CN107623571B - Handshake processing method, client and server - Google Patents


Publication number
CN107623571B
Authority
CN
China
Prior art keywords
handshake
information
server
key
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610563372.4A
Other languages
Chinese (zh)
Other versions
CN107623571A (en)
Inventor
刘志坤
黄文浩
李军
邓锦福
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd


Abstract

The embodiment of the invention provides a handshake processing method, a client and a server. The method comprises: sending digital signature information of a key used for a PSK handshake to a server, and receiving digest information contained in the digital signature information from the server, wherein the digest information is obtained by the server decrypting the digital signature information; processing preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information indicates that a PSK handshake is to be performed with the server; and, when the processing result is the same as handshake identification information sent by the server, sending a PSK handshake request to the server according to the key so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm. The invention can improve the security and reliability of handshake processing.

Description

Handshake processing method, client and server
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a handshake processing method, a client, and a server.
Background
Transport Layer Security (TLS) is used to provide confidentiality and data integrity between clients and servers. Currently, in the process of creating TLS 1.3 (version 1.3 of TLS), the TLS 1.3 draft designs a connection establishment method based on a pre-shared key (PSK), and the PSK-based connection establishment method can establish connections efficiently. In the PSK-based connection establishment method, a key negotiated between a client and a server needs to be stored in the client, and if the key stored in the client is leaked, the established connection can be intercepted or attacked by a man-in-the-middle. If the client stores the key permanently (for example, on disk), the permanently stored key is easily leaked and security is low, because the environment of the client is complex. If the client caches the key (for example, in memory), then when the client fails and a large number of processes associated with the connection exit, the key is lost, the connection is broken, and reliability is low. The traditional PSK-based connection establishment mode cannot provide both security and reliability.
Disclosure of Invention
Embodiments of the present invention provide a handshake processing method, a client, and a server, which can improve the security and reliability of handshake processing.
A first aspect of an embodiment of the present invention provides a handshake processing method, including:
sending digital signature information of a key for performing PSK handshake to a server;
receiving digest information contained in the digital signature information sent by the server, wherein the digest information is obtained by decrypting the digital signature information by the server;
processing preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information is used for indicating PSK handshake with the server;
and when the processing result is the same as handshake identification information sent by the server, sending a PSK handshake request to the server according to the key so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
A second aspect of the embodiments of the present invention provides another handshake processing method, including:
receiving digital signature information of a key for PSK handshake sent by a client;
decrypting the digital signature information to obtain digest information contained in the digital signature information, and sending the digest information to the client so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result;
receiving a PSK handshake request sent by the client according to the key, wherein the PSK handshake request is generated and sent when the client determines that the processing result is the same as the handshake identification information received by the client;
and performing PSK handshake processing between the client and the server.
A third aspect of an embodiment of the present invention provides a client, including:
a signature information sending unit for sending digital signature information of a key for performing PSK handshake to a server;
the digest information receiving unit is used for receiving digest information contained in the digital signature information sent by the server, wherein the digest information is obtained by decrypting the digital signature information by the server;
a processing result obtaining unit, configured to process preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, where the handshake indication information is used to indicate PSK handshake with the server;
and the handshake request sending unit is used for sending a PSK handshake request to the server according to the key when the processing result is the same as handshake identification information sent by the server so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
A fourth aspect of the embodiments of the present invention provides a server, including:
the signature information receiving unit is used for receiving digital signature information of a key used for PSK handshake sent by a client;
the digest information sending unit is used for decrypting the digital signature information to obtain digest information contained in the digital signature information, and sending the digest information to the client so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result;
a handshake request receiving unit, configured to receive a PSK handshake request sent by the client according to the key, where the PSK handshake request is generated and sent when the client determines that the processing result is the same as handshake identification information received by the client;
and the handshake processing unit is used for carrying out PSK handshake processing with the client.
In the embodiment of the invention, the client sends the digital signature information of the key to the server, and the server decrypts the digital signature information to obtain the digest information. Because the private key for decrypting the digital signature information is stored in the server, a third-party platform cannot obtain the digest information contained in the digital signature information even if it obtains the digital signature information. The client receives the digest information sent by the server and processes the preset handshake indication information and the digest information based on the preset digest algorithm to obtain a processing result. When the processing result is the same as the handshake identification information sent by the server, the client can consider that the sender of the handshake indication information is the server and not a third-party platform. Because the third-party platform cannot obtain the digest information, even if it obtains the handshake indication information, the handshake identification information it derives by processing the handshake indication information based on the preset digest algorithm differs from the processing result obtained by the client; the client then determines that the third-party platform is not the server and refuses to send a PSK handshake request to it. The embodiment of the invention can thus authenticate the identity of the server, and when the authentication succeeds the client can perform PSK handshake processing with the server according to the key, so the security and reliability of the PSK handshake processing can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a handshake processing system according to an embodiment of the present invention;
Fig. 2 is a flowchart of a handshake processing method according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating a handshake processing method according to another embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a client according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a server according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiment of the invention, the client sends the digital signature information of the key to the server, and the server decrypts the digital signature information to obtain the digest information. Because the private key for decrypting the digital signature information is stored in the server, a third-party platform cannot obtain the digest information contained in the digital signature information even if it obtains the digital signature information. The client receives the digest information sent by the server and processes the preset handshake indication information and the digest information based on the preset digest algorithm to obtain a processing result, and when the processing result is the same as the handshake identification information sent by the server, the client can consider the sender of the handshake indication information to be the server. Compared with the traditional handshake processing method, in which the key is stored in the internal memory and is easily lost, the embodiment of the invention can store the key permanently and then perform PSK handshake processing with the server according to the key, thereby improving the reliability of the PSK handshake processing.
Based on the above principle, an embodiment of the present invention provides a handshake processing system, which may be a communication application system such as an instant messaging application system, a Social Networking Services (SNS) application system, and the like. Referring to fig. 1, the architecture of the handshake processing system includes at least: the system comprises a server and at least one client connected to the server.
The client can operate in a notebook computer, a mobile phone, a PAD (tablet computer), a vehicle-mounted terminal, an intelligent wearable device and other terminals. The server may be an independent service device in the communication network or a cluster service device formed by a plurality of independent service devices in the communication network.
The client is used for sending the digital signature information of the key for performing the PSK handshake to the server when a session connection with the server needs to be established.
The server is used for decrypting the digital signature information to obtain the digest information contained in the digital signature information and sending the digest information to the client.
The client is further used for processing preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information is used for indicating PSK handshake between the client and the server.
The client is also used for sending a PSK handshake request to the server according to the key when the processing result is the same as the handshake identification information sent by the server, so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
The preset handshake indication information may be sent by the server to the client, and the handshake indication information is used to indicate that the server determines that the handshake mode with the client is PSK handshake. The preset digest algorithm, which may include Message-Digest Algorithm 5 (MD5) or a Secure Hash Algorithm (SHA), extracts fingerprint information from the handshake indication information to implement the function of data signing.
Optionally, before the client sends the digital signature information to the server, a key may be obtained through negotiation between the client and the server, the server may generate digest information of the key, and encrypt the digest information through a preset encryption algorithm to obtain digital signature information, the server may send the key, the digital signature information, and storage indication information thereof to the client, and the client may store the key to the internal memory according to the storage indication information and store the key and the digital signature information to the external memory.
The internal Memory may include a Random Access Memory (RAM), a Read Only Memory (ROM), a CACHE Memory (CACHE), and the like, where the data Access rate in the internal Memory is fast, and the internal Memory may be used to temporarily store operation data in a Central Processing Unit (CPU) and data interacted with an external Memory. The external memory can comprise a floppy disk memory, a hard disk memory, an optical disk memory or the like, can still store data after being powered off, and can be used for permanently storing data.
The basic process of data encryption is to process data (the data is plaintext) according to some algorithm to make the data become an unreadable segment of code, which is generally called "ciphertext". When the preset encryption algorithm is based on a symmetric encryption technology (that is, the same key is used for encryption and decryption), the key can be stored in the server, the server encrypts the digest information through the key to obtain digital signature information, and sends the digital signature information to the client, and when the client needs to obtain the digest information, the client can send the digital signature information to the server, so that the server decrypts the digital signature information through the key to obtain the digest information, and feeds the digest information back to the client. When the preset encryption algorithm is based on an asymmetric encryption technology (that is, the encryption and decryption use different keys), a first key used for encryption and a second key used for decryption can be stored in the server, the server encrypts the digest information through the first key to obtain digital signature information, and sends the digital signature information to the client, and when the client needs to obtain the digest information, the client can send the digital signature information to the server so that the server decrypts the digital signature information through the second key to obtain the digest information, and feeds the digest information back to the client. 
According to the embodiment of the invention, the key used for encrypting and decrypting the digest information is stored in the server, so that even if a third-party platform acquires the digital signature information, it cannot decrypt the digital signature information to obtain the digest information. The handshake identification information obtained by the third-party platform performing digest processing on the handshake indication information is therefore different from the processing result obtained by the client processing the handshake indication information and the digest information, and the client can confirm that the third-party platform is not the server and refuse to perform handshake processing with the third-party platform.
Optionally, before the client sends the digital signature information to the server, it may detect whether a key exists in the internal memory, and when the key does not exist in the internal memory, obtain the digital signature information of the key in the external memory, and send the digital signature information to the server; and when the key exists in the internal memory, sending a PSK handshake request to the server according to the key in the internal memory so as to perform PSK handshake processing with the server.
In the embodiment of the invention, since the access rate of the key in the internal memory is higher but the key in the internal memory is easily lost, the client can store the key in both the internal memory and the external memory. When the key exists in the internal memory, the client can obtain the key from the internal memory and send a PSK handshake request to the server according to that key so as to perform PSK handshake processing with the server, which improves the efficiency of PSK handshake processing. When the key does not exist in the internal memory, the client can acquire the digital signature information of the key from the external memory, receive the digest information obtained by the server decrypting the digital signature information, and authenticate the identity of the server according to the digest information, which improves the security and reliability of the PSK handshake processing.
Optionally, when the key does not exist in the internal memory, the client may send handshake mode request information to the server, and the server may determine, according to the current load, whether the handshake mode with the client is a PSK handshake or an elliptic curve Diffie-Hellman (ECDH) handshake. When the current load is greater than a preset threshold, the server generates handshake indication information, processes the handshake indication information and the digest information based on a digest algorithm to obtain handshake identification information, and sends the handshake identification information to the client. ECDH is a DH (Diffie-Hellman) key exchange algorithm based on an Elliptic Curve Cryptosystem (ECC). The handshake indication information is used for indicating the PSK handshake with the client. The load may include resources such as a CPU, a memory, or an input/output port.
Compared with the PSK handshake, the ECDH handshake has higher security but a larger performance loss and a higher required load. Therefore, when receiving handshake mode request information sent by a client, the server can detect whether the current load is greater than a preset threshold. When the current load is greater than the preset threshold, the server can select the PSK handshake with the client, generate handshake indication information, process the handshake indication information and the digest information based on a digest algorithm to obtain handshake identification information, and send the handshake identification information to the client. Optionally, the server may also send the handshake indication information to the client. When the current load is less than or equal to the preset threshold, the server may generate ECDH handshake mode response information and send it to the client, so that ECDH handshake processing is performed between the client and the server. The embodiment of the invention determines the handshake mode according to the current load of the server, and can improve the reliability of handshake processing.
Based on the above description, an embodiment of the present invention further provides a handshake processing method, please refer to fig. 2, where the handshake processing method at least includes the following steps:
S201, the server sends the key, the digital signature information and the storage indication information thereof to the client.
The server can send the key, the digital signature information and the storage indication information thereof to the client, wherein the key is used for PSK handshake processing between the client and the server, the digital signature information is used for encrypting the digest information, the digest information is used for identity authentication of the server by the client, and the storage indication information is used for indicating the client to store the key into the internal memory and store the key and the digital signature information into the external memory.
In specific implementation, the server can encrypt the digest information of the key to obtain digital signature information, and the server can send the key, the digital signature information and the storage indication information to the client in a 1-RTT ECDH handshake. The key for encrypting the digest information is stored in the server, and the third-party platform cannot acquire the key for decrypting the digital signature information, so that even if the third-party platform acquires the digital signature information in the client, the third-party platform cannot decrypt the digital signature information to obtain the digest information.
S202, the client stores the key into the internal memory according to the storage indication information and stores the key and the digital signature information into the external memory.
S203, when the key does not exist in the internal memory, the client sends handshake mode request information to the server, and the handshake mode request information carries digital signature information.
In the specific implementation, since the access rate of the key in the internal memory is high, but the key in the internal memory is easy to lose, when the client needs to establish session connection with the server, it can be detected whether the key for performing PSK handshake processing with the server exists in the internal memory, and when the key exists in the internal memory, the client can send a PSK handshake request to the server according to the key in the internal memory, so as to perform PSK handshake with the server.
Taking the schematic flow chart of the handshake processing method shown in Fig. 3 as an example, when the key does not exist in the internal memory, the client may perform a 1-RTT ECDH handshake with the server, and send handshake mode request information to the server in the 1-RTT ECDH handshake, where the handshake mode request information includes a PSK handshake mode, an ECDH handshake mode, and digital signature information. As shown in Fig. 3, the ECDH handshake mode may be as follows:
ECDH Ciphersuite
Certificate_Public_Key
Client_Ecdh_Public_Value
Client_Ecdh_Private_Value
The PSK handshake mode may be as follows:
PSK Ciphersuite
REFRESH_PSK=Key,Ticket{Key,Mac_Key},Mac_value
The client searches for the digital signature information of the key in the external memory, and sends the digital signature information, namely Client_Ecdh_Public_Value, to the server.
S204, when the current load of the server is greater than the preset threshold value, the server decrypts the digital signature information to obtain the digest information.
In the specific implementation, the ECDH handshake has higher security but a larger performance loss and a higher required load, while the load required by the PSK handshake is smaller. Performing PSK handshake processing between the server and the client when the current load of the server is high can therefore improve the effectiveness of the handshake processing, and performing ECDH handshake processing between the server and the client when the current load of the server is low can improve the reliability of the handshake processing. Therefore, after the server receives the handshake mode request information, it may detect whether the current load of the server is greater than a preset threshold, and when the current load of the server is greater than the preset threshold, the server may look up the key for decrypting the digital signature information in a memory of the server and decrypt the digital signature information according to that key to obtain the digest information. Taking the flow diagram of the handshake processing method shown in Fig. 3 as an example, after the server receives the digital signature information Ticket{Key, Mac_Key}, the server may decrypt the digital signature information to obtain the digest information Mac_Key (i.e., Mac_Key = Decrypt(Ticket{Key, Mac_Key}, Ticket_Key)). Ticket_Key is the key used for encrypting and decrypting the digital signature information.
Optionally, when the current load of the server is less than or equal to the preset threshold, the server may generate ECDH handshake mode response information, and send the ECDH handshake mode response information to the client, so that ECDH handshake processing is performed between the client and the server.
S205, the server sends the digest information to the client.
S206, the client processes the preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result.
The client can process the preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result. The preset handshake indication information may be sent by the server to the client in a 1-RTT ECDH handshake, and the handshake indication information is used to indicate that the server determines to perform PSK handshake processing with the client. Optionally, the handshake indication information may be generated and sent to the client when the server detects that the current load of the server is greater than a preset threshold. The preset digest algorithm may include an MD5 algorithm or an SHA algorithm, etc.
Taking the flow diagram of the handshake processing method shown in fig. 3 as an example, the client processes the preset handshake indication information and the digest information based on the preset digest algorithm to obtain a processing result, which may be as follows:
Cal_Mac_Value==HMAC(Key,Mac_Key)
S207, when the current load of the server is greater than a preset threshold value, the server processes the handshake indication information and the digest information based on a preset digest algorithm to obtain handshake identification information.
Optionally, the handshake identification information may be sent to the client by the server in a 1-RTT ECDH handshake, that is, in the 1-RTT ECDH handshake, the server processes handshake indication information and digest information based on a preset digest algorithm to obtain handshake identification information, and sends the handshake identification information to the client through the 1-RTT ECDH handshake.
S208, the server sends the handshake identification information to the client.
S209, when the processing result is the same as the handshake identification information, the client sends a PSK handshake request to the server according to the key in the external memory, so as to perform PSK handshake processing with the server.
When the processing result is the same as the handshake identification information, the client may determine that the authentication of the server is successful, and the client may send a PSK handshake request to the server according to the key in the external memory to perform PSK handshake processing with the server. Taking the schematic flow chart of the handshake processing method shown in fig. 3 as an example, when the processing result is the same as the handshake identification information, the client sends a PSK handshake request to the server according to the key in the external memory, so as to perform PSK handshake processing with the server, as follows:
If Mac_Value==Cal_Mac_Value then accept PSK Ciphersuite
S210, a session connection is established between the client and the server.
In the handshake processing method of the embodiment of the invention, the client sends the digital signature information of the key to the server, the server decrypts the digital signature information to obtain the digest information, the client receives the digest information sent by the server and processes the preset handshake indication information and the digest information based on the preset digest algorithm to obtain the processing result, and when the processing result is the same as the handshake identification information sent by the server, the client performs PSK handshake processing with the server according to the key, so that the security and reliability of the PSK handshake processing can be improved.
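The S201 to S210 flow above, simulated with both sides' messages as an added example (not code from the patent). Assumptions: HMAC-SHA-256 as the preset digest algorithm, keyed with Key over the indication and Mac_Key; a standard-library encrypt-then-MAC stand-in for the ticket cipher; a random Mac_Key; the indication value b"PSK"; the class, field and load-threshold names are hypothetical.

```python
import hashlib
import hmac
import secrets

PSK_INDICATION = b"PSK"  # handshake indication information; the value is an assumption


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenated parts (the 'preset digest algorithm' here)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _stream(ticket_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_mac(ticket_key, b"enc", nonce, bytes([i])) for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(ticket_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a real AEAD such as AES-GCM (stdlib only)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ticket_key, nonce, len(plaintext))))
    return nonce + ct + _mac(ticket_key, b"tag", nonce, ct)


def unseal(ticket_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(ticket_key, b"tag", nonce, ct)):
        raise ValueError("ticket failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _stream(ticket_key, nonce, len(ct))))


class Server:
    def __init__(self, load: float, threshold: float = 0.7):
        self.ticket_key = secrets.token_bytes(32)  # Ticket_Key never leaves the server
        self.load, self.threshold = load, threshold

    def issue(self):
        """S201: hand out Key and Ticket{Key, Mac_Key} for the client to store."""
        key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
        return key, seal(self.ticket_key, key + mac_key)

    def answer_mode_request(self, ticket: bytes) -> dict:
        """S204-S208: pick the handshake mode; for PSK, reveal Mac_Key and Mac_Value."""
        if self.load <= self.threshold:
            return {"mode": "ECDH"}
        plain = unseal(self.ticket_key, ticket)
        key, mac_key = plain[:32], plain[32:]
        return {"mode": "PSK", "indication": PSK_INDICATION, "mac_key": mac_key,
                "mac_value": _mac(key, PSK_INDICATION, mac_key)}


class Impostor:
    """Third-party platform: has a copied ticket, but neither Ticket_Key nor Key."""

    def answer_mode_request(self, ticket: bytes) -> dict:
        mac_key, guessed_key = secrets.token_bytes(32), secrets.token_bytes(32)
        return {"mode": "PSK", "indication": PSK_INDICATION, "mac_key": mac_key,
                "mac_value": _mac(guessed_key, PSK_INDICATION, mac_key)}


class Client:
    def __init__(self, key: bytes, ticket: bytes):
        self.external = {"key": key, "ticket": ticket}  # S202: persistent copy
        self.internal = {"key": key}                    # S202: cached copy

    def crash(self) -> None:
        self.internal.clear()  # the cached key is lost when the process exits

    def connect(self, peer) -> str:
        if "key" in self.internal:
            return "PSK (cached key)"
        reply = peer.answer_mode_request(self.external["ticket"])  # S203
        if reply["mode"] != "PSK":
            return "ECDH"
        # S206: Cal_Mac_Value from the stored Key and the Mac_Key the peer revealed.
        cal = _mac(self.external["key"], reply["indication"], reply["mac_key"])
        # S209: constant-time comparison with the Mac_Value the peer sent.
        if hmac.compare_digest(cal, reply["mac_value"]):
            return "PSK (server verified)"
        return "REJECT"


def demo() -> list:
    server = Server(load=0.9)
    client = Client(*server.issue())
    results = [client.connect(server)]          # key still cached
    client.crash()
    results.append(client.connect(server))      # busy server: verified PSK
    results.append(client.connect(Impostor()))  # cannot produce a matching Mac_Value
    server.load = 0.2
    results.append(client.connect(server))      # idle server: falls back to ECDH
    return results


if __name__ == "__main__":
    print(demo())
```

In this model the check rejects any peer that does not know Key, so it is only as strong as the confidentiality of the Key copy in external memory.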
Referring to fig. 4, fig. 4 is a schematic structural diagram of a client according to an embodiment of the present invention, as shown in the figure, the client in the embodiment at least includes a signature information sending unit 401, a digest information receiving unit 402, a processing result obtaining unit 403, and a handshake request sending unit 404, where:
a signature information sending unit 401, configured to send digital signature information of a key used for performing PSK handshake to a server.
A digest information receiving unit 402, configured to receive digest information included in the digital signature information sent by the server, where the digest information is obtained by decrypting the digital signature information by the server.
A processing result obtaining unit 403, configured to process preset handshake indication information and the digest information based on a preset digest algorithm, to obtain a processing result, where the handshake indication information is used to indicate that PSK handshake is performed with the server.
A handshake request sending unit 404, configured to send, when the processing result is the same as handshake identification information sent by the server, a PSK handshake request to the server according to the key, so as to perform PSK handshake processing with the server, where the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
Optionally, the client according to the embodiment of the present invention may further include:
a detecting unit 405, configured to detect whether the key exists in the internal memory before the signature information sending unit 401 sends the digital signature information to the server.
A signature information obtaining unit 406, configured to obtain digital signature information of the key in an external memory when the key does not exist in the internal memory.
A handshake request sending unit 404, configured to send, when the key exists in the internal memory, a PSK handshake request to the server according to the key in the internal memory, so as to perform PSK handshake processing with the server.
Optionally, the client according to the embodiment of the present invention may further include:
a detection unit 405 for detecting whether the key is present in the internal memory.
A request information sending unit 407, configured to send handshake mode request information to the server when the key does not exist in the internal memory, so that the server generates handshake indication information when detecting that the current load of the server is greater than a preset threshold, where the server processes the handshake indication information and the digest information based on the digest algorithm to obtain the handshake identification information.
An identification information receiving unit 408, configured to receive the handshake identification information sent by the server.
Optionally, the client according to the embodiment of the present invention may further include:
a response information receiving unit 409, configured to receive elliptic curve key ECDH handshake mode response information sent by the server after the request information sending unit 407 sends handshake mode request information to the server, where the ECDH handshake mode response information is generated when the server detects that the current load of the server is less than or equal to the preset threshold.
And a handshake processing unit 410, configured to perform ECDH handshake processing with the server.
Optionally, the client according to the embodiment of the present invention may further include:
a key receiving unit 411, configured to receive the key, the digital signature information, and storage indication information thereof sent by the server before the signature information sending unit 401 sends the digital signature information to the server, where the digital signature information is obtained by encrypting the digest information by the server.
A storage unit 412, configured to store the key to the internal memory according to the storage indication information, and store the key and the digital signature information to the external memory.
In this embodiment of the present invention, the signature information sending unit 401 sends the digital signature information to the server, the digest information receiving unit 402 receives digest information included in the digital signature information sent by the server, and the processing result obtaining unit 403 processes the preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result. When the processing result is the same as the handshake identification information sent by the server, the handshake request sending unit 404 sends a PSK handshake request to the server according to the key to perform PSK handshake processing with the server, so that the security and reliability of handshake processing can be improved.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention. The terminal according to the embodiment of the present invention may be used to implement the method according to the embodiment of the present invention shown in fig. 2. For convenience of description, only the part related to the embodiment of the present invention is shown; for specific technical details that are not disclosed, refer to the embodiment of the present invention shown in fig. 2.
As shown in fig. 5, the terminal includes: at least one processor 501, such as a CPU, at least one input device 503, at least one output device 504, memory 505, at least one communication bus 502. Wherein a communication bus 502 is used to enable connective communication between these components. The input device 503 may be a network interface, and is configured to receive digest information included in the digital signature information sent by the server. The output device 504 may be specifically a network interface, and is configured to send the digital signature information to the server. The internal memory 505 may include a RAM memory or a ROM memory, and the like, and is specifically used for storing the key. The external memory 506 may further include a non-volatile memory, such as at least one disk memory, for storing the key and the digital signature information. The internal memory 505 or the external memory 506 may optionally comprise at least one memory device located remotely from the aforementioned processor 501. The processor 501 may be incorporated in the client shown in fig. 4. A set of program codes is stored in the internal memory 505, and the processor 501, the input device 503 and the output device 504 call the program codes stored in the internal memory 505 for performing the following operations:
the output means 504 transmits the digital signature information of the key used for PSK handshake to the server.
The input device 503 receives digest information included in the digital signature information transmitted by the server, and the digest information is obtained by decrypting the digital signature information by the server.
The processor 501 processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, where the handshake indication information is used to indicate PSK handshake with the server.
When the processing result is the same as the handshake identification information sent by the server, the output device 504 sends a PSK handshake request to the server according to the key to perform PSK handshake processing with the server, where the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
Optionally, before the output device 504 sends the digital signature information of the key for performing the PSK handshake to the server, the following operations may be performed:
the processor 501 detects whether a key is present in the internal memory 505.
When the key does not exist in the internal memory 505, the digital signature information of the key is acquired in the external memory 506.
When the key exists in the internal memory 505, the output device 504 sends a PSK handshake request to the server according to the key in the internal memory to perform PSK handshake processing with the server.
Optionally, the processor 501 may further perform the following operations:
it is detected whether a key is present in the internal memory 505.
When the key does not exist in the internal memory 505, the output device 504 sends handshake mode request information to the server, so that the server generates handshake indication information when detecting that the current load of the server is greater than a preset threshold, and the server processes the handshake indication information and the digest information based on the digest algorithm to obtain the handshake identification information.
The input device 503 receives the handshake identification information sent by the server.
Optionally, after the output device 504 sends the handshake mode request information to the server when the key does not exist in the internal memory, the following operations may be further performed:
the input device 503 receives ECDH handshake mode response information sent by the server, where the ECDH handshake mode response information is generated when the server detects that the current load of the server is less than or equal to the preset threshold.
The ECDH handshake process is performed between the processor 501 and the server.
Optionally, before the output device 504 sends the digital signature information of the key for performing the PSK handshake to the server, the following operations may be performed:
the input device 503 receives the key, the digital signature information and the storage indication information thereof sent by the server, wherein the digital signature information is obtained by encrypting the digest information by the server.
The processor 501 stores the key to the internal memory according to the storage indication information, and stores the key and the digital signature information to the external memory.
Specifically, the terminal described in the embodiment of the present invention may be used to implement part or all of the flow in the embodiment of the method described in conjunction with fig. 2 of the present invention.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a server provided in the embodiment of the present invention, and as shown in the diagram, the server in the embodiment at least may include a signature information receiving unit 601, a digest information sending unit 602, a handshake request receiving unit 603, and a handshake processing unit 604, where:
a signature information receiving unit 601, configured to receive digital signature information of a key used for performing pre-shared key PSK handshake sent by a client.
A digest information sending unit 602, configured to decrypt the digital signature information to obtain digest information included in the digital signature information, and send the digest information to the client, so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result.
A handshake request receiving unit 603, configured to receive a PSK handshake request sent by the client according to the key, where the PSK handshake request is generated and sent when the client determines that the processing result is the same as the handshake identification information received by the client.
A handshake processing unit 604, configured to perform PSK handshake processing with the client.
Optionally, the server in the embodiment of the present invention may further include:
a request information receiving unit 605, configured to receive handshake mode request information sent by the client, where the handshake mode request information is generated when the client detects that the key does not exist in the internal memory of the client.
A detecting unit 606, configured to detect whether the current load is greater than a preset threshold.
An indication information sending unit 607, configured to generate the handshake indication information and send the handshake indication information to the client when the current load is greater than the preset threshold.
Optionally, the server in the embodiment of the present invention may further include:
an identification information obtaining unit 608, configured to process the handshake mode indication information and the digest information according to the digest algorithm to obtain handshake identification information.
An identification information sending unit 609, configured to send the handshake identification information to the client.
Optionally, the server in the embodiment of the present invention may further include:
the response information sending unit 610 is configured to generate elliptic curve key ECDH handshake mode response information when the current load is less than or equal to the preset threshold, and send the ECDH handshake mode response information to the client.
The handshake processing unit 604 is further configured to perform ECDH handshake processing with the client.
Optionally, the server in the embodiment of the present invention may further include:
a key sending unit 611, configured to send the key, the digital signature information, and storage indication information thereof to the client before the signature information receiving unit 601 receives the digital signature information sent by the client, so that the client stores the key into the internal memory according to the storage indication information, and stores the key and the digital signature information into the external memory.
In the embodiment of the present invention, the signature information receiving unit 601 receives digital signature information sent by a client, and the digest information sending unit 602 decrypts the digital signature information to obtain digest information and sends the digest information to the client, so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result. The handshake request receiving unit 603 receives a PSK handshake request sent by the client according to the key, where the PSK handshake request is generated and sent when the client determines that the processing result is the same as handshake identification information received by the client, and the handshake processing unit 604 performs PSK handshake processing with the client, which can improve the security and reliability of handshake processing.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention. The server according to the embodiment of the present invention may be used to implement the method shown in fig. 2 according to the embodiment of the present invention. For convenience of description, only the part related to the embodiment of the present invention is shown; for specific technical details that are not disclosed, refer to the embodiment of the present invention shown in fig. 2.
As shown in fig. 7, the server includes: at least one processor 701, such as a CPU, at least one input device 703, at least one output device 704, memory 705, at least one communication bus 702. The communication bus 702 is used to enable connective communication between these components. The input device 703 may be specifically a network interface, and is configured to receive digital signature information sent by a client. The output device 704 may specifically be a network interface, and is configured to send the digest information to the client. The memory 705 may include a RAM memory, and may further include a non-volatile memory, such as at least one disk memory, for storing handshake identification information. The memory 705 may optionally include at least one memory device located remotely from the processor 701. A set of program codes is stored in the memory 705, and the processor 701, the input device 703 and the output device 704 call the program codes stored in the memory 705 for performing the following operations:
the input device 703 receives digital signature information of a key for PSK handshake sent by the client.
The processor 701 decrypts the digital signature information to obtain the digest information included in the digital signature information, and the output device 704 sends the digest information to the client, so that the client processes the preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result.
Input device 703 receives a PSK handshake request sent by the client according to the key, where the PSK handshake request is generated and sent when the client determines that the processing result is the same as the handshake identification information received by the client.
PSK handshake processing is performed between the processor 701 and the client.
Optionally, the input device 703 may further perform the following operations:
receiving handshake mode request information sent by the client, wherein the handshake mode request information is generated when the client detects that the key does not exist in an internal memory of the client.
The processor 701 detects whether the current load is greater than a preset threshold.
When the current load is greater than the preset threshold, the processor 701 generates the handshake indication information, and the output device 704 sends the handshake indication information to the client.
Optionally, the processor 701 may also perform the following operations:
processing the handshake mode indication information and the digest information according to the digest algorithm to obtain handshake identification information.
The output device 704 sends the handshake identification information to the client.
In alternative embodiments, processor 701 may also perform the following operations:
when the current load is less than or equal to the preset threshold, ECDH handshake mode response information is generated, and the output device 704 sends the ECDH handshake mode response information to the client.
The ECDH handshake processing is performed between the processor 701 and the client.
Optionally, before the input device 703 receives the digital signature information of the key used for PSK handshake sent by the client, the following operations may be performed:
the output device 704 sends the key, the digital signature information and the storage indication information thereof to the client, so that the client stores the key into the internal memory according to the storage indication information and stores the key and the digital signature information into the external memory.
Specifically, the server described in the embodiment of the present invention may be used to implement part or all of the flow in the embodiment of the method described in conjunction with fig. 2 of the present invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited by the scope of the appended claims.

Claims (24)

1. A method for handshake processing, comprising:
sending digital signature information of a key for carrying out pre-shared key PSK handshake to a server;
receiving digest information contained in the digital signature information sent by the server, wherein the digest information is obtained by decrypting the digital signature information by the server;
processing preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information is used for indicating PSK handshake with the server;
and when the processing result is the same as handshake identification information sent by the server, sending a PSK handshake request to the server according to the key so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
2. The method of claim 1, wherein before sending the digitally signed information of the key used for the PSK handshake to the server, further comprising:
detecting whether the key exists in an internal memory;
when the key does not exist in the internal memory, acquiring digital signature information of the key in an external memory;
and when the key exists in the internal memory, sending a PSK handshake request to the server according to the key in the internal memory so as to perform PSK handshake processing with the server.
3. The method of claim 1, further comprising:
detecting whether the key exists in an internal memory;
when the key does not exist in the internal memory, sending handshake mode request information to the server so that the server generates handshake indication information when detecting that the current load of the server is greater than a preset threshold value, and processing the handshake indication information and the digest information by the server based on the digest algorithm to obtain handshake identification information;
and receiving the handshake identification information sent by the server.
4. The method of claim 3, wherein after sending handshake mode request information to the server when the key is not present in the internal memory, the method further comprises:
receiving ECDH handshake mode response information sent by the server, wherein the ECDH handshake mode response information is generated when the server detects that the current load of the server is smaller than or equal to the preset threshold value;
and performing ECDH handshake processing with the server.
5. The method of claim 1, wherein before sending the digitally signed information of the key used for the PSK handshake to the server, further comprising:
receiving the key, the digital signature information and storage indication information thereof sent by the server, wherein the digital signature information is obtained by encrypting the digest information by the server;
and storing the key into an internal memory according to the storage indication information, and storing the key and the digital signature information into an external memory.
6. A method for handshake processing, comprising:
receiving digital signature information of a key for carrying out pre-shared key PSK handshake sent by a client;
decrypting the digital signature information to obtain digest information contained in the digital signature information, and sending the digest information to the client so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information is used for indicating PSK handshake between the client and a server;
receiving a PSK handshake request sent by the client according to the key, wherein the PSK handshake request is generated and sent when the client determines that the processing result is the same as handshake identification information received by the client, and the handshake identification information is obtained and sent by processing the handshake indication information and the digest information by the server based on the digest algorithm;
and performing PSK handshake processing between the client and the server.
7. The method of claim 6, further comprising:
receiving handshake mode request information sent by the client, wherein the handshake mode request information is generated when the client detects that the key does not exist in an internal memory of the client;
detecting whether the current load is larger than a preset threshold value or not;
and when the current load is greater than the preset threshold value, generating the handshake indication information and sending the handshake indication information to the client.
8. The method of claim 7, further comprising:
processing the handshake indication information and the digest information according to the digest algorithm to obtain handshake identification information;
and sending the handshake identification information to the client.
9. The method of claim 7, further comprising:
when the current load is smaller than or equal to the preset threshold, generating response information of an elliptic curve key ECDH handshake mode, and sending the response information of the ECDH handshake mode to the client;
and performing ECDH handshake processing with the client.
10. The method of claim 6, wherein the receiving the digital signature information of the key for PSK handshake sent by the client further comprises:
and sending the key, the digital signature information and storage indication information thereof to the client, so that the client stores the key into an internal memory according to the storage indication information and stores the key and the digital signature information into an external memory.
11. A client, comprising:
the signature information sending unit is used for sending the digital signature information of the key for carrying out pre-shared key PSK handshake to the server;
the digest information receiving unit is used for receiving digest information contained in the digital signature information sent by the server, wherein the digest information is obtained by decrypting the digital signature information by the server;
a processing result obtaining unit, configured to process preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, where the handshake indication information is used to indicate PSK handshake with the server;
and the handshake request sending unit is used for sending a PSK handshake request to the server according to the key when the processing result is the same as handshake identification information sent by the server so as to perform PSK handshake processing with the server, wherein the handshake identification information is obtained and sent by the server by processing the handshake indication information and the digest information based on the digest algorithm.
12. The client of claim 11, further comprising:
a detection unit configured to detect whether the key exists in an internal memory before the signature information transmission unit transmits the digital signature information to the server;
a signature information acquisition unit configured to acquire digital signature information of the key in an external memory when the key does not exist in the internal memory;
the handshake request sending unit is further configured to send, when the key exists in the internal memory, a PSK handshake request to the server according to the key in the internal memory, so as to perform PSK handshake processing with the server.
13. The client of claim 11, further comprising:
a detecting unit for detecting whether the key exists in the internal memory;
a request information sending unit, configured to send handshake mode request information to the server when the key does not exist in the internal memory, so that the server generates handshake indication information when detecting that a current load of the server is greater than a preset threshold, and the server processes the handshake indication information and the digest information based on the digest algorithm to obtain the handshake identification information;
and the identification information receiving unit is used for receiving the handshake identification information sent by the server.
14. The client of claim 13, further comprising:
a response information receiving unit, configured to receive elliptic curve key ECDH handshake mode response information sent by the server after the request information sending unit sends handshake mode request information to the server, where the ECDH handshake mode response information is generated when the server detects that a current load of the server is less than or equal to the preset threshold;
and the handshake processing unit is used for performing ECDH handshake processing with the server.
15. The client of claim 11, further comprising:
a key receiving unit, configured to receive the key, the digital signature information, and storage indication information thereof sent by the server before the signature information sending unit sends the digital signature information to the server, where the digital signature information is obtained by encrypting the digest information by the server;
and the storage unit is used for storing the key into an internal memory according to the storage indication information and storing the key and the digital signature information into an external memory.
16. A server, comprising:
the signature information receiving unit is used for receiving digital signature information of a key used for carrying out pre-shared key PSK handshake sent by a client;
the digest information sending unit is used for decrypting the digital signature information to obtain digest information contained in the digital signature information, and sending the digest information to the client so that the client processes preset handshake indication information and the digest information based on a preset digest algorithm to obtain a processing result, wherein the handshake indication information is used for indicating PSK handshake between the client and the server;
a handshake request receiving unit, configured to receive a PSK handshake request sent by the client according to the key, where the PSK handshake request is generated and sent when the client determines that the processing result is the same as handshake identification information received by the client, and the handshake identification information is obtained and sent by processing, by the server, the handshake indication information and the digest information based on the digest algorithm;
and the handshake processing unit is used for carrying out PSK handshake processing with the client.
17. The server of claim 16, further comprising:
a request information receiving unit, configured to receive handshake mode request information sent by the client, where the handshake mode request information is generated when the client detects that the key does not exist in an internal memory of the client;
the detection unit is used for detecting whether the current load is larger than a preset threshold value or not;
and the indication information sending unit is used for generating the handshake indication information and sending the handshake indication information to the client when the current load is greater than the preset threshold.
18. The server of claim 17, further comprising:
the identification information acquisition unit is used for processing the handshake indication information and the digest information according to the digest algorithm to obtain the handshake identification information;
and the identification information sending unit is used for sending the handshake identification information to the client.
19. The server of claim 17, further comprising:
the response information sending unit is used for generating response information of an elliptic-curve Diffie-Hellman (ECDH) handshake mode when the current load is smaller than or equal to the preset threshold, and sending the response information of the ECDH handshake mode to the client;
the handshake processing unit is further configured to perform ECDH handshake processing with the client.
20. The server of claim 16, further comprising:
and the key sending unit is used for sending the key, the digital signature information and storage indication information thereof to the client before the signature information receiving unit receives the digital signature information sent by the client, so that the client stores the key into an internal memory according to the storage indication information and stores the key and the digital signature information into an external memory.
21. A terminal, characterized in that the terminal comprises:
a memory for storing program code;
a processor for calling the program code stored in the memory to execute the handshake processing method according to any one of claims 1 to 5.
22. A server, characterized in that the server comprises:
a memory for storing program code;
a processor for calling the program code stored in the memory to execute the handshake processing method according to any one of claims 6 to 10.
23. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a terminal, cause the terminal to execute the handshake processing method according to any one of claims 1 to 5.
24. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a server, cause the server to execute the handshake processing method according to any one of claims 6 to 10.
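The server-side mode decision of claims 17 to 19 and the client-side comparison recited in claim 16, as an added Python sketch that is not part of the patent. SHA-256 as the digest algorithm, the length-prefixed encoding, the message field names and the sample key are assumptions, and the signature decryption step is replaced by a digest computed directly from a constructed key.

```python
import hashlib
import hmac

PSK_MODE, ECDH_MODE = "PSK", "ECDH"  # assumed encoding of indication/response values
# Constructed sample: stands in for the digest recovered from the digital signature.
SAMPLE_DIGEST = hashlib.sha256(b"constructed-sample-psk").digest()

def choose_mode(current_load, threshold):
    """Claims 17 and 19: PSK only when load is strictly above the threshold."""
    return PSK_MODE if current_load > threshold else ECDH_MODE

def handshake_id(indication, digest_info):
    """Claim 18: digest over indication + digest information.
    Length prefixes (an assumption) keep the two fields unambiguous."""
    h = hashlib.sha256()
    for part in (indication.encode(), digest_info):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def server_respond(current_load, threshold, digest_info):
    """Build the server's reply to a handshake mode request."""
    if choose_mode(current_load, threshold) == ECDH_MODE:
        return {"mode": ECDH_MODE}
    return {
        "mode": PSK_MODE,
        "digest": digest_info,
        "handshake_id": handshake_id(PSK_MODE, digest_info),
    }

def client_accepts(msg, preset_indication=PSK_MODE):
    """Claim 16: send the PSK handshake request only if the locally computed
    result equals the handshake identification information from the server."""
    if msg.get("mode") != PSK_MODE:
        return False
    expected = handshake_id(preset_indication, msg["digest"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, msg["handshake_id"])

if __name__ == "__main__":
    reply = server_respond(current_load=95, threshold=80, digest_info=SAMPLE_DIGEST)
    print(reply["mode"], client_accepts(reply))
```

In this sketch the digest is unkeyed, so the comparison only shows that the digest and the identification value agree; possession of the key is demonstrated by the PSK handshake that follows.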
CN201610563372.4A 2016-07-15 2016-07-15 Handshake processing method, client and server Active CN107623571B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610563372.4A CN107623571B (en) 2016-07-15 2016-07-15 Handshake processing method, client and server

Publications (2)

Publication Number Publication Date
CN107623571A CN107623571A (en) 2018-01-23
CN107623571B CN107623571B (en) 2020-10-09

Family

ID=61087654

Country Status (1)

Country Link
CN (1) CN107623571B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant