CN108847938A - A kind of connection method for building up and device - Google Patents
A kind of connection method for building up and device Download PDFInfo
- Publication number
- CN108847938A CN108847938A CN201811148085.2A CN201811148085A CN108847938A CN 108847938 A CN108847938 A CN 108847938A CN 201811148085 A CN201811148085 A CN 201811148085A CN 108847938 A CN108847938 A CN 108847938A
- Authority
- CN
- China
- Prior art keywords
- terminal
- server
- random string
- cryptographic hash
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
The embodiment of the invention discloses a kind of connection method for building up and devices, including:Request is established in the connection for carrying terminal iidentification that server receiving terminal is sent;According to the pre-generated random string of public key encryption corresponding with terminal iidentification and encrypted random string is sent to terminal;Receive the first cryptographic Hash that terminal is sent;Wherein, the first cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal;Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that since server and terminal realize mutual authentication, terminal identity is forged so as to avoid attacker and server establishes connection, ensure that network security.
Description
Technical field
The present embodiments relate to Internet technical field more particularly to a kind of connection method for building up and device.
Background technique
Request is established in server needs to receive terminal with terminal connection before being communicated, is then asked to initiating the connection foundation
The terminal asked carries out authentication, when authentication by after with terminal establish connection.
In the related technology, terminal is according to the public key of server to the user name of the server being written in itself in advance and close
Code is encrypted to obtain encryption information, and encryption information is then sent to server, server according to private key pair encryption information into
Row decryption obtains username and password, and then compared with the username and password of itself storage, if the same determines that terminal is logical
Verifying is crossed, to establish connection with terminal.
However, since this method is the username and password progress terminal identity verifying based on server, once clothes
The username and password leakage of business device is obtained by attacker, and attacker, which can forge terminal identity and initiate the connection foundation to server, to be asked
It asks, and since attacker possesses the username and password of server, inherently passes through the authentication of server, success
Connection is established with server, thus the hidden danger in terms of causing network security.
Summary of the invention
In order to solve the above-mentioned technical problem, the embodiment of the present invention provides a kind of connection method for building up and device, can be avoided
Attacker forges terminal identity and server establishes connection, guarantees network security.
In order to reach purpose of the embodiment of the present invention, the embodiment of the invention provides a kind of connection method for building up, including:
Request is established in the connection for carrying the terminal iidentification that server receiving terminal is sent;
The random string that the server is pre-generated according to public key encryption corresponding with the terminal iidentification, is added
Random string after close;
Encrypted random string is sent to the terminal by the server;
The server receives the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash is the terminal
Hash operation acquisition is carried out to session sequence number and the random string according to default hash function;
The server breathes out the session sequence number and the random string according to the default hash function
Uncommon budget, obtains the second cryptographic Hash;
When first cryptographic Hash is identical with second cryptographic Hash, the server and the terminal establish connection.
The random string that the server is pre-generated according to public key encryption corresponding with terminal iidentification, including:
The server is according to the corresponding relationship of the terminal iidentification and public key information that pre-establish from the public key set of storage
It is middle to obtain public key corresponding with the terminal iidentification obtained;
The server generates random string according to preset algorithm;
The server encrypts the random string of generation according to the public key of acquisition.
The connection for carrying terminal iidentification that the server receiving terminal is sent is established before request, further includes:
The server receives and stores the public key that the terminal is sent.
The embodiment of the invention also provides a kind of connection method for building up, which is characterized in that including:
Terminal to server sends the connection foundation request for carrying the terminal iidentification;
The terminal receives the encrypted random string that the server is sent;Wherein, described encrypted random
Character string is what the server was obtained according to the public key encryption random string of the terminal;
The terminal decrypts the encrypted random string according to private key, obtains the random string;
The terminal carries out Hash operation according to random string of the default hash function to session sequence number and acquisition, obtains
To the first cryptographic Hash;
First cryptographic Hash is sent to the server by the terminal, so that the server is verifying described the
Connection is established with the terminal after one cryptographic Hash is correct.
Before the terminal to server sends the connection foundation request for carrying terminal iidentification, further include:
The terminal sends the public key of the terminal to the server.
After first cryptographic Hash is sent to server by the terminal, further include:
The terminal and the server establish session channel;
The terminal is scanned verifying to the configuration information on the server on the session channel of foundation.
The embodiment of the invention provides a kind of servers, including:
Request is established in first receiving module, the connection for carrying the terminal iidentification for receiving terminal transmission;
First processing module, the random character for being pre-generated according to public key encryption corresponding with the terminal iidentification
String, obtains encrypted random string;
First sending module, for encrypted random string to be sent to the terminal;
First receiving module is also used to receive the first cryptographic Hash that the terminal is sent;Wherein, first Hash
Value carries out Hash operation acquisition to session sequence number and the random string according to default hash function for the terminal;
The first processing module is also used to according to the default hash function to the session sequence number and described random
Character string carries out Hash budget, obtains the second cryptographic Hash;
The first processing module is also used to when first cryptographic Hash is identical with second cryptographic Hash, and described
Terminal establishes connection.
The first processing module is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
The corresponding public key of terminal iidentification obtained;
Random string is generated according to preset algorithm;
It is encrypted according to random string of the public key of acquisition to generation, obtains encrypted random string.
The embodiment of the invention provides a kind of terminals, including:
Second sending module, for sending the connection foundation request for carrying the terminal iidentification to server;
Second receiving module, the encrypted random string sent for receiving the server;Wherein, the encryption
Random string afterwards is what the server was obtained according to the public key encryption random string of the terminal;
Second processing module obtains the random character for decrypting the encrypted random string according to private key
String;
The Second processing module is also used to the random string according to default hash function to session sequence number and acquisition
Hash operation is carried out, the first cryptographic Hash is obtained;
Second sending module is also used to first cryptographic Hash being sent to the server, so that the clothes
Business device establishes connection with the terminal after verifying first cryptographic Hash correctly.
The Second processing module is also used to establish session channel with the server;
The Second processing module is also used to carry out the configuration information on the server on the session channel of foundation
Scanning validation.
Compared with prior art, the embodiment of the present invention includes at least:What server receiving terminal was sent carries terminal mark
Request is established in the connection of knowledge;According to the random string that public key encryption corresponding with terminal iidentification pre-generates, after obtaining encryption
Random string;Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Its
In, the first cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal
's;Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When first
When cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that due to
Server is based on random string and has carried out authentication to terminal, and the dialogue-based sequence number of terminal and random string are to service
Device has carried out authentication, therefore server and terminal realize mutual authentication, forges terminal identity so as to avoid attacker
Connection is established with server, ensure that network security.
The other feature and advantage of the embodiment of the present invention will illustrate in the following description, also, partly from explanation
It is become apparent in book, or understood by implementing the embodiment of the present invention.The purpose of the embodiment of the present invention and other advantages
It can be achieved and obtained by structure specifically noted in the specification, claims and drawings.
Detailed description of the invention
Attached drawing is used to provide one for further understanding technical solution of the embodiment of the present invention, and constituting specification
Point, it is used to explain the present invention the technical solution of embodiment together with embodiments herein, does not constitute to the embodiment of the present invention
The limitation of technical solution.
Fig. 1 is a kind of flow diagram for connecting method for building up provided in an embodiment of the present invention;
Fig. 2 is the flow diagram of another connection method for building up provided in an embodiment of the present invention;
Fig. 3 is terminal/server structural schematic diagram provided in an embodiment of the present invention;
Fig. 4 is the flow diagram of another connection method for building up provided in an embodiment of the present invention;
Fig. 5 is a kind of structural schematic diagram of server provided in an embodiment of the present invention;
Fig. 6 is a kind of structural schematic diagram of terminal provided in an embodiment of the present invention.
Specific embodiment
Understand in order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with attached drawing pair
The embodiment of the embodiment of the present invention is described in detail.It should be noted that in the absence of conflict, the implementation in the application
Feature in example and embodiment can mutual any combination.
The embodiment of the present invention provides a kind of connection method for building up, as shown in Figure 1, this method includes:
Request is established in the connection for carrying terminal iidentification that step 101, server receiving terminal are sent.
Specifically, terminal iidentification is used for the identity of unique identification terminal, terminal iidentification can be the identity recognition number of terminal
(IDentification, ID).
The random string that step 102, server are pre-generated according to public key encryption corresponding with terminal iidentification, is added
Random string after close.
Encrypted random string is sent to terminal by step 103, server.
The first cryptographic Hash that step 104, server receiving terminal are sent.
Wherein, the first cryptographic Hash carries out Hash to session sequence number and random string according to default hash function for terminal
What operation obtained.
Step 105, server carry out Hash budget to session sequence number and random string according to default hash function, obtain
To the second cryptographic Hash.
Specifically, session sequence number is that server passes through application programming interface (Application Programming
Interface, API) obtained from bottom.Default hash function can be the 5th edition Message Digest 5 (Message-
Digest Algorithm 5th, MD5).
Step 106, when the first cryptographic Hash is identical with the second cryptographic Hash, server and terminal establish connection.
Method for building up is connected provided by the embodiment of the present invention, what server receiving terminal was sent carries terminal iidentification
Request is established in connection;According to public key encryption corresponding with terminal iidentification pre-generate random string, obtain it is encrypted with
Machine character string;Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Wherein,
First cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal;Root
Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When the first Hash
When being worth identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that due to service
Device be based on random string to terminal carried out authentication, the dialogue-based sequence number of terminal and random string to server into
It has gone authentication, therefore server and terminal realize mutual authentication, has forged terminal identity and clothes so as to avoid attacker
Business device establishes connection, ensure that network security.
Optionally, the random string that server is pre-generated according to public key encryption corresponding with terminal iidentification, including:
Step 102a, server is according to the corresponding relationship of the terminal iidentification and public key information that pre-establish from the public key of storage
Public key corresponding with the terminal iidentification obtained is obtained in set.
Step 102b, server generates random string according to preset algorithm.
Step 102c, server encrypts the random string of generation according to the public key of acquisition.
Optionally, the connection for carrying terminal iidentification that server receiving terminal is sent is established before request, further includes:
Step 107, server receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of connection method for building up, as shown in Fig. 2, this method includes:
Step 201, terminal to server send the connection foundation request for carrying terminal iidentification.
Step 202, terminal receive the encrypted random string that server is sent.
Wherein, encrypted random string is what server was obtained according to the public key encryption random string of terminal.
Step 203, terminal decrypt encrypted random string according to private key, obtain random string.
Step 204, terminal carry out Hash fortune according to random string of the default hash function to session sequence number and acquisition
It calculates, obtains the first cryptographic Hash.
First cryptographic Hash is sent to server by step 205, terminal, so that server is correct in the first cryptographic Hash of verifying
Connection is established with terminal afterwards.
Method for building up is connected provided by the embodiment of the present invention, terminal to server sends the connection for carrying terminal iidentification
Establish request;Receive the encrypted random string that server is sent;Wherein, encrypted random string is server root
It is obtained according to the public key encryption random string of terminal;Encrypted random string is decrypted according to private key, obtains random character
String;Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first cryptographic Hash;
First cryptographic Hash is sent to server, so that server is after verifying the first cryptographic Hash correctly and terminal establishes connection.From
Technical solution provided in an embodiment of the present invention as it can be seen that due to server be based on random string authentication has been carried out to terminal,
The dialogue-based sequence number of terminal and random string have carried out authentication to server, therefore server and terminal realize mutually
It mutually authenticates, forges terminal identity so as to avoid attacker and server establishes connection, ensure that network security.
Optionally, before terminal to server sends the connection foundation request for carrying terminal iidentification, further include:
Step 206, terminal to server send the public key of terminal.
Optionally, after the first cryptographic Hash is sent to server by terminal, further include:
Step 207, terminal and server establish session channel.
Step 208, terminal are scanned verifying to the configuration information on server on the session channel of foundation.
Specifically, the present embodiments relate to server to can be the safety in the server field Linux and Unix outer
The free open source of shell (Secure SHell, SSH) agreement realizes (OpenSSH) server.SSH agreement is one kind unsafe
In network environment, by encryption and authentication mechanism, the network security of the business such as safe remote access and file transmission is realized
Agreement.OpenSSH be using SSH penetrate computer network coded communication realization, be it is a increased income completely based on SSH it is long-range
Control, file transfer conveyance collection.Traditional tool such as remote terminal protocol (Telnet agreement), real time transport protocol (Real-
Time Transport Protocol, RCP) realize above-mentioned function be it is unsafe, OpenSSH provides a server and guards
Process and tool terminal come realize it is safe, encryption it is long-range control and file transfer operation, therefore completely instead of
Conventional tool.OpenSSH server program is a typical independent finger daemon (standalone daemon), operates in
On most of Linux and Unix server, the lasting connection request for listening to various terminals passes through terminal
SSH protocol remote safety logs on server.A variety of authentication modes, including password, public key and management can be used in OpenSSH
Tool Kerberostickets etc..By configure/etc/ssh/sshd_config can change the silent of OpenSSH server
Recognize behavior, the default configuration of most OpenSSH server is safety-related and preferably safe set has been provided
It sets, therefore change configures it is possible that some security risks manually.In actual server application, in addition to keep
OpenSSH keeps latest edition, squeezes into security patch immediately, while because of specific environmental difference, it may be necessary to right/etc/ssh/
Sshd_config being customized of file.When safeguard service device cluster, the OpenSSH server of different server may be deposited
In different configurations, but because of a variety of causes, more or less the having some configuration errors or omit of each server causes to occur
Security breaches just need an OpenSSH strategy batch inspection and configuration tool at this time.
Specifically, step 207, scheme provided by 208 are for the OpenSSH on common Linux and Unix server
There is preferable applicability, as shown in figure 3, the SSH protocol frame of standard uses terminal/server framework, including:Transport layer,
Authentication layers and articulamentum.Wherein, the encryption that transport layer protocol is mainly used to establish a safety between terminal and server is led to
Road provides enough Confidentiality protection for the stage more demanding to data transmission security such as user authentication, data interaction.It passes
Defeated layer protocol is normally operated in transport control protocol view/Internet Protocol (Transmission Control Protocol/
Internet Protocol, TCP/IP) on connection (well-known port number that server uses be 22), it also may operate in it
On his any data connection that can be trusted.Certification layer protocol operates on transport layer protocol, completes server to login
The certification of user.Connection layer protocol is responsible for marking off several logical channels on encrypted tunnel, to run different applications.It is transported
Row provides the services such as interactive sessions, remote command execution on certification layer protocol.It is bright that SSH agreement solves Telnet agreement
The defect of text transmission, establishes encrypted tunnel between communicating pair, guarantees that the data of transmission are not ravesdropping;It is exchanged and is calculated using key
The safety of method guarantee key itself.So-called encrypted tunnel, refer to sender before sending data, using encryption key to data into
Row encryption, then sends the data to other side;After recipient receives data, obtained from ciphertext using decruption key in plain text.
Since asymmetric key algorithm is than relatively time-consuming, generally it is chiefly used in digital signature and authentication.Data on SSH encrypted tunnel
Encryption and decryption uses symmetric key algorithm, and the algorithm mainly supported at present has data encryption standards (Data Encryption
Standard, DES), 3DES, Advanced Encryption Standard (Advanced Encryption Standard, AES) etc..
The embodiment of the present invention also provides a kind of connection method for building up, as shown in figure 4, this method includes:
Step 301, terminal generate public private key pair.
Public key is sent to server by step 302, terminal.
It should be noted that public key is stored in the file of entitled authorized_keys by server.
It should also be noted that, step 301 and step 302 belong to the preparation stage.
Log on request is sent to server by step 303, terminal.
It should be noted that including terminal iidentification in log on request.
Step 304, server obtain terminal public key.
It should be noted that server is matched to terminal according to terminal identification information in authorized_keys file
Public key pubKey.
Step 305, server use public key encryption random string, obtain encryption information.
Encryption information is sent to terminal by step 306, server.
Step 307, terminal are decrypted with the private key of oneself, obtain random string, and according to default hash function to session
Sequence number and random string carry out Hash operation and obtain the first cryptographic Hash.
First cryptographic Hash is sent to server by step 308, terminal.
Step 309, server carry out Hash operation to session sequence number and random string according to default hash function and obtain
The second cryptographic Hash is obtained, and compares the first cryptographic Hash and the second cryptographic Hash.
If step 310, the first cryptographic Hash are identical with the second cryptographic Hash, terminal successful log server, i.e. terminal are determined
Connection is established with server.
It should be noted that step 303~310 belong to login authentication process.
After successfully completing certification, terminal to server initiates service request, and request server provides certain application.
The process of service request is:
Step 1, terminal send SSH_MSG_CHANNEL_OPEN message, and request establishes session channel with server, i.e.,
session.Wherein, the requested channel type of terminal is carried in message.
After step 2, server receive SSH_MSG_CHANNEL_OPEN message, if supporting the channel type, reply
SSH_MSG_CHANNEL_OPEN_CONFIRMATION message, to establish session channel.
After step 3, session channel are established, terminal can carry out on a passage verifying scanning server with confidence
Breath.
The embodiment of the present invention also provides a kind of server, as shown in figure 5, the server 4 includes:
Request is established in first receiving module 41, the connection for carrying terminal iidentification for receiving terminal transmission.
First processing module 42, the random string for being pre-generated according to public key encryption corresponding with terminal iidentification,
Obtain encrypted random string.
First sending module 43, for encrypted random string to be sent to terminal.
First receiving module 41 is also used to receive the first cryptographic Hash of terminal transmission;Wherein, the first cryptographic Hash is terminal root
Hash operation acquisition is carried out to session sequence number and random string according to default hash function.
First processing module 42 is also used to carry out Hash to session sequence number and random string according to default hash function
Budget obtains the second cryptographic Hash.
First processing module 42 is also used to establish connection with terminal when the first cryptographic Hash is identical with the second cryptographic Hash.
Optionally, first processing module 42 is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, the first receiving module 41 is also used to receive and store the public key of terminal transmission.
Server provided by the embodiment of the present invention receives the connection foundation for carrying terminal iidentification that terminal is sent and asks
It asks;According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random string is obtained;It will
Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Wherein, the first cryptographic Hash is
Terminal carries out Hash operation acquisition to session sequence number and random string according to default hash function;According to default Hash letter
Several pairs of session sequence numbers and random string carry out Hash budget, obtain the second cryptographic Hash;When the first cryptographic Hash and the second Hash
When being worth identical, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that since server is based on random words
Symbol string has carried out authentication to terminal, and the dialogue-based sequence number of terminal and random string have carried out identity to server and tested
Card, therefore server and terminal realize mutual authentication, forge terminal identity so as to avoid attacker and server is established and connected
It connects, ensure that network security.
In practical applications, the first receiving module 41, first processing module 42 and the first sending module 43 can be by being located at
Central processing unit (Central Processing Unit, CPU), microprocessor (Micro Processor in server
Unit, MPU), digital signal processor (Digital Signal Processor, DSP) or field programmable gate array
(Field Programmable Gate Array, FPGA) etc. is realized.
The embodiment of the present invention also provides a kind of terminal, as shown in fig. 6, the terminal 5 includes:
Second sending module 51, for sending the connection foundation request for carrying terminal iidentification to server.
Second receiving module 52, for receiving the encrypted random string of server transmission;Wherein, it is encrypted with
Machine character string is what server was obtained according to the public key encryption random string of terminal.
Second processing module 53 obtains random string for decrypting encrypted random string according to private key.
Second processing module 53, be also used to according to preset hash function to the random string of session sequence number and acquisition into
Row Hash operation obtains the first cryptographic Hash.
Second sending module 51 is also used to the first cryptographic Hash being sent to server, so that server is in verifying first
After cryptographic Hash is correct and terminal establishes connection.
Optionally, the second sending module 51 is also used to send the public key of terminal to server.
Optionally, Second processing module 53 is also used to:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
Terminal provided by the embodiment of the present invention sends the connection foundation request for carrying terminal iidentification to server;It connects
Receive the encrypted random string that server is sent;Wherein, encrypted random string is public affairs of the server according to terminal
Key encrypts what random string obtained;Encrypted random string is decrypted according to private key, obtains random string;According to default
Hash function carries out Hash operation to the random string of session sequence number and acquisition, obtains the first cryptographic Hash;By the first Hash
Value is sent to server, so that server is after verifying the first cryptographic Hash correctly and terminal establishes connection.Implement from the present invention
The technical solution that example provides is as it can be seen that carried out authentication to terminal since server is based on random string, terminal is based on meeting
Words sequence number and random string have carried out authentication to server, therefore server and terminal realize mutual authentication, from
And avoid attacker's forgery terminal identity and establish connection with server, it ensure that network security.
In practical applications, the first receiving module 51, first processing module 52 and the first sending module 53 can be by being located at
CPU, MPU, DSP or FPGA in terminal etc. are realized.
The embodiment of the present invention also provides a kind of connect and establishes device, including first memory and first processor, wherein the
The following instruction that can be executed by first processor is stored in one memory:
It receives the connection for carrying terminal iidentification that terminal is sent and establishes request.
According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random character is obtained
String.
Encrypted random string is sent to terminal.
Receive the first cryptographic Hash that terminal is sent.Wherein, the first cryptographic Hash be terminal according to default hash function to session
Sequence number and random string carry out Hash operation acquisition.
Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash.
When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.
Optionally, the following instruction that can be executed by first processor is specifically stored in first memory:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, the following instruction that can be executed by first processor is also stored in first memory:
Receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of connect and establishes device, including second memory and second processor, wherein the
The following instruction that can be executed by second processor is stored in two memories:
The connection foundation request for carrying terminal iidentification is sent to server.
Receive the encrypted random string that server is sent.Wherein, encrypted random string is server root
It is obtained according to the public key encryption random string of terminal.
Encrypted random string is decrypted according to private key, obtains random string.
Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first Kazakhstan
Uncommon value.
First cryptographic Hash is sent to server, so that server is verifying the correct rear and terminal foundation of the first cryptographic Hash
Connection.
Optionally, the following instruction that can be executed by second processor is also stored in second memory:
The public key of terminal is sent to server.
Optionally, the following instruction that can be executed by second processor is also stored in second memory:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
The embodiment of the present invention also provides a kind of computer readable storage medium, and it is executable that computer is stored on storage medium
Instruction, computer executable instructions are for executing following steps:
It receives the connection for carrying terminal iidentification that terminal is sent and establishes request.
According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random character is obtained
String.
Encrypted random string is sent to terminal.
Receive the first cryptographic Hash that terminal is sent.Wherein, the first cryptographic Hash be terminal according to default hash function to session
Sequence number and random string carry out Hash operation acquisition.
Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash.
When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.
Optionally, computer executable instructions are specifically used for executing following steps:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, computer executable instructions are also used to execute following steps:
Receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of computer readable storage medium, and it is executable that computer is stored on storage medium
Instruction, computer executable instructions are for executing following steps:
The connection foundation request for carrying terminal iidentification is sent to server.
Receive the encrypted random string that server is sent.Wherein, encrypted random string is server root
It is obtained according to the public key encryption random string of terminal.
Encrypted random string is decrypted according to private key, obtains random string.
Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first Kazakhstan
Uncommon value.
First cryptographic Hash is sent to server, so that server is verifying the correct rear and terminal foundation of the first cryptographic Hash
Connection.
Optionally, computer executable instructions are also used to execute following steps:
The public key of terminal is sent to server.
Optionally, computer executable instructions are also used to execute following steps:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
Although embodiment disclosed by the embodiment of the present invention is as above, only the present invention is real for ease of understanding for the content
The embodiment applying example and using is not intended to limit the invention embodiment.Skill in any fields of the embodiment of the present invention
Art personnel can be in the form and details of implementation under the premise of not departing from spirit and scope disclosed by the embodiment of the present invention
It is upper to carry out any modification and variation, but the scope of patent protection of the embodiment of the present invention, it still must be with appended claims institute
Subject to the range defined.
Claims (10)
1. a kind of connection method for building up, which is characterized in that including:
Request is established in the connection for carrying the terminal iidentification that server receiving terminal is sent;
The random string that the server is pre-generated according to public key encryption corresponding with the terminal iidentification, after obtaining encryption
Random string;
Encrypted random string is sent to the terminal by the server;
The server receives the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash be the terminal according to
Default hash function carries out Hash operation acquisition to session sequence number and the random string;
The server is pre- to the session sequence number and random string progress Hash according to the default hash function
It calculates, obtains the second cryptographic Hash;
When first cryptographic Hash is identical with second cryptographic Hash, the server and the terminal establish connection.
2. connection method for building up according to claim 1, which is characterized in that the server is according to corresponding with terminal iidentification
The pre-generated random string of public key encryption, including:
The server is obtained from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
Take public key corresponding with the terminal iidentification obtained;
The server generates random string according to preset algorithm;
The server encrypts the random string of generation according to the public key of acquisition.
3. connection method for building up according to claim 1, which is characterized in that the carrying that the server receiving terminal is sent
There is the connection of terminal iidentification to establish before request, further includes:
The server receives and stores the public key that the terminal is sent.
4. a kind of connection method for building up, which is characterized in that including:
Terminal to server sends the connection foundation request for carrying the terminal iidentification;
The terminal receives the encrypted random string that the server is sent;Wherein, the encrypted random character
String is what the server was obtained according to the public key encryption random string of the terminal;
The terminal decrypts the encrypted random string according to private key, obtains the random string;
The terminal carries out Hash operation according to random string of the default hash function to session sequence number and acquisition, obtains the
One cryptographic Hash;
First cryptographic Hash is sent to the server by the terminal, so that the server is verifying first Kazakhstan
Connection is established with the terminal after uncommon value is correct.
5. connection method for building up according to claim 4, which is characterized in that the terminal to server transmission carries end
The connection of end mark is established before request, further includes:
The terminal sends the public key of the terminal to the server.
6. connection method for building up according to claim 4, which is characterized in that the first cryptographic Hash is sent to clothes by the terminal
It is engaged in after device, further includes:
The terminal and the server establish session channel;
The terminal is scanned verifying to the configuration information on the server on the session channel of foundation.
7. a kind of server, which is characterized in that including:
Request is established in first receiving module, the connection for carrying the terminal iidentification for receiving terminal transmission;
First processing module, the random string for being pre-generated according to public key encryption corresponding with the terminal iidentification, obtains
To encrypted random string;
First sending module, for encrypted random string to be sent to the terminal;
First receiving module is also used to receive the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash is
The terminal carries out Hash operation acquisition to session sequence number and the random string according to default hash function;
The first processing module is also used to according to the default hash function to the session sequence number and the random character
String carries out Hash budget, obtains the second cryptographic Hash;
The first processing module is also used to when first cryptographic Hash is identical with second cryptographic Hash, with the terminal
Establish connection.
8. server according to claim 7, which is characterized in that the first processing module is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish
The corresponding public key of terminal iidentification;
Random string is generated according to preset algorithm;
It is encrypted according to random string of the public key of acquisition to generation, obtains encrypted random string.
9. a kind of terminal, which is characterized in that including:
Second sending module, for sending the connection foundation request for carrying the terminal iidentification to server;
Second receiving module, the encrypted random string sent for receiving the server;Wherein, described encrypted
Random string is what the server was obtained according to the public key encryption random string of the terminal;
Second processing module obtains the random string for decrypting the encrypted random string according to private key;
The Second processing module is also used to according to the random string progress for presetting hash function to session sequence number and acquisition
Hash operation obtains the first cryptographic Hash;
Second sending module is also used to first cryptographic Hash being sent to the server, so that the server
Connection is established verifying the correct rear and terminal of first cryptographic Hash.
10. terminal according to claim 9, which is characterized in that the Second processing module is also used to:
Session channel is established with the server;
Verifying is scanned to the configuration information on the server on the session channel of foundation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811148085.2A CN108847938A (en) | 2018-09-29 | 2018-09-29 | A kind of connection method for building up and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811148085.2A CN108847938A (en) | 2018-09-29 | 2018-09-29 | A kind of connection method for building up and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108847938A true CN108847938A (en) | 2018-11-20 |
Family
ID=64188000
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811148085.2A Pending CN108847938A (en) | 2018-09-29 | 2018-09-29 | A kind of connection method for building up and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108847938A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109739892A (en) * | 2018-12-27 | 2019-05-10 | 王梅 | The method and system of grading extension are carried out to the data acquisition request in internet |
CN110691329A (en) * | 2019-11-04 | 2020-01-14 | 李炳勇 | Sensor node monitoring method and system |
CN111259370A (en) * | 2020-01-13 | 2020-06-09 | 苏州浪潮智能科技有限公司 | FPGA program security verification method, system, terminal and storage medium |
CN112437436A (en) * | 2020-12-07 | 2021-03-02 | 中国联合网络通信集团有限公司 | Identity authentication method and device |
CN112507365A (en) * | 2020-12-16 | 2021-03-16 | 平安银行股份有限公司 | Data matching method, terminal and storage medium |
CN113507483A (en) * | 2021-07-27 | 2021-10-15 | 平安国际智慧城市科技股份有限公司 | Instant messaging method, device, server and storage medium |
CN115001716A (en) * | 2022-08-02 | 2022-09-02 | 长沙朗源电子科技有限公司 | Network data processing method and system of education all-in-one machine and education all-in-one machine |
CN115022099A (en) * | 2022-08-09 | 2022-09-06 | 北京华云安软件有限公司 | Identity authentication method and system based on UDP transmission protocol |
CN117395474A (en) * | 2023-12-12 | 2024-01-12 | 法序(厦门)信息科技有限公司 | Locally stored tamper-resistant video evidence obtaining and storing method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582906A (en) * | 2009-06-23 | 2009-11-18 | 中国人民解放军信息工程大学 | Key agreement method and device |
US20100205443A1 (en) * | 2007-10-23 | 2010-08-12 | Sufen Ding | Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols |
US20150188704A1 (en) * | 2013-12-27 | 2015-07-02 | Fujitsu Limited | Data communication method and data communication apparatus |
CN108234409A (en) * | 2016-12-15 | 2018-06-29 | 腾讯科技(深圳)有限公司 | Auth method and device |
CN108599939A (en) * | 2018-04-25 | 2018-09-28 | 新华三技术有限公司 | a kind of authentication method and device |
-
2018
- 2018-09-29 CN CN201811148085.2A patent/CN108847938A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100205443A1 (en) * | 2007-10-23 | 2010-08-12 | Sufen Ding | Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols |
CN101582906A (en) * | 2009-06-23 | 2009-11-18 | 中国人民解放军信息工程大学 | Key agreement method and device |
US20150188704A1 (en) * | 2013-12-27 | 2015-07-02 | Fujitsu Limited | Data communication method and data communication apparatus |
CN108234409A (en) * | 2016-12-15 | 2018-06-29 | 腾讯科技(深圳)有限公司 | Auth method and device |
CN108599939A (en) * | 2018-04-25 | 2018-09-28 | 新华三技术有限公司 | a kind of authentication method and device |
Non-Patent Citations (3)
Title |
---|
张国清主编: "CPAP验证", 《交换与路由技术 构建园区网络》 * |
肖盛文: "SSH协议的工作过程", 《计算机网络基础》 * |
黄志平: "漏洞扫描", 《电子商务综合实训》 * |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109739892A (en) * | 2018-12-27 | 2019-05-10 | 王梅 | The method and system of grading extension are carried out to the data acquisition request in internet |
CN110691329A (en) * | 2019-11-04 | 2020-01-14 | 李炳勇 | Sensor node monitoring method and system |
CN110691329B (en) * | 2019-11-04 | 2020-12-25 | 北京网明电子技术有限公司 | Sensor node monitoring method and system |
CN111259370A (en) * | 2020-01-13 | 2020-06-09 | 苏州浪潮智能科技有限公司 | FPGA program security verification method, system, terminal and storage medium |
CN112437436B (en) * | 2020-12-07 | 2023-05-02 | 中国联合网络通信集团有限公司 | Identity authentication method and device |
CN112437436A (en) * | 2020-12-07 | 2021-03-02 | 中国联合网络通信集团有限公司 | Identity authentication method and device |
CN112507365A (en) * | 2020-12-16 | 2021-03-16 | 平安银行股份有限公司 | Data matching method, terminal and storage medium |
CN112507365B (en) * | 2020-12-16 | 2023-08-22 | 平安银行股份有限公司 | Data matching method, terminal and storage medium |
CN113507483A (en) * | 2021-07-27 | 2021-10-15 | 平安国际智慧城市科技股份有限公司 | Instant messaging method, device, server and storage medium |
CN113507483B (en) * | 2021-07-27 | 2023-04-18 | 平安国际智慧城市科技股份有限公司 | Instant messaging method, device, server and storage medium |
CN115001716B (en) * | 2022-08-02 | 2022-12-06 | 长沙朗源电子科技有限公司 | Network data processing method and system of education all-in-one machine and education all-in-one machine |
CN115001716A (en) * | 2022-08-02 | 2022-09-02 | 长沙朗源电子科技有限公司 | Network data processing method and system of education all-in-one machine and education all-in-one machine |
CN115022099A (en) * | 2022-08-09 | 2022-09-06 | 北京华云安软件有限公司 | Identity authentication method and system based on UDP transmission protocol |
CN117395474A (en) * | 2023-12-12 | 2024-01-12 | 法序(厦门)信息科技有限公司 | Locally stored tamper-resistant video evidence obtaining and storing method and system |
CN117395474B (en) * | 2023-12-12 | 2024-02-27 | 法序(厦门)信息科技有限公司 | Locally stored tamper-resistant video evidence obtaining and storing method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108847938A (en) | A kind of connection method for building up and device | |
CN109309565B (en) | Security authentication method and device | |
US7945779B2 (en) | Securing a communications exchange between computers | |
US11336641B2 (en) | Security enhanced technique of authentication protocol based on trusted execution environment | |
US20090307486A1 (en) | System and method for secured network access utilizing a client .net software component | |
CN101978650B (en) | A system and method of secure network authentication | |
US11544365B2 (en) | Authentication system using a visual representation of an authentication challenge | |
CN109728909A (en) | Identity identifying method and system based on USBKey | |
CN109861813B (en) | Anti-quantum computing HTTPS communication method and system based on asymmetric key pool | |
CN104135494A (en) | Same-account incredible terminal login method and system based on credible terminal | |
TW201618492A (en) | Improved installation of a terminal in a secure system | |
WO2015161689A1 (en) | Data processing method based on negotiation key | |
TW201626752A (en) | Generating a symmetric encryption key | |
CN104486087B (en) | A kind of digital signature method based on remote hardware security module | |
US9398024B2 (en) | System and method for reliably authenticating an appliance | |
TW201626776A (en) | Improved system for establishing a secure communication channel | |
US11722466B2 (en) | Methods for communicating data utilizing sessionless dynamic encryption | |
TW201626775A (en) | Mutual authentication | |
TW201633206A (en) | Improved security through authentication tokens | |
CN105119894A (en) | Communication system and communication method based on hardware safety module | |
CN111130798A (en) | Request authentication method and related equipment | |
CN113411187B (en) | Identity authentication method and system, storage medium and processor | |
KR102591826B1 (en) | Apparatus and method for authenticating device based on certificate using physical unclonable function | |
CN111010399A (en) | Data transmission method and device, electronic equipment and storage medium | |
JP5186648B2 (en) | System and method for facilitating secure online transactions |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20181120 |
|
RJ01 | Rejection of invention patent application after publication |