CN108847938A - A kind of connection method for building up and device - Google Patents

A kind of connection method for building up and device Download PDF

Info

Publication number
CN108847938A
CN108847938A CN201811148085.2A CN201811148085A CN108847938A CN 108847938 A CN108847938 A CN 108847938A CN 201811148085 A CN201811148085 A CN 201811148085A CN 108847938 A CN108847938 A CN 108847938A
Authority
CN
China
Prior art keywords
terminal
server
random string
cryptographic hash
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811148085.2A
Other languages
Chinese (zh)
Inventor
孙希发
李红卫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd filed Critical Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201811148085.2A priority Critical patent/CN108847938A/en
Publication of CN108847938A publication Critical patent/CN108847938A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The embodiment of the invention discloses a kind of connection method for building up and devices, including:Request is established in the connection for carrying terminal iidentification that server receiving terminal is sent;According to the pre-generated random string of public key encryption corresponding with terminal iidentification and encrypted random string is sent to terminal;Receive the first cryptographic Hash that terminal is sent;Wherein, the first cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal;Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that since server and terminal realize mutual authentication, terminal identity is forged so as to avoid attacker and server establishes connection, ensure that network security.

Description

A kind of connection method for building up and device
Technical field
The present embodiments relate to Internet technical field more particularly to a kind of connection method for building up and device.
Background technique
Request is established in server needs to receive terminal with terminal connection before being communicated, is then asked to initiating the connection foundation The terminal asked carries out authentication, when authentication by after with terminal establish connection.
In the related technology, terminal is according to the public key of server to the user name of the server being written in itself in advance and close Code is encrypted to obtain encryption information, and encryption information is then sent to server, server according to private key pair encryption information into Row decryption obtains username and password, and then compared with the username and password of itself storage, if the same determines that terminal is logical Verifying is crossed, to establish connection with terminal.
However, since this method is the username and password progress terminal identity verifying based on server, once clothes The username and password leakage of business device is obtained by attacker, and attacker, which can forge terminal identity and initiate the connection foundation to server, to be asked It asks, and since attacker possesses the username and password of server, inherently passes through the authentication of server, success Connection is established with server, thus the hidden danger in terms of causing network security.
Summary of the invention
In order to solve the above-mentioned technical problem, the embodiment of the present invention provides a kind of connection method for building up and device, can be avoided Attacker forges terminal identity and server establishes connection, guarantees network security.
In order to reach purpose of the embodiment of the present invention, the embodiment of the invention provides a kind of connection method for building up, including:
Request is established in the connection for carrying the terminal iidentification that server receiving terminal is sent;
The random string that the server is pre-generated according to public key encryption corresponding with the terminal iidentification, is added Random string after close;
Encrypted random string is sent to the terminal by the server;
The server receives the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash is the terminal Hash operation acquisition is carried out to session sequence number and the random string according to default hash function;
The server breathes out the session sequence number and the random string according to the default hash function Uncommon budget, obtains the second cryptographic Hash;
When first cryptographic Hash is identical with second cryptographic Hash, the server and the terminal establish connection.
The random string that the server is pre-generated according to public key encryption corresponding with terminal iidentification, including:
The server is according to the corresponding relationship of the terminal iidentification and public key information that pre-establish from the public key set of storage It is middle to obtain public key corresponding with the terminal iidentification obtained;
The server generates random string according to preset algorithm;
The server encrypts the random string of generation according to the public key of acquisition.
The connection for carrying terminal iidentification that the server receiving terminal is sent is established before request, further includes:
The server receives and stores the public key that the terminal is sent.
The embodiment of the invention also provides a kind of connection method for building up, which is characterized in that including:
Terminal to server sends the connection foundation request for carrying the terminal iidentification;
The terminal receives the encrypted random string that the server is sent;Wherein, described encrypted random Character string is what the server was obtained according to the public key encryption random string of the terminal;
The terminal decrypts the encrypted random string according to private key, obtains the random string;
The terminal carries out Hash operation according to random string of the default hash function to session sequence number and acquisition, obtains To the first cryptographic Hash;
First cryptographic Hash is sent to the server by the terminal, so that the server is verifying described the Connection is established with the terminal after one cryptographic Hash is correct.
Before the terminal to server sends the connection foundation request for carrying terminal iidentification, further include:
The terminal sends the public key of the terminal to the server.
After first cryptographic Hash is sent to server by the terminal, further include:
The terminal and the server establish session channel;
The terminal is scanned verifying to the configuration information on the server on the session channel of foundation.
The embodiment of the invention provides a kind of servers, including:
Request is established in first receiving module, the connection for carrying the terminal iidentification for receiving terminal transmission;
First processing module, the random character for being pre-generated according to public key encryption corresponding with the terminal iidentification String, obtains encrypted random string;
First sending module, for encrypted random string to be sent to the terminal;
First receiving module is also used to receive the first cryptographic Hash that the terminal is sent;Wherein, first Hash Value carries out Hash operation acquisition to session sequence number and the random string according to default hash function for the terminal;
The first processing module is also used to according to the default hash function to the session sequence number and described random Character string carries out Hash budget, obtains the second cryptographic Hash;
The first processing module is also used to when first cryptographic Hash is identical with second cryptographic Hash, and described Terminal establishes connection.
The first processing module is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish The corresponding public key of terminal iidentification obtained;
Random string is generated according to preset algorithm;
It is encrypted according to random string of the public key of acquisition to generation, obtains encrypted random string.
The embodiment of the invention provides a kind of terminals, including:
Second sending module, for sending the connection foundation request for carrying the terminal iidentification to server;
Second receiving module, the encrypted random string sent for receiving the server;Wherein, the encryption Random string afterwards is what the server was obtained according to the public key encryption random string of the terminal;
Second processing module obtains the random character for decrypting the encrypted random string according to private key String;
The Second processing module is also used to the random string according to default hash function to session sequence number and acquisition Hash operation is carried out, the first cryptographic Hash is obtained;
Second sending module is also used to first cryptographic Hash being sent to the server, so that the clothes Business device establishes connection with the terminal after verifying first cryptographic Hash correctly.
The Second processing module is also used to establish session channel with the server;
The Second processing module is also used to carry out the configuration information on the server on the session channel of foundation Scanning validation.
Compared with prior art, the embodiment of the present invention includes at least:What server receiving terminal was sent carries terminal mark Request is established in the connection of knowledge;According to the random string that public key encryption corresponding with terminal iidentification pre-generates, after obtaining encryption Random string;Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Its In, the first cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal 's;Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When first When cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that due to Server is based on random string and has carried out authentication to terminal, and the dialogue-based sequence number of terminal and random string are to service Device has carried out authentication, therefore server and terminal realize mutual authentication, forges terminal identity so as to avoid attacker Connection is established with server, ensure that network security.
The other feature and advantage of the embodiment of the present invention will illustrate in the following description, also, partly from explanation It is become apparent in book, or understood by implementing the embodiment of the present invention.The purpose of the embodiment of the present invention and other advantages It can be achieved and obtained by structure specifically noted in the specification, claims and drawings.
Detailed description of the invention
Attached drawing is used to provide one for further understanding technical solution of the embodiment of the present invention, and constituting specification Point, it is used to explain the present invention the technical solution of embodiment together with embodiments herein, does not constitute to the embodiment of the present invention The limitation of technical solution.
Fig. 1 is a kind of flow diagram for connecting method for building up provided in an embodiment of the present invention;
Fig. 2 is the flow diagram of another connection method for building up provided in an embodiment of the present invention;
Fig. 3 is terminal/server structural schematic diagram provided in an embodiment of the present invention;
Fig. 4 is the flow diagram of another connection method for building up provided in an embodiment of the present invention;
Fig. 5 is a kind of structural schematic diagram of server provided in an embodiment of the present invention;
Fig. 6 is a kind of structural schematic diagram of terminal provided in an embodiment of the present invention.
Specific embodiment
Understand in order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with attached drawing pair The embodiment of the embodiment of the present invention is described in detail.It should be noted that in the absence of conflict, the implementation in the application Feature in example and embodiment can mutual any combination.
The embodiment of the present invention provides a kind of connection method for building up, as shown in Figure 1, this method includes:
Request is established in the connection for carrying terminal iidentification that step 101, server receiving terminal are sent.
Specifically, terminal iidentification is used for the identity of unique identification terminal, terminal iidentification can be the identity recognition number of terminal (IDentification, ID).
The random string that step 102, server are pre-generated according to public key encryption corresponding with terminal iidentification, is added Random string after close.
Encrypted random string is sent to terminal by step 103, server.
The first cryptographic Hash that step 104, server receiving terminal are sent.
Wherein, the first cryptographic Hash carries out Hash to session sequence number and random string according to default hash function for terminal What operation obtained.
Step 105, server carry out Hash budget to session sequence number and random string according to default hash function, obtain To the second cryptographic Hash.
Specifically, session sequence number is that server passes through application programming interface (Application Programming Interface, API) obtained from bottom.Default hash function can be the 5th edition Message Digest 5 (Message- Digest Algorithm 5th, MD5).
Step 106, when the first cryptographic Hash is identical with the second cryptographic Hash, server and terminal establish connection.
Method for building up is connected provided by the embodiment of the present invention, what server receiving terminal was sent carries terminal iidentification Request is established in connection;According to public key encryption corresponding with terminal iidentification pre-generate random string, obtain it is encrypted with Machine character string;Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Wherein, First cryptographic Hash carries out Hash operation acquisition to session sequence number and random string according to default hash function for terminal;Root Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash;When the first Hash When being worth identical with the second cryptographic Hash, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that due to service Device be based on random string to terminal carried out authentication, the dialogue-based sequence number of terminal and random string to server into It has gone authentication, therefore server and terminal realize mutual authentication, has forged terminal identity and clothes so as to avoid attacker Business device establishes connection, ensure that network security.
Optionally, the random string that server is pre-generated according to public key encryption corresponding with terminal iidentification, including:
Step 102a, server is according to the corresponding relationship of the terminal iidentification and public key information that pre-establish from the public key of storage Public key corresponding with the terminal iidentification obtained is obtained in set.
Step 102b, server generates random string according to preset algorithm.
Step 102c, server encrypts the random string of generation according to the public key of acquisition.
Optionally, the connection for carrying terminal iidentification that server receiving terminal is sent is established before request, further includes:
Step 107, server receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of connection method for building up, as shown in Fig. 2, this method includes:
Step 201, terminal to server send the connection foundation request for carrying terminal iidentification.
Step 202, terminal receive the encrypted random string that server is sent.
Wherein, encrypted random string is what server was obtained according to the public key encryption random string of terminal.
Step 203, terminal decrypt encrypted random string according to private key, obtain random string.
Step 204, terminal carry out Hash fortune according to random string of the default hash function to session sequence number and acquisition It calculates, obtains the first cryptographic Hash.
First cryptographic Hash is sent to server by step 205, terminal, so that server is correct in the first cryptographic Hash of verifying Connection is established with terminal afterwards.
Method for building up is connected provided by the embodiment of the present invention, terminal to server sends the connection for carrying terminal iidentification Establish request;Receive the encrypted random string that server is sent;Wherein, encrypted random string is server root It is obtained according to the public key encryption random string of terminal;Encrypted random string is decrypted according to private key, obtains random character String;Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first cryptographic Hash; First cryptographic Hash is sent to server, so that server is after verifying the first cryptographic Hash correctly and terminal establishes connection.From Technical solution provided in an embodiment of the present invention as it can be seen that due to server be based on random string authentication has been carried out to terminal, The dialogue-based sequence number of terminal and random string have carried out authentication to server, therefore server and terminal realize mutually It mutually authenticates, forges terminal identity so as to avoid attacker and server establishes connection, ensure that network security.
Optionally, before terminal to server sends the connection foundation request for carrying terminal iidentification, further include:
Step 206, terminal to server send the public key of terminal.
Optionally, after the first cryptographic Hash is sent to server by terminal, further include:
Step 207, terminal and server establish session channel.
Step 208, terminal are scanned verifying to the configuration information on server on the session channel of foundation.
Specifically, the present embodiments relate to server to can be the safety in the server field Linux and Unix outer The free open source of shell (Secure SHell, SSH) agreement realizes (OpenSSH) server.SSH agreement is one kind unsafe In network environment, by encryption and authentication mechanism, the network security of the business such as safe remote access and file transmission is realized Agreement.OpenSSH be using SSH penetrate computer network coded communication realization, be it is a increased income completely based on SSH it is long-range Control, file transfer conveyance collection.Traditional tool such as remote terminal protocol (Telnet agreement), real time transport protocol (Real- Time Transport Protocol, RCP) realize above-mentioned function be it is unsafe, OpenSSH provides a server and guards Process and tool terminal come realize it is safe, encryption it is long-range control and file transfer operation, therefore completely instead of Conventional tool.OpenSSH server program is a typical independent finger daemon (standalone daemon), operates in On most of Linux and Unix server, the lasting connection request for listening to various terminals passes through terminal SSH protocol remote safety logs on server.A variety of authentication modes, including password, public key and management can be used in OpenSSH Tool Kerberostickets etc..By configure/etc/ssh/sshd_config can change the silent of OpenSSH server Recognize behavior, the default configuration of most OpenSSH server is safety-related and preferably safe set has been provided It sets, therefore change configures it is possible that some security risks manually.In actual server application, in addition to keep OpenSSH keeps latest edition, squeezes into security patch immediately, while because of specific environmental difference, it may be necessary to right/etc/ssh/ Sshd_config being customized of file.When safeguard service device cluster, the OpenSSH server of different server may be deposited In different configurations, but because of a variety of causes, more or less the having some configuration errors or omit of each server causes to occur Security breaches just need an OpenSSH strategy batch inspection and configuration tool at this time.
Specifically, step 207, scheme provided by 208 are for the OpenSSH on common Linux and Unix server There is preferable applicability, as shown in figure 3, the SSH protocol frame of standard uses terminal/server framework, including:Transport layer, Authentication layers and articulamentum.Wherein, the encryption that transport layer protocol is mainly used to establish a safety between terminal and server is led to Road provides enough Confidentiality protection for the stage more demanding to data transmission security such as user authentication, data interaction.It passes Defeated layer protocol is normally operated in transport control protocol view/Internet Protocol (Transmission Control Protocol/ Internet Protocol, TCP/IP) on connection (well-known port number that server uses be 22), it also may operate in it On his any data connection that can be trusted.Certification layer protocol operates on transport layer protocol, completes server to login The certification of user.Connection layer protocol is responsible for marking off several logical channels on encrypted tunnel, to run different applications.It is transported Row provides the services such as interactive sessions, remote command execution on certification layer protocol.It is bright that SSH agreement solves Telnet agreement The defect of text transmission, establishes encrypted tunnel between communicating pair, guarantees that the data of transmission are not ravesdropping;It is exchanged and is calculated using key The safety of method guarantee key itself.So-called encrypted tunnel, refer to sender before sending data, using encryption key to data into Row encryption, then sends the data to other side;After recipient receives data, obtained from ciphertext using decruption key in plain text. Since asymmetric key algorithm is than relatively time-consuming, generally it is chiefly used in digital signature and authentication.Data on SSH encrypted tunnel Encryption and decryption uses symmetric key algorithm, and the algorithm mainly supported at present has data encryption standards (Data Encryption Standard, DES), 3DES, Advanced Encryption Standard (Advanced Encryption Standard, AES) etc..
The embodiment of the present invention also provides a kind of connection method for building up, as shown in figure 4, this method includes:
Step 301, terminal generate public private key pair.
Public key is sent to server by step 302, terminal.
It should be noted that public key is stored in the file of entitled authorized_keys by server.
It should also be noted that, step 301 and step 302 belong to the preparation stage.
Log on request is sent to server by step 303, terminal.
It should be noted that including terminal iidentification in log on request.
Step 304, server obtain terminal public key.
It should be noted that server is matched to terminal according to terminal identification information in authorized_keys file Public key pubKey.
Step 305, server use public key encryption random string, obtain encryption information.
Encryption information is sent to terminal by step 306, server.
Step 307, terminal are decrypted with the private key of oneself, obtain random string, and according to default hash function to session Sequence number and random string carry out Hash operation and obtain the first cryptographic Hash.
First cryptographic Hash is sent to server by step 308, terminal.
Step 309, server carry out Hash operation to session sequence number and random string according to default hash function and obtain The second cryptographic Hash is obtained, and compares the first cryptographic Hash and the second cryptographic Hash.
If step 310, the first cryptographic Hash are identical with the second cryptographic Hash, terminal successful log server, i.e. terminal are determined Connection is established with server.
It should be noted that step 303~310 belong to login authentication process.
After successfully completing certification, terminal to server initiates service request, and request server provides certain application.
The process of service request is:
Step 1, terminal send SSH_MSG_CHANNEL_OPEN message, and request establishes session channel with server, i.e., session.Wherein, the requested channel type of terminal is carried in message.
After step 2, server receive SSH_MSG_CHANNEL_OPEN message, if supporting the channel type, reply SSH_MSG_CHANNEL_OPEN_CONFIRMATION message, to establish session channel.
After step 3, session channel are established, terminal can carry out on a passage verifying scanning server with confidence Breath.
The embodiment of the present invention also provides a kind of server, as shown in figure 5, the server 4 includes:
Request is established in first receiving module 41, the connection for carrying terminal iidentification for receiving terminal transmission.
First processing module 42, the random string for being pre-generated according to public key encryption corresponding with terminal iidentification, Obtain encrypted random string.
First sending module 43, for encrypted random string to be sent to terminal.
First receiving module 41 is also used to receive the first cryptographic Hash of terminal transmission;Wherein, the first cryptographic Hash is terminal root Hash operation acquisition is carried out to session sequence number and random string according to default hash function.
First processing module 42 is also used to carry out Hash to session sequence number and random string according to default hash function Budget obtains the second cryptographic Hash.
First processing module 42 is also used to establish connection with terminal when the first cryptographic Hash is identical with the second cryptographic Hash.
Optionally, first processing module 42 is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, the first receiving module 41 is also used to receive and store the public key of terminal transmission.
Server provided by the embodiment of the present invention receives the connection foundation for carrying terminal iidentification that terminal is sent and asks It asks;According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random string is obtained;It will Encrypted random string is sent to terminal;The first cryptographic Hash that server receiving terminal is sent;Wherein, the first cryptographic Hash is Terminal carries out Hash operation acquisition to session sequence number and random string according to default hash function;According to default Hash letter Several pairs of session sequence numbers and random string carry out Hash budget, obtain the second cryptographic Hash;When the first cryptographic Hash and the second Hash When being worth identical, connection is established with terminal.From technical solution provided in an embodiment of the present invention as it can be seen that since server is based on random words Symbol string has carried out authentication to terminal, and the dialogue-based sequence number of terminal and random string have carried out identity to server and tested Card, therefore server and terminal realize mutual authentication, forge terminal identity so as to avoid attacker and server is established and connected It connects, ensure that network security.
In practical applications, the first receiving module 41, first processing module 42 and the first sending module 43 can be by being located at Central processing unit (Central Processing Unit, CPU), microprocessor (Micro Processor in server Unit, MPU), digital signal processor (Digital Signal Processor, DSP) or field programmable gate array (Field Programmable Gate Array, FPGA) etc. is realized.
The embodiment of the present invention also provides a kind of terminal, as shown in fig. 6, the terminal 5 includes:
Second sending module 51, for sending the connection foundation request for carrying terminal iidentification to server.
Second receiving module 52, for receiving the encrypted random string of server transmission;Wherein, it is encrypted with Machine character string is what server was obtained according to the public key encryption random string of terminal.
Second processing module 53 obtains random string for decrypting encrypted random string according to private key.
Second processing module 53, be also used to according to preset hash function to the random string of session sequence number and acquisition into Row Hash operation obtains the first cryptographic Hash.
Second sending module 51 is also used to the first cryptographic Hash being sent to server, so that server is in verifying first After cryptographic Hash is correct and terminal establishes connection.
Optionally, the second sending module 51 is also used to send the public key of terminal to server.
Optionally, Second processing module 53 is also used to:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
Terminal provided by the embodiment of the present invention sends the connection foundation request for carrying terminal iidentification to server;It connects Receive the encrypted random string that server is sent;Wherein, encrypted random string is public affairs of the server according to terminal Key encrypts what random string obtained;Encrypted random string is decrypted according to private key, obtains random string;According to default Hash function carries out Hash operation to the random string of session sequence number and acquisition, obtains the first cryptographic Hash;By the first Hash Value is sent to server, so that server is after verifying the first cryptographic Hash correctly and terminal establishes connection.Implement from the present invention The technical solution that example provides is as it can be seen that carried out authentication to terminal since server is based on random string, terminal is based on meeting Words sequence number and random string have carried out authentication to server, therefore server and terminal realize mutual authentication, from And avoid attacker's forgery terminal identity and establish connection with server, it ensure that network security.
In practical applications, the first receiving module 51, first processing module 52 and the first sending module 53 can be by being located at CPU, MPU, DSP or FPGA in terminal etc. are realized.
The embodiment of the present invention also provides a kind of connect and establishes device, including first memory and first processor, wherein the The following instruction that can be executed by first processor is stored in one memory:
It receives the connection for carrying terminal iidentification that terminal is sent and establishes request.
According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random character is obtained String.
Encrypted random string is sent to terminal.
Receive the first cryptographic Hash that terminal is sent.Wherein, the first cryptographic Hash be terminal according to default hash function to session Sequence number and random string carry out Hash operation acquisition.
Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash.
When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.
Optionally, the following instruction that can be executed by first processor is specifically stored in first memory:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, the following instruction that can be executed by first processor is also stored in first memory:
Receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of connect and establishes device, including second memory and second processor, wherein the The following instruction that can be executed by second processor is stored in two memories:
The connection foundation request for carrying terminal iidentification is sent to server.
Receive the encrypted random string that server is sent.Wherein, encrypted random string is server root It is obtained according to the public key encryption random string of terminal.
Encrypted random string is decrypted according to private key, obtains random string.
Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first Kazakhstan Uncommon value.
First cryptographic Hash is sent to server, so that server is verifying the correct rear and terminal foundation of the first cryptographic Hash Connection.
Optionally, the following instruction that can be executed by second processor is also stored in second memory:
The public key of terminal is sent to server.
Optionally, the following instruction that can be executed by second processor is also stored in second memory:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
The embodiment of the present invention also provides a kind of computer readable storage medium, and it is executable that computer is stored on storage medium Instruction, computer executable instructions are for executing following steps:
It receives the connection for carrying terminal iidentification that terminal is sent and establishes request.
According to the random string that public key encryption corresponding with terminal iidentification pre-generates, encrypted random character is obtained String.
Encrypted random string is sent to terminal.
Receive the first cryptographic Hash that terminal is sent.Wherein, the first cryptographic Hash be terminal according to default hash function to session Sequence number and random string carry out Hash operation acquisition.
Hash budget is carried out to session sequence number and random string according to default hash function, obtains the second cryptographic Hash.
When the first cryptographic Hash is identical with the second cryptographic Hash, connection is established with terminal.
Optionally, computer executable instructions are specifically used for executing following steps:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish The corresponding public key of terminal iidentification obtained.
Random string is generated according to preset algorithm.
It is encrypted according to random string of the public key of acquisition to generation.
Optionally, computer executable instructions are also used to execute following steps:
Receive and store the public key of terminal transmission.
The embodiment of the present invention also provides a kind of computer readable storage medium, and it is executable that computer is stored on storage medium Instruction, computer executable instructions are for executing following steps:
The connection foundation request for carrying terminal iidentification is sent to server.
Receive the encrypted random string that server is sent.Wherein, encrypted random string is server root It is obtained according to the public key encryption random string of terminal.
Encrypted random string is decrypted according to private key, obtains random string.
Hash operation is carried out according to random string of the default hash function to session sequence number and acquisition, obtains the first Kazakhstan Uncommon value.
First cryptographic Hash is sent to server, so that server is verifying the correct rear and terminal foundation of the first cryptographic Hash Connection.
Optionally, computer executable instructions are also used to execute following steps:
The public key of terminal is sent to server.
Optionally, computer executable instructions are also used to execute following steps:
Session channel is established with server.
Verifying is scanned to the configuration information on server on the session channel of foundation.
Although embodiment disclosed by the embodiment of the present invention is as above, only the present invention is real for ease of understanding for the content The embodiment applying example and using is not intended to limit the invention embodiment.Skill in any fields of the embodiment of the present invention Art personnel can be in the form and details of implementation under the premise of not departing from spirit and scope disclosed by the embodiment of the present invention It is upper to carry out any modification and variation, but the scope of patent protection of the embodiment of the present invention, it still must be with appended claims institute Subject to the range defined.

Claims (10)

1. a kind of connection method for building up, which is characterized in that including:
Request is established in the connection for carrying the terminal iidentification that server receiving terminal is sent;
The random string that the server is pre-generated according to public key encryption corresponding with the terminal iidentification, after obtaining encryption Random string;
Encrypted random string is sent to the terminal by the server;
The server receives the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash be the terminal according to Default hash function carries out Hash operation acquisition to session sequence number and the random string;
The server is pre- to the session sequence number and random string progress Hash according to the default hash function It calculates, obtains the second cryptographic Hash;
When first cryptographic Hash is identical with second cryptographic Hash, the server and the terminal establish connection.
2. connection method for building up according to claim 1, which is characterized in that the server is according to corresponding with terminal iidentification The pre-generated random string of public key encryption, including:
The server is obtained from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish Take public key corresponding with the terminal iidentification obtained;
The server generates random string according to preset algorithm;
The server encrypts the random string of generation according to the public key of acquisition.
3. connection method for building up according to claim 1, which is characterized in that the carrying that the server receiving terminal is sent There is the connection of terminal iidentification to establish before request, further includes:
The server receives and stores the public key that the terminal is sent.
4. a kind of connection method for building up, which is characterized in that including:
Terminal to server sends the connection foundation request for carrying the terminal iidentification;
The terminal receives the encrypted random string that the server is sent;Wherein, the encrypted random character String is what the server was obtained according to the public key encryption random string of the terminal;
The terminal decrypts the encrypted random string according to private key, obtains the random string;
The terminal carries out Hash operation according to random string of the default hash function to session sequence number and acquisition, obtains the One cryptographic Hash;
First cryptographic Hash is sent to the server by the terminal, so that the server is verifying first Kazakhstan Connection is established with the terminal after uncommon value is correct.
5. connection method for building up according to claim 4, which is characterized in that the terminal to server transmission carries end The connection of end mark is established before request, further includes:
The terminal sends the public key of the terminal to the server.
6. connection method for building up according to claim 4, which is characterized in that the first cryptographic Hash is sent to clothes by the terminal It is engaged in after device, further includes:
The terminal and the server establish session channel;
The terminal is scanned verifying to the configuration information on the server on the session channel of foundation.
7. a kind of server, which is characterized in that including:
Request is established in first receiving module, the connection for carrying the terminal iidentification for receiving terminal transmission;
First processing module, the random string for being pre-generated according to public key encryption corresponding with the terminal iidentification, obtains To encrypted random string;
First sending module, for encrypted random string to be sent to the terminal;
First receiving module is also used to receive the first cryptographic Hash that the terminal is sent;Wherein, first cryptographic Hash is The terminal carries out Hash operation acquisition to session sequence number and the random string according to default hash function;
The first processing module is also used to according to the default hash function to the session sequence number and the random character String carries out Hash budget, obtains the second cryptographic Hash;
The first processing module is also used to when first cryptographic Hash is identical with second cryptographic Hash, with the terminal Establish connection.
8. server according to claim 7, which is characterized in that the first processing module is specifically used for:
It obtains and obtains from the public key set of storage according to the corresponding relationship of the terminal iidentification and public key information that pre-establish The corresponding public key of terminal iidentification;
Random string is generated according to preset algorithm;
It is encrypted according to random string of the public key of acquisition to generation, obtains encrypted random string.
9. a kind of terminal, which is characterized in that including:
Second sending module, for sending the connection foundation request for carrying the terminal iidentification to server;
Second receiving module, the encrypted random string sent for receiving the server;Wherein, described encrypted Random string is what the server was obtained according to the public key encryption random string of the terminal;
Second processing module obtains the random string for decrypting the encrypted random string according to private key;
The Second processing module is also used to according to the random string progress for presetting hash function to session sequence number and acquisition Hash operation obtains the first cryptographic Hash;
Second sending module is also used to first cryptographic Hash being sent to the server, so that the server Connection is established verifying the correct rear and terminal of first cryptographic Hash.
10. terminal according to claim 9, which is characterized in that the Second processing module is also used to:
Session channel is established with the server;
Verifying is scanned to the configuration information on the server on the session channel of foundation.
CN201811148085.2A 2018-09-29 2018-09-29 A kind of connection method for building up and device Pending CN108847938A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811148085.2A CN108847938A (en) 2018-09-29 2018-09-29 A kind of connection method for building up and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811148085.2A CN108847938A (en) 2018-09-29 2018-09-29 A kind of connection method for building up and device

Publications (1)

Publication Number Publication Date
CN108847938A true CN108847938A (en) 2018-11-20

Family

ID=64188000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811148085.2A Pending CN108847938A (en) 2018-09-29 2018-09-29 A kind of connection method for building up and device

Country Status (1)

Country Link
CN (1) CN108847938A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109739892A (en) * 2018-12-27 2019-05-10 王梅 The method and system of grading extension are carried out to the data acquisition request in internet
CN110691329A (en) * 2019-11-04 2020-01-14 李炳勇 Sensor node monitoring method and system
CN111259370A (en) * 2020-01-13 2020-06-09 苏州浪潮智能科技有限公司 FPGA program security verification method, system, terminal and storage medium
CN112437436A (en) * 2020-12-07 2021-03-02 中国联合网络通信集团有限公司 Identity authentication method and device
CN112507365A (en) * 2020-12-16 2021-03-16 平安银行股份有限公司 Data matching method, terminal and storage medium
CN113507483A (en) * 2021-07-27 2021-10-15 平安国际智慧城市科技股份有限公司 Instant messaging method, device, server and storage medium
CN115001716A (en) * 2022-08-02 2022-09-02 长沙朗源电子科技有限公司 Network data processing method and system of education all-in-one machine and education all-in-one machine
CN115022099A (en) * 2022-08-09 2022-09-06 北京华云安软件有限公司 Identity authentication method and system based on UDP transmission protocol
CN117395474A (en) * 2023-12-12 2024-01-12 法序(厦门)信息科技有限公司 Locally stored tamper-resistant video evidence obtaining and storing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582906A (en) * 2009-06-23 2009-11-18 中国人民解放军信息工程大学 Key agreement method and device
US20100205443A1 (en) * 2007-10-23 2010-08-12 Sufen Ding Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
US20150188704A1 (en) * 2013-12-27 2015-07-02 Fujitsu Limited Data communication method and data communication apparatus
CN108234409A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 Auth method and device
CN108599939A (en) * 2018-04-25 2018-09-28 新华三技术有限公司 a kind of authentication method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100205443A1 (en) * 2007-10-23 2010-08-12 Sufen Ding Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
CN101582906A (en) * 2009-06-23 2009-11-18 中国人民解放军信息工程大学 Key agreement method and device
US20150188704A1 (en) * 2013-12-27 2015-07-02 Fujitsu Limited Data communication method and data communication apparatus
CN108234409A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 Auth method and device
CN108599939A (en) * 2018-04-25 2018-09-28 新华三技术有限公司 a kind of authentication method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张国清主编: "CPAP验证", 《交换与路由技术 构建园区网络》 *
肖盛文: "SSH协议的工作过程", 《计算机网络基础》 *
黄志平: "漏洞扫描", 《电子商务综合实训》 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109739892A (en) * 2018-12-27 2019-05-10 王梅 The method and system of grading extension are carried out to the data acquisition request in internet
CN110691329A (en) * 2019-11-04 2020-01-14 李炳勇 Sensor node monitoring method and system
CN110691329B (en) * 2019-11-04 2020-12-25 北京网明电子技术有限公司 Sensor node monitoring method and system
CN111259370A (en) * 2020-01-13 2020-06-09 苏州浪潮智能科技有限公司 FPGA program security verification method, system, terminal and storage medium
CN112437436B (en) * 2020-12-07 2023-05-02 中国联合网络通信集团有限公司 Identity authentication method and device
CN112437436A (en) * 2020-12-07 2021-03-02 中国联合网络通信集团有限公司 Identity authentication method and device
CN112507365A (en) * 2020-12-16 2021-03-16 平安银行股份有限公司 Data matching method, terminal and storage medium
CN112507365B (en) * 2020-12-16 2023-08-22 平安银行股份有限公司 Data matching method, terminal and storage medium
CN113507483A (en) * 2021-07-27 2021-10-15 平安国际智慧城市科技股份有限公司 Instant messaging method, device, server and storage medium
CN113507483B (en) * 2021-07-27 2023-04-18 平安国际智慧城市科技股份有限公司 Instant messaging method, device, server and storage medium
CN115001716B (en) * 2022-08-02 2022-12-06 长沙朗源电子科技有限公司 Network data processing method and system of education all-in-one machine and education all-in-one machine
CN115001716A (en) * 2022-08-02 2022-09-02 长沙朗源电子科技有限公司 Network data processing method and system of education all-in-one machine and education all-in-one machine
CN115022099A (en) * 2022-08-09 2022-09-06 北京华云安软件有限公司 Identity authentication method and system based on UDP transmission protocol
CN117395474A (en) * 2023-12-12 2024-01-12 法序(厦门)信息科技有限公司 Locally stored tamper-resistant video evidence obtaining and storing method and system
CN117395474B (en) * 2023-12-12 2024-02-27 法序(厦门)信息科技有限公司 Locally stored tamper-resistant video evidence obtaining and storing method and system

Similar Documents

Publication Publication Date Title
CN108847938A (en) A kind of connection method for building up and device
CN109309565B (en) Security authentication method and device
US7945779B2 (en) Securing a communications exchange between computers
US11336641B2 (en) Security enhanced technique of authentication protocol based on trusted execution environment
US20090307486A1 (en) System and method for secured network access utilizing a client .net software component
CN101978650B (en) A system and method of secure network authentication
US11544365B2 (en) Authentication system using a visual representation of an authentication challenge
CN109728909A (en) Identity identifying method and system based on USBKey
CN109861813B (en) Anti-quantum computing HTTPS communication method and system based on asymmetric key pool
CN104135494A (en) Same-account incredible terminal login method and system based on credible terminal
TW201618492A (en) Improved installation of a terminal in a secure system
WO2015161689A1 (en) Data processing method based on negotiation key
TW201626752A (en) Generating a symmetric encryption key
CN104486087B (en) A kind of digital signature method based on remote hardware security module
US9398024B2 (en) System and method for reliably authenticating an appliance
TW201626776A (en) Improved system for establishing a secure communication channel
US11722466B2 (en) Methods for communicating data utilizing sessionless dynamic encryption
TW201626775A (en) Mutual authentication
TW201633206A (en) Improved security through authentication tokens
CN105119894A (en) Communication system and communication method based on hardware safety module
CN111130798A (en) Request authentication method and related equipment
CN113411187B (en) Identity authentication method and system, storage medium and processor
KR102591826B1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
CN111010399A (en) Data transmission method and device, electronic equipment and storage medium
JP5186648B2 (en) System and method for facilitating secure online transactions

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181120

RJ01 Rejection of invention patent application after publication