pre-master key, the client random number obtained by the acquisition module 241, and the server random number.
Further, as shown in Fig. 6, the first sending unit 22 includes:
Parsing module 224, configured to parse the SSL handshake packet;
Acquisition module 225, configured to obtain the client random number contained in the SSL handshake packet after the parsing module 224 parses the SSL handshake packet;
Second sending module 226, configured to send the client random number obtained by the acquisition module, the server random number and the server public key to the key server, so that the key server signs the client random number, the server random number and the server public key using the key server private key.
Further, the second receiving unit 23 is also configured to receive the key server signature sent by the key server.
Further, as shown in Fig. 6, the device also includes:
Second sending unit 27, configured to send the server preset signature parameter and the key server signature to the client after the key server's response information for the SSL handshake packet is received, so that the client generates the pre-master key according to the server preset signature parameter, the key server signature and the client preset signature parameter;
Third sending unit 28, configured to send the server random number to the client, so that the client generates the session key according to the server random number, the client random number and the pre-master key;
Third receiving unit 29, configured to receive the client preset signature parameter sent by the client.
Further, as shown in Fig. 6, the generation unit 24 includes:
Receiver module 243, configured to receive the pre-master key sent by the client; the pre-master key is the pre-master key after the client encrypts it with the server public key;
Decryption module 244, configured to decrypt, using the server private key, the encrypted pre-master key received by the receiver module 243, obtaining the pre-master key;
Second generation module 245, configured to generate the session key according to the server random number, the client random number and the pre-master key decrypted by the decryption module 244.
Further, as shown in Fig. 6, the device also includes:
Fourth sending unit 210, configured to send the data request to the destination server after the verification unit 26 verifies the security of the data in the data request and determines that the data in the data request is safe, so that the destination server responds to the data request.
Determining unit 211, configured to determine, when the data in the data request is determined to be safe, whether response information corresponding to the data request is stored locally;
Response unit 212, configured to respond to the data request when the determining unit determines that response information corresponding to the data request is stored locally.
Further, as shown in Fig. 6, the decryption unit 25 includes:
Receiver module 251, configured to receive the data request sent by the client, the data request being a request that the client has encrypted with the session key;
Decryption module 252, configured to decrypt the data request using the session key.
Further, an embodiment of the present invention provides an SSL-based communication system. As shown in Fig. 7, the system includes:
Client 31, configured to send a Secure Sockets Layer (SSL) protocol handshake packet to the protection node 32;
The protection node 32, configured to receive the SSL handshake packet sent by the client 31 and send the SSL handshake packet to the key server;
The key server, configured to receive the SSL handshake packet sent by the protection node 32 and send the response information for the SSL handshake packet to the protection node 32;
The protection node 32, also configured to receive the response information for the SSL handshake packet sent by the key server, generate a session key according to the response information, decrypt the data request sent by the client 31 using the session key, and verify the security of the data in the data request.
Further, as shown in Fig. 8, the system also includes:
The protection node 32, also configured to send the data request to the destination server 33 when the data in the data request is determined to be safe;
The destination server 33, configured to receive the data request sent by the protection node 32 and respond to the data request.
In the SSL-based communication device and system provided by the embodiment, the protection node receives the Secure Sockets Layer (SSL) protocol handshake packet sent by the client; sends the SSL handshake packet to the key server, so that the key server responds to it; receives the key server's response information for the SSL handshake packet and generates a session key according to that response information; and decrypts the data request sent by the client using the session key and verifies the security of the data in the data request. Compared with the prior art, the protection node described in the embodiment does not need to obtain the client private key while protecting the security of the data communication. Instead, it relies on a key server dedicated to storing the client private key to decrypt or sign the SSL handshake packet, and then verifies the safety of the SSL handshake packet contents, ensuring the safety of the data in the secure connection.
The embodiments of the invention also disclose the following technical solutions:
A1. An SSL-based communication method, including:
Receiving the Secure Sockets Layer (SSL) protocol handshake packet sent by a client;
Sending the SSL handshake packet to a key server, so that the key server responds to the SSL handshake packet;
Receiving the key server's response information for the SSL handshake packet, and generating a session key according to the response information;
Decrypting the data request sent by the client using the session key, and verifying the security of the data in the data request.
A2. The method according to A1, wherein sending the SSL handshake packet to the key server includes:
Parsing the SSL handshake packet to obtain the encrypted pre-master key;
Sending the encrypted pre-master key to the key server, so that the key server decrypts the encrypted pre-master key.
A3. The method according to A2, wherein receiving the key server's response information for the SSL handshake packet is specifically:
Receiving the decrypted pre-master key that the key server sends over an encrypted channel;
and generating the session key according to the response information is specifically:
Obtaining the client random number contained in the SSL handshake packet;
Generating the session key according to the decrypted pre-master key, the client random number and the server random number.
A4. The method according to A1, wherein sending the SSL handshake packet to the key server includes:
Parsing the SSL handshake packet to obtain the client random number contained in the SSL handshake packet;
Sending the client random number, the server random number and the server public key to the key server, so that the key server signs the client random number, the server random number and the server public key using the key server private key.
A5. The method according to A4, wherein receiving the key server's response information for the SSL handshake packet includes:
Receiving the key server signature sent by the key server.
A6. The method according to A5, wherein, after receiving the key server's response information for the SSL handshake packet, the method also includes:
Sending the server preset signature parameter and the key server signature to the client, so that the client generates the pre-master key according to the server preset signature parameter, the key server signature and the client preset signature parameter;
Sending the server random number to the client, so that the client generates the session key according to the server random number, the client random number and the pre-master key;
Receiving the client preset signature parameter sent by the client.
A7. The method according to A6, wherein generating the session key according to the response information includes:
Receiving the pre-master key sent by the client; the pre-master key is the pre-master key after the client encrypts it with the server public key;
Decrypting the encrypted pre-master key using the server private key to obtain the pre-master key;
Generating the session key according to the server random number, the client random number and the pre-master key.
A8. The method according to any one of A1-A7, wherein, after verifying the security of the data in the data request, the method also includes:
If the data in the data request is determined to be safe, sending the data request to the destination server, so that the destination server responds to the data request;
Or, if the data in the data request is determined to be safe, determining whether response information corresponding to the data request is stored locally, and, if response information corresponding to the data request is determined to be stored locally, responding to the data request.
A9. The method according to A8, wherein decrypting the data request sent by the client using the session key includes:
Receiving the data request sent by the client, the data request being a request that the client has encrypted with the session key;
Decrypting the data request using the session key.
B10. An SSL-based communication device, including:
First receiving unit, configured to receive the Secure Sockets Layer (SSL) protocol handshake packet sent by the client;
First sending unit, configured to send the SSL handshake packet received by the first receiving unit to a key server, so that the key server responds to the SSL handshake packet;
Second receiving unit, configured to receive the key server's response information for the SSL handshake packet after the first sending unit sends the SSL handshake packet to the key server;
Generation unit, configured to generate a session key according to the response information received by the second receiving unit;
Decryption unit, configured to decrypt the data request sent by the client using the session key generated by the second generation unit;
Verification unit, configured to verify the security of the data in the data request after decryption by the decryption unit.
B11. The device according to B10, wherein the first sending unit includes:
Parsing module, configured to parse the SSL handshake packet;
Acquisition module, configured to obtain the encrypted pre-master key after the parsing module parses the SSL handshake packet;
First sending module, configured to send the encrypted pre-master key obtained by the acquisition module to the key server, so that the key server decrypts the encrypted pre-master key.
B12. The device according to B11, wherein the second receiving unit is also configured to receive the decrypted pre-master key that the key server sends over an encrypted channel;
The generation unit includes:
Acquisition module, configured to obtain the client random number contained in the SSL handshake packet;
First generation module, configured to generate the session key according to the decrypted pre-master key, the client random number obtained by the acquisition module, and the server random number.
B13. The device according to B10, wherein the first sending unit comprises:
a parsing module, configured to parse the SSL handshake data packet;
an acquisition module, configured to obtain the client random number contained in the SSL handshake data packet after the parsing module parses the SSL handshake data packet;
a second sending module, configured to send the client random number obtained by the acquisition module, a server random number, and a server public key to the key server, so that the key server signs the client random number, the server random number, and the server public key using a key server private key.
B14. The device according to B13, wherein the second receiving unit is further configured to receive the key server signature sent by the key server.
B15. The device according to B14, wherein the device further comprises:
a second sending unit, configured to, after the key server's response information to the SSL handshake data packet is received, send a server preset signature parameter and the key server signature to the client, so that the client generates a pre-master key according to the server preset signature parameter, the key server signature, and a client preset signature parameter;
a third sending unit, configured to send the server random number to the client, so that the client generates the session key according to the server random number, the client random number, and the pre-master key;
a third receiving unit, configured to receive the client preset signature parameter sent by the client.
B16. The device according to B15, wherein the generation unit comprises:
a receiving module, configured to receive the pre-master key sent by the client, the pre-master key being a pre-master key that the client has encrypted based on the server public key;
a decryption module, configured to decrypt, using a private key, the encrypted pre-master key received by the receiving module, to obtain the pre-master key;
a second generation module, configured to generate the session key according to the server random number, the client random number, and the pre-master key decrypted by the decryption module.
B17. The device according to any one of B11-B16, wherein the device further comprises:
a fourth sending unit, configured to send the data request to a destination server after the verification unit verifies the security of the data in the data request and determines that the data in the data request is safe, so that the destination server responds to the data request;
a determining unit, configured to, when it is determined that the data in the data request is safe, determine whether response information corresponding to the data request is stored locally;
a response unit, configured to respond to the data request when the determining unit determines that the response information corresponding to the data request is stored locally.
B18. The device according to B17, wherein the decryption unit comprises:
a receiving module, configured to receive the data request sent by the client, the data request being a request encrypted by the client using the session key;
a decryption module, configured to decrypt the data request using the session key.
C19. An SSL-based communication system, the system comprising:
a client, configured to send a Secure Sockets Layer (SSL) protocol handshake data packet to a protection node;
the protection node, configured to receive the SSL handshake data packet sent by the client, and to send the SSL handshake data packet to a key server;
the key server, configured to receive the SSL handshake data packet sent by the protection node, and to send response information for the SSL handshake data packet to the protection node;
the protection node being further configured to receive the response information for the SSL handshake data packet sent by the key server, generate a session key according to the response information, decrypt, using the session key, the data request sent by the client, and verify the security of the data in the data request.
C20. The system according to C19, wherein the system further comprises:
the protection node, further configured to send the data request to a destination server when it is determined that the data in the data request is safe;
the destination server, configured to receive the data request sent by the protection node, and to respond to the data request.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
It can be understood that related features in the above method and device may be referred to each other. In addition, "first", "second", and so on in the above embodiments are used to distinguish the embodiments and do not represent the merits of each embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, device, and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description given above for a specific language is intended to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the method of the disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the title of the invention according to embodiments of the present invention (for example, a device for determining the link level within a website). The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order. These words may be interpreted as names.